Privacy Policy


The purpose of this statement is to set out how we use the personal information we may obtain from and about you. By registering as a user of the services provided by the Company and using the Company’s website generally, you agree to this use.  We will comply with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) in relation to your data.  In this policy, you will find information about what types of data we hold about you, how and why we collect it, how we use it, and how we keep it secure.  This policy also outlines your rights and how you can exercise them, and how the law protects you.  This policy should be read carefully and in conjunction with our Terms and Conditions and our Cookie Policy, both of which can be found on the Company’s website or in hard format via written request to the Company’s registered office address.



How we obtain your information

We will never buy or sell your data.  We obtain your data through a variety of means, predominantly from you directly, either via written correspondence, web entries, face-to-face or by means of email or telephone contact.  Certain data may be supplied to us by other customers, for example if we are asked to ship an item to a third-party address.



What information we hold

When you register and use this site you will be asked to provide certain information such as your contact details. We will use this data to fulfil our agreement with you.  The data and information we hold and process about you consists of the following, if applicable:



    • Your name and contact details

    • Your account information, including your username, password and preferences, if you have registered.  This applies to each membership and account you have registered for with us.

    • Your address book entries, including any shipping or billing address you provide.

    • Your historic orders and current shopping basket together with your payment information and payment history, including any returns.

    • Any correspondence between you and the Company in any format.


What we do with your information and our legal basis for processing

We may use information that you provide or that is obtained by us, and may share this information with our third-party service partners:



    • To register you with our website and to administer our website service.

    • For assessment and analysis, e.g. market, customer and product analysis to enable us to review, develop and improve the services which we offer and to enable us to provide you and other customers with relevant information through our marketing programme. You may change your consent by adjusting the appropriate setting or informing us through our contact details in this policy.

    • To record your attendance of and interest in openings, exhibitions, trade fairs and other related events.

    • To provide shipping, packaging and delivery services.

    • For invoicing purposes – to invoice you in accordance with the goods and / or services rendered.

    • To report any potential insurance claims – these may include special categories of personal data; to discharge our legal obligations or to process and/or defend a claim.

    • For the supply of goods and services; to collect payments due from you and to make payments due to you.

    • We may also share information with relevant third parties in order to undertake credit checks to minimise our exposure to default, prevent fraud, and to comply with our legal obligations.


If we process any ‘special categories’ of personal data (for example any information relating to your health, religious beliefs, sexual orientation, etc), we will usually rely on receiving your specific consent at the time, unless there is otherwise a legal requirement for us to process such information.



Where your data is held

The Company has in place appropriate security measures which ensure that hard copy personal data is kept in lockable storage and filing areas with controlled access.  These measures include:



    • Keeping all personal data in lockable storage with either key and/or number-lock-controlled access.

    • Storing and password-protecting all personal data held electronically on a server accessible only by relevant and pre-approved Company employees.

    • Placing any PCs or terminals, CCTV camera screens etc. that show personal data in a secure location, so that they are not visible except to authorised staff.

    • Ensuring that PC screens are not left unattended without a password-protected lock screen being used.


We endeavour to take all reasonable steps to protect your personal information. However, we cannot guarantee the security of any data you disclose online.  Due to the inherent security risks of providing information and dealing online, you will not hold us responsible for any breach of security unless due to our negligence or wilful default.



Please be aware that our website may link to other websites which may be viewed through our website. We are not responsible for the data policies or procedures and content of these linked websites.



How long we hold your data, and how it can be deleted

In addition, the Company has put in place appropriate measures for the deletion of personal data where it is held by the Company; manual records will be shredded or disposed of as ‘confidential waste’ and appropriate contract terms have been put in place with any third parties undertaking this work. Hard drives of redundant PCs will be wiped clean before disposal or if that is not possible, destroyed physically. A log will be kept of the records destroyed.  This information will be held by the Company for as long as we both are parties to a contract or transaction, or until such a time as you withdraw your consent for us to hold it.  Accounting information will be retained for the suggested time period as recommended by government legislation following the termination of the contract or transaction for record-keeping purposes in relation to tax.



Children

If you have reason to believe that a child under the age of 16 has provided personal information to the Company, please contact us and we will delete that information from our databases.

 

Security systems

As part of our security services within common areas and external perimeters at a number of our sites, we and/or our service partner may collect personal images through CCTV or through ANPR technology (Automatic Number Plate Recognition), and signs will be displayed notifying you of these arrangements.  This live feed and stored footage can only be viewed by appropriate Company employees and may be shared with essential third parties with legitimate cause (for example, police or insurers in the instance of crime or injury).

 

Stored footage may be shared with any individual depicted in such footage, by request.  We will only share footage with relevant individuals if theirs is the sole image depicted.  Any request to view footage should be made in writing to the Company at their registered address.  Each request will be responded to in writing within 30 days of receipt.

 

The Company has retention policies which govern how long this information should be kept, generally for no longer than 30 days unless an incident has been logged.  Any data stored in relation to any logged incident is held for as long as is required to perform these functions.

Access control and visitor management

The Company may provide an access control system that allows secure entry to a relevant building or property, and/or details of visitors to the premises. We deliver these services in order to prevent and identify crime. These systems hold personal data – typically an individual’s name and access data as they enter various parts of the building or property in question.



To ensure compliance with data protection laws, the Company will review personal data within any access control and visitor systems, and any historic personal data will be permanently deleted at appropriate intervals.   If you require any accounts to be subject to alternative treatment please provide written instructions to the Company at their registered address.



Where we process your data

We and our third-party service providers normally store and process your data in the United Kingdom. However, we and third-party service providers may from time to time store and process your data elsewhere, including outside the European Economic Area. This may be because our contractor or supplier who carries out any order fulfilment or payment processing, for instance, may be based elsewhere.



If your data is to be stored or processed outside the European Economic Area, we will comply with, and take all reasonable steps to ensure our contractors and suppliers comply with, the rules under the Data Protection Act 1998 and General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for processing personal data outside the European Economic Area.



What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.



Your rights


    • Access to your data
      You can see most of your data through your account web pages when logged in on our website. You are entitled to a copy of all personal data we hold about you. If you would like to exercise this right, please contact the Company in writing at its registered office address.

    • Your right to stop marketing messages
      If we are sending you marketing literature (including paper-based and electronic messages), you have the right to ask us to stop doing this. Please contact the Company in writing at its registered office address.

    • Your right to alter or erase data
      You are entitled to ask us to alter or erase your personal data, by contacting the Company in writing at its registered office address.  We will respond to any written request within one month of receipt. If this withdrawal means we are not able to provide a service to you, we will advise of this at the time of withdrawal.


You can also lodge a complaint with the Information Commissioner’s Office.


Where the Company is the Data Controller in respect of personal data processing, our details are as follows:


 

CCA Galleries Ltd (company number 02710748) whose registered office is at Estate Management Office, Greenhills Estate, Tilford Road, Tilford, Surrey, GU10 2DZ
The Company is registered with the Information Commissioner’s Office.



This policy was last updated in May 2018.