GDPR (General Data Protection Regulation)

This page forms part of our terms and conditions, as well as our privacy policy. It explains how we comply with our obligations in terms of the General Data Protection Regulation and how users and buyers on our website can enforce their rights to deletion of personal data. It also sets out the measures we take to protect personal, private and sensitive information, and the circumstances under which we collect such data.

At the outset, we confirm that we request only the minimum amount of data required for us to process a purchase on our website. This includes your name, email address, telephone number and delivery address. In the course of shopping with us, our website also collects your IP address (the address of your computer, so to speak) and mobile device identifiers.

Data which we do not require are things like occupation, job title, remuneration, ethnicity, religious affiliation, political opinions or other personal information of that nature. Additionally, we do not collect or require collection of any genetic, physiological, biometric, health or sexual data, so we will never have any such data in our possession or under our control.

GDPR now protects all of the abovementioned data, and users or buyers are entitled to have such data protected. Sensitive personal data is also protected, which has broadened the scope of data required to be protected.

Personal Data is defined as any information relating to an identified or identifiable natural person.

Sensitive personal data is now defined as data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Our system uses encryption in respect of any data entered during the purchasing process but in order to ensure the fullest possible compliance with GDPR, we encourage users and buyers to request that their personal data be deleted if they so wish. This can be done by sending an email to compliance@whiteboardshop.co.uk.

In line with GDPR, processing of personal data is only lawful if:

  • it has the consent of the subject (consent to this portion of our terms and conditions is obtained but you can always elect to have your data deleted where it is protected data)
  • it is necessary for the performance of a contract (this applies to our website insofar as we need your name, email, telephone number and address to fulfill your purchase)
  • it is necessary for compliance with a legal obligation (this applies to our website insofar as data is needed to comply with tax, legal and accounting legislation)
  • it is necessary to protect the vital interests of a subject (this does not apply to our website)
  • it is necessary to perform a task in the public interest or in the exercise of official authority (this does not apply to our website)
  • it is necessary for the purposes of legitimate interests (this does not apply to our website)

We do not process or require any “sensitive personal data” so obligations relating to that do not arise.

As required, we have undertaken a review of all data collected to date, and have deleted any personal data and identifying data of any nature.

We have also reviewed the manner in which we require and process any personal data. Consent is required and obtained and, additionally, subjects are given an option once the purchase has been completed to delete their user details from our system. This will delete the customer email address, telephone number and IP address. The only information about the customer that then remains on our system is the customer name and address, which are encrypted but which we retain for accounting purposes to record the transaction. This information will never be released to any third party. We believe that this information is necessary, is the bare minimum needed to retain a record of transactions, and does not impact on any individual’s rights.

Only limited executive staff and senior sales administrators have access to any personal data. These staff are all aware of, and contractually bound to, confidentiality in respect of subject identifiers and personal data. As such, technical measures (the encryption of data) and organizational measures (staff training and contractual obligations) are securely in place.