We are SANDBAG LIMITED with registered number 04382666 and address 50 Milford Road RG1 8LJ. Our Data Protection Lead can be contacted at email@example.com. We have produced this privacy notice in order to keep you informed of how we handle your personal data. All handling of your personal data is done in compliance with the General Data Protection Regulation (EU) 2016/679 (“Data Protection Legislation”). The terms “Personal Data”, “Special Categories of Personal Data”, “Personal Data Breach”, “Data Protection Officer”, “Data Controller”, “Data Processor”, “Data Subject” and “process” (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation. “Data Protection Lead” is the title given to the member of staff leading our data protection compliance programme in lieu of a requirement for a Data Protection Officer.
What are your rights?
When reading this notice, it might be helpful to understand that your rights arising under Data Protection Legislation include:
The right to be informed of how your Personal Data is used (through this notice);
The right to access any personal data held about you;
The right to withdraw consent at any time, by opting-out using the options present in communications;
The right to rectify any inaccurate or incomplete personal data held about you;
The right to erasure where it cannot be justified that the information held satisfies any of the criteria outlined in this policy;
The right to prevent processing for direct marketing purposes, scientific/historical research or in any such way that is likely to cause substantial damage to you or another, including through profile building; and
The right to object to processing that results in decisions being made about you by automated processes and prevent those decisions being enacted.
You can exercise your right to access personal data held about you by logging in to your account on the store where you made your purchase. You can also gain access to your personal data by emailing firstname.lastname@example.org with the subject line: “Subject Access Request”. When you submit a ‘subject access request’, you will need to provide confirmation of your identity by contacting us using the email address associated with your profile or attaching a photocopy of your driver's license or passport. This is provided free of charge and our response will be made within thirty (30) days unless our Data Protection Lead deems your request as being excessive or unfounded. If this is the case, we will inform you of our reasonable administration costs in advance and/or any associated delays, giving you the opportunity to choose whether you would like to pursue your request. If you believe we have made a mistake in evaluating your request, please see the section ‘Who can you complain to?’.
If you have questions about any of the rights mentioned in this section, please contact our Data Protection Lead at email@example.com.
WHO IS THE DATA CONTROLLER?
If your data has been passed to us by a third party for processing under their instruction, that third party is the Data Controller. They should have notified you that they would be passing your personal data to us, SANDBAG LIMITED, at the time they collected your data and within their own privacy notices/standards. On some of the websites we manage, we collect your data on behalf of a Data Controller to add you to a mailing list or forum. For a list of Data Controllers that we process personal data for, the section below ‘Third Party Interests’.
Where we collect your personal data for fulfilling purchases from one of our stores, we are the Data Controller.
If we have received your personal data as part of a direct administrative relationship between our business and yours, we are the Data Controller.
WHAT ARE THE LAWFUL BASES FOR PROCESSING PERSONAL DATA?
Under Data Protection Legislation, there must be a ‘lawful basis’ for the use of personal data. The lawful bases are outlined in Article 6, Section 1 of the GDPR. They are sub-sections:
'performance of a contract';
'compliance with a legal obligation';
'protection of your, or another’s vital interests';
‘public interest/official authority’; and
'our legitimate interests'.
WHAT ARE SANDBAG LIMITED’S ‘LEGITIMATE INTERESTS’?
Legitimate interests are a flexible basis upon which the law permits the processing of an individual’s personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Lead. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest. If you would like to find out more about our legitimate interests, please contact Dataprotection@sandbaguk.com.
ABOUT OUR PROCESSING OF YOUR DATA
We might collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:
Identity Data such as names, usernames or similar; marital status; title; date of birth; sex and gender.
Contact Data such as addresses; email addresses and telephone numbers.
Financial Data such as bank account and payment card information.
Transaction Data such as information about payments and details of purchases you have made.
Technical Data such as IP addresses; login data; browser info; time zone; location; browser plug-ins; operating systems; platforms and other technology on the device used to access this website.
Profile Data such as usernames; passwords; security answers; purchases/orders; interests; preferences; feedback and responses to surveys, blogs and messages.
Usage Data such as analytics relating to how you use the website.
Marketing and Communications Data such as your preferences about receiving communications from us or third parties.
Special Categories of Data such as details about race or ethnic origins, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic or biometric data.
We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data can be derived from your Personal Data but is not itself Personal Data as it cannot be used to reveal your identity. If Aggregated Data is ever used in combination with your Personal Data and becomes identifiable, it will be treated in accordance with this notice.