The type of personal information we collect

We currently collect and process the following information:  Personal identifiers such as:

•Name o Location data [address]

•Telephone numbers and email address

Date: 29/10/2020

How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

•to enable us to fulfil a contract for delivery of goods or services

We also receive personal information indirectly, from the following sources in the following scenarios:

•from our customer when orders are placed for manufactured products. These products are built to order and delivered by us on behalf of our customer.

We use the information that you have given us in order to:

•verify your delivery address for products you have purchased as directed to do so by our customer.

•Contact you to arrange a suitable delivery time

• confirm, for a minimum period of 12 months, the details of your order to enable any potential warranty claim or returns issues to be handled correctly.

We may share this information with our delivery partners in order to fulfil our delivery obligations. Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are: (a) We have a contractual obligation.

How we store your personal information

Your information is securely stored at our premises WELCOME FURNITURE LIMITED, CIBYN INDUSTRIAL ESTATE, CAERNARFON, GWYNEDD, LL55 2BD.

We keep Personal identifiers, contacts and characteristics (for example, name and contact details and sales data) for 24 months. We maintain data in our servers as part of our Enterprise Resource Planning [ERP] system which is anonymised and archived every 12 months. This sales data and other regulatory compliance information is kept in line with statutory guidelines.

Any data in paper form is securely disposed of, via shredding, routinely every 2 to 3 months.

The organisation takes the security of your data seriously. The organisation has internal policies and controlsin place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. This includes:‐

• An Internet facing firewall to prevent outside penetration of the organisations network. Policies allow mail to be delivered into the mail server from a specific set of addresses(our externalspam filter) but no other accessis allowed. Thisfirewall also maintains a list that prevents access to malicious sites on the WWW.

• Spam filtering. All our mail passes through a spam filter which looks for unsolicited mail, malicious software and dangerous links.

• Local firewalling. All our machines are individually protected by firewalls. This prevents problem software proliferating through the network and unauthorised access from one machine to another e.g. only the IT department can remotely connect to a Company laptop.

• Local anti‐virusto prevent any malicioussoftware getting through the firewall orspam filters or be brought in by other means. Every machine in the Company has anti‐virussoftware installed which is constantly updated via a server on the network. Thissoftware also maintains a web blacklist to prevent access to malicious sites.

• File access controls. Access to data on the servers is controlled based on need. Management authority is required before any changes of access are made.

• Encryption. All Company emails are encrypted when the recipient supports encryption.

• Additional controls. The ERP system, HR systems, Payroll system and the document management system are also controlled as above.

• Filing cabinets. Data kept in files are stored in lockable cabinets and secured in a restricted office.

• IT Policy. This policy is to ensure that all information technology users within the organisation or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organisations boundaries of authority.

• Social Media Policy. This policy is aimed educate employees and minimise risks when using social media which can impact the organisation and employees.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions; these parties are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. The organisation will not transfer your data to countries outside the European Economic Area.

Reporting breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

• Investigate the failure and take remedial steps if necessary

• Maintain a register of compliance failures

• Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

Disposal of Data

As part of our statutory accounts routine, when annual audits are completed, our SAP system is archived, which includes disposal of all transactional level data, removing permanently from record all consumer data the which is held from the previous financial year, ie 12‐24 months old.

Your data protection rights

Under data protection law, you have rights including:

Your right of access ‐ You have the right to ask us for copies of your personal information.

Your right to rectification ‐ You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure ‐ You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing ‐ You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing ‐ You have the the right to object to the processing of your personal information in certain circumstances.

Your right to data portability ‐ You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at

Name: DAVID LINGE

Address: WELCOME FURNITURE LIMITED, CIBYN INDUSTRIAL ESTATE, CAERNARFON, GWYNEDD, LL55 2BD

Phone Number: TEL: 01286 662950

if you wish to make a request.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at Name: DAVID LINGE

Address: WELCOME FURNITURE LIMITED, CIBYN INDUSTRIAL ESTATE, CAERNARFON, GWYNEDD, LL55 2BD

Phone Number: TEL: 01286 662950

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk