GDPR STATEMENT OF COMPLIANCE FOR CATHERINE COOPER
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by emailing me, or from a purchase, for example) you should read this to reassure yourself that I am looking after your data extremely responsibly.
1 Awareness
I am a sole trader so there is no one else in my organisation to make aware.
2 The information I hold:
- Email addresses, postal addresses and names of contacts in schools who have booked school visits.
- Email addresses, postal addresses, and names of people who have emailed me or bought something from me.
I do not share this information with anyone. Ever.
If someone randomly asks for another person’s email address, I always check with the other person first. Email addresses or contact addresses are never given out to anyone without the addressee’s written permission.
3 Communicating privacy information
If at any time you wish for your contacts to be deleted from my address book, please contact me either by email or letter.
4 Individuals’ rights
On written request, I will delete data.
If someone asked to see their data, I would take a screenshot of their entry/entries.
5 Subject access requests
I aim to respond to all requests within 24 hours and usually much sooner.
6 Lawful basis for processing data
- If people have emailed me, they have given me their email address. I do not actively add it to a list but the email is automatically saved. I will not add it to any database or spreadsheet.
- If people have bought something from me, their postal and email addresses are saved on the orders. This is standard practice for purchasing online but I do not use their data for anything other than contacting them about a problem with the order.
7 Consent
I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.
8 Children
Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address but a copy of the correspondence is automatically saved in the sent folder. Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.
9 Data breaches
I have done everything I can to prevent this, by strongly password-protecting my computer and accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.
10 Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
11 Data Protection Officers
I have appointed myself as the Data Protection Officer, in the absence of anyone else.
12 International
My lead data protection supervisory authority is the UK’s ICO.