Privacy, Data Protection & GDPR

Privacy Statement

This privacy statement sets out:

  • What information Exertis Supply Chain Services collects from you and why,
  • How Exertis Supply Chain Services uses and protects any information that you give and
  • How you can access and manage your information.

Exertis Supply Chain Services is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, you can be assured that it will only be used in accordance with this privacy statement. Exertis Supply Chain Services may change this statement from time to time by updating this page. We will make clear whenever any changes are made. This statement is effective from May 25th 2018.

What we collect

We may collect the following information:

  • Name
  • Job title
  • Company name
  • Contact information including email address
  • Demographic information such as postcode, preferences and interests
  • Information relevant to specific customer offers and/or surveys which will be explained at the time
  • IP Address
  • Browsing history on our site
  • Referral source
  • Search word history

What we do with the information we gather

We require this information to understand your needs and provide you with a better service. In particular, we will use it for the following legitimate interests of our business:

  • Monitoring, recording and storing telephone or email communications for the purpose of internal training, to improve the quality of our customer service and in order to meet any legal and regulatory requirements;
  • Improving our products and services
  • Customising our website according to your interests
  • Periodically sending you promotional mails, emails, or SMS messages and social media posts about new products, special offers or other information which we think you may find interesting using the contact details which you have provided
  • Remarketing with targeted digital advertising
  • Using your information to contact you for market research purposes and
  • To contact you by phone in relation to the above.

We will also use your information to manage our contractual relationship with you for:

  • Internal record keeping and account management purposes, for example verifying your identity and fulfilling orders you place and
  • Contacting you by email, phone or mail for the purposes of account administration and/or processing and fulfilling orders.

If you contact us or we contact you, we may ask for certain information from you to confirm your identity, check our records and deal with your account efficiently and correctly.

Where we have asked for your consent to use your personal information for a particular purpose, this consent may be withdrawn by you at any time. Please see the section entitled ‘Controlling your personal information’ below.

Security

The security of your information is very important to us. As part of our commitment to keeping your data safe, our technical experts maintain physical, electronic and managerial procedures to safeguard the information we collect online.

Only authorised employees and carefully checked agents, contractors and sub-contractors, who provide a particular data processing service for us, are permitted access to your data. These people will only be allowed access to your data for the purposes identified within this Privacy Policy, processing it on our behalf or for IT security and maintenance.

If a third party processing your data on our behalf is located in a non-EU country that does not have data protection laws equivalent to those in the EU, we will always take appropriate additional steps to ensure that your personal information is kept safe and secure by those processing your data on our behalf. This will generally involve ensuring that such third party agrees to sign up to a formal legal agreement committing such party to comply with standards equivalent to those that would apply were that party to be located within the EU.

We aim to protect all of our customers from fraud. As part of this, we may use your personal information to verify your identity to help prevent or detect fraud. These checks may involve your information being disclosed to credit reference agencies, who may keep a record of that information. This is not a credit check and your credit rating will be unaffected.

How long we hold your information for

The time period for which we keep information varies according to what we use the information for. Unless there is a specific legal requirement for us to keep information, we will keep your information for as long as it is relevant and useful for the purpose for which it was collected.

Where we are using your personal information to send you marketing information we will retain that for 5 years as we understand that you will not buy from us on every occasion but frequently we see repeat purchases from customers in this time period. We will retain your account information for 7 years in line with our Data Retention Policy.

You are entitled to request that we erase your personal information at any time, for example where you cease to be an active customer of ours. Whilst we will generally seek to comply with your request, there will be circumstances where we are entitled to retain such personal information (e.g. in respect of legal claims).

Controlling your personal information

You may choose to restrict or control the collection or use of your personal information in the following circumstances:

  • When you are asked to fill in a form on the website or elsewhere (ensure that you do not tick any box which consents to our use of your personal information if you do not want us to use your personal information for those purposes)
  • If you have previously agreed to us using your personal information for specific purposes and wish to change your mind
  • If you wish for your personal information to be erased from our systems
  • If you wish for us to transfer your personal information to a third party (e.g. another service provider). In this case, we will provide you with certain personal information held by us for you to pass to that third party (or, in certain circumstances, we may be able to transfer that data to such third party directly if you wish for us to do so).

You have the right to:

  • Know that information is being processed
  • Access information that is being processed
  • Rectification of information being processed
  • Erasure of information held on you (commonly known as the right to be forgotten)
  • Restrict processing
  • Be notified about what information has been rectified, erased and restricted
  • Portability (that is, to request your data be handed over to someone else)
  • Object to the processing of your information.

It is important to note that this is not an absolute right to review all the information that is held about you, as there are various exceptions to this right. These include:

  • Where personal data is kept for the purpose of preventing, detecting or investigating offences and related matters and
  • Where the data is given by another person in confidence

If you want to remove a consent or request erasure or transfer of your personal information, you may do so at any time by:

  • writing to us at Exertis Supply Chain Services, Director Responsible for Data Protection, Unit 21 Fonthill Business Park, Clondalkin, Dublin D22 FR82, Ireland
  • emailing us at scsdataprotection@exertis.com
  • calling us on +353 1 405 6586.

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. Where we do seek your permission we will name the relevant third party at the time we seek such permission from you and any such permission shall be limited to that third party.

Sometimes we may have to pass information to statutory bodies authorised to obtain data under various legislation, such as the Gardaí or tax authority.

If you believe that any information we are holding on you is incorrect or incomplete, please write, email or call us as soon as possible, using the details set out above. We will promptly correct any information found to be incorrect.

To protect your privacy and security, we will take reasonable steps to verify your identity before granting access or making corrections.

This policy replaces all previous versions and is correct as of May 25th 2018. We reserve the right to change the policy at any time.

Data Protection Policy

We are committed to doing business with integrity, which includes taking good care of the personal information of our customers and other people that we use as part of doing business.

The processing of personal information is integral to many of our operations. It ensures that we can meet the expectations of our customers and improve our service to them. The people whose information we use trust us to safeguard that information.

If we fail to put in place the right controls to ensure that personal information is not abused, lost, passed to unauthorised parties or allowed to become out of date, then we lose the trust of those whose information we are looking after and we might also be breaking the law.

The General Data Protection Regulation (referred to as the “GDPR”) provides rules which apply to the collection, use, disclosure, interception, monitoring and transfer abroad of information about individuals which includes customer personal data. GDPR sets out the principles that we must follow when processing personal data about individuals and also gives individuals certain rights in relation to personal data that is held about them.

Related legislation, the e-Privacy Regulation, sets out rules about use of personal data for marketing by email, SMS and telephone. Compliance with this policy will also address the requirements of the e-Privacy Regulation.

The aims of this policy are to assist us in meeting our obligations under GDPR and e-Privacy regulations.

Data Protection Principles

GDPR is framed around clear data protection principles. We must observe these data protection principles and be able to show that appropriate steps have been taken to ensure compliance with the principles. In summary these state that personal data must:

  • Be obtained and processed fairly
  • Be used and disclosed for specified, explicit and legitimate purposes and not in any manner incompatible with those purposes
  • Be adequate, relevant and not excessive
  • Be accurate, complete and up-to-date
  • Not be kept for longer than is necessary for the purpose(s) for which it was obtained
  • Be processed in line with the rights given to individuals under the GDPR
  • Be kept safe and secure.

Importantly, we must be able to demonstrate to the relevant authority that we have taken appropriate measures to ensure that we are complying with these principles.

What is Personal Data?

Personal data is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. The data protection principles apply to any sort of personal data which is either electronically processed (e.g. on a database) or which is held or intended to be in a structured filing system (e.g. a set of personnel files).

What we have to tell people when we collect their information

When we obtain information about an individual, we need to be transparent about who we are and how we will use the information. We always need to provide:

  • The identity of Exertis and contact details of the person responsible for data protection in Exertis
  • The purposes of the processing for which the information is being obtained as well as the legal basis for the processing (e.g. legitimate interests of Exertis)
  • Who outside Exertis will receive the information (any such transfer to a third party needs to follow the rules in this Policy)
  • Where applicable, the fact that Exertis intends to transfer the information to a company based in a country outside the European Economic Area
  • Any additional information necessary to be fair and transparent in our use of the information.
  • The period for which the information will be stored, or if that is not possible, how we determine that period
  • The existence of the right to request from Exertis access to and rectification or erasure of the information or restriction of our use of the information concerning or to object to our use of the information as well as the right to ask us to transfer the information to someone else
  • The existence of the right to withdraw consent at any time (if the use of information is based on consent)
  • The right to lodge a complaint with the relevant regulating authority
  • Whether the provision of the information is a statutory (i.e. legal) or contractual requirement
  • The existence of any automated decision-making (e.g. by a computer program), and meaningful information about the process involved, the significance of, and the envisaged consequences of such use (e.g. where an individual is identified as being a priority delivery customer based on an analysis of data from other sources).

Monitoring and interception

You are entitled to know about any monitoring of electronic and telephone communications systems or CCTV surveillance that Exertis may undertake. CCTV monitoring will be indicated by signage although from time to time Exertis may have to undertake covert monitoring for purposes of security or otherwise to protect its legitimate business interests. Information about monitoring of electronic communications systems can be found in Exertis’ CCTV Policy. All covert monitoring must be authorised by the director responsible for data protection.

Third Party Data

Our Commitment To Protecting the Personal Information Of Customers and Other Third Parties

Privacy of customer, supplier and contractor data is important to us. To better protect customer privacy we provide a notice on our website and in our marketing publications to explain our information practices and the choices a customer can make about the way his or her information is collected and used. To make this notice easy to find, we make it available on our homepage and at every point where we may request personal information from a customer or third party.

The Way Exertis Uses Customer Information

We use the information a customer provides when placing an order only to complete that order, maintain high levels of customer service and to contact them about buying more of those, or similar, products for a limited time afterwards. We do not share this information with outside parties except to the extent necessary to complete that order. On occasions it may be necessary for us to communicate with the customer for administrative or operational reasons relating to the services provided.

We use return email addresses to answer the email we receive. Such addresses are not used for any other purpose, and are not shared with outside parties without explicit consent.

When obtaining customer contact details, Exertis will either rely on its legitimate interest to market its products to customers or will seek the customer’s permission about use of the customer’s data and contact preferences. Where there is a legitimate interest or the customer has consented, contact details may be used to supply information to the customer by telephone, SMS, email or post, about Exertis and to send occasional promotional material, such as information about special offers which we think the customer might find valuable. We must always make clear that the customer may opt out from receiving future information at any time; we can only contact the customer by post if the customer has specifically opted in to receive communications from us or we have another legitimate business purpose (such as marketing or account management) for contacting them.

Marketing by email or telephone is governed by slightly different rules – you must always check with the relevant team before using any personal data for email or telephone marketing respectively. In general, we are allowed to market to customers by email or telephone if they have provided their contact details to us as part of a transaction in which they bought goods from us – for a limited period (our retention policy is available on request to scsdataprotection@exertis.com) we can use the details they provided to market to them more of the products which they originally purchased.

Our Commitment to Data Security

To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect. Access to the information which is provided by customers will be limited to authorised employees as required for the purposes identified above as well as IT security and maintenance.

Any personal information provided by a customer may be used to verify the customer’s identity and assist us in preventing or detecting fraud. As part of these checks customer information may be disclosed to credit reference agencies, who may keep a record of that information. This is not a credit check and the customer’s credit rating will be unaffected.

Third Party Access to or Correction of Information Held

A third party is able to withdraw his or her consent to processing or request access to all of his or her personal information that we collect online and maintain by writing to Director Responsible for Data Protection, Exertis Supply Chain Services, Unit 21 Fonthill Business Park, Clondalkin, Dublin D22 FR82, Ireland.

To protect privacy and security, we must take reasonable steps to verify the third party’s identity before granting access or making corrections. The third party will need to confirm in writing (including by email) their full name, full address, date of birth and a description of the information required.

GDPR allows Exertis one month to provide the requested personal information. This starts from the date we receive the request containing enough information for us to identify the customer and locate the information requested and proof of identity (e.g. photocopy of driving licence). However, we will try to provide this information as soon as possible within this timescale.

A third party can correct factual errors in his or her personal information that we hold by sending us a request that credibly shows that there is an error in our records.

Data protection rights exist in voice and video recordings. We must treat video and voice recordings in the same way we treat other personal data.

Voice Recordings: In the event of a disputed fact arising from a telephone conversation which has been recorded, the recording of the relevant part of the conversation may be disclosed to the customer, provided the release form in has been completed, and a copy retained on file.

Video Recordings: Any request for access to video recordings should be dealt with in accordance with the Exertis CCTV policy.

Processing of Information by Service Providers on our behalf

Exertis will sometimes need to use a third party to provide services on its behalf which will involve the use of customer information, for example a mailing house for marketing purposes or outsourced IT solutions.

If you are involved in transferring any data for processing on behalf of Exertis to a third party you must ensure that a Data Processing Agreement is signed by the director responsible for data protection and by the third party and that an appropriate IT security risk assessment is performed by the local security officer.

Requests from police or government departments

Requests from the police and government departments are not data subject access requests but classed as requests for disclosure by a third party. The GDPR expressly provides that such requests may be exempt from the data protection principle regarding restriction of access to personal data if the conditions set out in the relevant exemptions apply, namely that there is a statutory right for them to have access to that information.

Although these are not subject access requests, Exertis must maintain a good audit trail, good tracking system and ensure that all disclosures are properly recorded with reasons given for the disclosure.

All requests that have been received by Exertis should be referred to the director responsible for data protection who will log the request and handle the response process.

Any such request from the police, tax authorities or other government department should be referred to the director responsible for data protection. Please note that private organisations are not authorised to investigate criminal activity so the exemption may not apply.

The director responsible for data protection will:

  • Maintain a log of all requests
  • Ensure these written requests are signed off by someone in authority in the requesting organisation in a formal request
  • Maintain a copy of information sent in response
  • If redactions (i.e. black outs) are applied, reasons for the redaction are to be maintained
  • Ensure that sent documents are signed off by the relevant manager
  • Ensure appropriately secure mode of despatch e.g. recorded delivery, encryption

For every request for personal information received through a formal request, the director responsible for data protection will ask the following questions:

  • Am I sure the person is who they say they are (only formal written requests are to be processed)?
  • Is the person asking for this information doing so under a statutory power or under a court order – obtain written confirmation?
  • If I do not release the personal information, will this significantly harm any attempt by the requesting authority to prevent crime or catch a suspect?
  • If I do decide to release personal information, what is the minimum I should release for them to do their job?
  • What else (if anything) do I need to know to be sure that the exemption applies?

Privacy by Design: Recording Decisions which affect Data Protection

GDPR introduces the concept of a data protection impact assessment (a “DPIA”), which is a requirement when the business processes personal data which is “likely to result in a high risk to the rights and freedoms” of the subject of the data.

We will use DPIAs as a compliance tool to describe, assess and mitigate the risks to an individual’s rights and freedoms from the processing of personal data and also to demonstrate the measures we will take to ensure compliance.

The minimal requirements for a DPIA are that the assessment shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to address the risks

We will always carry out a DPIA prior to introducing any new data processing or where changes to an existing process will have an impact on personal data. The ultimate accountability for ensuring a DPIA is in place lies with the data controller. Failure to comply with DPIA requirements under GDPR can result in very substantial fines.

A single DPIA may be used for a single processing operation or to address a set of similar processing operations that present similar high risks, as long as sufficient consideration is given to the nature, scope, context and purpose of the processing. Situations that may particularly indicate a high risk which will require a DPIA include where we undertake the following:

  • evaluation or scoring, including profiling or predicting
  • automated decision making with legal or similar significant effect
  • systematic monitoring
  • processing of sensitive data
  • data processed on a large scale
  • datasets that have been matched or combined
  • data concerning vulnerable data subjects
  • innovative use or applying technological or organisational solutions
  • data transfer across borders outside the European Union
  • where the processing itself prevents data subjects from exercising a right or using a service or contract

The DPIA will be a record of our decision-making process where we are taking any steps that have an impact on personal data in our business. A record of all DPIAs will be retained centrally by the director responsible for data protection.

GDPR Statement

The General Data Protection Regulation (GDPR) came into effect on 25th May, 2018.

All defined terms in this GDPR Statement shall have the meaning ascribed to them under the GDPR legislation.

We will in some instances act as a data processor and in others act as a data controller and/or joint data controller. To ensure that there is consistency with regard to the statements we make in relation to GDPR and to reinforce that we take our obligations under the legislation very seriously, we advise that:

When we are acting as a data processor, we will:

  • not process personal data except on instructions from the data controller
  • agree a data processing agreement with the relevant data controller
  • use reasonable endeavours to assist any controller, whose personal data we are processing, in fulfilling its obligations to respond to requests from data subjects
  • implement and maintain an information security program
  • ensure that people authorised to process personal data are subject to a duty of confidentiality
  • co-operate with Supervisory Authorities
  • inform the controller without undue delay after becoming aware of any personal data breach
  • not subcontract processing activities without prior written authorisation from the relevant controller
  • put in place adequate processes to ensure that personal data is adequately protected if transferred outside the EU

When we are acting as a data controller, we will:

  • process personal data in accordance with the principles and grounds for processing set out in the legislation
  • provide the necessary information to data subjects when we collect personal data
  • put in place processes and procedures to allow data subjects to exercise their data subject rights
  • put in place suitable measures to safeguard data subjects’ rights where automated decision making is necessary
  • embrace the concepts of privacy by design and default
  • agree a data processor agreement with any processors
  • co-operate with Supervisory Authorities
  • implement and maintain an information security programme
  • make all notifications required under the legislation upon becoming aware of any personal data breach which requires notification
  • carry out Data Protection Impact Assessments where required
  • put in place adequate processes to ensure that personal data is adequately protected if transferred outside the EU

Questions

All questions related to Privacy, Data Protection or GDPR should be referred to the director responsible for data protection. 

Request Form

A Subject Access request can be initiated by filling out the following form. In line with GDPR, your request will be dealt with within 30 days. Please use the same form to request changes to the information we hold about you.

    Exertis Supply Chain Services (SCS) is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

    You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Data Protection & Privacy Policy.

    By clicking the button below, you consent to allow Exertis SCS to store and process the personal information submitted above to provide you the content requested.