Keston Boilers (referred to in this document as ‘Keston Boilers’, ‘data controller’, ‘we’, ‘our’ or ‘us’) are committed to protecting and respecting your privacy and the security of your personal data. We aim to be clear and transparent about what we do with the personal data we collect. (‘Personal data’ means any information relating to an identifiable person.) This policy:
- Sets out how we process your personal data. (‘Processing’ means anything we do with your data, and includes collecting, using, storing and deleting it)
- Sets out where we might send your personal data to others, how we protect it and your privacy rights
- Only applies to our website, and if you leave our website, you will be subject to the policy of that other website provider
Who we are and how to contact us
Keston Boilers are part of Groupe Atlantic.
In respect of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the data controller is:
Data Protection Officer
The personal data we collect from you
We may collect personal data from you in the following circumstances, when you:
- Fill in a form on our website http://keston.co.uk. This includes information provided at the time of registering to use our site, subscribing to a service, requesting further services and completing the Contact Form
- Visit our site. We may automatically collect traffic data, location data, weblogs, browser, usage and other communications data
- Report a problem with our site
- Contact us by phone
- Become a customer. This may include: your name, postal address, email address, phone number, job title, reference information (e.g. invoice number) and any other information you give us
- Register a product warranty online or through our call centre
- Interact with us via social media
- Join a loyalty scheme
- Complete any surveys we send to you.
IP Addresses and Cookies
Click here if you would like more detailed information about how these cookies work and our policy regarding the information they collect.
How we use your personal data including legal basis
When you contact us using the Contact Form, we may store your personal data. The legal basis for this is ‘legitimate interest’. Where we process your personal data under this basis, we perform an assessment that balances your rights and freedoms alongside our interests, to ensure that what we do with your personal data is what you would reasonably expect.
Products and Services
There are three legal bases under which we process personal data for products and services:
- When you buy, and / or register a product. The legal basis for this is ‘performance of a contract’
- After the expiry of a warranty for example, we may also keep your personal data under the basis of ‘legal obligation’ re: gas safety, and health and safety regulations
- Where we keep your personal data for the purpose of product recall requirements, the basis is ‘vital interests’
We may send you marketing messages by email, text message (SMS), telephone or post about us and our products and offers. For email and SMS messages, the legal basis is consent. If you want us to stop sending you information by email or SMS, you can opt out at any time by selecting the ‘unsubscribe’ link on any email or SMS we send you. You can also email us at email@example.com or write to us at:
Data Protection Officer
We may ask you to complete surveys for research purposes. The legal basis for these is one of: legitimate interest, performance of a contract, legal obligation or consent. Where consent is relied on, the method will be opt in, and you have the right to withdraw your consent at any time.
How we share your personal data
We may disclose your information to third parties if we:
- Sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of those assets
- Have a duty to disclose your personal data to comply with any legal obligation. This includes sharing information with other organisations for the purposes of fraud prevention
We are required to have written contracts in place with any third parties we use to process your personal data. This is to ensure that third party processors only act on the documented instructions of the data controller, and to ensure that both parties understand their responsibilities, especially in regard to safeguarding personal data.
Where we store your personal data
Some data that we collect, listed below, is transferred and stored outside the EEA. All other personal data is processed within the EEA.
Processed outside the EEA:
- Google Tag Manager (website analytics) – EU-US Privacy Shield.
How long we keep your personal data for
This depends on the type of personal data and what it is used for. We only keep personal data for as long as we have a legal basis to do so, and we adhere to the principle of data minimisation. This means that we only keep the minimum amount of information necessary for specific processing.
- We keep personal data you provide by filling in forms on our site unless or until you unsubscribe. If you unsubscribe, we retain minimal information about you to ensure that we know you have unsubscribed
- Financial transaction data is kept for a maximum of seven years. This is due to legal obligations in relation to accounting and tax
- Where there is a contract between us, and in case of any legal action, personal data is retained for 8 years after the end of the contract
How we secure personal data
We use a combination of physical, technical and organisational controls to safeguard your personal data. We are also committed to regularly testing, assessing and evaluating the strength of our controls environment.
- Personal data is stored on secure servers
- Payment transactions such as card transactions are encrypted using SSL technology
- Emails are scanned for malware and viruses
- Data sent between our website and your browser is protected using an industry-standard protocol such as Transport Layer Security
- Data processed by third parties is safeguarded by contracts containing audit rights of inspection and warranties
- Personal data is stored within secured networks, and is only accessible by a limited number of people. Access rights and other policies and procedures forming part of our Information Security Management System (ISMS) further secure your information.
Where you have a password that enables you to access certain parts of our site, you are responsible for keeping the password safe, and we advise not disclosing your password to anybody else.
Our security procedures mean that we may occasionally request proof of ID before we are able to disclose personal information to you.
Unfortunately, the transmission of information via the Internet is not always secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once received, however, we will use our procedures and security to prevent unauthorised access.
You have certain rights (detailed below) under data protection law, and you can make requests to us about any personal data we hold about you. Requests can be in writing or verbal, and can be made to any part of our organisation. However, it will help us to complete your request more effectively if you contact us at firstname.lastname@example.org.
We will also need to verify your identity. The Information Commissioner (ICO) have a page on their website that includes a template for a letter which can be used when sending requests to us (https://ico.org.uk/your-data-matters/your-right-of-access). We will respond within one month from the date of the request, and will not ordinarily charge a fee. However, if further copies are required, and / or the request is deemed excessive, we may charge a reasonable fee. Your rights:
- Right to access: You have the right to request a copy of the information we hold about you. If you want to request a copy you can contact us as detailed above
- Right to rectification: We want to make sure that your personal information is accurate and up to date. You have the right to ask us to correct or remove information you think is inaccurate
- Right to erasure: You have the right to ask us to delete your personal data. You can ask us to erase your personal data where there is no good reason for us to continue to process it. This will apply for example where the purpose we collected your information for is no longer relevant, or where you withdraw consent, if consent was given to start with
- Right to restriction: You have the right to request the restriction or suppression of your personal data under certain circumstances. This means you can limit how we use your personal data. This might apply if for example you believe the processing is unlawful
- Right to data portability: You have the right to ask for a copy of your personal data in a form that lets you copy or transfer it to another IT system in a machine readable way, and / or another organisation. This will apply where the processing is based on consent or a contract, and the processing is by automated means
- Right to object: You have the right to object to the processing of your personal data in some circumstances. You have the right to stop your data being used for direct marketing purposes
- Right not to be subject to automated decision making including profiling: Where such processing produces legal effects or similarly significantly affects
- Right to withdraw consent: Where our processing is based on your consent, you have the right to withdraw this consent at any time
- Right to complain to a supervisory authority: If you are concerned about how we are handling your personal data, you have the right to complain to the data protection authorities. In the UK, this is the Information Commissioner’s Office (visit the ICO’s website at https://ico.org.uk/make-a-complaint/handling).
Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Policy last updated: 21st August 2018.