Martin Rees Jewellers
Introduction
We are a Consumer Credit Business licensed by the FCA (ref number FRN 741025).
We are registered with the ICO for Data Protection (ref number Z5631672).
We do not require a Data Protection Officer because we are a small business with relatively small amounts of data stored. However, our Information Leader, currently Samantha Whitley, is the key contact for data protection.
Under FCA SYSC requirements we also have a senior manager who takes responsibility for data; their title is Director of Data Protection.
Cookies
For information about cookies we set when you visit our online shop (reesjeweller.uk), click here or for details of cookies set at our information site (reesjeweller.co.uk), click here
Basis of Processing Data
We retain data and relevant information about our customers on the following basis:
Pawnbroking, Purchases from customers - Legitimate Interest - We process proof of name and address, complying with AML requirements. We ask for a driving licence / utility bill / official letter for all new customers and apply due diligence as per our AML policy.
Repairs and Insurance Valuations - Legitimate Interest - We process name, address, mobile and landline phone numbers, and sometimes email address, so that we can contact our customers as required to clarify their requirements or update them on the progress of their job.
Investment gold coin sales - Legitimate Interest - We process name and address, plus suitable proof of identity, as required by law.
CCTV - Footage is retained for three months as part of the legitimate process of preventing crime. Footage is shared with police on request to help ongoing investigations.
Data Controller
We, Martin Rees Jewellers, are the Data Controllers, are responsible for all personal information retained, and are subject to audit by the Information Commissioner's Office (ICO). We do not share our data with third parties.
Disclosure
Customers are made aware at point of transaction how, where and with whom their information will be shared.
Adequate Explanations
We show every customer the privacy notice via a laminated privacy notice on the counter. Since the basis for processing data is Legitimate Interest, the customer is not required to sign this.
Every Pawn Receipt has a Data Processing Clause (no. 6 on the back of the Pawn Receipt). This is a shortened version of the privacy notice.
Data protection
The personal information we collect about you is used by us to fulfil our statutory obligations, to administer your agreement(s) and contact you, and when otherwise required by law or where permitted by Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). You will have already seen our privacy notice. It is important that you provide us with accurate information. If you provide false or inaccurate information or we suspect fraud, this information may be recorded. We will retain your data for three years after our account with you is closed; in the case of a Loan Contract, it will be retained for six years, or longer if required by law. This applies whether settled by you or in default.
You have the right to:
access the information we hold about you
ask us to make changes to your information to make sure it is accurate/up to date
ask us to stop or limit processing or delete your information (we are not obliged to do this in relation to information the law requires us to retain)
receive your information in a format that suits you
transfer your information to a third party
Please contact us using the details shown overleaf for further information.
We do not undertake CRA checks and we do not share data with third parties.
Data collection
We have reviewed our business through our Information audit to identify the data that is processed and how it flows into the business.
We will ensure that data is collected within the boundaries defined in this policy. When collecting data, we will ensure that the customer clearly understands why the information is needed.
We will respect the following rights for individuals:
The right to be informed
The right of access - in the case of Pawnbroking, they are entitled to ask for the details of their contract but cannot demand a replacement contract.
The right to rectification - for example, changing address
The right to erasure - the customer cannot demand the erasure of a pawn contract, although it would be erased after 6 years of no contact as part of our policy
The right to restrict processing - to temporarily stop proceedings because the customer has accidentally given incorrect information, e.g. got the phone number wrong.
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
Data Storage
Information and records relating to service users will be stored securely and will only be accessible to authorised staff. Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately. We store pawnbroking data for 6 years from the last point of contact, or longer if required by law. If your transactions with us do not include pawnbroking, all information about your account will be deleted 3 years after your last contact with us.
It is our responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been destroyed or sold to a third party.
We will undertake periodic Information audits and Data Protection Impact Assessments to continually aim to improve systems, minimise risk and improve security.
Data access and accuracy
We will ensure that:
The Information Leader has the responsibility for data in their job description and that they are fully trained for the role to ensure compliance with Data Protection.
Everyone processing personal information understands that they are contractually responsible for following good data protection practice and are trained accordingly
Everyone processing personal information is appropriately trained to do so
Everyone processing personal information is appropriately supervised
We deal promptly with any enquiries about handling personal information
We annually review and audit the ways we hold, manage and use personal information through our Information Audit
All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any future changes or amendments made to the GDPR 2018.
Data Breaches
We will maintain a log of all data breaches no matter how small. A small breach would include overhearing account details, losing a small amount of data or accidental deletion, loss of CCTV footage.
Examples of a major breach would be loss or theft of an entire database, or a web cyber security issue or hacking resulting in theft of emails / passwords / financial data of a significant or unquantified number of people.
We will ensure we have robust breach detection, investigation and internal reporting procedures in place.
We will report serious breaches to the ICO within 72 hours of becoming aware of the breach, where feasible, and explain:
what has happened;
when and how we found out about the breach;
the people that have been or may be affected by the breach;
what we are doing as a result of the breach;
who the ICO should contact for more information; and
who else we have told about the breach.
Contact
If you have a question, want to exercise your rights or make a complaint, please contact us.
If we cannot resolve your complaint, you may contact the Financial Ombudsman Service at:
Financial Ombudsman Service
Exchange Tower
London
E14 9SR
Tel: 08000 234 567
You also have the right to complain to the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. www.ico.org.uk.