This is the GDPR Statement of Origin Storage Ltd, 2-3 Rutherford Centre, Rutherford Road, Basingstoke, Hampshire, RG24 8PB (whose registered address is 44-46 Old Steine, Brighton, East Sussex, BN1 1NH). This document sets out how Origin Storage complies with data protection regulations including the latest GDPR requirements, from May 25th 2018.
This Statement applies to suppliers, customers and subcontractors and aims to address the Q&A requests that are required by our partners for GDPR related procedures.
This document is available at all times on the Origin Storage website (www.originstorage.com/gdpr). It outlines how we collect and use personal information, how we meet our obligations as a data controller and as a data processor.
It may be updated from time to time. The online document will always be the most up to date version. You can contact [email protected] for any questions relating to our GDPR Policies.
Is Origin Storage a Data Controller or Data Processor?
We can be either or both depending on the type of transaction we are performing. Under Article 28 of the GDPR, Origin Storage is defined as a data “controller” for personal data that our customers provide for certain transactions; e.g. when we set up an account and/or when we process orders for delivery to our customer premises.
As data “controller” we may collect contact details, payment details and company details. These will be used to transact orders, to confirm credit, to take payment, to deliver goods etc, as required to fulfil our legal and contractual obligations in processing the account and orders.
This data will only be used by staff who have a business need to access the data, will only be shared with those 3rd parties who enable us to perform our obligations (e.g. credit agencies and delivery companies), will be secure in our online and offline systems and will be retained for a maximum of 7 years in order to enable us to comply with our legal obligations, after which time it will be deleted. Our use of sub-contractors or GDPR “data processors” is governed by an agreement that ensures they are also compliant with GDPR and that the data is dealt with accordingly.
Origin Storage is defined as a data “processor” for personal data that is provided for certain transactions; e.g. when we “drop ship” orders to our customer’s own end user customers, when we transact licensing agreements or request special bid pricing.
As data “processor” we may collect end user name, address and other contact details that may be passed on to our own sub-contractors (e.g. delivery companies and vendors), as required to enable us to carry out our contractual commitments to our customers. This data will only be used by staff who have a business need to access the data, will only be shared with those 3rd parties who enable us to perform our obligations (e.g. vendors for licenses and delivery companies for deliveries), will be secure in our online and offline systems and will be retained for a maximum of 7 years in order to enable us to comply with our legal obligations, after which time it will be deleted.
Our use of sub-contractors or GDPR “subprocessors” is governed by an agreement that ensures they are also compliant with GDPR and that the data is dealt with accordingly.
Does Origin Storage have a Data Protection Officer (DPO)?
No, we are not required to have a Data Protection Officer under the GDPR. However, we have a Privacy Officer who is part of the senior management team and reports to the company Directors. Our Privacy Officer is available via the [email protected] email address.
The Privacy Officer is responsible for overseeing that Origin Storage is meeting its obligations to Data Protection laws and regulations, including GDPR. The Privacy Officer is also a point of contact for Data Privacy related queries from staff, customers and suppliers and other third parties and the contact point for Data Access Requests and Data Breaches.
What personal data do we collect?
When customers register with Origin Storage, for either a trade account or to receive marketing information by post, phone or email, we will collect some or all of the following personal data:
Name, email address, fax number, postal address, business contact and billing information, transaction and credit card details (during transactions).
Your preferences on what marketing information (if any) you’d like to receive and how you’d like to receive them.
When customers order from Origin Storage we collect additional information including:
Payment details – including credit card numbers where relevant
End user details to enable direct ship / drop ship – including name, address and contact details
End user details to enable license registration
End user details to enable special bid pricing requests
Origin Storage does not collect any “Special Category Data” as defined by the GDPR for any interactions with customers or suppliers.
How do we use this data?
When registering with Origin Storage customers will be asked for consent for us to use personal data for the purposes listed below:
To enable us to confirm business details when setting up an account, for legal, financial and contractual purposes so that we may provide commercial services to our customers.
To carry out basic checks for due diligence when setting up accounts to ensure all details are genuine and correct and to avoid fraudulent use of data.
To allow us to comply with legal requirements placed upon us.
To send you tailored communications by post, fax and/or email about new products, promotions, news items, event details, special offers or other useful items of interest.
When purchasing from Origin Storage we will request and use customer and sometimes end user data for the purposes listed below:
To enable delivery of goods directly to our customers.
To enable delivery of goods to our customers’ end users, including via sub-contractor delivery companies (subprocessors).
To facilitate the purchase of software licensing.
To enable special bid pricing requests.
We will keep data for the duration of our joint relationships. Data will be retained in accordance with legal requirements and be deleted after such requirements are met.
For example if we end a business relationship, data will be retained for 7 years and then destroyed.
Who has access to personal data?
At Origin Storage we take care to ensure personal data is only accessible to those who have a business need.
For example when setting up an account, the data used for that purpose is only accessible to employees involved in that process. Personal data is not accessible to employees for whom there is no business need. Access decisions are taken by the senior management team.
Who do we share personal data with?
Origin Storage only shares your information with third parties as required to enable us to comply with the law, to set up and transact our business together or to deliver products to you or your customers, as follows:
Credit agencies in order to confirm credit status of our customers.
Credit card companies for the purpose of taking credit card payments.
Vendors for the purpose of completing software licence purchase and renewals.
Vendors for the processing of special bid pricing requests.
Vendors for direct ship to customers or their end users.
Delivery companies in order to deliver goods to our customers or their end users.
We may pass your marketing information to an authorised marketing agency, only in the event that they are acting directly for Origin Storage and this data will be deleted immediately following that specific Origin Storage activity.
In each case, our subprocessors will be obliged to follow GDPR and other relevant privacy regulations and guidelines in order to safeguard this data. The data will not be passed outside the European Economic Area as per the GDPR regulation without prior consent or special measures being in place.
How are corrections of data carried out?
Origin Storage regularly confirms personal contact details and marketing preferences with our partners, following which a confirmation email is sent to confirm the current details. This information can be updated at any time by contacting Origin Storage by phone, to an account manager or to the Privacy Officer. If you believe we have any incorrect personal information about you, or if anything changes, you may request to see this data, which we will provide within 30 days at no charge.
Any relevant changes in your personal data should be notified to Origin Storage via your usual contact or to the [email protected] email address.
Does Origin Storage have a central repository of data processing activities?
Yes, Origin Storage maintains a GDPR compliant data processing repository. It is reviewed and updated on an ongoing basis as required.
How does Origin Storage manage Storage and Security of data including personal data?
Origin Storage takes great care to keep data secure. There are both physical and electronic processes in place and management procedures ensure data is protected. We use encryption where possible, for example when taking credit card orders. Data is physically stored in the UK at Origin Storage owned facilities and is not passed outside the EEA. Precise location of the data and backups is confidential in order to maintain data security. If you need more information please contact the [email protected] email address.
What is Origin Storage’s Data Retention Policy?
Data including personal data is kept for up to 7 years to enable Origin Storage to manage accounts, requests, compliancy requirements and legal requirements, after which time it is destroyed. Personal data relating to prospective employees who are not successful candidates will be kept for 12 months and then destroyed.
Data is removed through standard deletion and overwriting processes to ensure restoration is not possible.
Data deletion and destruction is authorised via the management process and staff training and compliance checks.
How does Origin Storage manage Data Access Requests?
Data Access Requests are monitored, logged and managed via this management process and documented accordingly. The Privacy Officer is part of this management process and would be responsible for managing it to completion.
How does Origin Storage manage Data Breaches?
Should a data breach occur, it would be logged and managed by the management system described above. The Privacy Officer is responsible for ensuring the correct processes and procedures are followed and documented, including reporting to any relevant third party. Data breaches are understood by all staff and management and processes are in place to identify and report them through the management system. Training of all staff includes this subject and other GDPR related responsibilities.
Internal tracking and audits are carried out to ensure compliance by staff on all data privacy related matters.
Does Origin Storage train staff on Data Privacy?
Yes, all staff are trained on Data Privacy and GDPR on an ongoing basis. For example, prior to May 25th 2018 all staff have been trained on the company and individual requirements and responsibilities. All staff are aware of and agree to the lawful requirement placed upon them individually and the company.
Training is delivered by various internal and external parties and is under the direction of the Privacy Officer. Refresher courses are run on an ongoing basis as new staff join, regulation changes are made or to reinforce as required.
Is Origin Storage registered under the DPA?
Yes, Origin Storage is registered under the Data Protection Act 1988 and complies with DPA and GDPR guidelines.
Does Origin Storage have any security certifications?
Yes, Origin Storage has achieved accredited certification to ISO 27001 which demonstrates that we follow information security best practices, and provides an independent, expert verification that information security is managed in line with this and our business objectives.
ISO 27001 allows Origin Storage to achieve the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR). Our effective information security management system (ISMS) which conforms to ISO 27001 meets all the requirements of Article 32 of the GDPR. A copy of our ISO 27001 certificate is available on request by contacting our Privacy Officer.
How are changes to this statement & policy managed?
Origin Storage may make occasional changes to this policy in order to ensure compliance and best practice. The latest version of this document will be available at www.originstorage.com/gdpr and the date will reflect when the latest changes were made.
Who is the Origin Storage contact for Data Privacy?