General Data Protection Regulation (GDPR) compliance
Welcome to Prism Innovations Limited’s (doing business as BackBliss Back Lotion & Cream Applicators) General Data Protection Regulation (GDPR) policy. We are committed to protecting the privacy and security of personal data and to complying with GDPR and all other applicable data protection law.
1. Purpose of the policy:
This policy describes how we, as an online seller of back lotion and cream applicators, collect, use, and safeguard personal data. It sets out your rights and our obligations under GDPR and other applicable data protection legislation.
2. Scope of the policy:
This policy covers all personal data processed by Prism Innovations Limited, t/a BackBliss, including the personal data of customers, clients, suppliers, and the other people we deal with in the course of our business. It also applies to the processing of personal data by our staff, subcontractors, and anyone else working on behalf of Prism Innovations Limited.
In this policy, the following terms and phrases have the following meanings:
- “Personal data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Data controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “Data processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
- “Data subject” means the identified or identifiable natural person to whom the personal data relates.
- “Supervisory authority” means an independent public authority which is responsible for monitoring the application of GDPR and other data protection laws.
- “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679).
In this policy, the terms “we,” “us,” and “our” refer to Prism Innovations Limited, trading as BackBliss, and the terms “you” and “your” refer to the data subjects whose personal data we process.
3. Principles of data protection:
We are committed to processing personal data in accordance with the principles of data protection under GDPR. These principles require that personal data be:
- Processed lawfully, fairly, and in a transparent manner.
- Collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
We will process all personal data in accordance with these principles and, as GDPR requires of a data controller, will be able to demonstrate that we do so.
4. Lawful basis for processing personal data:
Under GDPR, we may only process personal data where we have a lawful basis for doing so. Which basis applies depends on the particular circumstances and on the purpose for which the personal data is processed.
We will only process personal data if we have at least one of the following lawful bases:
- Consent: You have given us clear, informed consent to process your personal data for a specific purpose.
- Contract: The processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.
- Legal obligation: The processing is necessary for us to comply with a legal obligation to which we are subject.
- Vital interests: The processing is necessary to protect your vital interests, or the vital interests of another person.
- Public interest: The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
- Legitimate interests: The processing is necessary for our legitimate interests, or the legitimate interests of a third party, provided that your interests and fundamental rights do not override those interests.
We will only process personal data for the specific purposes for which we have obtained a lawful basis, and we will not use personal data for any other purposes without obtaining a new lawful basis. If we need to use personal data for a new purpose, we will assess whether we have a lawful basis for doing so and, if necessary, seek your consent or otherwise comply with GDPR requirements.
5. Rights of individuals:
Under GDPR, you have certain rights in relation to the personal data we process about you. These rights include the right to:
- Access your personal data: You have the right to request a copy of the personal data we hold about you, along with information about how we process that data.
- Rectify your personal data: If you believe that any of the personal data we hold about you is incorrect or incomplete, you have the right to request that we rectify it.
- Erase your personal data: In certain circumstances, you have the right to request that we erase your personal data. This is known as the “right to be forgotten.”
- Restrict the processing of your personal data: In certain circumstances, you have the right to request that we restrict the processing of your personal data. This means that we will only process your personal data in limited circumstances, such as with your consent or for the establishment, exercise, or defense of legal claims.
- Object to the processing of your personal data: In certain circumstances, you have the right to object to our processing of your personal data. This includes the right to object to processing for direct marketing purposes.
- Data portability: Where we process your personal data by automated means on the basis of your consent or a contract with you, you have the right to receive that data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted directly to another controller.
- Withdraw consent: If you have given us your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.
If you wish to exercise any of these rights, please contact us using the contact details provided in this policy. We will respond to your request without undue delay and in any case within one month of receiving it. Where a request is particularly complex, or where you have made several requests, GDPR allows us to extend this period by up to two further months; if so, we will tell you within the first month and explain why. Please note that we may need to ask you for additional information in order to verify your identity before we act on your request.
6. Data security:
We take the security of personal data seriously and have put in place appropriate technical and organisational measures to protect it against unauthorised access, use, disclosure, alteration, loss, or destruction. These measures include:
- Encryption in transit: We use Transport Layer Security (TLS, the current successor to SSL, as used by HTTPS) to protect personal data while it is transmitted over the internet.
- Access controls: We have implemented strict access controls to ensure that only authorized individuals are able to access personal data.
- Data minimization: We only collect and process the minimum amount of personal data necessary for the purposes of our business.
- Regular backups: We regularly back up personal data to prevent data loss in the event of a technical failure.
- Security training: We provide training to our employees and contractors on data protection and data security best practices.
We will review and update these measures regularly to make sure they remain effective. No method of transmission over the internet or of electronic storage is completely secure, however, so we cannot guarantee the absolute security of personal data. If you have any questions or concerns about the security of your personal data, please contact us using the details in this policy.
7. Data breaches:
We have implemented procedures for detecting, reporting, and responding to data breaches in accordance with GDPR. If we become aware of a data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
We will also take steps to contain the breach and to mitigate any adverse effects on data subjects, for example by temporarily restricting access to the affected personal data or applying additional security measures. Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay.
If you believe your personal data has been compromised in a data breach, please contact us using the details provided in this policy. We will investigate, take the steps necessary to remedy the incident, and act to safeguard your personal data.
We will also keep a record of every personal data breach, whether or not it has to be reported to the supervisory authority, including the nature of the breach, the categories and approximate numbers of data subjects and personal data records affected, its likely consequences, and the remedial action taken. These records will be kept for at least two years after the breach.
8. International transfers:
We may transfer personal data to countries outside the European Economic Area (EEA) in the course of our business. When we transfer personal data to countries outside the EEA, we will ensure that the recipient provides an adequate level of data protection and that appropriate safeguards are in place to protect the personal data.
We will only transfer personal data to countries outside the EEA in one of the following circumstances:
- The country has been deemed to provide an adequate level of data protection by the European Commission.
- We have entered into standard contractual clauses with the recipient, which have been approved by the European Commission and provide appropriate safeguards for the transfer of personal data.
- The transfer is covered by other appropriate safeguards recognised under GDPR, such as binding corporate rules or an approved certification mechanism.
We will take steps to ensure that any international transfer of personal data is carried out in accordance with GDPR and other applicable data protection laws. If you have any concerns about the international transfer of your personal data, please contact us using the contact details provided in this policy.
9. Retention of personal data:
We will only retain personal data for as long as is necessary for the purposes for which it was collected. We have implemented policies and procedures for determining the appropriate retention period for personal data based on the following criteria:
- The purpose for which the personal data was collected: We will retain personal data for as long as is necessary to fulfill the purpose for which it was collected.
- Legal requirements: We may be required to retain personal data for a certain period of time in order to comply with legal obligations.
- Statute of limitations: We may need to retain personal data for the duration of any applicable statute of limitations.
- Business purposes: We may need to retain personal data for business purposes, such as record keeping or to defend against legal claims.
We will review the retention periods for personal data on a regular basis, and we will delete or destroy personal data when it is no longer needed. If you have any questions about our retention policies, please contact us using the contact details provided in this policy.
10. Changes to the policy:
We may periodically update and modify this policy to reflect changes to our operational procedures or to ensure compliance with evolving data protection legislation. Any updates or modifications to this policy will be posted on our website, and if they are substantial, we may also let you know via email or another channel.
We encourage you to review this policy regularly so that you stay informed about how we protect personal data and about your rights under GDPR. If you have any questions or complaints about this policy or our data protection practices, please contact us using the details provided in this policy.
11. Contact information:
If you have any questions, concerns, or requests related to this policy or the processing of your personal data, please contact us using the following details:
Prism Innovations Limited t/a BackBliss
Phone: +44 (0) 1277 261 555
Address: 11 Baliol Road, Whitstable, Kent CT5 2EN
We will do our best to answer your questions and resolve your concerns promptly. If you are dissatisfied with our response, you have the right to lodge a complaint with the supervisory authority.
12. Making a complaint
If you think your personal data has been misused, please contact us (Prism Innovations Limited t/a BackBliss) in the first instance.
If you are unhappy with our response, you can make a complaint to the Information Commissioner’s Office (ICO) or seek advice from them.
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Telephone: 0303 123 1113
Textphone: 01625 545860
Monday to Friday, 9am to 4:30pm