This document sets out the parameters within which Ergochair Ltd acquires, controls, stores, uses and disposes of any personal data, in line with General Data Protection Regulation (GDPR) requirements.

Ergochair Ltd is hereinafter referred to as ‘We’ unless specified otherwise.

What is GDPR?
“General Data Protection Regulation (GDPR) is, essentially, an upgraded version of the existing Data Protection Act legislation”

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual.

The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR will come into effect across the EU on May 25, 2018.

What personal data information we hold

We would like to begin by confirming that our easiSpec® assessment/specification tool does not hold or store any personal data that can possibly link back to any individual. It does register which of our dealers created the specification, at company level. We built the easiSpec system to be fully GDPR compliant from the outset.

As an organisation, Ergochair Ltd holds minimal identifiable personal data. Under GDPR, personal data is defined as “any information relating to an identified or identifiable natural person”.

We hold the following information:

• Names of our dealers, third-party assessors and people who work with us, their business email addresses and business telephone numbers.
• Names and email addresses of our organically-grown marketing database of companies and individuals.
• Partial data consisting of individuals’ names and body dimensions, including brief relevant details of disabilities or postural conditions relating to that individual. Although anonymised or pseudonymised wherever possible, on occasion this data may include contact details such as email address, phone number and/or address for consultation visit purposes.
• Names, company names, email addresses, premises address and telephone numbers of people or companies who supply us with goods and services.

Communication of Privacy Information
We are communicating our privacy policy via this document which will be available at all times on our website.

How we acquire this information

Dealers, Assessors and people who work with us: Provided to us either at the time of opening a trade account with us or subsequently to update us on relevant changes and additions.
Marketing database of companies and individuals: Organically gathered at events, trade shows, exhibitions and sales activity, ensuring the individual’s consent was obtained by opting-in to hear from us via email in the future.
Individuals requiring assessment: Supplied to us either directly by the individual or (with their consent) via our dealers, an outside assessor, the individual’s dedicated case worker, Occupational Therapist or other healthcare professional.
Suppliers: directly from our Suppliers.

Who we share this information with
In line with our ICO registration statement, we sometimes need to share the personal information we process with the individual and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations with which we may need to share some of the personal information we process, for one or more reasons:

• family, associates and representatives of the person whose personal data we are processing
• suppliers and service providers involved with meeting the need of the client
• central government, police forces & security services (if applicable lawful request made)

Individual’s Rights
Under GDPR, we acknowledge the following rights of the individual, in respect of any personal data that we hold:

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling

Subject Access Requests
As outlined in GDPR guidelines, we will respond to and comply with all subject access requests within one month.
If we feel that the individual’s request is manifestly unfounded or excessive, we reserve the right to refuse or to make a charge.
If we refuse any requests on the above grounds, we will tell the individual why and inform them that they have the right to complain to the supervisory authority and to a judicial remedy. We will do this within one month of the request.

Our lawful basis for processing personal data
We hold personal data as described above, to enable us to:

• Conduct assessments for individuals who require our advice and specification for our products on a consultative basis.
• Manufacture the relevant product in conjunction with an individual assessment.
• Contact and update our customers, dealers, assessors, suppliers and other interested, opted-in parties with relevant information about things such as our products, services, pricing and other business developments.

Consent
We understand that consent for us to hold personal data must be:

• Freely given
• Specific
• Informed
• Unambiguous

We understand the need for positive opt-in and that consent cannot be inferred from silence, pre-ticked boxes or inactivity. We have always included a quick, easy ‘unsubscribe’ link on our email marketing communications. We have also expressly advised our entire marketing database that they can continue to hear from us by actively ‘opting-in’ to clarify that they are comfortable with this.

Data Security and Retention Policy
Our IT systems are monitored and backed up continuously. We have an active security policy in place to ensure that all data is backed up and held in a safe, confidential environment, including a secure, encrypted virtual server. All of our laptops have an activated encryption function in the event of theft/misuse.

We hold personal data for a minimum of 5 (five) years, and an average maximum of 8 (eight) years, for product warranty purposes, after which time it will be deleted.

Registration with ICO
Ergochair Ltd is registered with the Information Commissioner’s Office. You can view our registration here: https://ico.org.uk/ESDWebPages/Entry/ZA321097 or by visiting the Information Commissioner’s Website at ico.org.uk and entering the following reference number: ZA321097

Data Protection Officer

Our nominated Data Protection Officer registered with ICO is Robert Lunga.

If you wish to discuss any aspect of this document, please contact Robert at: hello@ergochair.co.uk or by calling 01454 329210.

Subject access requests should be submitted in writing to: Mr. Robert Lunga, Ergochair Ltd, Unit 1, Rainbow Court, Armstrong Way, Yate, Bristol, BS37 5NG

© Ergochair Ltd – 2022
