Privacy Summary

To view our full data protection policy online, please click here

At The Pen Warehouse, we believe that privacy is a fundamental human right and that respect for an individual’s privacy should apply in all walks of life but especially so in business. As a trade-only supplier, the company recognises the need to protect not just the privacy of trade customers but also the privacy of all individuals involved in the supply chain.

In order to operate our business, we do need to collect some personal data. We only ever collect what is necessary and we do not store the data for any longer than we need to.

What if I’m not a trade customer?

If you don’t fit our strict requirements as a trade customer, then we can suggest a local distributor for you to contact instead. Using the “distributor search” function on our website will show you the name and contact details for your nearest distributor. You can choose which distributor you want to speak to and we’ll securely send them your contact details.

If you place an order with one of our distributors, they’ll need to give us your name and address so that we can arrange delivery of goods. They should notify you first that we’ll be processing your data for that purpose.

What type of data do we store?

If you’re a registered trade customer of The Pen Warehouse, we’ll hold some or all of the following types of information about you:

Your name.
Your company/employer’s name.
Your email address.
Your telephone number, which may include direct dial or mobile numbers.
Your business/work address.
Your IP address (if you visit our websites).
Website cookies (if you visit our websites).

Legal Basis

We rely upon a number of different legal bases for processing personal information – these include processing personal information where it is in our legitimate interests to do so and where this is necessary for the fulfilment of a contract. Where we rely on our legitimate interests, this means that we use personal information to run our business and to provide the services we have been asked to provide. We only collect information that has been supplied voluntarily; you do not have to provide us with personal information. However, if you do not provide us with information we need by law or require to do work, we may not be able to offer certain products and services.

Your Rights

You have several important rights in relation to your data:

The right to be informed – We’ll always try to be as transparent as possible about how your data is being stored and processed by us.
The right to access – If you’d like to know what information we store about you, you can exercise your right to access, often known as a “subject access request”. We usually prefer to get these in writing and sometimes we may need to ask for additional proof of identity. We will respond to all access requests within one calendar month but if we do need to ask you for ID, that one month period won’t start until we’ve received it.
The right to rectification – If you believe that we hold some incorrect information about you, then you have the right to request that we amend your personal information across all of our systems. We’ll try and complete any such requests as quickly as possible but you should allow us up to one calendar month.
The right to erasure – You can ask us at any time to remove your personal data from our systems. In some cases, for example if required to do so by HMRC, we might need to keep a few records even after you’ve asked us to delete your information. We’ll let you know about this when you request removal, as well as telling you how long we’ll be keeping the data for.
The right to restrict processing – You can ask us not to use your data in particular ways. This is different than the right to erasure because it lets you specify that you’re happy for us continue using your data in other ways.
The right to data portability – You can ask us to export your personal information in a commonly-understood file format, such as CSV. This is particularly useful if you wanted to give the data to someone else to process. The same one-month period and need for identification applies to these requests as it does to a subject access request.
The right to object – You can raise an objection at any time to the way in which we’re using your data. For example, you might want to remain a trade customer but opt out of receiving marketing communications. You have the right to do so without it affecting your legal status with us.

You can read more about these rights on the ICO website:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Who has access to your data?

Within The Pen Warehouse, staff members who might have access to your personal data have all been provided with relevant GDPR training. We only allow our staff access to customer data when it’s absolutely necessary for them to do their jobs.

In regards to electronic communication, all of our email services are provided by Google LLC. Google provide a very secure email platform that encrypts all communications between their servers and our office PCs. In order to provide support on our email services, some Google employees do have access to our email system. This is only to provide technical support and they don’t perform any processing or collection on emails coming through our system.

Please note that we also contract out some I.T. development and support services to the following companies. In order to support our software, employees of these companies will sometimes be granted access to our secure systems on which your data is stored.

Google LLC - 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States

Snap Products Ltd - Company number 06719081 - Charles Lake House, Claire Causeway, Crossways Business Park, Dartford, Kent, DA2 6QA

Systems Supported Ltd - Company number 04351046 - Unit 1 Bourne Mill Business Park, Guildford Road, Farnham, Surrey, GU9 9PS

First Data Europe Limited - Company number 02012925 - Legal Department, Janus House, Endeavour Drive, Basildon, Essex, SS14 3WF

Eiger Group Ltd - Company number 03727605 - Kenward House High Street, Hartley Wintney, Hook, Hampshire, RG27 8NY

Eureka Solutions (Scotland) Limited - Company number SC165567 - 29 Portland Road, Kilmarnock, Ayrshire, KA1 2BY

The Soil Association Ltd - Company Number 00409726 - Spear House, 51 Victoria Street, Bristol, England, BS1 6AD

If you visit our websites, then your activities on the site are anonymised and sent to Google Analytics with a tracking cookie. This data lets us know how well our websites are working and which parts still need improvement. If you’d prefer not to take part in this anonymous usage tracking, then you should set your browser to “do not track” mode.

What do we do with your data?

Apart from using your data to process and despatch orders, we’ll also use it to keep in touch about our latest developments and services. We often run reports on our sales orders so that we can spot purchasing trends. Identifying trends helps us ensure that our prices and product range are competitive. You can opt out of any specific types of data processing if you wish to.

When visiting our websites, cookies will be created and stored on your computer. These cookies provide important functionality like allowing you to log in and access trade prices.

Where do we store your data?

Your personal data may be stored in physical files located on one of our premises in Aldershot. Any files that contain personally identifiable information are stored securely, under lock and key. Access to those files is only available to staff members who require it to complete their assigned duties. Physical files are only kept as long as necessary by law and are then destroyed.

Electronic storage of your personal data is mostly situated on our in-house servers. Our I.T. systems are compliant to the Cyber Essentials scheme, meaning that everything is firewalled and encrypted and that access to the systems is highly restricted.

Since we run a few busy websites, we may also have some of your personal information stored off-site in a data centre. Our websites are also compliant with Cyber Essentials and we regularly review the security protocols in place.

Data Breaches

A data breach will be deemed to have occurred whenever an unauthorised party gains access to ours records or systems. Our staff have been trained to recognise a data breach and report them internally. Upon receiving such a report, a thorough investigation will take place. We will assess the severity of the breach and report it to the ICO with 72 hours, including reference to the steps which we will take to prevent future breaches of a similar nature. Where the breach may have allowed the unauthorised third party to gain access to personal information relating to our customers, we will notify affected customers and explain what data may have been accessed and what steps they may need to take (e.g. resetting passwords).

Your responsibilities as a trade customer

As a trade customer, it’s your responsibility to ensure GDPR compliance for the client data you hold on file. When passing us that data for an order, you should ensure that your clients have been informed about the transfer of data and that you have designated us as a “Data Processor” for this purpose.

Who should you talk to if you have further questions?

If you’d like to exercise any of your rights in regards to your data or if you simply want to ask us a question about our privacy policy and practices, then please get in touch.

Email: dpo@pens.co.uk

Telephone: +441252 400270

Address:

FAO: Data Protection Officer

The Pen Warehouse

Innovations House

4 Christy Estate

Ivy Road

Aldershot

Hampshire

GU12 4TX