EXERTIS IRELAND LIMITED - ESTORE PRIVACY STATEMENT
1. About this Privacy Statement
1.1 At Exertis Ireland Limited (“Exertis”) we are committed to protecting and respecting your privacy.
1.2 This Privacy Statement will let you know how we look after your personal data with regard to your use of this website, including your purchase of products on this website, and in the context of receiving marketing communications from us. It also informs you as to our obligations and your rights under data protection law.
1.3 Click on the headings below to find out more about how we collect and process your personal data:
1.4 Exertis contact details are as follows:
+ 353 01 408 7171
Exertis Ireland Limited
21 Fonthill Business Park,
2. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?
2.1 Data protection provides rights to individuals with regard to the use of their personal information (personal data) by organisations, including Exertis.Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.
2.2 Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.
2.3 The data protection rules that apply to us are currently contained in the EU General Data Protection Regulation (EU Regulation 679/2016) (the “GDPR”), the Data Protection Act 2018, the ePrivacy Regulations 2011 and in related legislation (together the “Data Protection Legislation”).
“Data controllers” are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed, who/which make independent decisions in relation to the personal data and/or who/which otherwise control that personal data.
“Data processors” are the people who or organisations which process personal data on behalf of, and on the instructions of, a data controller.
2.4 For the purposes of the Data Protection Legislation, Exertis is the Data Controller with regard to the personal data described in this Privacy Statement.
3. What personal data DO WE collect, HOW and WHY?
3.1 “Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
3.2 Categories of Personal Data we collect. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
Identity Data includes first name, maiden name, last name, username or similar identifier, title and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback.
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
4. How we collect your personal data:
4.1 We collect your personal data through the following means:
4.1.1 Direct interactions. You may give your personal data to us by entering your details through forms on our website or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
(a) Purchase a product through this website;
(b) Contact us in relation to returns, complaints etc.; or
(c) Request marketing to be sent to you.
4.1.3 Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources set out below:
(a)Technical Data from the following parties when you use our website:
(i) analytics providers such as Google based outside the EU
(ii) search information providers such as Google based outside the EU.
(b) Financial Data is collected by Realex on our behalf.
4.2 We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to doso.
Type of data
Lawful basis for processing
To manage your order of products from the eStore
(a) Identity Data
(b) Contact Data
(c) Financial Data
(d) Transaction Data
Necessary for the performance of our contract with you. We would not be able to fulfil your orders of product without this information.
To enter you onto our mailing lists where you have requested to be added
(a) Identity Data
(b) Contact Data
(c) Marketing and Communications Data
(d) Profile Data
To respond to you when you contact us through our website or by phone, post or email
(a) Identity Data
(b) Contact Data
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Identity Data
(b) Contact Data
(c) Technical Data
Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
(a) Identity Data
(b) Contact Data
(c) Profile Data
(d) Usage Data
(e) Marketing and Communications Data
(f) Technical Data
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
(a) Technical Data
(b) Usage Data
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
4.3 This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
4.4 Marketing: We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established a privacy centre where you can view and make certain decisions about your personal data use following personal data control mechanisms:
Promotional offers from us: We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and, in each case, you have not opted out of receiving that marketing.
Third-party marketing We will get your express opt-in consent before we share your personal data with any organisation outside the Exertis Group of companies for marketing purposes.
5. Information about Consent
5.1 By consenting to our processing your personal data in line with this Privacy Statement you are giving us permission to process your personal data specifically for the purposes identified.
5.2 You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of personal data relating to you.If you have any queries relating to withdrawing your consent please contact our Director Responsible for Data Protection whose details are set out below.You may withdraw your consent bycontacting us.
5.3 Withdrawal of consent shall be without prejudice to the lawfulness of processing based on consent before its withdrawal.
6. What are the data protection principles?
6.1 We must process personal data fairly, lawfully and transparently. This means that we must have a valid legal basis for our processing of personal data as set out under the DPAs or (when applicable) the GDPR.It also means that we must be transparent with individuals about our processing of their personal data (“lawfulness, fairness and transparency”);
6.2 We can only collect personal data for specified, identified and legitimate purposes. We can only then process the personal data that we have collected for the purposes which we have identified or for purposes that are compatible with the purposes that we have identified (“purpose limitation”);
6.3 The personal data that we collect and process must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”);
6.4 The personal data that we collect and process must be accurate and (where necessary) kept up to-date (“accuracy”);
6.5 We must not keep personal data any longer than is necessary, bearing in mind the purpose for which we collected it. This means that we should keep personal data in a form which permits identification of the data subject for no longer than is necessary (“storage limitation”); and
6.6 We must process personal data in a manner that ensures appropriate security of the personal data, including protection against unlawful or unauthorised processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
7. Security of your personal data
7.1 We take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
7.2 We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.Personal data will only be transferred to a data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves. In addition, we have appropriate written agreements in place with all of our data processors.
7.3 We maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
7.3.1 Confidentiality means that only people who are authorised to use the data can access it.
7.3.2 Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
7.3.3 Availability means that authorised users should be able to access the data if they need it for authorised purposes.
7.4 We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage.
8. TRANSFERRING PERSONAL DATA ABROAD
8.1 There may be circumstances in which we will have to transfer your personal data out of the European Economic Area for the purposes of carrying out the services we provide to you. Where the need for such a transfer arises we will always comply with the provisions in Chapter V of the GDPR and ensure that there are appropriate safeguards in place to protect your personal data such as:
8.1.1 The European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects' rights and freedoms;
8.1.2 Appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Director Responsible for Data Protection; or
8.1.3 The personal data is being transferred to a company in the US which has self-certified its compliance with the EU-US Privacy Shield which has been found by the European Commission to provide an adequate level of protection to the personal data of EU citizens.
9. How long will we keep your personal data?
9.1 Your personal data will be deleted when it is no longer reasonably required for the purposes describedaboveor you withdraw your consent (where applicable) and we are not legally required or otherwise permitted to continue storing such data.
9.2 Where you ask to be unsubscribed from marketing communications we may keep a record of your email address and the fact that you have unsubscribed to ensure that you are not sent any further emails in the future.
9.3 Further details on how long we retain personal data are contained in our Data Retention Standards which you can request from us bycontacting us.
10. Will we share your information with anyone else?
10.1 Your personal data may also be shared withthe following third parties:
Reason for sharing data
Internal Third Parties
Other companies in the “Exertis Group” (i.e. subsidiaries and/or holding companies of Exertis who are based in the UK and/or the EEA and provide IT and system administration services and undertake leadership reporting
External Third Parties
Service providers/Delivery partners acting as processors based in Ireland and/or the EEA who provide IT and system administration services
Professional advisers acting as processors or controllers including lawyers, bankers, auditors and insurers based in Ireland and/or the EEA who provide consultancy, banking, legal, insurance and accounting services to our business.
Regulators and other authorities based in Ireland and/or the EEA in circumstances where they are required by law to process your personal data.
Successors of our business
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Statement
10.2 Please note that the above list may be amended from time to time and this Privacy Statement will be amended to reflect these changes.
10.3 We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with Irish and EU laws on data protection. Any such company or individual will have access to personal information needed to perform these functions but may not use it for any other purpose.
10.4 Specifically, we need to have written agreements in place with all of our data processors and, before we sign each agreement, we need to have vetted and be satisfied with the processor’s data security. The agreements also need to contain specific clauses that deal with data protection.
10.5 We may pass on your details if we are under a duty to disclose or share a data subject's personal data in order to comply with any legal obligation.
11. Your data protection rights
11.1 Under certain circumstances, by law you have the right to:
Request information about whether we hold personal information about you, and, if so, what that information is and why we are holding/using it.
Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information. You also have the right to object where we are processing your personal information for direct marketing purposes.
Object toautomated decision-making including profiling, that is not to be subject of any automated decision-making by us using your personal information or profiling of you.
Request the restriction of processing of your personal information.This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.
12. Requests by data subjects to exercise their rights
12.1 If you have any questions about this policy or about our data protection compliance, please contact our Director Responsible for Data Protection.
12.2 Data subjects should make a formal request for personal data we hold about them or otherwise to exercise their data protections rights whether to make an access request or otherwise by contacting our Director Responsible for Data Protection.
12.3 Our Director Responsible for Data Protectioncan be contacted as follows:-
+ 353 1 408 7171
Director Responsible for Data Protection
Exertis Ireland Limited
M50 Business Park
12.4 Note also that data subjects have the right to complain at any time to a data protection supervisory authority in relation to any issues related to our processing of their personal data. As our organisation is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner.You can also contact the Data Protection Commissioner as follows:
Go to their website www.dataprotection.ie
Phone on +353 57 8684800 or +353 (0)761 104 800
Address: Data Protection Office - Canal House, Station Road, Portarlington, Co.Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland.
13. Changes to the Privacy Statement
13.1 Our Privacy Statement may change from time to time and any changes to the statementwill be posted on this page