Dayes Ltd is a kitchen and housewares supplier. Under GDPR we are a Data Controller. This means we decide how your personal data is processed and for what purposes.
We know that the data is not ours – we are merely custodians of your valuable information.
2 What do we hold data for?
We do not hold any data on Children.
2.1 As a Data Controller:
To manage our employees
For marketing and information promulgation, business to business
For customer services
For managing business relationships in the provision of services (e.g. agreeing service provision, and accounting)
We hold some information classed as special category information under GDPR Article 9. This is health and welfare related and is held to help us discharge our duty of care for employees’ wellbeing whilst employed by us.
3 How do we Process Data?
We comply with our obligations under the GDPR by:
- Ensuring personal data is accurate and correcting inaccuracies discovered or notified to us
- Not collecting excessive amounts of information
- Only retaining information for as long as is necessary, and in accordance with our retention policy
- Providing appropriate protection of data confidentiality against unauthorized access and disclosure through appropriate technical, physical, and procedural measures
4 What is the Legal Basis for Processing Data?
Marketing and information promulgation is to business customers only. We send information by email on the basis of Legitimate Interest. We do not need consent for this, but we ensure people have an easy way to opt out of any communications.
Our employee data is managed on the basis of Legitimate Interest and Contract of Employment. Processing data is required for carrying out responsibilities under Employment Law. We process data on behalf of our clients under that same basis.
5 Transfer Overseas
We do not knowingly transfer personal data overseas (other than to our parent company Nedac Sorbo bv). Our major IT provider, Microsoft has operations within the European Union and claims to be fully GDPR compliant.
6 Data Retention
We have a Data Retention Policy which can be found with our GDPR Policy. Retention periods are typically based around statutory and legal requirements. A small number are based on industry best practice.
7 Sharing your Personal Data
Your personal data is treated confidentially and is not sold. We do not share marketing data.
It may occasionally be necessary for us to share certain information with other providers, to ensure we fulfil our duty of care to staff. This could include, for example, occupational health. In this case, the staff member will be asked for permission to do this and the data shared will be the minimum necessary. We will seek assurance that the third-party provider is GDPR compliant.
Personal data is not retained on our website.
9 Your Rights and Your Personal Data
To make a Subject Access Request, please write to us detailing the information that you seek. Please try to be as specific as possible, because as a small company searches can be expensive. We will charge a reasonable fee based on the administrative cost for searches that we deem to be excessive or unfounded. We will charge a fee for repeat searches, even if the original search was free. Requestors should not assume we have received the request until they have received an acknowledgement.
To make a request for deletion or rectification, please write to us or speak to us, detailing the information that you believe needs correcting, and evidence of why the data we hold is incorrect. We will confirm receipt of the request in writing.