Who may we collect data on?
We have categorised the types of ‘Data Subjects’ we collect data from. This will make it easier for you to identify what category(s) you would fall under and the types of data that may be held on you. The following is a list of ‘Data Subjects’ that we may process data on:
Customer – Customers that would be attributed to B2C oriented businesses.
Client – Account Customers that would be attributed to B2B oriented businesses.
Contact – Often associated with a Client (in the B2B world) which, although not specifically the company in question, identifies individuals who might be used as contact points within that company and could be seen as individuals associated to a company.
Prospect – A potential customer or client qualified on the basis of their buying authority, financial capacity, and willingness to buy. Sometimes referred to as a ‘sales lead’.
Website Visitor/Visitor – A visitor to any of our websites who accesses them via any internet-enabled device.
Supplier – A party that supplies goods or services. A supplier may be distinguished from a contractor or subcontractor, who commonly adds specialised input to deliverables. Also called ‘vendor’.
Employee – Works under a ‘contract of service’ or ‘Employment Contract’ and not contracted ‘for service’. All employees are workers, but an employee has extra employment rights and responsibilities that do not apply to workers who aren’t employees.
Temporary Worker – An agency/temporary worker is an individual typically supplied by an employment business to work under our direction and supervision.
Worker – Works under a contract ‘for services’ or any other contract, whether express or implied, whereby the individual undertakes to do or perform personally any work or services for the ‘employer organisation’ of the contract; not an ‘employee’.
Contractor – An independent individual who works for the organisation under a contract ‘for services’, whereas an employee works under a contract of service. Typically associated with self-employed workers. Contractors working on site are required to sign the visitor book and fill out a short form relating to their visit.
Sub-Contractor – A subcontractor is a person/party who is hired by us (or the main contractor) to perform a specific task as part of the overall project objective and is normally paid for services provided to the project by the originating general contractor; applying in the context of the organisation acting as either a contractor or supplier.
Visitor – Individuals or groups that may have no formal linkage to the organisation but are formally ‘signed in’ upon arrival. The term is also sometimes used for Website Visitor.
Policy Holder – Policyholder for a wide range of potential products or services, for example pension schemes.
Volunteer – Individuals or groups that provide products or services where they are classed neither as employees nor as on contract, and are not part of the organisation’s HR/Payroll system. This includes individuals carrying out ‘Work Experience’.
Professional/Expert – A person engaged in conjunction with a specific, limited-term project requiring professional knowledge, skills or technical expertise (for example, a lawyer, health advisor, pension provider or accountant).
Recruitment Candidates – Candidates being considered for open roles, whose information was either obtained directly or via an employment agency.
Next of Kin/Emergency Contact – Employee/Worker’s preferred contact in the event of an emergency.
Leaver – An individual who worked for the organisation as an Employee or Worker, whose employment was terminated voluntarily or involuntarily.
Employee Benefit Providers – Providers of Employee Benefit Schemes, for example a Child Care Voucher Scheme or Cycle to Work Scheme.
Other – This is a catch-all definition for personal data that may get collected as part of any business process and that doesn’t fit in any previous category.
Types of data we collect
This section aims to outline the data we collect, how it may be used and how/when we destroy personal data records and when/how we may have obtained it.
When you visit our headquarters you will be asked to sign the Visitor Book, and we collect the following data:
a) your name;
c) vehicle registration;
d) name of contractor’s representative (if a contractor); and
e) your video image via our video-entry door access system.
Note: recording can only be initiated at the time of answering the call and is only used in emergency or special circumstances. The recordings are stored locally on the device, which has limited memory and overwrites old recordings on a rolling basis. If data is for some reason required to be kept for longer, a legal basis and/or consent must be documented.
The information may be used in the event of an incident, e.g. an accident, break-in, fire or car accident. It is collected to ensure the safety of visitors and any persons on site (including Contractors who are working under the duty of care of Royde and Tucker Ltd.).
Unless a legal basis for retention is identified (e.g. an ongoing police investigation relating to a visitor), the book is securely destroyed annually by shredding.
If you use our guest Wi-Fi when visiting our headquarters, we collect data about:
a) your device type;
b) the volume of data which you use on our network;
c) the addresses you access when using websites or applications; and
d) your usage by MAC address or IP address, access time, frequency and location.
The guest Wi-Fi is not actively monitored, but access to the management console by authorised users gives the capability of analysing the data logs. The log data is purged on a rolling 6-month cycle and is secured; the logs are accessible only to the IT Manager(s) and the Managing Director of the organisation, who holds the password. The password to the logs is changed quarterly, and the password to the Wi-Fi is changed quarterly. We may need to access and process this information from time to time: for example, if the Wi-Fi is being slowed, we may monitor the traffic to identify which device is consuming the resources. We do not access or attempt to access any of your files.
When someone visits www.ratman.co.uk we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site or the times of day when visitors are browsing; this enables us to make decisions on how best to improve website functionality/efficiency and ultimately the experience of the visitor. This information is only processed in a way which does not identify anyone; only aggregate statistical information is used in any decision making.
We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website(s). We do not have full control over the settings provided in the service; specific changes or exclusions can only be made by contacting Google Analytics.
Contact Form Submissions From Our Website(s)
If a visitor uses the ‘Contact Us’ process, personal data is required to make a submission.
When you submit the ‘Contact Form’, the following data is captured:
a) your name (required);
b) your email (required);
c) your company (optional); and
d) your message.
This information is not stored within our website(s) database; the data submitted is immediately sent to our Sales Team via email. That is the only record of this data, and it is needed to enable us to respond to genuine enquiries made via our website(s). Our emails are hosted and stored in-house and are protected under the measures and controls of our IT infrastructure and internal policies, which are described further in this notice. We keep our contact form enquiry emails organised and protected by authorised access only, with the ability to retrieve or delete them at any given time. Any further contact would categorise the website visitor as another type of ‘Data Subject’, who would then fall under the relevant processes/measures applicable to that individual’s new ‘Data Subject’ type.
Contact Details, Billing and Shipping Details and Addresses
As part of our general business operations, personal data is required to confirm orders with Royde and Tucker Ltd., and we also require personal information from our suppliers when we confirm purchases with them. Royde and Tucker will require the following information to confirm orders with our suppliers or with our customers/clients:
a) your name;
b) your email;
c) your telephone number;
d) billing address details;
e) shipping address details;
f) remittance details (if a supplier, customer, contractor or sub-contractor);
g) credit card details. If payment from a Customer is taken via credit card, the details are entered directly into the card machine by authorised staff whilst the card-holder is on the phone or present in person (to avoid writing them down). No credit card details are entered into our business systems. Any card numbers that are written down must be authorised by a Manager rank or higher and are under strict policy to be destroyed instantly via a purposed shredder;
h) online payments are only taken via PayPal; we keep no records of payment details or card numbers for these payments. Payments are processed via PayPal, through their secure systems. The shipping address, email and phone number are all that is required for us to accept payments via PayPal.
This information is a standard requirement to confirm business activity in the form of ‘Orders’ either in the form of purchases or sales. The information is recorded under lawful basis to allow for confirmation of order, delivery of goods, payment of invoices and ultimately, adherence to the business ‘Sales or Purchasing Contract’ commitment established when confirming an ‘Order’ in either direction.
This information is logged in our core business system, Epicor ERP, and is attached to the record relevant to the data subject, e.g. Supplier, Customer, Client, Prospect etc.
Access to the in-house core business system is controlled via ‘User Permissions’; the authorised employees processing the data will only process the data to fulfil their responsibilities and are aware of their obligations under GDPR and our code of conduct.
Internal Data Subjects’ Data – Employee, Ex-Employee, Workers, Next of Kin, Recruitment Candidates etc.
If you are somebody that has worked for us (currently or previously), be it as a staff member, worker or contractor, then it is likely that we have collected or will collect information about you. If you have applied to work for us, then it is also likely we have collected or will collect information about you. The information relating to these internal ‘Data Subjects’ is controlled by our HR Department; much of the information is a legal requirement and retention laws may apply. Information regarding these Data Subjects is summarised in this policy. For more information on this kind of data, please send your enquiries to:
The following lists the types of data that may be collected for any of the ‘data subjects’ listed in this section, commonly referred to as ‘Internal Data Subjects’. For more information, it is best to contact us directly and we will be happy to help:
(Employee, Ex-Employee, Worker, Volunteer etc.)
a) your name;
b) your personal email;
c) your telephone number;
d) address details;
f) bank details;
g) date of birth;
i) emergency contact details (basic contact details only, i.e. name, address, telephone);
j) recruitment records i.e. Job Application, CV, Interview Notes, References, Proof of Right to Work in the UK, Qualification Certificates, Background Check Documentation, Copy of ID, Job Offer Letters, Pay and Bonus Letters, Employment Terms (and changes to), Salary, Pensions, Tax Codes, NI Numbers;
k) recruitment records of special categories, i.e. criminal convictions and offence record checks and health checks (where required);
l) medical information;
m) Disciplinary, Grievance and Capability Records;
n) Appraisal forms, performance reviews and ratings, targets and objectives;
o) Annual Leave and Sickness Records including Doctor Letters;
p) Annual Leave and Sickness Records for Special Categories – Medical Reports, Medical Conditions;
q) Psychometric Assessment Data.
Next of Kin
a) your name;
b) your personal email;
c) your telephone number;
d) address details.
a) your name;
b) your personal email;
c) your telephone number;
d) address details;
f) recruitment records i.e. Job Application, CV, Interview Notes, References, Proof of Right to Work in the UK, Qualification Certificates, Background Check Documentation, Copy of ID, Job Offer Letters;
g) Psychometric Assessment Data.
All the information regarding ‘Internal’ Data Subjects is held lawfully and securely. Special Category Data is not processed by Royde and Tucker Ltd. or any Data Processor unless there is a documented legal obligation to do so, consent has been provided and a documented impact assessment has taken place; a record of processing activities is logged whenever this kind of ‘Special Category Data’ is processed. This information is only accessible to authorised users (HR or Directors only) and is secured both physically and digitally, with Special Category Data secured with ‘extra safeguards’ and protection as per the GDPR requirement. Personal Data is sometimes shared with third parties such as HMRC and employee benefit providers (e.g. the Cycle to Work Scheme), and may be processed by professionals/experts we employ for specific works, e.g. Accountants, or Health Advisors carrying out Occupational Health Assessments. More information on the security of data can be found further down this page.
a) your name;
b) your personal email;
c) your telephone number;
d) address details;
f) remittance details (if a supplier, contractor or sub-contractor);
g) shipping address details.
What Are Cookies?
On occasion, we may gather information about your computer for our services, and to provide statistical information regarding the use of our Website(s) to our advertisers.
Such information will not identify you personally; it is statistical data about our visitors and their use of our site. This statistical data does not identify any personal details whatsoever. It is used by us to analyse how visitors interact with the Website(s) so that we can continue to develop and improve them.
We may gather information about your general Internet use by using a cookie file that is downloaded to your computer.
Where used, these cookies are downloaded to your computer automatically and stored on its hard drive, as cookies contain information that is transferred to your computer’s hard drive. They help us to improve our Website(s) and the service that we provide to you.
All browsers have the ability to decline cookies; this can be done by activating the setting in your browser which enables you to decline cookies. Please note that should you choose to decline cookies, you may be unable to access particular areas of our Website(s).
Any advertising featured on the Website(s) may also incorporate cookies, over which we have no control. Such cookies (if used) would be downloaded only once you click on advertisements on our Website(s).
Basis for Processing Data
The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:
In specific situations, we can collect and process your data with your consent.
For example, when you tick a box (Opt-In) to receive communications in relation to a specific service. When requesting consent to keep or record your personal data, we’ll make clear to you which data is necessary in connection with a particular service.
In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, if you order an item from us for delivery, we’ll collect your shipping address details to deliver your purchase, and pass them to our courier(s).
If the law requires us to, we may need to collect and process your data.
For example, we can pass on details of people involved in fraud or other criminal activity affecting our company to law enforcement.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
For example, we will use your purchase history to send you, or make available, personalised offers. Consent for direct marketing will be requested explicitly and separately from all other forms of consent.
Security of Data
We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
We secure access to all our websites using HTTPS (SSL/TLS encryption).
When a device connects to our network from ‘outside’ our network, the connection is secured via a Virtual Private Network (VPN), also encrypted using SSL. For example, a salesman carrying their laptop when visiting a client may use ‘somebody else’s’ Wi-Fi, and would therefore need a secure connection to our network to access, say, their emails or files, potentially containing your personal data. We want to ensure they are only allowed access through a specific route, using their own password-protected login, under the security measures ‘we’ manage, as opposed to those of the ‘owner’ of the Wi-Fi network our salesman was using (for instance, a coffee shop).
Access to your personal data is password-protected and employees have user-access controls assigned to them. An ‘Internal Processor Agreement’ has been agreed to by all staff processing personal data, outlining their responsibilities, expectations and any actions that may result from a breach.
We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.
We use firewalls, enterprise-level anti-virus and anti-malware software, and enterprise-level backup utilities throughout the entire organisation. Backup images, business-critical data and special category data are encrypted (AES-256) on site, including before any form of transfer if and where required. Royde and Tucker Ltd. is the sole holder of any data encryption keys we may apply.
Last, but certainly not least… PEOPLE! We do our best to keep staff trained and up to date on the most current forms of cyber-threat and on regulation affecting the privacy/security of businesses/individuals, and on how to apply best practice; we continually make efforts to become more capable of scrutinising dubious/harmful incoming communications throughout the organisation and to develop a culture of ‘privacy by design’.
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. A file is kept internally which audits all forms of data in the company; retention dates are applied per data type within it, along with detailed instructions on who has access, at what privilege level, the method of retrieval and disposal of the data, what form the data is held in, where it is located, etc. This is a highly confidential document and is only for authorised employees/directors.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
If you would like more information about the retention periods for specific data types, please contact our data protection lead via email: DP-Lead@pocketdoorkit.co.uk
Who do we share your data with?
We sometimes need to share your personal data with trusted third parties.
For example, our Website Development Company, Couriers Making Deliveries, IT Remote Backup Company, Auto-Mailing Company, Ebay and Paypal all provide services which enable us to do business.
Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:
· We provide only the information they need to perform their specific services.
· They may only use your data for the exact purposes we specify in our contract with them.
· We work closely with them to ensure that your privacy is respected and protected at all times.
· If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
· Agreements are in place with all of our Data Processors, to ensure that privacy of personal data ‘processed’ on our behalf, is lawfully held and managed.
Below is a short description of the Data Processors we engage:
MailChimp – Auto-Mailer. We sometimes use a third-party provider, MailChimp, to deliver emails to our mailing list. We gather statistics around email opening and clicks using industry-standard technologies to help us monitor and improve our service. For more information, please see https://mailchimp.com/legal/privacy/
You can unsubscribe from these general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our data protection lead: DP-Lead@pocketdoorkit.co.uk
Southmedia Ltd. – Website Development and Hosting. We use a third party, Southmedia Ltd., to develop and manage our website(s).
The data is hosted on a server managed by a Sub-Processor, OVH Ltd.
The information gathered via the website(s) is covered in this privacy notice and is secured through sufficient means (detailed in our formal agreement with Southmedia Ltd.). Southmedia Ltd. have taken the required actions in order to comply with our requirements and those of the GDPR, and we are satisfied with the information they have supplied relating to the services they provide in the processing of ‘Contact Form Submission Data’ acquired via our websites. OVH Ltd. is a Sub-Processor under agreement with Southmedia Ltd. Southmedia Ltd. is under an ‘External Processor Agreement’ with us to formally capture the relationship of Data Controller, Data Processor and Sub-Processor under GDPR. http://www.southmedia.co.uk/legal/ | https://www.ovh.co.uk/personal-data-protection/
Bridged Networks Ltd. – IT Support and Remote Backup Company
We use a third party, Bridged Networks Ltd., to provide on-site IT support and a ‘remote, off-site backup’ of all our business-critical servers, containing potentially all forms of personal data held. These backups are not of individual files; each server’s files are packaged as a separate ‘image file’ (the individual files contained within can only be revealed upon decryption, for which only we hold the key (AES-256 encryption)). These ‘image files’ are transferred via a secure VPN connection, with encryption applied to the image files before transfer. Bridged Networks Ltd. have taken the required actions in order to comply with our requirements and those of the GDPR, and we are satisfied with the information they have provided relating to the processing of ‘remote backups of business critical machines, in the interest of Business Continuity, Risk Management and Disaster Recovery’. An ‘External Processor Agreement’ is in place to formally capture the relationship of Data Controller and Data Processor under GDPR for Bridged Networks Ltd.
Courier, Freight, Delivery – Delivers goods, on our behalf, to our customers/clients
“Contractual obligation – In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, if you order an item from us for delivery, we’ll collect your shipping address details in order to deliver your purchase, and pass them to our courier.”
We occasionally use eBay and PayPal to take orders of specific types. The data processed is already covered under the Contact Details, Billing and Shipping Details and Addresses section. Any orders that come via eBay are paid via PayPal, and only authorised members of the team access these accounts. Orders are processed directly into our standard system and internal processes; eBay and PayPal merely provide the demand and the means to take payment for these types of orders. We do not hold or store any payment (credit/debit card) details; PayPal is the payment handler that securely processes payment information and is the only method we use to receive payments online. See below the links to the privacy policies for both organisations; we are satisfied with the compliance levels of these organisations:
Sage Payroll enables our Finance and HR team to ensure staff are paid on time and the correct data is provided to HMRC (Government). The software is regularly updated by Sage in order to comply with any legal changes, and has an integration with B and CE People’s Pension. All have been identified as ‘Joint Data Controllers’; an agreement is not required between our organisation and the ‘Joint’ Controllers, but acknowledgement of their responsibility can be found at:
Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).
If you are based outside the UK and place an order with us, we will transfer the personal data that we collect from you from the UK to the appropriate parties required to fulfil the contract (e.g. couriers, customs agency) in the relevant country.
Protecting your data outside the EEA
The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA such as Australia or the USA.
For example, this might be required in order to fulfil your order, process your payment details or provide support services.
If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you would like any more information about these contracts please contact our Data Protection Officer.
Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.
Access to your personal information
In respect of the personal information that we hold on you, you are entitled to be informed, to view it, to amend it, to take/move it, to object to or restrict its processing, not to be subject to automated profiling and decision making, and to have it deleted (‘be forgotten’), unless there is a legal basis that prevents this.
If you would like to make an enquiry regarding personal data, please email our team directly with your request, making sure to include your:
– Full name
– Relation to the company (see Data Subject Types)
– Your request
Under the GDPR we are obliged to respond to a Data Subject Access Request (DSAR) within one month. We will do our best to respond to most requests within 72 hours; however, there may be cases where a more thorough request requires more time to gather all the information and personal data.
Your personal privacy is very important to us. We hope we have been able to provide as much information as you may require, but please do not hesitate to contact our Data Protection Lead should you wish to seek more information. We are committed to complying with both the GDPR and the UK Data Protection Bill to the best of our ability, going further than just the letter of the law.
We are ISO 9001:2015 Certified for Quality Management.
We are registered with the ICO as a Data Controller (Ref: ZA342957).