Last Updated: 10th August 2018
At Halcyon Drives, your privacy is very important to us. We want you to be confident that the information you provide when conducting business with us is safe and secure either as a customer, supplier, a user of our website or any other 3rd party.
All personal data stored and processed by us will be in line with the applicable European and UK regulations:
- The General Data Protection Regulation (GDPR) - (EU) 2016/679
- The Privacy and Electronic Communications (PECR) - EC Directive Regulations 2003
The data controller is Halcyon Drives Ltd whose head office is based in the UK.
This policy applies to all individuals who have contact with us where their personal information would need to be collected, stored and processed in line with our standard commercial needs, as detailed in sections 2 & 3.
We are a business-to-business (B2B) engineering company and our scope does not require us to collect, store and process personally sensitive information.
- the personal information we collect and why;
- why we process your personal information;
- when and why we will disclose your personal information to other organisations;
- your personal information rights and responsibilities;
- general website use – cookies and site links;
- how we keep your information secure and confidential;
- how long we will hold your information for;
- how to contact us or the data protection regulator;
2. Personal information we collect and why
For us to provide/request quotes, process orders, provide support for goods/services and generally manage your account, personal information stored for these purposes is limited to that needed including:
- job title;
- company email address;
- company related mobile/direct-dial numbers;
- details of your interactions with us regarding quotes, orders or other commercial reasons e.g. copies of emails or notes from conversations held, feedback or complaints.
This information will be stored alongside the general company name, company postal & billing address etc as necessary.
Some individuals may provide other non-work related personal information such as home addresses, alternate phone numbers etc. for work related purposes e.g. they work from home and require information sent direct to them. Information of this kind will only be stored and used as instructed by them. You should always take care when volunteering non-work related personal information.
Credit card details may be required to complete delivery/collection of an order. Credit card details are not stored by Halcyon Drives.
As a customer of our products & services, the name and email address you provide to us for commercial purposes may be used to keep you updated about our company or related products/services you have purchased from us via our e-Newsletter. This only applies to known B2B customer contacts; sole traders and some partnerships are exempt (see Section 3 – Why we process your personal information).
Where we have obtained your details lawfully as a prospective customer of our goods and services or you have a current/past customer relationship with us, we may use your personal information to keep you directly updated (by email, telephone or post) about our goods or services, including new products, promotions and events.
Request/Send information or feedback
Subscription and Contact Us forms etc. are available throughout the website to request/send information or give feedback to Halcyon Drives. The personal data needed from the user will only be that necessary to fulfil the function stated e.g.
- Contact Us will require an individual’s name, email address and message as minimum. Other information such as company name, phone number etc. may be needed if dealing with a company related issue requiring a follow-up action.
- Newsletter subscriptions only require a valid email address, company name and the name of an individual (allowing us to give a more personalised service). Regrettably, due to the current ePrivacy regulation, we are unable to provide our e-Newsletter to non-commercial subscribers.
Visitors to our company premises
For security purposes, CCTV operates around the company premises. Your image may be recorded in and around our building which may also include your vehicle registration number when using our car park. The CCTV operates on a continuous loop, so all recorded images will be overwritten within 30 days of recording. Copies of CCTV images may be made if required by law or other legal proceedings and shared with the appropriate authorities where necessary.
In the interests of security and as required by our health & safety policies, all our visitors are required to sign-in when entering our company. We will only require an individual’s name, arrival & leave times and the person visited. This information is required so:
- we know who is on site for safety reasons i.e. roll call after building evacuation etc.;
- we can be sure who is authorised to be on site;
All visitors will be required to wear a badge number linked to their sign-in details to confirm they are authorised to be on Halcyon Drives premises.
Sign-in details are kept no longer than 30 days unless required by law or any other legal proceedings.
3. Why we process your personal information
Your personal information is only collected and used (as described in section 2) in accordance with the European GDPR. Our processing of your personal information is based on the following grounds:
- Contractual – where your personal data is required to quote or enter into/fulfil a contract for our goods & services.
- Consent – an individual has consented to their information being stored and processed to complete the task relevant to the consent given e.g. subscription to our newsletter for non-commercial individuals. Consent to store an individual’s information will be overridden where there is a contractual/legal need to do so.
- Legitimate Interests – As a B2B company, Halcyon Drives have and use the concept of “legitimate interests” to keep our customers up-to-date with other industry related goods & services that they may find of interest based on a past/current contractual relationship with them. This may include:
- contact from a representative responsible for a customer’s account;
- delivery of our newsletters or other relevant email campaigns; non-commercial private individuals, sole traders and some partnerships will still be required to give their explicit opt-in consent as required by ‘The Privacy & Electronic Communication Regulations (PECR)’.
- where we have lawfully obtained personal information of a prospective customer, we may use our legitimate interest to store and process this information for direct marketing purposes (by email, telephone or post) about our goods or services, including new products, promotions and events that we think would be of interest. E-marketing is not covered under this basis and would require opt-in consent from any prospective customer.
An individual may withdraw their permission for us to use their personal information for our legitimate interest at any time by contacting us directly (see Section 10 – How to contact us) or can simply unsubscribe from any of our e-marketing newsletters they do not wish to receive by clicking on the unsubscribe link at the bottom of each email.
4. When and why personal information is disclosed to other organisations
The personal information we collect from you is confidential.
We work closely with other 3rd party providers and partners (referred to in this policy as “data processors”) to support the goods & services we supply. It may be necessary for us to share an individual’s details with them to provide a tailored service on our behalf. All data processors acting on our behalf will have to comply with all applicable European data protection regulations. A data processor is not permitted to use the personal information we provide them for their own marketing purposes unless they have a direct legitimate basis with you for doing so.
Primary partners we use, information we provide and their basis for processing an individual’s information on our behalf include:
TNT Courier Service - name and contact information (email, phone etc.)
- provided to allow completion of a requested personally named delivery.
ABB Group, Rockwell Automation, Riello UPS, PULS – name and contact information (email, phone etc.)
- provided to allow completion of any required/requested direct deliveries.
- to allow individual contact for other requested support services i.e. sales/technical product support etc.
Wired Marketing – name and email address
- a trusted company for the electronic distribution of our personalised newsletter or other email campaigns an individual may be subscribed to. An individual’s data is kept secure, not distributed across the email platform and used only to deliver our email an individual has been subscribed to.
- provides us statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
- with an easy unsubscribe option, the email address is held as reference to prevent accidental adding to an already unsubscribed campaign.
Your personal information may also be shared:
- if required to do so by law;
- if necessary as part of any legal or potential legal proceedings;
5. Your personal information rights and responsibilities
The General Data Protection Regulation (GDPR) - (EU) 2016/679 describes how organisations, including Halcyon Drives, must collect, handle and store personal information. Under this regulation, an individual has certain rights with regard to the personal information we hold on them.
The right to be informed
The right of access
Personal information of an individual is stored securely in-house on our CRM database system and, in most cases, is linked directly to the company to which they belong. On written request via email or letter, we can provide, free of charge, a copy of the personal information we hold on you and the purpose of its use (see Section 10 – How to contact us). Halcyon Drives reserves the right to validate any such request before sending personal information to an individual. A small administration fee will be chargeable where a request is deemed to be manifestly unfounded or excessive.
The right to rectification
The personal information we hold on an individual is strictly limited to that needed as detailed in this policy.
Where we have regular contact with individuals (usually on a contractual basis), we can validate and rectify, where necessary, the personal information we hold.
If an individual is aware of data inaccuracies related to them, a request to rectify these details can be made (see Section 10 – How to contact us).
The right to be forgotten
All individuals in certain circumstances have the right to have their personal data erased from our systems.
When a request is made, we aim to remove the personal information within one month from our active systems.
To protect our data, Halcyon Drives has a long-term backup and archive retention policy in place for data stored electronically. It is not possible to immediately remove an individual’s data from the complete backup (see section 8 - How long do we keep your personal information).
Where the data forms part of a complete or active contract, we are required to keep copies of all documentation that form part of that contract under a commercial, legal or regulatory basis. Under these circumstances the full right to be forgotten would not apply, but where applicable we would restrict any access and future use of your data.
The right to restrict processing
We only store and use an individual’s data for the reasons specified in section 2 & 3. Therefore, there is limited scope for the restriction of an individual’s data. Your restriction rights may include:
- where you believe your personal information to be incorrect and requires updating before use;
- where we are unable to fully comply with a ‘right to be forgotten’ request on contractual or legal grounds. This would not preclude us processing your data if needed on a contractual or legal basis;
The right to data portability
As a B2B organisation an individual's data we collect is limited to that needed as specified in section 2 & 3. All other information is company-wide and not directly related to an individual e.g. purchase orders, transactions etc and generally falls outside the scope of data portability.
The right to object
You have the right to object to and restrict certain processing of your data including where we use it for our legitimate interests. This includes:
- no contact request - you have or are dealing with us on a contractual basis, but do not want a company representative to contact you for any other reason than that needed to discuss a contract or potential contract you are involved in. This would not preclude us from contacting other individuals within the same organisation;
- the right to object to our processing of your data for direct marketing, which you can exercise by using the "unsubscribe" link in such marketing communications;
Your personal data may still be processed if we are contractually or legally obliged to do so.
Rights in relation to automated decision making and profiling
Decision making & profiling of an individual is not conducted within our organisation.
6. General use of our website and other third-party sites
Cookies and why we use them
- What is a cookie? - A cookie is a small amount of data, often including a unique identifier, sent to the browser and stored on the device connected to a website. To protect your privacy, your browser only permits a website to access the cookies it has already sent to you, and not the cookies sent to you by other websites. Cookies are harmless files which can help improve your experience of using a website because, among other things, they help us to:
- understand your browsing habits;
- respond to you as an individual by tailoring our operations to your needs, likes and dislikes by gathering and remembering information about your preferences;
- monitor which pages you find useful and which you do not;
- understand the number of visitors so that we can analyse data about web traffic which helps us improve our site;
A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
Many websites do this whenever a user visits them to track online traffic flows. On the Halcyon Drives website, our cookies record information about your online preferences, so we can tailor the site to your interests. You can set your device’s preferences to accept all cookies, notify you when a cookie is issued, or not receive cookies at all. Selecting the last option means you will not receive certain personalised features, which may result in you being unable to take full advantage of all the website's features.
- Required - we use a set of cookies which are critical to the functionality of the site.
- They are used to keep a user logged in and remember previous preferences for our logged-in users. These are mostly seen in support of our own website administrators.
- Google Analytics - used to help us to understand how you make use of our content and work out how we can make things better. These cookies follow your progress through our website, collecting anonymous data on where you have come from, which pages you visit, and how long you spend on the site. This data is then stored by Google to create reports. These cookies do not store your personal data.
The information generated by the cookie about your use of the website, including your IP address, may be transmitted to and stored by Google on servers in the United States. Google may use this information for evaluating your use of the website, compiling reports on website activity for us and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. By using our website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
- Social Sharing – We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work, social media sites including Facebook, Twitter and Google+ will set cookies through our site which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.
Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this for a wide variety of browsers. You will also find details on how to clear cookies from your computer as well as more general information about cookies. For information on how to do this on your mobile phone’s browser, you will need to refer to your handset manual.
Third party websites
As part of our service, we may provide links from our website or emails to other third-party websites which may have their own privacy policies and terms & conditions. We are not responsible for the privacy policies or practices of third-party websites and we encourage you to read them before continuing to use these sites.
7. How we keep your information secure and confidential
Keeping information about you secure is very important to us.
We store, process and restrict unauthorised access to your personal information in accordance with the high standards required under the European GDPR as detailed in our ‘Data Protection’ and ‘Information Security’ policies (copies available on request).
Our primary data servers are located in-house at our offices based in the UK. We have access to cloud storage facilities through Microsoft’s O365 with servers located within the European Economic Area ("EEA").
From time to time and for operational reasons the personal information we collect from you may be transferred to and stored in countries outside of the European Economic Area ("EEA"). Your information may also be processed by some of our service providers which operate outside the EEA. Different countries have different data protection and security laws and some of these do not offer the same level of protection as you enjoy under European GDPR. However, when we appoint our service providers to help us provide products and services to you (which may include some based in the USA), we take care to ensure that they have appropriate security measures in place to the minimum standards required under the European GDPR.
8. How long do we keep your personal information?
Personal information of an individual may be held as part of a wider organisation’s contact listings acquired either through consent, legitimate interest or on a contractual basis.
Where there is an ongoing contractual relationship, the data will be held for a period of 3 years on our CRM system.
To fulfil any future safety or legal obligations, data of individuals involved in design, build and implementation of bespoke projects could be held separately and indefinitely as part of the project’s engineering files.
Direct Marketing/Account Management
An individual’s information obtained and used for direct marketing and/or account management will be held for:
- 5 years for individuals with no established contractual relationship.
- 12 years for individuals from date of last contract for customers. This would include prospective customers who have requested and received quotations from us in the past.
Revalidate, update or delete
If you have contacted us in the past regarding our products and services, we may get in touch with you to ensure you're still happy to remain on our database and for us to stay in contact with you. We are only able to contact you providing we have not been restricted otherwise (see section 5 - Your personal information rights and responsibilities).
Where possible, an individual’s details are revalidated at least every three years and, if necessary, updated or deleted if requested to do so or the individual is no longer available. Revalidation may be part of an ongoing process when dealing with an individual e.g. through active quoting or face-to-face contact with an account manager etc.
After deletion an individual’s personal information may persist on back-up or archival media for legal, tax or regulatory purposes or until full rotation of our backup cycle.
Backup and archive
To protect our data, Halcyon Drives has a long-term backup and archive retention policy in place for data stored electronically. It is not possible to remove an individual’s personal data from a complete backup set. Our normal backup rotation will see all data removed gradually over a period of two years. Processes and protection are in place to ensure that an individual’s erased data from our active systems is not generally accessible, restored and made available for use from our backup data.
9. Policy amendments
10. How to contact us or the data protection regulator
If you have any queries relating to our use of your personal information or any other related data protection questions, you can discuss this with your account manager, our sales team or email our Data Protection Manager at or write to:
Data Protection Manager
Halcyon Drives Ltd
Leeds, LS28 6EA
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the data protection regulator. In the UK, this is the Information Commissioner’s Office (ICO).
You can contact them by calling their helpline on 0303 123 1113
Or online at www.ico.org.uk/concerns