Last updated: 10 September 2018
All data subjects whose data is processed by Sofa.com. This includes all customers that we provide services to, all potential customers who may be interested in our products and services and all business partners that assist us in the provision of our services.
For the purposes of data protection law, the “controller” is Sofa.com Limited, a company incorporated in England and Wales under company number 05222498 and having its registered office address at 35 Chelsea Wharf, 15 Lots Road, London SW10 0QJ (from now on referred to as “we” and by related words such as “us” and “our”).
Our Data Protection officer is Richard Holmes
The Data Protection Officer is responsible for ensuring that this notice is placed in front of potential data subjects prior to Sofa.com collecting/processing their personal data. All Employees/Staff of Sofa.com who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent, if applicable, to the processing of their data is secured. We are committed to providing you with a high standard of customer service, throughout your time with Sofa.com.
3 PRIVACY NOTICE
We take your privacy very seriously. Please read this privacy notice carefully: it contains important information about
• who we are
• how and why we collect, store, use and share personal data, including any data you may provide when you sign up to our newsletter, purchase a product or service or take part in a competition
• your rights in relation to your personal data
• how to contact us.
Please note that this website is not intended for children and we do not knowingly collect data relating to children.
3.1 What we collect
We collect information about you when you register with us or place an order for products or services. We also collect information when you voluntarily complete customer surveys, provide feedback to us and participate in competitions with us. Website usage information is also collected using cookies on Sofa.com and during our business functions – namely, marketing, manufacturing and selling products for use in the home – we collect the following personal data when you provide it to us:
• personal details, such as
- name and title
- date of birth
• contact data, such as
- delivery address
- billing address
- e-mail address
- telephone and mobile number(s)
• payment details, such as
- bank account
- card details
• transaction data, such as
- details about payments to and from you
- details of products and services you have purchased from us
• technical data, such as
- internet protocol (IP) address
- your login data, browser type and version
- time-zone setting and location
- browser plug-in types and versions
- operating system and platform and other technology on the devices you use to access this website
• profile data, such as
- orders made by you
- feedback and survey responses
• usage data, such as
- information about how you use our website, products and services
• marketing data, such as
- your preferences in receiving marketing and communications.
• Any other information necessary to meet our contractual obligations or provision of a better service to meet your requirements
We do not collect “special category” personal data. This is a special type of sensitive data to which more stringent processing conditions apply, and comprises data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic data and/or biometric data.
We also do not collect information about criminal convictions or offences.
3.2 How we collect personal data
We obtain personal data from sources as follows:
directly from you when you interact with us (for example, when you create an account order products, subscribe to mailing lists, request information, enter a competition or provide feedback
from automated technologies when you use our website
from suppliers who may deliver products to you, in the event that they collect personal data from you in addition to the personal data that we collect
from third parties with whom we have a trading relationship, for example who may sell our products directly and who need to give us your information in order for us to be able to fulfil your order
The company use the following third party providers:
IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire, PO6 3AU
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
More2 Ltd, 2 Valentine Place, London, SE1 8QH
We may monitor and record communications with you (including phone conversations and emails) for quality assurance and to make sure that we are meeting our legal and regulatory requirements. We may also use these recordings for training purposes.
3.3 How we use the Information
Sofa.com will process – that means collect, store and use – the information you provide in a manner that is compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances, the law sets the length of time information has to be kept, but in most cases Sofa.com will use its discretion to ensure that we do not keep records outside of our normal business requirements.
Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
Sofa.com may use this information to understand your needs and provide you with a better service. This could mean:
• Internal record keeping.
• Sofa.com may use the information to improve the website.
• Sofa.com may occasionally send emails about other information which we think you may find interesting using the email address which you have provided. To provide you with an accurate quotation.
• To correctly set you up as a customer and to provide you with our products and services.
• To administer your account, including informing you of any changes.
• To carry out risk assessment, credit-referencing and fraud prevention.
• To remind you about the quotations we’ve provided you with for a certain period after having visited our site.
• To undertake market research with a view to better understanding the requirements of our customers.
• Most importantly, to generally provide the best service to you that we can.
3.4 Why do we need to collect, process and store personal data?
For us to provide you with a product or service we need to collect personal data for correspondence purposes and/or detailed service provision. In any event, we are committed to ensuring that the information we collect, and use is appropriate for this purpose, and does not constitute an invasion of your privacy. We may pass your personal data on to our service providers who are contracted to Sofa.com in the course of service provision. Our contractors are obliged to keep your details securely and use them only to fulfil the service they provide you on our behalf. Once your service need has been satisfied or the case has been closed, they will dispose of the details in line with Sofa.com’s procedures. If we wish to pass your sensitive personal data onto a third party, we will only do so once we have obtained your consent unless we are legally required to do so.
We will only use your personal data when the law allows us to. Most commonly, we will use personal data in the following circumstances:
• to perform a contract, we are about to enter or have entered into with you
• if it is necessary for our legitimate interests (or those of a third party) and these are not overridden by your rights and interests
• where we need to comply with a legal or regulatory obligation.
In order to process personal data, we must have a lawful reason. We always ensure that this is the case, and we set out our lawful bases below – note that more than one may apply: for example, if we inform you of changes to our privacy notice, we may process your personal data on the ground of complying with law and on the ground of legitimate interests.
We will only use your personal data for the purposes for which we collected it, unless we fairly consider that we need it for another reason that is compatible with the original purpose.
3.5 What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The primary reason for collecting and processing data will be contractual, however we may utilise a combination of the above, dependent upon the circumstances. We will be transparent in any interactions and ensure that the lawful basis of processing for each circumstance are documented and available.
If you are our customer, we will process your personal data for the following purposes, on the legal basis that it is necessary for us to provide our products and services to you:
• to identify you
• to respond to your inquiries
• to the extent necessary to provide pre-contractual information about our products and services
• to provide our products and services, including enabling them to be delivered to you
• to carry out billing and administration activities.
Accordingly, your failure to provide such personal data may hinder or prevent us from being able to perform a contract for you.
We process your personal information for our legitimate business purposes, which include the following:
• to conduct and manage our business
• to enable us to carry out our services
• to ensure our website and systems are secure
• to improve and update our services for the benefit of our customers
• to let you know about our products or services that we consider may be of interest to you: we carry out this processing on the legal basis that we have a legitimate interest in marketing our products and services, and only to the extent that we are permitted to do so by applicable direct marketing laws.
Whenever we process your personal data for these purposes, we ensure that your interests, rights and freedoms are carefully considered.
Compliance with laws
We may process your personal data in order to comply with applicable laws (for example, if we are required to co-operate with an investigation pursuant to a court order).
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third-party direct marketing communications to you via direct mail, email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
We will always be clear whenever we intend to process on the basis of consent, and we will process lawfully and only for the purpose for which consent was given.
3.6 Do we share your personal data?
We may provide your personal data to the following recipients for the purposes set out in this notice:
• other companies in our group
• our officers, employees, consultants, workers and agents to the extent that they reasonably require it
• our service providers
• law enforcement agencies in connection with any investigation to help prevent unlawful activity.
We also work with Epsilon Abacus (registered as Epsilon International UK Ltd), a company that manages the Abacus Alliance on behalf of UK retailers. The participating retailers are active in the following product categories: clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors. They share information on what their customers buy. Epsilon Abacus analyses this pooled information to help retailers understand consumers’ wider buying patterns. From this information, retailers can tailor their communications, sending people suitable offers that should be of interest to them, based on what they like to buy
3.7 Do you have to supply your personal data and if so WHY?
In short, the answer is no: however, it may affect your ability to receive our products and services if you do not do so.
To form a contract with you, we will need some or all the personal data described above so that we can perform that contract or the steps that lead up to it: this is set out above in this notice. If we do not receive the data, the contract could not be performed.
If you sign up to our mailing list, you will have to provide certain personal data. Of course, you may decide to stop receiving our mailings at any time.
3.8 How long will your personal data be kept for?
We carefully consider the personal data that we store, and we will not keep your information in a form which identifies you for longer than is necessary for the purposes set out in this notice.
We use the following criteria to determine data retention periods for your personal data:
• Retention in case of queries. We will retain your personal data as long as is necessary to deal with your queries.
• Retention for providing products or services. We will retain your personal data as long as is necessary for us to provide relevant products and services.
• Retention in case of claims. We will retain your personal data for as long as we may require it to defend claims that may be brought against us or our customers.
• Retention for marketing purposes. We may, where we are permitted to do so, retain your personal data to enable us to carry out our business activities and always subject to your right not to receive marketing communications.
• Retention in accordance with legal and regulatory requirements. We will retain your personal data after we have provided products or services based on our legal and regulatory requirements: for example, UK tax law currently specifies a six-year period for retention of some of your personal data.
3.9 What is Personal Data
Under the EU’s General Data Protection Regulation: Personal Data is defined as “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
3.10 Online Identifiers
IP Addresses and Cookies
Sofa.com.com use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to website users’ needs. Sofa.com.com only uses this information for statistical analysis.
Overall, cookies help sofa.com.com to provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
We collect the information requested by any of our web forms as well as the information you provide on our website. We also collect information about how people use our website via analytic tools. This is so we can continually improve the online customer experience.
4 DATA PROTECTION PRINCIPLES
We handle any information you provide us responsibly and securely. Sofa.com complies with the Data Protection Act 1998 and EU General Data Protection Regulations coming into force on the 25th of May 2018. We collect, store and use personal data carefully, and ensure that it is kept secure. We do not, and will not, pass the information that you give us to any organisations except our agents and relevant industry service providers unless you expressly give us your permission to do so.
To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. This means we must comply with the Data Protection Principles set out in the Data Protection Act 1998 and GDPR. These principles require that personal data must be:
1. Obtained fairly and lawfully and shall not be processed unless certain conditions are met
2. Obtained for specific and lawful purposes and not further processed in a manner incompatible with that process
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Kept for no longer than is necessary
6. Protected by appropriate security
7. Not transferred to a country outside the European economic area without adequate protection
Sofa.com is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. To ensure we keep your personal details secure, and restrict unauthorised access to your account, we will always ask you key security questions before discussing your account with you. Only named account holders can discuss or request changes to be made on your Sofa.com account. Please cooperate with us when establishing your identity, to help combat identity fraud.
Please let us know if any of your personal details change, for example a change of name, email address, or other details. You can do this by contacting us by post, email, or telephone at our usual contact details.
We would like to send you information about products and services of ours and other business units in our group which may be of interest or a direct benefit to you. If you have consented to receive marketing, you may opt out at a later date. You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, you have a right to unsubscribe. We may contact you by email, Telephone, SMS or by post. You have the right to object or opt out to any of the above forms of communication for marketing purposes. There will be occasions where we will contact you to inform you of special offers or promotions which may benefit you. We may utilise the provisions of legitimate interest under the GDPR regulations. Our communications are designed to tell you about the benefits we can offer so that you have access to our best deals. We use the information we have about you to tailor the content and try to ensure that the offers are as relevant to you as possible. Under the Data Protection Legislation, this might qualify as profiling. If you do not wish us to use your data for this purpose, please call on 0345 400 2222, or email us at firstname.lastname@example.org. Where we use legitimate interest provisions, we will ensure that all checks and balances are thoroughly performed including the appropriate assessments. If you have given your consent, or if we are otherwise permitted to do so, we may contact you about our products or services that may be of interest to you. If you prefer not to receive any direct marketing communications from us, you can opt out at any time by sending an email to our contact centre.
7 CONTROLLING YOUR PERSONAL INFORMATION
With Sofa.com you are in total control of your personal information.
We will not sell, distribute or lease your personal information to third parties unless we have your permission, or are required by law to do so. We may use your personal information to send you further information, which we think you may find interesting if you tell us that you wish this to happen.
7.1 Data Subject Access Request
You may request details of personal information which we hold about you. If you would like a copy of the information held on you, or you think it is incorrect or incomplete, please contact us at:
Data Protection, Sofa.com, 35 Chelsea Wharf, 15 Lots Road, London SW10 0QJ
Or email us at: email@example.com
Sofa.com will promptly correct any information found to be incorrect.
You can also get details of the credit agencies from which we get, and which we record, information about you.
The information that you request will be provided within a maximum of one calendar month and we will not charge unless the request requires a lot of effort. We try to ensure that the information we hold is accurate, up to date and relevant and we’ll be happy to correct any inaccuracies.
Priority service customers:
Where we believe that you, or a member of your household, need extra care due to factors such as age, health, disability or financial insecurity, we may record this fact on our records.
We will use this information specifically for protecting these customers and their household from loss of service.
If you give us information on behalf of someone else, you confirm that you have given them the information set out in this document and that they have not objected to their personal information being used in the way described in it.
7.2 Your rights as Data Subjects
Under the General Data Protection Regulations, you have the right to know and access the following.
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has been or will be disclosed
• The period for which the personal data will be stored;
• The right to rectification, erasure, restriction or objection;
• The right to lodge a complaint with a supervisory authority;
• Where the personal data are not collected from the data subject, any available information as to their source
7.3 Do we transfer data outside the EU?
Although we are based in England, we may transfer your personal information to a location (for example, to a secure server) outside the European Economic Area, if we consider it necessary or desirable for the purposes set out in this notice. In such cases, to safeguard your privacy rights, transfers will be made to recipients to which a European Commission “adequacy decision” applies (this is a decision from the European Commission confirming that adequate safeguards are in place in that location for the protection of personal data), or will be carried out under standard contractual clauses that have been approved by the European Commission as providing appropriate safeguards for international personal data transfers, copies of which are available to view on the Commission’s website (https://ec.europa.eu/info/index_en).
For further information please write to the
Data Protection Manager
35 Chelsea Wharf, 15 Lots Road, London SW10 0QJ
Or email firstname.lastname@example.org