Swap Privacy Policy

Our GDPR Statement

Introduction

The new EU General Data Protection Regulation (GDPR) has now come into force and impacts every organisation which processes personal data of EU citizens. It introduces new responsibilities, empowers businesses to be accountable for their processing of personal data, and enables EU citizens to protect their privacy and control the way their data is processed. Even though the UK has left Europe, the GDPR still applies and replaces the UK’s Data Protection Act 1998.

Data protection definitions

Personal data is any information that relates to a living individual. It also includes any data that can be used with other sets of data to identify an individual. Typical examples of personal data are name, identification number, location data, online identifier and email address.

Processing relates to any operation carried out on personal data including collection, recording, organising, structuring, storing and using. Processing does not have to be by automated means, so it also includes paper-based, non-digital systems.

A Data Subject is the individual whose personal data is being processed.

A Data Controller is the organisation which determines how personal data is processed.

A Data Processor is an organisation which processes data on behalf of a Controller. This typically means a third party who is used by the Controller to process their data (e.g. a marketing company used to send out marketing materials).

For detailed information about the GDPR and data protection, visit the Information Commissioner’s Office website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Your GDPR responsibilities

When you use our services to store or process your personal data (including customers’ or users’ data), you are the Data Controller and we are a Data Processor. This will be true for any personal data you place on our servers either directly, via a hosted website or by use of any of our other services.

The GDPR requires you, as a Data Controller, to ensure that any Data Processor services you use to process personal data are GDPR compliant. This means that when you use any of our services to process your personal data you need to carry out due diligence on our services and ensure certain contractual terms are in place.

This GDPR statement is our way of helping you meet these GDPR regulatory requirements and of offering you an assurance that we treat GDPR and the security of your personal data as part of the everyday running of our services.

Our GDPR Commitment

As a UK company, Swap Commerce Limited is committed to ensuring our business, services and internal processes are GDPR compliant. This GDPR Statement provides our assurances of GDPR compliance.

Swap Commerce Limited has put in place:

– Employee data protection training to ensure all staff understand their role in data protection compliance
– Updated internal policies relating to data protection and responsibilities within our businesses for ongoing GDPR compliance
– Checks of all our systems, processes and services to ensure they meet the requirements of GDPR, particularly around security of data and our use of any external third-party services
– Procedures to ensure ongoing compliance
– Updated terms and conditions of services that meet the contractual requirements of GDPR in the Data Controller – Data Processor relationship

Our services are compliant because:

– We have fully assessed our GDPR compliance both regarding the services we offer to our customers and regarding our internal policies and procedures
– We have appropriate technical and personnel protocols in place to ensure the security of your data
– We carry out due diligence against any sub-processors or other third party processors we use to ensure their GDPR compliance (such as data centres)
– We only allow specific members of staff access to our servers, and the access that is available is limited to specific circumstances
– Our staff are trained in GDPR compliance and understand their responsibilities for managing the systems that process your data

Our role as a Data Processor

You are the owner of the data you submit to our servers.

When your data is placed on our servers, you are the Data Controller and Swap Commerce Limited is the Data Processor. We do not access the data you store on our services and any processing (as a Data Processor) is only stored to help facilitate the transactions we manage on behalf of our clients and suppliers. Our clients and suppliers are typically Retailers, Marketplaces, Couriers or 3rd Party Fulfilment partners.

We do not use personal data for any processing of our own.

Swap Commerce employees

All Swap Commerce employees are trained and made aware of their responsibilities under GDPR, including their duties with regard to access, security and processing of any personal data stored on our servers. Security and data governance are covered in our employee handbooks and actively discussed as part of quarterly meetings to ensure all staff are up to date.

Changes to our approach

Should our approach to any aspect covered by this statement change, we will make sure, where your data is impacted, that we notify you within a reasonable timeframe and in line with any contractual terms in place between us.

Data Breaches

In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 48 hours of the breach coming to our attention. This will be enough time for you to consider your requirements, under GDPR, for reporting the breach to the ICO and Data Subjects.

We are registered with the ICO.

We help you to comply with GDPR

Our approach to our own compliance also helps you comply with your own GDPR compliance requirements. This statement should go some way to explain our approach to GDPR compliance. By using our services, you can be assured that your use is GDPR compliant.

If required we will assist you or the Information Commissioner’s Office with any query relating to the GDPR compliance of our services.

Data Protection Contact

Any questions, queries or requests for further information regarding our GDPR compliance should be sent to:

Swap Commerce Limited
86-89 Paul Street
London
Email: support@swap-commerce.com

Third Party Processors

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

“Digital Marketing Service Providers

We periodically appoint digital marketing agents to conduct marketing activity on our behalf; such activity may result in the compliant processing of personal information. Our appointed data processors include:
(i) Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io. Sopro are registered with the ICO (Reg: ZA346877); their Data Protection Officer can be emailed at: dpo@sopro.io.”

November 1, 2021