Momentum Instore Limited (referred to in this document as “we” or the “Company”) is committed to protecting the privacy and security of your personal information.
The Company is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.
It is important that you read this policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
The Company’s contact details are:
(Registered in England under Company Number 2875057)
The Data Privacy Manager’s role is to inform & advise on data protection and GDPR, monitor compliance within the organisation, cooperate & liaise with the ICO and be the point of contact for data subjects.
If you have any questions or queries regarding this policy please direct these to our Data Privacy Manager at GDPR@momentuminstore.com.
While browsing our website we don’t capture any personally identifiable information that can be used to contact or identify you unless you:
All form data is securely stored on a dedicated page provided by our website developer, Optiva. From there your data can be accessed and downloaded by our sales & marketing team and stored in our CRM software, which may then be used for marketing purposes. In completing either of the forms you will have been asked to ‘consent’ to your data being used for this purpose. Personally identifiable information may include, but is not limited to your name, company & email address.
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
| Identity Data | Includes first name, last name, username or similar identifier, title, gender & social media links. |
| Contact Data | Includes company billing address, delivery/store/branch address(es), email address and telephone numbers. |
| Financial Data | Includes company bank account details and spend. |
| Transaction Data | Includes details about payments to and from you or your organisation or business and other details of products and services you or your organisation or business have purchased from us (clients), or we have purchased from you (suppliers). |
| Technical Data | Includes your login data (time, date, number of logins etc.) you use to access our systems. |
| Profile Data | Includes your system username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. |
| Usage Data | Includes information about how you use our website, products and services (clients) and how we use your products and services (suppliers). |
| Marketing and Communications Data | Includes your preferences in receiving marketing from us and your communication preferences. |
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Where you have completed one of the two forms on our website you will have been asked to ‘consent’ to your data being used for marketing purposes. You have the option to ‘opt out’ at any point by contacting us and asking for your personal data records to be deleted.
| Purpose / Activity | Type of data | Lawful basis for processing, including basis of legitimate interest |
|---|---|---|
| CRM System/Database: To keep you informed of our services for business-to-business marketing in relation to prospects where we aren’t currently engaged in a contract with you or your company and for existing clients who may be interested in additional services | (a) Identity; (c) Marketing and Communications Data | Necessary for our legitimate interests (to promote our products/services and grow our business). Where you are a sole trader, it is necessary to perform our contract with you. |
Note that where we are required by applicable data protection laws to obtain your consent to contact you for marketing, we will also obtain such consent from you in the manner required by such data protection laws.
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your web browser from a web server and stored on your computer or device's hard drive.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
In order for the Company to carry out the points listed above (under “How we use your personal data”), some of your information will be shared internally on a need-to-know basis. This includes members of several different departments, including:
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
We also share your data with third parties that process data on our behalf, in connection with outsourced system provision. For example, your personal data may be shared with:
We require all third parties to respect the security of your data and to treat it in accordance with the law.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We will not transfer your data to countries outside the European Economic Area without your further explicit consent.
We treat the security of your data with the utmost importance. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed in an unauthorised way. The ability to access data is restricted to employees, agents, contractors and other third parties who have a business need to know. Some of the key measures in place to ensure this include:
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are set out in our retention policy, which is available on request from our Data Privacy Manager (please send an email to firstname.lastname@example.org). To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once we no longer have dealings with you (because, for example, you are no longer a client or supplier), we will retain and securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.
The Company may need to keep certain information to respond to and defend against legal claims for up to 6 years. We will review your personal data regularly during any retention period to ensure that it is still needed, is accurate and not excessive. Your personal information will be kept securely and in any event destroyed after 6 years (unless required by law to be maintained for longer).
As a data subject, under certain circumstances, you have a number of rights under data protection laws in relation to your personal data:
DATA SUBJECT ACCESS REQUESTS
All data subject access requests from individuals to view their data being held by Momentum Instore should be addressed to GDPR@momentuminstore.com. The Company will firstly ask you to complete a Subject Data Access Request form for the purposes of properly verifying the identity of the individual making the request, ensuring it is lawful for us to provide the individual with the requested information and to understand specifically what data is being requested. The Company will then supply the electronic information requested within 1 month from the date of request for standard information requests. More complex information requests may take up to 3 months.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing at GDPR@momentuminstore.com.
RIGHT TO BE FORGOTTEN
The Company recognises an individual’s “Right to be forgotten”, and such requests should be sent to GDPR@momentuminstore.com.
RIGHT TO COMPLAIN
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
NO FEE USUALLY REQUIRED
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
RIGHT TO WITHDRAW CONSENT
In the circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer at GDPR@momentuminstore.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
GDPR - General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). ... GDPR is effective across the EU on May 25, 2018.
Data Controller - a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Subjects - means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
Lawful bases for data processing – The lawful bases we use for processing data, as set out in Article 6 of the GDPR are:
ICO – Information Commissioner’s Office (https://ico.org.uk). The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Prospect (Sales Lead) – Potential customer or client qualified on the basis of their buying authority, financial capacity, and willingness to buy. The personal data of multiple data subjects may be held by us relating to a single customer or client.
Client – Customer or client for whom we are contractually engaged to provide and deliver a service(s) or have done work for in the past and are likely to do work for in the future. Multiple data subjects may be held by us relating to a single active customer or client.
Supplier (Vendor) – A person or company that provides goods &/or services to Momentum Instore. The personal data of multiple data subjects may be held by us relating to a single supplier.
Insite – Our Client reporting and Estate management portal, hosted and developed by our 3rd party partner, Emphasys.
ERP – Our Enterprise resource planning tool delivering integrated core business processes.
CRM – Our Customer relationship management tool used to store and analyse prospect and client data subjects and relationships.
AD – Active Directory (“AD”) is a Microsoft technology that allows network administrators to manage users, computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.