Arcon Privacy Policy

This document is intended to be published on the www.arconsupplies.co.uk website and available for issue upon request to website users, enquirers, customers and suppliers. It covers the general principles of how Arcon Supplies gathers and handles data. It also outlines the services and standards website users, enquirers, customers and suppliers can expect, with respect to their data, when dealing with Arcon Supplies. This document sits alongside the GDPR Policy and PCIDSS compliance checklist, both for internal issue, which cover actions, implementation and recommendations in detail regarding safeguarding data including employee records.

1.0 General

Arcon Supplies take the safeguarding of data very seriously. This Privacy & Cookies Policy describes the principles of how we gather and handle data.

1.1 GDPR Overarching Requirements

Arcon Supplies are committed to being open and transparent about:

• what data is collected
• what purposes data is collected for
• the legal basis for processing data
• our data retention policy for each processing activity
• the parties involved (both inside and outside our organization)
• the security measures we implement to protect data
• what data is transferred outside of the EU, if any; and
• other related details which may apply company-wide, including data of employees.

1.2 Managing consent and maintaining detailed records related to it

Arcon Supplies are committed to managing consent and maintaining detailed records of:

• who provided the consent and when it was provided
• what their preferences were at the time of the collection
• which legal or privacy notice they were presented with at the time of the consent collection
• which consent collection form they were presented with at the time of the collection
• how our teams are informed to ensure they are aware of their obligations under the GDPR
• to review and audit the data we hold on a regular basis
• the procedures in place to handle requests from data subjects to modify, delete or access their personal data
• the security notification procedures in place to ensure we meet our enhanced reporting obligations under the GDPR in case of a data breach in a timely manner
• the policy on retention periods for all items of personal data, from website users, enquirers, customers and suppliers’ data to employee data
• the internal procedures for handling data

2.0 Website

2.1 HTTPS

www.arconsupplies.co.uk has upgraded from HTTP, hypertext transfer protocol, to HTTPS, hypertext transfer protocol secure. HTTPS uses separate protocols called SSL (Secure Sockets Layer) and TLS (Transport Layer Security), which mean the data sent between the website and the website user is more secure machining it harder to intercept and encrypted, so less easy to read if it is intercepted. If you are browsing in Google Chrome, Internet Explorer, Firefox or similar, you should be able to see a padlock symbol to show the website is certified as secure.

2.2 Cookies

2.2.1 Complying with the EU Cookie Law

• Cookie policy - using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights
• Cookie banner - allows users to be informed of and obtain their consent while including the option to block any scripts that install cookies without prior consent.

When visiting the www.arconsupplies.co.uk website users will see a pop-up cookie banner asking for their permission to accept or decline the cookies on the website clearly and most importantly, before Google Analytics executes. The banner will also have a link to this Privacy Policy for user to review before accepting or declining cookies.

It is not possible to view the website without cookies running. Some cookies are essential for the operation and function of the website, including navigation and security. These cookies do not typically contain data that personally identifies website users. At present, no cookies are used to personalise web content or gather personal data from users on the www.arconsupplies.co.uk website, except for the contact us/call back request form where users are given the option to input some personal data. Handling processes for the data collected from the contact us/call back request form are described below.

The www.arconsupplies.co.uk website also uses Google Analytics to analyse the performance and usage of the site. Google Analytics is the only non-essential third-party cookie currently running on the website.

The cookie banner asks the user for permission to use cookies and then once granted, the page either reloads and the Google Analytics scripts proceed to execute. If the user declines permission for the use of cookies it will not be possible to reload the page and Google Analytics will not launch.

2.2.2 Google Analytics

Arcon Supplies uses Google Analytics to analyse usage data such as volume of web traffic to the website URL arconsupplies.co.uk

Other usage data may include anonymised page views, geographical location of users, duration of visits to the site, bounce rate, frequency, time of day the site is accessed.

See Google Privacy Policy & Principle specific to Analytics which describes how Google manage personal information when you use Google's products and services, specifically Google Analytics. The arconsupplies.co.uk website does not have any additional cookies, neither third-party or our own cookies, to harvest personal data and web browsing data except the contact us/call back request form where users are given the option to input a limited amount of personal data.

The purpose of us using the analysis of the data that Google Analytics collects is to monitor and improve the performance of the website, enabling us to best represent our business interests.

2.2.3 Managing Cookies and Cookie Policy

If the use of cookies on the www.arconsupplies.co.uk website changes, or new cookies are introduced that implement significant changes, this policy will be reviewed and updated to reflect this. Furthermore, if non-essential cookies are introduced the cookie banner maybe altered to enable website visitors to disable non-essential cookies and use the website with just essential cookies running.

2.3 Contact Us/Call-back Request Form

You are not required to provide any personal information on the public access areas of the www.arconsupplies.co.uk However, you may choose to do so by completing a form. The contact us/call back request form on arconsupplies.co.uk website invites users to enter a limited amount of personal data to enable Arcon employees to call or email the user to provide our services personalised to the enquirers specific needs. A record of this data and subsequent services provided is kept by Arcon Supplies for legitimate business purposes.

Submitting the contact us/call back request form does not imply consent to subscribe to newsletters or other general marketing campaigns.

Aside from essential third parties, see below, the information submitted will only be shared with a third party when the enquiry is best answered by an Arcon Approved Applicator or a specific product manufacturer.

2.4 Third Party Websites

Some hyperlinks to third-party websites are included in the arconsupplies.co.uk website. While all attempts are made to only link to reputable sites, Arcon do not accept responsibility for the privacy policies and data collection activities of these third parties.

3.0 Newsletters and General Marketing

Specific consent will be sought from website users, enquirers, customers and suppliers to subscribe to newsletters or other general marketing campaigns.

4.0 Emails and Phone Calls

We may process and record information given in emails or phone calls (or similar forms of communication) for legitimate business reasons. The retention period for this information will depend upon the type and nature of data included. Any sensitive information will be handled in line with GDPR and PCI DSS good practice, see telephone card payments below for example.

5.0 Transaction data

5.1 Current Methods of Payment

Payment for goods and services provided by Arcon Supplies can be made by one of the following methods:

• By bank to bank transfer including both domestic and international transfers
• By cheques made payable to Arcon Supplies
• By credit or debit card in person at the trade counter via point-of-sale card payment terminal
• By credit or debit card by phone via card payment terminal using customer not present options

The card terminal is provided by a well-recognised and trusted PCI DSS compliant financial institution for secure transfer of sensitive card data, further details can be provided upon request. This policy will be reviewed, and wording changed if necessary, if the card terminal provider’s details change. No sensitive card data is kept after authorisation of payment, unless required by law. Records of transaction type, receipts and invoices are kept for the minimum statutory period.

This policy will be updated with the relevant information if additional payment methods, online transactions for example, are added.

6.0 Transfer of Data Outside the EU

Arcon Supplies do not knowingly transfer data outside the EU. No data is transferred directly outside the EU for processing, handling or storage. However, there is potential for global third-party service providers to transfer data outside the EU without us being able to determine this with certainty. These are the third parties we think could transfer data we provide them with outside the EU and the factors mitigating risk of a data breach:

• Google Analytics may store analytical data on servers outside the EU, see current list of Google Data Centre locations https://www.google.com/about/datacenters/inside/locations/index.html - mitigation for this risk, the data held should be anonymised and not identify Arcon website users. It is a globally recognised standard analytical tool for websites used for legitimate business purposes.
• The card processing terminal and merchant services provider is a major UK financial institution and as such may have data processing and storage distributed globally although this is not easy to determine – mitigation for this risk, it is a well known and trusted organisation subject to UK, EU and global financial regulations and is PCI DSS compliant. We believe the highest security provisions are taken to protect the sensitive data they handle regardless of where it is processed and stored.

7.0 Arcon Account Holders & Suppliers

7.1 Account Holder & Supplier Data

Details of account holders including key contacts are held and safeguarded in line with Arcon’s internal policies and GDPR compliance. Sensitive data such as bank details are held in a secure environment. No sensitive card data is kept on record in accordance with PCI DSS compliance. Records of transactions, payment types, orders, invoices and receipts are kept for the minimum statutory period.

7.2 Account Holder & Supplier Data Updates

Please let us know if you think the data we hold about you needs to be updated; changes in bank details, key contacts, business addresses, accounts payable addresses, payment methods and similar are most pertinent.

8.0 Retaining & Deleting Data

8.1 Retaining Data

Arcon Supplies retain data for legitimate business purposes and to fulfil our legal requirements as a business trading in the UK.

The data we handle for any purpose or purposes will only be retained for the length of time that purpose or purposes require, either for legitimate business purposes and to fulfil our legal obligations.

8.1.1 Cardholder sensitive authentication data

Cardholder sensitive authentication data is deleted or rendered unrecoverable upon completion of the payment authorisation process, in accordance with PCI DSS compliance guidelines.

8.1.2 Transaction data

Transaction data will be retained for a period of 7 years, from the end of the year during which the transactions was made.

8.1.3 Account holder / supplier data

Account holder and supplier data, including order data, will be retained for as long as the account remains open and 7 years, from the end of the year during which the account was closed.

8.1.4 Correspondence data

Correspondence data be retained while it is still deemed to be required for legitimate business purposes.

8.1.5 Analytical data

Anonymised analytical data processed by Google Analytics is used to analyse the arconsupplies.co.uk website performance and trends both short-term and long-term, when the website ceases to be a business concern this data will be deleted.

8.1.6 Newsletter / general marketing data

Newsletter and general marketing contact data will be retained if a record of consent to receive newsletter and general marketing information exists and the person remains opted-in.

9.0 Your Rights

In accordance with GDPR, individuals have the following rights:

• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision making and profiling.

However, if your data is held by Arcon to fulfil our legal requirements as a business trading in the UK or other legal reasons some of these rights cannot be implemented. For further details see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

10.0 Reporting

This policy applies to all persons working for Arcon Supplies or on our behalf in any capacity, including employees at all levels, partners, agency workers, seconded workers, volunteers, agents, contractors and suppliers. Arcon strictly prohibits the breach of GDPR in our operations and supply chain. We have and will continue to be committed to implementing systems and controls aimed at ensuring that GDPR breaches are not taking place anywhere within our organisation or in any of our supply chains. We expect that our suppliers will hold their own suppliers to the same high standards.

10.1 Reporting Commitments

Arcon is a company that expects everyone working with us or on our behalf to support and uphold the following measures to safeguard against GDPR breaches:

• Reporting of GDPR breaches in any part of our organisation or supply chain is the responsibility of all those working for us or on our behalf.
• Workers must not engage in, facilitate or fail to report any activity that might lead to, or suggest, a breach of this policy.
• We are committed to having open and ongoing lines of communication with employees, suppliers and customers to address the risk of GDPR breaches in operations and supply chain.
• If we suspect that employees, suppliers or customers have breached this policy we will ensure that we take appropriate action. This may result in terminating such relationships.

11.0 Privacy & Cookie Policy Updates & Amendments

This policy will be reviewed annually. Updates and amendments will be made to this policy if any significant changes in Arcon’s data handling or safeguarding occur.