Norfolk Rivers Trust (NRT) and all its wholly owned subsidiary companies (collectively known as “The NRT Group”) are committed to protecting and respecting your privacy. Norfolk Rivers Ecology Limited (NREL) is a wholly owned subsidiary of Norfolk Rivers Trust.
This Policy sets out the basis on which NRT (“We” or “Us”) collects personal data from you and the way in which it will be processed by us. Please read this Policy carefully to understand our views and practices regarding your personal data and how we will treat it.
For the purposes of the relevant data protection legislation, the “controller” (or “data controller”) is Norfolk Rivers Trust of 7b Bayfield Brecks, Bayfield, Holt, Norfolk, NR25 7DZ. Questions, comments and requests regarding this Policy are welcomed and should be addressed to firstname.lastname@example.org.
1. Why we collect your information
We collect different types of information about you for the following reasons:
• To take specific steps necessary to process your application for an NRT account.
• To provide quotations for goods / services through the NRT Group.
• To place orders for goods / services through the NRT Group.
• To carry out our obligations arising from any contracts entered into between you and us.
• For our legitimate interests, in order to manage and / or administer your account, unless any of those legitimate interests are overridden by any of your interests or fundamental rights and freedoms.
• To communicate with you about the goods and services available through the NRT Group, if you have given us consent to do so.
2. When we collect your information
We collect information from you when:
• You enquire about an NRT account.
• You complete a registration form.
• You complete a Direct Debit mandate.
• You provide the information requested on a requirement or enquiry form.
• We request information from you in order to process a quotation or order.
• We speak to you over the phone in the process of managing your account.
• We communicate with you via email in the process of managing your account.
• You write to us to confirm changes to the account.
• You complete a lead sheet at a show or event.
• You visit and / or use our website(s).
3. The types of personal data we collect
In order to open an account with NRT, the minimum information we require is your name, address, telephone number and email address. If you complete a direct debit mandate, we will collect and store your bank account details to take payment for the goods provided. If you do not complete a direct debit mandate, we will ask you to provide credit or debit card details to pay over the phone. We do not store any debit or credit card information on any of our systems. Whilst your account is active, we may collect additional information about you if it has been provided using the above methods.
To ensure we comply with our legal obligations, we may also collect personal data for our health and safety records and to enable us to perform any due diligence necessary to enter into a contract. For example, we may ask you to provide the following documentation;
• Certificates of competency / attendance.
• Insurance certificates.
• Machine operator certificates.
• Qualification certificates.
• Shotgun certificates.
We reserve the right to disclose or share your personal data in order to comply with any legal requirements, enforce our terms and conditions, or any other agreement we enter into with you, or to protect the rights, property, or safety of our business and other members. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
4. How we use the data collected
In order to meet our obligations to you under a contract, we may use your data in the following ways:
• To process your application for a trade account.
• To provide a quotation for goods / services.
• To provide you with goods / services, which includes managing the collection and delivery of goods, and managing any contracting services provided by us or on our behalf.
• To manage your account and to keep accurate records of goods and services provided.
• To contact you regarding your account, for example, to liaise with you to arrange collection or delivery of goods, or to provide services as requested.
• To invoice you for the goods / services provided.
• To take payment for goods / services provided.
Complaints and disputes – In the event of a complaint or dispute, a call recording (if available), may provide additional information to help us quickly investigate and resolve a complaint or dispute.
Employee safety and wellbeing – A recording may become a vital piece of evidence in the event of any threats being made to the organisation or an individual.
If we need to process your personal data for a reason which is not outlined above, we shall contact you in order to obtain your prior consent for such use.
5. When we will share your personal data
We will share your personal data with the following third parties for the reasons stated below:
• Selected third party suppliers / contractors. A full list of our approved suppliers is available on request. If you ask us to provide a quotation for goods / services or you ask us to order goods / services on your behalf we may pass your data to the supplier for the reasons stated below. We will only pass your address and contact data onto a third party supplier if you have asked us to provide goods / services.
• Address and contact information may be passed to a third party supplier when obtaining a quotation on your behalf in order for the supplier to provide an accurate delivery charge or to enable the supplier to contact you directly to discuss the quotation.
• Delivery address and contact information will be provided to a supplier when placing an order for goods / services so they can process the order, deliver the goods / provide the services and invoice us accordingly.
• We may pass customer information to credit reference agencies in order to verify your identity and assess your credit score to ensure you are able to meet your obligations to us under a contract.
• Address and contact information may be passed to selected third party approved fund providers for reporting purposes only.
• Your personal data may be shared between the NRT Group of companies and its’ employees in order to facilitate the management and administration of your account.
Where we pass your personal information to our selected third party suppliers, we will only provide the information that is necessary to deliver the goods / service or perform the obligations in a contract. We have a contract in place with our suppliers that requires them to keep your information secure and not to use it for their own direct marketing purposes. NRT will never sell your personal data or pass it to any other third parties without your consent.
We reserve the right to disclose or share your personal data in order to comply with any legal requirements, enforce the terms and conditions in our contract, or any other agreement we enter into with you, or to protect the rights, property, or safety of our business and other members, suppliers and contractors. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
6. Where we store your personal data
Offsite backups are securely held as part of our disaster recovery plan, to ensure that we can get back up and running quickly in the event of a disaster.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data when it is being transmitted to us. Any transmission is at your own risk. Once we have received your information, we will use strict safeguarding procedures and security features to try to prevent any unauthorised access to your personal data.
7. How long we retain your personal data for
We will hold personal data and bank account details (where given) for as long as your NRT account is active. We will undertake an annual review of our accounts, and if there has been no activity on your account for twelve consecutive months we will write to you and ask you whether you would like to keep your account active or not. Transactional data including invoices will be held for at least the minimum amount of time that we are legally required to hold it for.
8. Your rights
Please see the relevant sections below for further details on your rights as a data subject. You can exercise any of the above rights by emailing us at email@example.com.
We will endeavour to comply with any request made within one month from the date of your request. However, we may extend this date to two months if the request is excessive or of a repetitive nature. If we need more than one month to meet your request we will let you know.
Please note that where we receive requests under this section which are manifestly unfounded or excessive, in particular because of their repetitive character, we may:
• Charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or
• Refuse to act on the request.
8.1. Right to access / access request
You have the right to request access to the information that we hold on you. In order to protect your information, we may take reasonable steps to verify your identity before we can hand over your data.
8.2. Right to rectification
You have the right to ask us to update any personal information that is incomplete or inaccurate. We will endeavour to ensure that if we update your information, we will pass this onto our selected third parties, including suppliers and contractors.
8.3. Right to erasure / right to be forgotten
You have the right to ask us to delete your personal data if;
• The personal data is no longer necessary for the purpose which we originally collected or processed it for.
• You object to the processing of your data and there is no overriding legitimate interest for us to continue this processing.
• We have processed the data unlawfully.
• We have to in order to comply with a legal obligation.
8.4. Right to restrict processing
You have the right to ask us to restrict or supress the processing of your personal data if;
• You have previously informed us that the data is inaccurate.
• We no longer require the data for its original purpose, but we need to hold it, or you ask us to retain the information to comply with legal obligations.
• We have processed the data unlawfully.
• We are in the process of deleting your data.
• We will endeavour to ensure that where you have asked us to restrict the processing of your data, we will inform our selected third parties, including suppliers and contractors accordingly.
8.5. Right to data portability
You have the right to receive a copy of your data in a commonly used machine-readable format for transfer to another controller, provided the data was processed for the purpose of a contract between us and the processing is being carried out by automated means.
This will allow you to move, copy or transfer personal data easily from one IT environment to another. Alternatively, we can transmit such data directly to another organisation. Please note that we will not be able to comply with a data portability request if this will affect the rights and freedoms of others.
8.6. Right to object
You have the right to restrict processing based on legitimate interests. If you exercise your right to object, we will stop processing your personal data unless;
• We are able to demonstrate compelling legitimate grounds for the processing.
• The processing is for the establishment, exercise or defence of a legal claim.
9. What to do if you are not happy with how we process your data
If you consider that we are in breach of our obligations under the GDPR you have the right to complain to the Information Commissioner’s Office (ICO).
10. Review of this policy
We keep this policy under regular review. This policy was last updated on 24/05/2018.