Registered office: Stevens(Scotland)Ltd Denburn Way, Brechin Angus DD9 7DW Company registration number: SC066731
“You” and “your” means you, as an individual, as a data-subject. “We”, “us” and “our” mean Stevens(Scotland) Ltd, or any of the brands/websites it operates:
1) Stevens(Scotland) Ltd. – www.stevensscotland.co.uk
2) Chris Craft Window Blinds – www.chriscraft.co.uk
3) Luxury Blinds Direct – www.luxuryblindsdirect.co.uk
We have categorised the types of ‘Data Subjects’ we collect data from. This will make it easier for you to identify what category(s) you would fall under and the types of data that may be held on you. The following is a list of ‘Data Subjects’ that we may process data on:
Customer – Customers of our B2C or B2B business activities.
Prospect – A potential customer or client qualified on the basis of their buying authority, financial capacity, and willingness to buy. Sometimes referred to as a ‘sales lead’.
Website Visitor/Visitor – A visitor to any of our websites, who accesses via any internet enabled device.
Supplier – A party that supplies goods or services. A supplier may be distinguished from a contractor or subcontractor, who commonly adds specialised input to deliverables. Also called ‘vendor’.
Employee – Works under a ‘contract of service’ or ‘Employment Contract’ and not contracted ‘for service’. All employees are workers, but an employee has extra employment rights and responsibilities that do not apply to workers who aren’t employees.
Temporary Worker – An agency/temporary worker is an individual typically supplied by an employment business to work under our direction and supervision.
Worker – Works under a contract ‘for services’ or any other contract, whether express or implied, whereby the individual undertakes to do or perform personally any work or services for the ‘employer organisation’ of the contract – not an ‘employee’.
Contractor – An independent individual who works for the organisation under a contract ‘for services’, whereas an employee works under a contract of service. Typically associated with self-employed workers. Contractors working on site are required to sign the visitor book and fill out a short form relating to their visit.
Sub-Contractor – A subcontractor is a person/party who is hired by us (or the main contractor) to perform a specific task as part of the overall project objective and is normally paid for services provided to the project by the originating general contractor; applying in the context of the organisation acting as either a contractor or supplier.
Visitor – Individuals or groups that may have no formal linkage to the organisation but are formally ‘signed in’ upon arrival. The term is also sometimes used for Website Visitor.
Policy Holder – Policyholder for a wide range of potential products or services, for example pension schemes.
Volunteer – Individuals or groups that provide products or services where they are neither classed as employees nor on contract and are not part of the organisation’s HR/Payroll system. This includes individuals carrying out ‘Work Experience’.
Professional/Expert – A person engaged in conjunction with a specific, limited-term project requiring professional knowledge, skills or technical expertise (for example, a lawyer, health advisor, pension provider or accountant).
Next of Kin/Emergency Contact – Employee/Worker’s preferred contact in the event of an emergency.
Leaver – An individual who worked for the organisation as an Employee or Worker, whose employment was terminated voluntarily or involuntarily.
Employee Benefit Providers – Providers of Employee Benefit Schemes, for example a Child Care Voucher Scheme or Cycle to Work Scheme.
Other – This is a catch-all definition for personal data that may get collected as part of any business process and that doesn’t fit in any previous category.
This section aims to outline the data we collect, how it may be used and how/when we destroy personal data records and when/how we may have obtained it.
When you visit our headquarters, you will be asked to sign in the Visitor Book. We collect the following data:
a) your name;
b) company.
The information may be used in the event of an incident, e.g. an accident, break-in, fire or car accident. The information is collected to ensure the safety of visitors and any persons on site (including Contractors who are working under the duty of care of Stevens(Scotland) Ltd).
Unless a legal basis for retention is identified (e.g. an ongoing police investigation relating to a visitor), the record is securely destroyed annually by shredding.
When someone visits www.stevensscotland.co.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site or the times of day when visitors are browsing – this enables us to make decisions on how best to improve website functionality/efficiency and ultimately, the experience of the visitor. This information is only processed in a way which does not identify anyone; aggregate statistical information is used in any decision making.
If a visitor uses the ‘Contact Us’ process, personal data is required to make a submission:
When you submit the ‘Contact Form’, the following data is captured:
a) your name (required);
b) your email (required);
c) your company (optional); and
d) your message.
This information is stored encrypted within our website(s) database, and the submitted data is immediately sent to our Sales Team via email. That is the only record of this data, and it is needed to enable us to respond to genuine enquiries made via our website(s). Our emails are hosted and stored in-house and are protected under the measures and controls of our IT Infrastructure and internal policies, which are described further in this notice. We keep our contact form enquiry emails organised and protected by authorised access only, with the ability to retrieve or delete them at any given time. Any further contact would categorise the website visitor as another type of ‘Data Subject’, who would then fall under the relevant processes/measures applicable to that individual’s new ‘Data Subject’ type.
As part of our general business operations, personal data is required to confirm orders with Stevens(Scotland)Ltd, and we also require personal information of our suppliers when we confirm purchases with them. Stevens(Scotland)Ltd will require the following information to confirm orders with our suppliers or with our customers/clients:
a) your name;
b) your email;
c) your telephone number;
d) billing address details;
e) shipping address details;
f) remittance details (if a supplier, customer, contractor or sub-contractor);
g) credit card details (if payment from a Customer is taken via credit card, the details are entered directly into the card machine by authorised staff whilst the card-holder is on the phone or present in person, to avoid writing them down; no credit card details are entered into our business systems; any card numbers that are written down must be authorised by a Manager or higher and are under strict policy to be destroyed instantly via a purposed shredder).
This information is a standard requirement to confirm business activity in the form of ‘Orders’, whether purchases or sales. The information is recorded under a lawful basis to allow for confirmation of the order, delivery of goods, payment of invoices and ultimately adherence to the business ‘Sales or Purchasing Contract’ commitment established when confirming an ‘Order’ in either direction. This information is logged in our core business system and is attached to the record relevant to the data subject, e.g. Supplier, Customer, Client, Prospect etc.
Access to the in-house core business system is controlled via ‘User Permissions’; the authorised employees processing the data will only process the data to fulfil their responsibility and are aware of their obligations under the GDPR and our code of conduct.
If you are somebody who has worked for us (currently or previously), be it as a staff member, worker or contractor, then it is likely that we have collected or will collect information about you. If you have applied to work for us, then it is also likely that we have collected or will collect information about you. The information relating to these internal ‘Data Subjects’ is controlled by our HR Department. Much of this information is a legal requirement and retention laws may apply. Information regarding these Data Subjects is summarised in this policy – for more information on this kind of data, please send your enquiries to:
HR Manager – firstname.lastname@example.org
The following lists the types of data that may be collected for any of the ‘data subjects’ listed in this section, commonly referred to as ‘Internal Data Subjects’ – for more information, it is best to contact us directly and we will be happy to help:
a) your name;
b) your personal email;
c) your telephone number;
d) address details;
e) photo;
f) bank details;
g) date of birth;
h) gender;
i) emergency contact details (basic contact details only, i.e. name, address, telephone);
j) recruitment records, i.e. Job Application, CV, Interview Notes, References, Proof of Right to Work in the UK, Qualification Certificates, Background Check Documentation, Copy of ID, Job Offer Letters, Pay and Bonus Letters, Employment Terms (and changes to), Salary, Pensions, Tax Codes, NI Numbers;
k) recruitment records of special categories, i.e. criminal convictions and offence record checks and health checks (where required);
l) medical information;
m) Disciplinary, Grievance and Capability Records;
n) Appraisal forms, performance reviews and ratings, targets and objectives;
o) Annual Leave and Sickness Records including Doctor Letters;
p) Annual Leave and Sickness Records for Special Categories – Medical Reports, Medical Conditions;
q) Psychometric Assessment Data.
a) your name;
b) your personal email;
c) your telephone number;
d) address details.
a) your name;
b) your personal email;
c) your telephone number;
d) address details;
e) photo;
f) recruitment records, i.e. Job Application, CV, Interview Notes, References, Proof of Right to Work in the UK, Qualification Certificates, Background Check Documentation, Copy of ID, Job Offer Letters;
g) Psychometric Assessment Data.
All the information regarding ‘Internal’ Data Subjects is held lawfully and securely. Processing of Special Category Data is not performed by Stevens(Scotland)Ltd. or any Data Processor without a documented legal obligation to do so, consent having been provided and a documented impact assessment having taken place; a record of processing activities is logged whenever this kind of ‘Special Category Data’ is processed. This information is only accessible to authorised users (HR or Directors only) and is secured both physically and digitally, with Special Category Data being secured with ‘extra safeguards’ and protection as per the GDPR requirement. Personal Data is sometimes shared with third parties such as HMRC, employee benefit providers (e.g. a Childcare Scheme), pension and life insurance providers, and may be processed by professionals/experts we employ for specific works, e.g. Accountants or Health Advisors carrying out Occupational Health Assessments. More information on the security of data can be found further on this page.
a) your name;
b) your personal email;
c) your telephone number;
d) address details;
e) photo;
f) remittance details (if a supplier, contractor or sub-contractor);
g) shipping address details.
For more general information on cookies see the:
On occasion, we may gather information about your computer for our services and to provide statistical information regarding the use of our Website(s).
Such information will not identify you personally; it is statistical data about our visitors and their use of our site. This statistical data does not identify any personal details whatsoever. It is used by us to analyse how visitors interact with our Website(s) so that we can continue to develop and improve them.
We may gather information about your general Internet use by using a cookie file that is downloaded to your computer.
Where used, these cookies are downloaded to your computer automatically. The cookie file is stored on your computer’s hard drive and contains information that is transferred to it. Cookies help us to improve our Website(s) and the service that we provide to you.
All computers have the ability to decline cookies. This can be done by activating the setting in your browser which enables you to decline cookies. Please note that should you choose to decline cookies, you may be unable to access particular areas of our Website(s).
The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:
In specific situations, we can collect and process your data with your consent.
For example, when you tick a box (Opt-In) to receive communications in relation to a specific service. When requesting consent to keep or record your personal data, we’ll make clear to you which data is necessary in connection with a particular service.
In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, if you order an item from us for delivery, we’ll collect your shipping address details to deliver your purchase and pass them to our courier(s).
If the law requires us to, we may need to collect and process your data.
For example, we can pass on details of people involved in fraud or other criminal activity affecting our company to law enforcement.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
For example, we will use your purchase history to send you or make available personalised offers. Consent for direct marketing will be requested explicitly and separately from all other forms of consent.
We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
We secure access to all our websites using ‘https’ over SSL technology.
We secure connections from devices connecting to our network from ‘outside’ our network via a Virtual Private Network (VPN), also encrypted by SSL. For example, a salesman will carry their laptop when visiting a client and may use ‘somebody else’s’ WIFI; they would therefore need a secure connection to our network to access, say, their emails or files, which potentially contain your personal data. We want to ensure they are only allowed access through a specific route, using their own password-protected login, under the security measures ‘we’ manage, as opposed to those of the ‘owner’ of the WIFI network our salesman was using (for instance, a coffee shop).
Access to your personal data is password-protected; employees have user-access controls assigned to them, and our GDPR Data Protection Policy has been agreed to by all staff processing personal data, outlining their responsibilities, expectations and any actions that may result from a breach.
We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.
We use firewalls, enterprise-level anti-virus and anti-malware, and enterprise-level back-up utilities throughout the entire organisation. Backup images, business-critical data and special category data are encrypted (AES-256) on-site, including before any form of transfer if and where required. Stevens(Scotland) Ltd. is the sole holder of any data encryption keys we may apply.
Last, but certainly not least… PEOPLE! We do our best to keep staff trained and up to date on the most current forms of cyber-threats and regulation affecting the privacy/security of businesses/individuals and how to apply best practice; we continually make efforts to become more capable of scrutinising dubious/harmful incoming communications throughout the organisation and to develop a culture of ‘privacy by design’.
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. A file is kept internally which audits all forms of data in the company; retention dates are applied per data type within it, along with detailed instructions on who has access, at what privilege level, the method of retrieval and disposal of the data, in what form the data is held, where it is located etc. This is a highly confidential document and is only for authorised employees/directors.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
If you would like more information about the retention periods for specific data types, please contact our data protection lead via email: DPO@stevensscotland.co.uk
We sometimes need to share your personal data with trusted third parties.
For example, our website development company and the couriers making our deliveries all provide services which enable us to do business.
Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:
· We provide only the information they need to perform their specific services.
· They may only use your data for the exact purposes we specify in our contract with them.
· We work closely with them to ensure that your privacy is respected and protected at all times.
· If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
· Agreements are in place with all of our Data Processors to ensure that personal data ‘processed’ on our behalf is lawfully held and managed.
Below is a short description of the Data Processors we engage:
Vital Hike Ltd. – Website Development and Hosting
We use a third party, Vital Hike Ltd, to develop and manage our website(s). The data is hosted on a server managed by Vital Hike Ltd. The information gathered via the website(s) is covered in this privacy notice and is secured through sufficient means (detailed in our formal agreement with Vital Hike Ltd.). Vital Hike Ltd. have taken the required actions in order to comply with our requirements and those of the GDPR. We are satisfied with the information they have supplied relating to the services they provide in the processing of ‘Contact Form Submission Data’ acquired via our websites. www.vitalhike.co.uk
Credit Agency – Euler Hermes (credit check companies and set credit limits)
Courier, Freight, Delivery – Delivers goods, on our behalf, to our customers/clients
“Contractual obligation – In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, if you order an item from us for delivery, we’ll collect your shipping address details in order to deliver your purchase and pass them to our courier.”
· Tuffnells – https://www.tuffnells.co.uk/privacy-notice
HMRC, Sage, Standard Life, Scottish Widows Pensions, Ferguson Oliver
Sage Payroll enables our Finance and HR team to ensure staff are paid on time and that the correct data is provided to HMRC (Government). The software is regularly updated by Sage in order to comply with any legal changes and has an integration with Pension Enrolment. All have been identified as ‘Joint Data Controllers’ – an agreement is not required between our organisation and the ‘Joint’ Controllers, but acknowledgement of their responsibility can be found at:
Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).
If you are based outside the UK and place an order with us, we will transfer the personal data that we collect from you to the Partnership in the UK.
The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA such as Australia or the USA.
For example, this might be required in order to fulfil your order, process your payment details or provide support services.
If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you would like any more information about these contracts please contact our Data Protection Officer.
Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.
For the personal information that we hold on you, you are entitled to be informed about it, view it, amend it, take/move it, object to or restrict its processing, not be subject to automated profiling and decision-making, and have it deleted (‘be forgotten’), unless there is a legal basis that prevents this.
If you would like to make an enquiry regarding personal data, please email our team directly with your request, making sure to include your:
– Full name
– Relation to the company (see Data Subject Types)
– Your request
Data Protection Lead – DPO@stevensscotland.co.uk
Under the GDPR we are obliged to respond to a Data Subject Access Request (DSAR) within one month. We will do our best to respond to most requests within 72 hours; however, there may be cases where a more thorough response is required, needing more time to gather all the information and personal data.
Your Personal Privacy is very important to us. We hope we have been able to provide as much information as you may require but please do not hesitate to contact our Data Protection Lead, should you wish to seek more information. We are committed to complying with both the GDPR and the UK Data Protection Bill to the best of our ability, going further than just the letter of the law.
We are Registered with the ICO as a Data Controller. Moving forward, we are continually improving our systems to improve the security of the personal data we hold.