1. OUR BUSINESS

Enormous Art Limited is a company supplying Heritage Giftware and Fine Art Prints to Museums and Historic Houses, and to general customers through our online store. We supply these services directly.

We hold and control data on the people we employ, which we use to facilitate that employment. We also process data from our clients for invoicing and payment collection.

We do not hold large volumes of personal data at any one time. We securely dispose of information as soon as there is no longer a need to retain it. We will not use data for profiling or bulk processing.

All employees of the company are responsible for data protection in their areas of operation.

.

2. GENERAL

This policy and the associated procedures are designed to ensure that Enormous Art fulfils its commitment to respect the privacy of the personal information we handle as both a Controller and Processor and to comply with both the intentions and the detail of the General Data Protection Regulations throughout our business.

.

3. PRINCIPLES

Enormous Art is committed to complying completely with the requirements of the General Data Protection Regulations in all aspects of the work we undertake. Our work practices will be designed to ensure that we only hold such data as is necessary for the execution of our responsibilities to clients and customers; that we use the data only for those purposes and that we protect that data from misuse and illegal access or theft. We will securely destroy or delete personal data once it has ceased to be required. We will ensure that all the people we employ are aware of their obligations.

.

4. DATA STORED

Enormous Art holds the following personal data:

Type of Information Purposes Legal Basis of Processing
Clients Data: name, address, email address, phone numbers, work undertaken by the company, invoicing and payment information, including details of bank accounts to which payments are made. Ensuring orders are fulfilled and managed effectively.

Ensuring clients are paid/charged promptly and appropriately.

The execution of the company’s business.

Fulfilling our contract with clients.

Customer Details: name, email address, delivery address, and phone number. Acquiring and fulfilling contracts of work.

Ensuring customers are charged promptly and appropriately.

The execution of the company’s business.

Fulfilling our contract with customers.

Employee Details: name, address, email address, phone numbers, and payment information, including details of bank accounts to which payments are made. Ensuring employees are paid promptly and appropriately. The execution of the company’s business.

Fulfilling our contract with employees.

.

5. CONSENT

Consent must be obtained for all data Enormous Art acquires as data controller (we will ensure that data we process has been obtained with consent). Consent may be obtained in face-to-face contact, in writing, by email or by telephone.

Consent obtained for one purpose cannot automatically be applied to other purposes. A separate consent will need to be obtained.

When consent is obtained individuals must be reminded that they have a right to withdraw consent at any time.

.

PRIVACY STATEMENT

Any documentation which gathers personal and/or special categories of personal data for Enormous Art should contain the following information:

  • Who we are and the nature of our business.
  • We will share data with clients with whom we are seeking to do business employer the person whose data we have collected.
  • Explain that we will not use data for direct marketing and we will not sell the data to any third party for any reason.
  • We will keep the information for as long as we have a commercial relationship with the individual, after which it will be deleted or disposed of, unless the individual has asked us to delete it before this.
  • That their data will be treated securely.
  • How to opt out.
  • They may inform us if data changes or proves incorrect. We will ensure that any changes are transmitted to anyone with whom we have shared data if it is still in current use.
  • We will not transmit information outside the EU.

.

6. HANDLING AND STORAGE OF PERSONAL DATA

ELECTRONIC DATA

When it is necessary to send personal data by email it will be sent only using a secure system. All electronic personal data must be stored in a password protected storage.

PAPER-BASED DATA

Any paperwork containing personal data should be treated as confidential and kept securely:

  • Documents should not be kept in open view (eg on a desktop) but kept in a file in a drawer or filing cabinet. Storage should be lockable if it can be accessed by non-EA employees.
  • Where sending personal information is absolutely necessary it will be sent by recorded delivery or a similar tracked service.

.

7. TRAINING

It will be the responsibility of any director of the company employing an associate or an employee to process, transmit or store any personal data to ensure that that individual has:

  • Training on the requirements and duties imposed by the GDPR and the implications of these for our dealings with people whose personal data we are processing.
  • Training in the company’s data protection policy and the way in which it is implemented;
  • Training in the use of secure methods of storage acceptable to the company and to clients.

Enormous Art will ensure that anyone handling personal data will have access to appropriate tools to ensure the security of the data.

.

8. ACTIONS ON DISCOVERING A BREACH

Any person working for Enormous Art who becomes aware of a breach or a suspected breach (that is, data transmitted to third parties in contravention of the conditions set out elsewhere in this policy document) should notify the company director immediately.

The director will instigate an investigation into the breach. This should establish:

  • Whether a breach has in fact taken place.
  • The individuals whose data have been affected by the breach.
  • Where the data have been sent to.
  • The extent to which the breach affects the individuals: does it impact on their rights and freedoms, will they incur financial, reputational or confidentiality loss, or other significant losses?
  • If it established that a significant breach has occurred the company will notify the individual and the Information Commissioner’s Office.

.

9. DISPOSAL

All personal data should be disposed of as soon as it is no longer required, or for as long afterwards as it is in Enormous Art’s legitimate interest to do so or for as long as is necessary to comply with our legal obligations.