On 25 May 2018, the General Data Protection Regulation came into force across Europe together with the Data Protection Act 2018 in the United Kingdom. This legislation replaced the former data privacy law and regime, giving more rights to you as an individual and more obligations to organisations holding your personal data.
One of the rights is a right to be informed, which means we have to give you more information than before about the way in which we use, share and store your personal information.
As a result of this new law and the likelihood of changes in practice and precedent over the next few years, this Notice will remain a live document with regular updates to help you access this information, along with information about the increased rights you have in relation to the information we hold on you and the legal basis on which we are using it. Please note that date at the foot of this page which will inform you when this Notice was last amended.
WHO WE ARE
We are Gower Enterprises Limited, a company registered in England and Wales. We trade under the name E-Cigarette Direct. We sell electronic cigarettes, e-liquids and vaping accessories via our website and our retail stores and to our wholesale customers. We are based in Crofty, in South Wales and you can find our contact details here.
We take your privacy seriously and safeguard your personal data to the best of our ability. Please see below for more detail on the personal data we collect, why we collect it and what we do with it.
HOW WE USE YOUR INFORMATION
This privacy notice tells you what to expect when Gower Enterprises trading as E-Cigarette Direct (ECD) collects personal information. It applies to information we collect about:
- Visitors to our website and the Ashtray blog
- Customers who make purchases via our website
- Customers who purchase from our stores
- People who call or email our customer services team
- Surveys and competitions on the Ashtray blog or sent via email
- People who subscribe to our newsletter
- Job applicants and our current and former employees
- Individuals in relation to a data protection enquiry or complaint
VISITORS TO OUR WEBSITE
When someone visits www.ecigarettedirect.co.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Our website search is powered by Magento. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either ECD or any third party.
CUSTOMERS WHO PURCHASE FROM US VIA OUR WEBSITE
When you make a purchase, we need certain information from you in order to fulfil our contract with you. This includes your name and address, telephone number and payment information. We require your telephone number in case we need to get in touch with you about your order or if there are any issues verifying your age as below. We will not pass your personal information on to any third parties for marketing purposes or for any reason not connected with the fulfilment of your contract with us. We will not use your telephone number or email address to market our products to you without your specific consent, and you can withdraw your consent at any time by unsubscribing from emails, emailing [email protected] or calling our Customer Services team.
We also require your email address so we can send you order acknowledgments and updates. Your email address is used to create your customer account. On the first occasion that you purchase from us, we also have a legal obligation to verify that you are over the age of 18.
Age verification is provided by AgeChecked Limited who are a data controller using data already held in their records in order to verify that you as a customer are over the age of 18 or to advise that they are unable to confirm this. We record that a customer’s age has been successfully verified in your customer account so you don’t need to go through the process again on subsequent purchases provided you log in each time. We do not store information other than the result and information given to us as part of the checkout process but AgeChecked Limited may record that a verification has been provided to us. AgeChecked Limited’s privacy information can be found here, including how they manage your personal data when a check is performed. We are advised by AgeChecked Limited that any such check will have no effect on your credit score.
Card payments are processed by Sage Payments and you can find their privacy information here.
Your name and address will be shared with our delivery service providers which include Royal Mail and DPD in order to deliver your purchase. Delivery services act as data controllers in their right and may use any data provided in order to arrange delivery or to provide delivery or tracking information. This would include information such as individual recipients’ names and addresses, email addresses and mobile phone numbers if provided.
Our website development & maintenance is undertaken by FAT Media Limited who act as a data controller on our behalf in order to help us improve our website and functionality. We have entered into an agreement with FAT Media Limited who have undertaken to keep your personal information secure and to comply with all European and UK data protection standards and requirements.
COMPETITIONS ON THE ASHTRAY BLOG
CUSTOMERS WHO PURCHASE FROM OUR STORES
We use closed circuit television (CCTV) images to provide a safe and secure environment for employees and for visitors to our business premises, such as customers, contractors and suppliers, and to protect our property. We record images only. There is no audio recording i.e. conversations are not recorded on CCTV.
The purposes of installing and using CCTV systems include:
- To assist in the prevention or detection of crime or equivalent malpractice.
- To assist in the identification and prosecution of offenders.
- To monitor the security of our business premises.
- To ensure that health and safety rules and Company procedures are being complied with.
- To assist with the identification of unauthorised actions or unsafe working practices that might result in disciplinary proceedings being instituted against employees and to assist in providing relevant evidence.
- To promote productivity and efficiency.
Cameras are located at strategic points throughout our premises, principally at the entrance and exit points. We have positioned the cameras so that they only cover communal or public areas on our premises and they have been sited so that they provide clear images. All cameras are also clearly visible. Appropriate signs are prominently displayed so that employees, clients, customers and other visitors are aware they are entering an area covered by CCTV.
Images may be recorded either in constant real-time (24 hours a day throughout the year), or only at certain times, as the needs of the business dictate. As the recording system records digital images, any CCTV images that are held on the hard drive of a PC or server are deleted and overwritten on a recycling basis and, in any event, are not held for more than one month. Once a hard drive has reached the end of its use, it will be erased prior to disposal.
Images that are stored on, or transferred on to, removable media such as CDs are erased or destroyed once the purpose of the recording is no longer relevant. In normal circumstances, this will be a period of one month. However, where a law enforcement agency is investigating a crime, images may need to be retained for a longer period.
Access to, and disclosure of, images recorded on CCTV is restricted. This ensures that the rights of individuals are retained. Images can only be disclosed in accordance with the purposes for which they were originally collected.
The images that are filmed are recorded centrally and held in a secure location. Access to recorded images is restricted to the operators of the CCTV system and to those managers who are authorised to view them in accordance with the purposes of the system. Viewing of recorded images will take place in a restricted area to which other employees will not have access when viewing is occurring.
When you make a purchase using a payment card, certain information will be processed by our EPOS system, Cybertill, and card payment services providers in order to take payment and complete our contract with you. All card payment information is protected to Payment Card Industry Data Security Standards. We do not retain a copy of this on our systems.
We offer an in-store loyalty card scheme which allows you to earn points from your purchases which can be redeemed against future purchases (subject to terms and conditions). In order for you to join the scheme, we require your name and postcode. We also require your date of birth to confirm you are over the age of 18. By joining the scheme, you consent to us processing this personal data.
If you join the loyalty scheme, your personal information will be held on our electronic till system database. We will process your information for the purpose of running the scheme. From time to time, we may also analyse data collated by the scheme in order to better understand our business and customers. This data will be anonymised where possible before collation.
You may also consent to give us your email address but this is optional. We will ask if you consent to receiving our newsletters but you do not need to agree to this in order to join the loyalty scheme. If you do consent, you can opt out of receiving newsletters at any time by using the “unsubscribe” link provided. You may also leave our loyalty card scheme and request your data to be deleted by contacting [email protected] Please note that we will take reasonable steps to verify your identity before proceeding with your request.
PEOPLE WHO CALL OUR CUSTOMER SERVICES TEAM, CONTACT US VIA SOCIAL MEDIA OR EMAIL US
When you call our customer services team we may record information about your call including your name and telephone number and the reason for calling. If you place an order over the phone for the first time or if you are having difficulties ordering online, we may take information from you for the purpose of carrying an age verification check which we are required to do by law before you can purchase electronic cigarette items from us.
Age verification is provided by AgeChecked Limited who act as a data processor on our behalf. We record the result but not the detailed information in your customer account (unless the information is also required for the purpose of completing your order, e.g. your name and address).
We use a third party provider, Hootsuite, to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations.
We use Transport Layer Security (TLS) to protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
PEOPLE WHO SUBSCRIBE TO OUR NEWSLETTERS
We will only send you emails if you have demonstrated your consent by opting in (by ticking a box or clicking a button in an email). You may unsubscribe at any time by clicking the unsubscribe link in any of our emails.
We use a third party provider, Mailchimp to deliver our monthly e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. We have entered into a data processing agreement with Mailchimp where they have undertaken to comply with the GDPR and data protection legislation. For more information, please see Mailchimp’s privacy notice.
JOB APPLICANTS, CURRENT AND FORMER ECD EMPLOYEES
ECD is the data controller for the information you provide during the recruitment process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at [email protected]
What will we do with the information you provide to us?
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
We use a third party Applicant Tracking System (ATS) provided by People Apps Limited to record and advertise our vacancies and applications. Here is a link to their Privacy Notice. We have a data processing agreement in place with People Apps Limited.
We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Your information will be stored on our ATS and our recruitment team will have access to all of this information. The information on our ATS will be stored at a destination within the European Economic Area (“EEA”).
You may also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide, will be used only to produce and monitor equal opportunities statistics.
Information that you provide on a questionnaire, test or survey may be held temporarily on our Google Drive system before being transferred to our ATS or HR system. We use Google Forms and other services provided by Google Inc as part of the GSuite applications. In this case, your information may be transferred outside of the EEA to the United States. Google Inc. are registered under the EU/US Privacy Shield mechanism and we have entered into a data processing agreement with Google Inc., who undertake to comply with the GDPR using the EU Model Clauses.
Interviews and Assessments
We will ask you to attend telephone and/or face to face interviews to order to assess your suitability for the role. We might also ask you to participate in assessment days; complete tests and/or occupational personality profile questionnaires – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by ECD.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise. After six months, we would contact you to find out if you would like us to continue to keep your details in our talent pool. If not, or if we do not get a reply from you, your details will be deleted.
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff and their right to work in the United Kingdom. We will also seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
- We will contact your referees, using the details you provide in your application, directly to obtain references.
- We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work and whether you require any reasonable adjustments to assist in your work.
If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- Details of other personal information required to comply with our legal requirements, e.g. your national insurance number, date of birth and marital status which we are required to submit to HMRC as part of our payroll process
- Emergency contact details – so we know who to contact in case you have an emergency at work
- Proof of your right to work in the UK, for example we may ask to see and take a copy of your passport.
Use of data processors
Data processors are third parties who provide elements of our recruitment and human resources service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Vacancies and applications
Job board websites
Our vacancies are advertised on the following websites (as well as our own website). If you create a job seeker account and or apply for a vacancy via one of these websites, they will be the data controller in respect of any information you input into their website (including your name, address, work history and so on). Please read their privacy notices as to how they will store and use your data:
Indeed Ireland Operations Limited
A company based in Ireland as part of a US and international group of companies: https://www.indeed.co.uk/legal#privacy
A US based company who are signed up to the EU/US Privacy Shield: https://www.indeed.co.uk/legal#privacy
Reed Online Limited:
A UK company as part of an international group of companies: https://www.reed.co.uk/policies#privacyPolicy
For certain vacancies, we sometimes use the services of a recruitment agency to advertise the role, review applications and carry out assessments including questionnaires and telephone and/or video interviews. Use of a recruitment agency in any relation to any vacancy will always be made clear.
Information collected by a recruitment agency will be retained for 12 months following the end of our agreement.
Working for us
If you accept an offer of employment from us, your personnel records will be held on PeopleHR which is an internally used HR records system. You will be given your own log in to this system which will allow you to view the majority of the information we hold about you. You will also be able to amend certain information if it is incorrect or becomes out of date (for example if you move house).
When you start working for us, if you meet the auto-enrolment criteria, we are legally obliged to enrol you into our Workplace Pension Scheme. You will subsequently have the right to opt-out of the scheme if you wish.
In order to meet our obligations, your details will be provided to Smart Pension an auto-enrolment platform who provide our Workplace Pension Scheme. If Smart Pension confirm you are eligible or if you are not eligible but are entitled to join the scheme and have opted to do so, you will be auto-enrolled into the pension scheme. Details provided to Smart Pension will be your name, date of birth, National Insurance number and salary.
Once you join us, you will be given a copy of our Employee Privacy Notice which will set out more information about the personal data process and why.
How long is the information retained for?
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references. We will usually retain information about your name, job title and the dates that you were employed by us for a longer period of time but please refer to our Data Retention Policy for more information.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.
How we make decisions about recruitment?
Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.
You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing [email protected]
YOUR RIGHTS AS A DATA SUBJECT
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: in the event that refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.6 below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
If you need any more information or guidance about your rights, you can find this here on the ICO’s website: https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
ACCESS TO PERSONAL INFORMATION
We try to be as open as we can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell you who it could be disclosed to; and
- Let you have a copy of the information in an intelligible form.
To make a request for any personal information we may hold about you, you need to put the request in writing addressing it to our Information Governance department, or writing to the address provided below. Before complying your request, we will need to confirm your identity as far as reasonably possible. For example, we may ask you to confirm details so we can check it against the data we hold.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Information Governance department.
COMPLAINTS OR QUERIES
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of ECD’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information or if we have not been able to assist with your queries, you can contact the Information Commissioner’s Office which is the statutory body which oversees data protection law – www.ico.org.uk/concerns.
LINKS TO OTHER WEBSITES
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
CHANGES TO THIS PRIVACY NOTICE
We keep our privacy notice under regular review. This privacy notice was last updated on 15th August 2019.
HOW TO CONTACT US
Data Protection Team
Gower Enterprises Limited
Unit 23a Crofty Industrial Estate