GDPR FAQ at INX Direct
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. GDPR is the new standard for data protection, which comes into force on 25th May 2018. One of its aims is to ensure that consumers’ personal information is protected to a higher level than before.
How is my data secured and held under GDPR?
Two of the principles of GDPR are “Privacy by Design” and “Privacy by Default”; as such, we have reviewed all the information that is supplied to us and/or captured by us, and have documented and secured it appropriately.
In addition:
- We train everyone at INX Direct, as everyone has a responsibility to help maintain the security of your data.
- We use external vendors and their technology to protect against threats and to alert us to them, which minimises any risk.
Can I ask you to correct or delete data?
Yes – you have a right to ask to “be forgotten” or to have any incorrect data corrected.
In some cases we will temporarily be unable to forget you – for example, while we are still fulfilling an order for you – but once this is complete we should be able to delete or anonymise any data held.
We anonymise, rather than delete, data where we have a compliance reason to keep a record of the order but have received a valid request from you to delete your data.
If you want to be forgotten or have any questions please contact customer service.
Do I have to give consent?
In some cases, by using our services you inherently give consent – for example, to the reasonable use of your address to deliver an order you have placed.
In other cases you will give specific consent – for example, to receive marketing communications when you register for the newsletter, or when you register for an account without checking out. You can always opt out or ask what consents have been recorded.
Does INX Direct consider itself to be a data controller and/or data processor?
Under GDPR, INX Direct will be the controller for all data we collect ourselves, and the processor for the majority of it. Whether acting as controller or processor, we will have the same obligations under GDPR to handle personal identifying information in the correct manner.
As controller, we use a number of different processors to fulfil our services to you. Each processor reports to us as controller and must adhere to the rules we set as controller. This means that if you ever have an enquiry, we are your single point of contact, as we are responsible for all our processors.
An example of a processor is the vendor of an order management system, where we manage your order data within their system. Even though your data is in their system, they are not allowed to use the data – only to support us in fulfilling our services to you.
Why do I receive marketing emails?
Under GDPR, it is important that we only send marketing communication under an appropriate legal basis. The two we are using are “consent” and “legitimate interests”.
- Consent – When you sign up to receive marketing via our newsletter sign-up form, or you register for an account on the site, you are given the option to consent to receive marketing. A declaration saying how your data will be used, and a link to the privacy policy, will be shown, along with a checkbox that needs to be checked in order to consent.
- Legitimate interests – If you are a customer of INX Direct, we have the ability to send marketing communications providing we meet strict criteria set out under GDPR. The ICO states that we can only use this legal basis if all of the following are true:
  - We obtained your details during the course of a sale.
  - The marketing messages are about similar products or services.
  - The opportunity to opt out was given at the time of data capture (initial sale), and the opportunity to opt out is given on every marketing communication received.
What are “legitimate interests”?
“Legitimate interests” is a legal basis that can be used to process data. The ICO states that it is likely to be the most appropriate where data is used in a way that people would reasonably expect and has a minimal privacy impact. There are three elements to the “legitimate interests” basis:
- Purpose test – Identification of the legitimate interest.
- Necessity test – Is processing necessary to achieve the purpose?
- Balancing test – Are the company’s interests balanced against the rights of the individual?
Where we rely on legitimate interests for processing, we will have carried out a thorough Legitimate Interest Assessment to ensure the three elements of the legal basis are met.