Privacy Policy

---

It is noted that the General Data Protection Regulation came into force in May 2018, but that transitional arrangements apply to existing data users such as the Company. It is the company’s policy to review any changes which may be required by the Regulation and to phase them in as appropriate. This policy will be reviewed at least annually.

The Data Controller for the company is Matthew Flude

The General Data Protection Regulation controls how personal information is used by organisations, businesses or the government.

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is responsible for enforcement of the regulation. Engraved4you is a registered member of the ICO.

Engraved4you is responsible for using data and has to follow strict rules called ‘data protection principles’. Engraved4you will ensure the information is:

•  Used fairly and lawfully
• Used for limited, specifically stated purposes
•  Used in a way that is adequate, relevant and not excessive
•  Accurate
•  Kept for no longer than is absolutely necessary
•  Handled according to people’s data protection rights
•  Kept safe and secure
• Not transferred outside the UK without adequate protection

When information can be withheld

There are some situations when organisations are allowed to withhold information, e.g. if the information is about:

• the prevention, detection or investigation of a crime
•  national security or the armed forces
•  the assessment or collection of tax
•  judicial or ministerial appointments

An organisation doesn’t have to say why they are withholding information.

General Data Protection Regulation applies only to information which falls within the definition of ‘personal data’.

Personal data means data which relate to a living individual who can be identified –

•  from that data, or
•  from that data and other information which is in the possession of, or is likely to come into the
• possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The General Data Protection Regulation is therefore concerned with four types of data which can be broadly referred to as:

•  electronic data;
•  data forming part of a relevant filing system;
•  data forming part of an accessible record

Version 1

Created: March 2025

•  data recorded by a public authority.

Processing of Sensitive Data

At least one of the conditions must be met whenever you process personal data. However, if the information is sensitive personal data, at least one of several other conditions must also be met before the processing can comply with the first data protection principle. These other conditions are as follows.

•  The individual who the sensitive personal data is about has given explicit consent to the processing.
•  The processing is necessary so that you can comply with employment law.
•  The processing is necessary to protect the vital interests of:

-the individual (in a case where the individual’s consent cannot be given or reasonably

obtained),

or

- another person (in a case where the individual’s consent has been unreasonably withheld).

•  The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
•  The individual has deliberately made the information public.
•  The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
•  The processing is necessary for administering justice, or for exercising statutory or governmental functions.
•  The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
•  The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

Loss of personal Data

If, despite the security measures Engraved4you takes to protect the personal data held, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, Engraved4you must respond to and manage the incident appropriately.

Direct marketing

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text and picture or video message, or by using an automated calling system. PECR also include other rules relating to cookies, telephone directories, traffic data, location data and security breaches. Engraved4you adheres to the Data Protection Act and PECR in the use of its marketing of services and does not use automated calling systems and will ensure records are kept of marketing calls. Engraved4you also utilises the use of GoDaddy, web hosting, their Privacy Policy can be found at

https://www.godaddy.com/en-uk/legal/agreements/privacy-policy and Payment Processed Via Square and their privacy policy can be found at "Privacy and Security | Square Support Centre - GB"

Subject access requests by Individuals

An individual may request a copy of any data held about them, or information about the reasons it is kept and processed and the people to whom it is disclosed. The information must be provided, in clearly understandable terms within 40 days of a valid written request and the payment of the required fee where applicable. 

A person seeking information shall be required to prove their identity in accordance with the DPA. The 40 days will run from the date the person provides this information, and pays the required fee where applicable.

Information may be withheld where Engraved4you is not satisfied that the person requesting information about themselves are who they say they are, or when the requester is an organisation or body where Engraved4you are not satisfied that they have the authority to receive that information.

Disclosure to and about Third Parties.

Personal Data must not be disclosed about a Third Party except in accordance with the General Data Protection Regulation. If it appears absolutely necessary to disclose information about a Third Party to a person requesting data about themselves advice must be sought from the company legal team.

Address 7 chatton Row Bisley, GU24 9AP

Sharing Information with Commissioners and Other Authorised Partners

Engraved4you will share information with commissioners and other authorised partners following the principles of the General Data Protection Regulation and in accordance with local contacts to ensure that local authorities and other authorised partners are able to meet their legal obligations for such acts as the Freedom of Information Act.

Monitoring of Data Protection Practices within Engraved4you

• Engraved4you will be audited 3 monthly by the company audit team and processes within the branch will be monitored to ensure compliance. Any infringements will be reported to the company Data Controller and an action plan completed
•  Analysis of complaints

Complaints

Complaints will be dealt with through the company complaints procedure. All Complaints involving data protection will be raised with the company Data Controller

Data Retention and Destruction Policy

Documentation will be only kept for the required time determined under the General Data Protection Regulation and destroyed by using a shredder or in the secure shredding boxes.