GDPR & Data Protection Policy
Company Name: The Carpet Shop (Swindon) Ltd
Version: 2.0 Effective Date: 01/04/2026 Review Date: 01/04/2027
1.Policy Statement The Carpet Shop (Swindon) Ltd is committed to protecting the privacy and personal information of our customers, employees, suppliers, and business contacts. We recognise the importance of handling personal data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we collect, use, store, and protect personal data in the course of our business activities.
2. Scope This policy applies to: • All employees, directors, contractors, and temporary staff. • All personal data processed by the business. • Paper records and electronic systems containing personal information.
3. What Personal Data We Collect Depending on our business activities, we may collect: Customer Data • Names • Addresses • Email addresses • Telephone numbers • Payment and invoicing information Employee Data • Contact details • Emergency contact information • Payroll information • Bank details • Employment records Supplier and Contractor Data • Contact details • Company information • Bank details for payments We only collect information that is necessary for legitimate business purposes.
4. How We Use Personal Data We process personal data for purposes including: • Providing products and services • Responding to enquiries • Managing customer accounts • Processing payments and invoices • Managing employment relationships • Meeting legal and regulatory obligations • Preventing fraud and maintaining security We will not use personal data for purposes that are incompatible with the reasons for which it was originally collected.
5. Lawful Basis for Processing We only process personal data where we have a lawful basis to do so, including: Contract Where processing is necessary to fulfil a contract with a customer, employee, or supplier. Legal Obligation Where UK law requires us to process information, such as tax or employment legislation. Legitimate Interests Where processing supports the operation and management of our business, provided it does not override individual privacy rights. Consent Where explicit consent is required, such as certain marketing activities.
6. Data Security We take appropriate measures to protect personal data from loss, misuse, unauthorised access, disclosure, or alteration. These measures include: • Password-protected computers and devices. • Secure cloud storage and software systems. • Restricted access to personal data. • Regular software updates and antivirus protection. • Secure disposal of confidential documents. • Staff awareness and training where appropriate. Employees must not share passwords or leave confidential information unattended.
7. Data Retention We only keep personal data for as long as necessary. Typical retention periods include: Data Type Retention Period Customer records Financial records 6 years after last transaction 6 years minimum Employee records Recruitment records 6 years after employment ends Up to 12 months Health and safety records As required by law When information is no longer required, it will be securely deleted or destroyed.
8. Sharing Personal Data We may share personal data with: • Accountants and financial advisers • Payroll providers • IT service providers • Legal or regulatory authorities when legally required We do not sell personal data to third parties. Any third parties processing data on our behalf must have appropriate safeguards in place.
9. Individual Rights Under UK GDPR, individuals have the right to: • Access their personal data. • Correct inaccurate information. • Request deletion of their data in certain circumstances. • Restrict processing. • Object to processing. • Request transfer of their data where applicable. • Withdraw consent where processing is based on consent. Requests should be made in writing to: Data Protection Contact: Howard Griffiths Email: [email protected] We aim to respond within one month of receiving a valid request.
10. Data Breaches A personal data breach may include: • Loss of personal information. • Accidental disclosure. • Unauthorised access. • Cyber security incidents. Any employee who becomes aware of a breach must report it immediately to management. The business will: 1. Investigate the incident. 2. Take steps to minimise any harm. 3. Keep records of the breach. 4. Notify the Information Commissioner's Office (ICO) where required by law.
11. Employee Responsibilities All employees and contractors are responsible for: • Following this policy. • Protecting personal information. • Only accessing data needed for their role. • Reporting data breaches promptly. • Maintaining confidentiality. Failure to comply with this policy may result in disciplinary action.
12. Marketing Where we send marketing communications, we will comply with applicable privacy and electronic communications legislation. Recipients will be given a clear opportunity to opt out of marketing communications.
13. Policy Review This policy will be reviewed annually or sooner if there are significant changes in data protection legislation or business operations. Contact Details The Carpet Shop (Swindon) Ltd Address: Unit 1 Orbit Centre, Ashworth Road, Swindon SN5 7YG Email: [email protected] Telephone: 01793 436 038
Company Name: The Carpet Shop (Swindon) Ltd
Version: 2.0 Effective Date: 01/04/2026 Review Date: 01/04/2027
1.Policy Statement The Carpet Shop (Swindon) Ltd is committed to protecting the privacy and personal information of our customers, employees, suppliers, and business contacts. We recognise the importance of handling personal data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we collect, use, store, and protect personal data in the course of our business activities.
2. Scope This policy applies to: • All employees, directors, contractors, and temporary staff. • All personal data processed by the business. • Paper records and electronic systems containing personal information.
3. What Personal Data We Collect Depending on our business activities, we may collect: Customer Data • Names • Addresses • Email addresses • Telephone numbers • Payment and invoicing information Employee Data • Contact details • Emergency contact information • Payroll information • Bank details • Employment records Supplier and Contractor Data • Contact details • Company information • Bank details for payments We only collect information that is necessary for legitimate business purposes.
4. How We Use Personal Data We process personal data for purposes including: • Providing products and services • Responding to enquiries • Managing customer accounts • Processing payments and invoices • Managing employment relationships • Meeting legal and regulatory obligations • Preventing fraud and maintaining security We will not use personal data for purposes that are incompatible with the reasons for which it was originally collected.
5. Lawful Basis for Processing We only process personal data where we have a lawful basis to do so, including: Contract Where processing is necessary to fulfil a contract with a customer, employee, or supplier. Legal Obligation Where UK law requires us to process information, such as tax or employment legislation. Legitimate Interests Where processing supports the operation and management of our business, provided it does not override individual privacy rights. Consent Where explicit consent is required, such as certain marketing activities.
6. Data Security We take appropriate measures to protect personal data from loss, misuse, unauthorised access, disclosure, or alteration. These measures include: • Password-protected computers and devices. • Secure cloud storage and software systems. • Restricted access to personal data. • Regular software updates and antivirus protection. • Secure disposal of confidential documents. • Staff awareness and training where appropriate. Employees must not share passwords or leave confidential information unattended.
7. Data Retention We only keep personal data for as long as necessary. Typical retention periods include: Data Type Retention Period Customer records Financial records 6 years after last transaction 6 years minimum Employee records Recruitment records 6 years after employment ends Up to 12 months Health and safety records As required by law When information is no longer required, it will be securely deleted or destroyed.
8. Sharing Personal Data We may share personal data with: • Accountants and financial advisers • Payroll providers • IT service providers • Legal or regulatory authorities when legally required We do not sell personal data to third parties. Any third parties processing data on our behalf must have appropriate safeguards in place.
9. Individual Rights Under UK GDPR, individuals have the right to: • Access their personal data. • Correct inaccurate information. • Request deletion of their data in certain circumstances. • Restrict processing. • Object to processing. • Request transfer of their data where applicable. • Withdraw consent where processing is based on consent. Requests should be made in writing to: Data Protection Contact: Howard Griffiths Email: [email protected] We aim to respond within one month of receiving a valid request.
10. Data Breaches A personal data breach may include: • Loss of personal information. • Accidental disclosure. • Unauthorised access. • Cyber security incidents. Any employee who becomes aware of a breach must report it immediately to management. The business will: 1. Investigate the incident. 2. Take steps to minimise any harm. 3. Keep records of the breach. 4. Notify the Information Commissioner's Office (ICO) where required by law.
11. Employee Responsibilities All employees and contractors are responsible for: • Following this policy. • Protecting personal information. • Only accessing data needed for their role. • Reporting data breaches promptly. • Maintaining confidentiality. Failure to comply with this policy may result in disciplinary action.
12. Marketing Where we send marketing communications, we will comply with applicable privacy and electronic communications legislation. Recipients will be given a clear opportunity to opt out of marketing communications.
13. Policy Review This policy will be reviewed annually or sooner if there are significant changes in data protection legislation or business operations. Contact Details The Carpet Shop (Swindon) Ltd Address: Unit 1 Orbit Centre, Ashworth Road, Swindon SN5 7YG Email: [email protected] Telephone: 01793 436 038