DATA PROTECTION INFORMATION FOR CUSTOMERS
INFORMATION ACCORDING TO ARTICLES 13, 14 AND 21 OF THE EU GENERAL DATA PROTECTION REGULATION (GDPR)
In the following, we provide information about the processing of your personal data by the Stampin’ Up! group and the claims and rights to which you are entitled under the applicable data protection regulations in order to enable you to understand and assess the permitted uses of your data – including the data processing as per your consent.
I. WHO IS RESPONSIBLE FOR DATA PROCESSING AND WHOM CAN I CONTACT?
The responsible party is:
Stampin’ Up! UK Limited
A4 Lancaster Court Coronation Road Cressex Business Park High Wycombe
Bucks HP12 3TD
Phone: 00800 31 81 82 00
II. WHAT SOURCES AND DATA DO WE USE?
We process personal data that we receive from you in the course of our business relationship, in particular via our Customer Order Forms or information entered on our website. In addition, to the extent necessary for the provision of our services, we process personal data that we have legitimately received from you (for the execution of orders, for the fulﬁlment of contracts or on the basis of consent given by you, for example).
Relevant personal data is your personal data (name, address and other contact data, bank details). In addition, this may include order data (e.g. from a product order), data from the fulﬁlment of our contractual obligations, and other comparable data.
III. WHAT DO WE PROCESS YOUR DATA FOR (PURPOSE OF PROCESSING) AND ON WHAT LEGAL BASIS?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the UK Data Protection Act 1998.
1. FOR THE FULFILMENT OF CONTRACTUAL OBLIGATIONS (ARTICLE 6 PARA. 1B GDPR)
The processing of personal data (Article 4 No. 2 GDPR) takes place for the execution of our contracts with you and the execution of your orders, as well as all activities necessary with the operation and administration of a company.
The purposes of data processing are primarily based on the speciﬁc order and may include, among other things, order acceptance and execution and evaluation of sales data–also by our aﬃliated companies, insofar as this is necessary for the performance of the contract.
Further details for the purpose of data processing can be found in the respective contractual documents and terms and conditions.
2. IN THE CONTEXT OF BALANCING INTERESTS (ARTICLE 6 PARA. 1F GDPR)
If necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests or the legitimate interests of third parties.
- Review and optimization of procedures for needs analysis and direct customer approach
- Advertising or market and opinion research, unless you have objected to the use of your data
- Assertion of legal claims and defense in legal disputes
- Ensuring IT security and IT operation
- Data transfer in the case of sale of the company and shareholdings
- Measures for business management and further development of services and products
- Transfer of personal data within the Stampin’ Up! group for internal administrative purposes, including the processing of personal data of demonstrators and customers
At the time of collecting the data, we will inform you of the legitimate interests pursued by the responsible party or a third party. Our legitimate interest in transferring data within the Stampin‘ Up! group arises—if no consent has been given—from an interest in the optimised evaluation of order and sales data and in central, optimised data storage and, on the other hand, from the fact that a data subject can reasonably foresee that processing for this purpose will possibly take place at the time the personal data is collected and in view of the circumstances under which it takes place (in particular the measures we have implemented for data security).
3. ON THE BASIS OF YOUR CONSENT (ARTICLE 6 PARA. 1A GDPR)
If you have given us your consent to process personal data for speciﬁc purposes (such as passing on data within the Stampin‘ Up! group also outside of the EU/EEA association/group, evaluation of payment transaction data for marketing purposes), the legality of this processing is given on the basis of your consent.
In addition, the Independent Stampin’ Up! Demonstrator may—if you have consented to this—send you advertising material or communications about Stampin’ Up! oﬀers (e.g. new products, promotions, events) and their own oﬀers via mail and email.
A given consent can be withdrawn at any time. Please note that the withdrawal will only take eﬀect for the future. Processing that took place before the withdrawal is not aﬀected by this.
4. DUE TO LEGAL REQUIREMENTS (ARTICLE 6 PARA. 1C GDPR)
In addition, we are subject to various legal obligations, i.e. legal requirements (such as tax laws). The purposes of the processing include, among other things, the fulﬁlment of tax control and reporting obligations as well as the assessment and
control of risks.
IV. WHO GETS MY DATA?
Within the responsible party, those parties receive their data which they need to fulﬁl our contractual and legal obligations. Contractors used by us (Article 28 GDPR) may also receive data for these purposes. These are companies in the categories of IT services, logistics, printing services, telecommunications, debt collection, consulting, sales and marketing.
We may only disclose information about you to recipients outside the responsible party if this is permitted or required by law or if you have given your consent. Under these conditions, recipients of personal data may be, for example, public authorities and institutions subject to a legal or oﬃcial obligation.
Other recipients of data may be those parties for which you have given us your consent to the transfer of data.
V. HOW LONG WILL MY DATA BE STORED?
If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the run- up to and processing of a contract.
In addition, we are subject to various storage and documentation obligations, which result, among other things, from the EU Consumer Rights Directive, the Companies Act 2006, and UK Income Tax Act. The periods for storage and documentation speciﬁed there range from two to ten years.
Finally, the storage period is also assessed according to the statutory limitation periods, which may vary from one year to indeﬁnite under the Companies Act 2006 and the Data Protection Act 1998.
VI. IS DATA BEING TRANSMITTED TO A THIRD COUNTRY OR AN INTERNATIONAL ORGANISATION?
Data will only be transmitted to third countries (countries outside the European Economic Area (EEA)) if this is necessary for the execution of your orders, is required by law, or you have given us your consent, for example for data transmission to Stampin’ Up! Inc. in the USA. Stampin’ Up! Inc. adheres to the EU-US Privacy Shield Framework approved by the US Department of Commerce, which relates to the collection, use, and storage of personal data from the European Union in the United States, and declares, by means of self-certiﬁcation, compliance with the principles applicable under this Privacy Shield. To learn more about the Stampin’ Up! Privacy Shield program and to view Stampin’ Up!’s certiﬁcation, visit www.privacyshield.gov.
We will inform you separately about details, where required by law.
VII. WHAT DATA PROTECTION RIGHTS DO I HAVE?
As a data subject, you have the right of access under Article 15 GDPR, the right to rectiﬁcation under Article 16 GDPR, the right of erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability
under Article 20 GDPR. In addition, there is a right of appeal to a data protection supervisory authority (Article 77 GDPR).
VIII. AM I OBLIGATED TO PROVIDE DATA?
In the context of our business relationship you only have to provide the personal data which is necessary for the establishment and implementation of a business relationship or which we are legally obliged to collect. Without this data, we will generally
have to refuse the conclusion of the contract or the execution of the order, or we will no longer be able to execute an existing contract and may have to terminate it.
IX. TO WHAT EXTENT IS THERE AUTOMATED DECISION-MAKING IN INDIVIDUAL CASES?
The decision to establish a contractual relationship may be based on automated processing of personal data for the purpose of assessing individual personality traits. In the event of a decision rejecting the application, you have the right to assert your
position against us and to have the decision reviewed. However, there is no obligation to conclude a contract.
INFORMATION ABOUT THE RIGHT TO OBJECT UNDER ARTICLE 21 OF THE GENERAL DATA PROTECTION REGULATION (GDPR)
1. You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that takes place based on Article 6 paragraph 1 letter f of the General Data Protection Regulation (data processing on the basis of a balance of interests); this also applies to proﬁling based on this provision within the meaning of Article 4 No. 4 GDPR, which we use for credit assessment or for advertising purposes.
If you object, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
2. In individual cases we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to proﬁling, insofar as it is associated with such direct advertising.
If you object to the processing for direct advertising purposes, we will no longer process your personal data for these purposes.