TSO Privacy Notice
Who we are
We are The Stationery Office Limited (referred to in this document as We, Us, Our and TSO).
We are a member of the Williams Lea Group of companies.
We sell and publish products on behalf of a number of organisations. In the majority of cases, we are the Data Controller under the Data Protection Legislation for any information that you share with us when accessing our products and services.
In certain circumstances we are acting as a Data Processor for an organisation whose products and services we provide through this website.
Our office address is:
18 Central Avenue
St. Andrews Business
Park
Norwich
England
NR7
0HR.
We are registered with the ICO under Registration number; Z717712X.
Introduction
We understand the importance of your personal data and are committed to meeting the requirements of the Data Protection Legislation. To help us meet our obligations, and your expectations, we have developed this privacy notice to ensure that you are fully aware of:
- the personal data we collect about you
- what we do with your information
- what we do to keep your information secure, and
- the rights and choices you have over your personal information.
This notice applies to all of our data collection and processing activities including:
- any interaction with our customer services team and
- your use of our website, including the purchase of goods or services.
Throughout this notice, where we refer to Data Protection Legislation, we mean the Data Protection Act 2018 (DPA2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with this legislation.
When you are based in the EU, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.
We will use your information as set out in this Privacy Policy. If we need to use your personal information for any other purpose, we will take steps to provide you with additional information and we will update this privacy notice.
The personal data we collect
We only collect personal information that we genuinely need to provide our services to you and in accordance with the Data Protection Legislation.
We collect information about you from various sources depending on the services that you are engaging with - some information is collected directly from you; some is generated when you interact with our website.
Information we collect directly from you may include:
- Name
- Telephone Number
- Email Address
- Postal Address
- Home Address
- Payment Information (bank or payment card information)
- Any information you share in interactions with our customer services team over the phone, by email or via our social media presence.
If you are a business customer, we may also collect information about your employer and your role.
In your use of our services, we may generate information about you such as:
- purchase history,
- service access history,
- your interests and preferences,
- technical information such as IP address, log in information and your devices.
We collect limited technical information about your visit to our site, this helps us to better understand how our customers move around, and interact with, our website.
We do not routinely collect or process any Special Category information about you in the provision of our services.
Lawful basis for processing your personal data
We will only ever process your personal data if we have a lawful basis to do so. The lawful bases we rely on are:
-
Contract - This is where we process your information to fulfil a contractual arrangement, we have made with you such as the delivery of any Items that you purchase.
-
Consent - This is where we have asked you to provide permission to process your data for a particular purpose such as to send you marketing material. Please note, if we are relying on your Consent, you can withdraw your consent at any time by contacting us or using the opt out link in any emails that we send to you.
-
Legitimate interests - This is where we rely on our interests as a reason for processing, generally this is to provide our service in the most secure and appropriate way.
-
Legal obligation - This is where we have a statutory or other legal obligation to process the information, such as for the investigation of crime.
Your Rights
You have a number of Rights under the Data Protection Legislation. If you would like to exercise any of these rights, you can contact us using the contact details in the "Contact Us" Section.
Your rights under the Legislation are:
The right to be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. This privacy notice gives you this information.
Right to access your personal information
You have the right to access the personal information that we hold about. This is sometimes termed 'Subject Access Request.' If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from the point that we are able to confirm your identity. We will ask for proof of identity and sufficient information about your interactions with us that we can locate your personal information.
Right to correction of your personal information
If any of the personal information we hold about you is inaccurate, incomplete or out of date, you can ask us to correct it. You can update your information thorough your online account or by contacting our customer services team.
In some cases, we are not responsible for the content of the documents that are available through our website and as such we are unable to make corrections. In such circumstances we will seek to assist you in contacting the relevant company or organisation.
Right to restrict processing
You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain.circumstances. As with the right to correction, in some cases we are not responsible for the content of the documents that are available through our website and as such we are unable to make corrections.
Right to erasure
You have the right to have personal data erased. This is also known as the 'right to be forgotten'. The right is not absolute and will only apply in certain circumstances.
Right to portability
The right to portability gives you the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format. It also gives you the right to request that we transmit this data directly to another controller.
Right to object
You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, for example if we have a legal obligation.
For more information about your privacy rights
The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. They make lots of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access the ICOs consumer information at https://ico.org.uk/for-the-public.
Your Right to make a complaint
You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Details of how to contact us can be found in the Contact Us section of this notice.
Your satisfaction is extremely important to us, and we will always do our absolute best to solve any problems you may have.
How we use your personal data
We will use your personal information for a number of purposes namely to ensure we are providing our services to you in the ways that you would expect. We will particularly use personal information for the below purposes:
To process orders that you place and facilitate any returns
- We will take payment card details to process payments made to us, this is then processed by our chosen payment processors, we do not collect or store debit credit card numbers, other than the last four digits.
- We will use your address to deliver your purchases to you and to facilitate any returns.
- We will use your contact information to keep you up to date on the status of your order.
To provide you with a TSO Account
- To register an account with us we capture information such as your name, contact and delivery information, and a password to protect your account.
- We use this information on an ongoing basis to manage and provide secure access to your account and provide you with the services you request.
To answer any questions that you have or to follow up with you on any customer services enquiries
- If you contact us through email, social media, phone or through our website we will use your information to answer your questions and to correspond with you.
- We may record phone calls and maintain copies of your interactions with us and will use this on an ongoing basis for quality monitoring and to help us improve our services.
To Manage and improve our business and our interactions with you
We will use certain personal and technical information including information from Cookies to:
- analyse and understand our consumer base
- understand the effectiveness of our advertising campaigns
- develop new products and services
- secure our network
- investigate and respond to service or security issues
- ensure our website operates on multiple platforms
- troubleshoot, test, support and maintain our website and other business services
- for logistical and demand forecasting.
To meet our legal and regulatory obligations
- We use your data to ensure we comply with any requirements imposed on us by law or court order, including disclosure to law or tax enforcement agencies or pursuant to legal proceedings.
- We will share data with regulatory and other official bodies if they make formal requests.
- We will maintain records to meet regulatory and tax requirements
To Prevent and Detect Crime
- We use your account information, order history and payment history to assist in monitoring for fraudulent transaction.
- When you register an account or contact our customer services team, we use your account information and previous purchase history information to assist in confirming your identity.
- We use device identifiers and IP addresses in fraud prevention and investigation, and to maintain network and data security.
To keep in touch with you and promote our products and services (Consumers)
- If you give us your permission, we will use your information to send you promotional material and newsletters that we believe will be relevant to you.
Note - You can unsubscribe from marketing communications at any time using the unsubscribe link in our email, by contacting our customer services team or through your online account by navigating to "Email Preferences" and follow the instruction to "Unsubscribe!.
- We will also use your contact information to send you service message such as changes to this policy, updates to our terms and conditions or information about your account - these communications are not marketing messages.
- We may also contact you to take part in satisfaction surveys or for you to leave a review on a product that you have purchased - we will also use this information to help in developing our products and services.
To keep in touch with you and promote our products and services (Business Subscribers)
- If you are a business customer, or a reseller of TSO's products, we may send you marketing emails or contact you via telephone to keep you up to date on products, services and events that we feel may be of interest to you.
- We may also use your personal information to keep you informed of new and/or existing products that are similar to those which you have previously purchased.
- If you, or your business does not wish to receive such communications you can contact our customer services division on Tel: +44 (0)333 202 5070 or by sending an email to [email protected]
How long we retain your personal data
We retain a record of your personal information in order to provide you with a high quality and consistent service and to evidence the actions we have taken on your behalf.
In line with the Data Protection Legislation, we only keep your personal information for the length of time we need it to:
- Deliver our services to you
- Meet our Business needs
- Meet our legal obligations.
Who we may share your personal data with
In some circumstances we may need to share your personal data with third parties in order to:
- Provide you with the service that you have asked for
- Meet our legal obligations
- Run and manage our business.
We may share your personal information with:
- Law Enforcement or other public authorities that require us to release information
- To any organisation where it is necessary for us to establish a legal claim or to defend ourselves against such a claim
- Other members of our group of companies as required for them to provide management services to us
- Our professional advisors including accountants, legal professionals or insurers
- Payment services providers who process payments on our behalf
- Delivery service companies who deliver your goods to you
- Providers of ancillary business support services such as Information Technology services (as a processor on our behalf)
- Marketing service providers (as processors on our behalf) including organisations that help us communicate with you
- Online Advertising providers that help us in showing advertising material to you on our site, on the internet and on social media (if you are opted into Marketing)
- Any organisation in the event of the sale, merger, reorganisation, dissolution or disposal of our business. We will inform you of any such transfer or disclosure as required by law.
In some cases, the products offered for sale on our site are published by an independent third party, in these cases we are acting as a reseller only. In such cases, depending on our relationship with the organisation, we may share limited information about the products and services that you have ordered along with personal information, with these third parties in order for them to manage demand, dispatch goods to you directly or to manage their business.
We may also provide such information back to these organisations if we cease to be a reseller for their goods or services. In these situations, you will be provided with additional privacy information by the organisation directly.
In all cases we:
- only provide the minimum personal information that each party requires to carry out their duties
- only disclose personal information to organisations who we have a contractual relationship with or have an overriding legal requirement to hold the information.
International transfers of personal data
In some instances, your personal information may be processed outside the UK and the European Economic Area. For example, we work with suppliers and partners who may make use of cloud and /or hosted technologies across multiple geographies and jurisdictions.
If and when this is the case, we take steps to ensure there is an appropriate level of security so your personal information is protected in the same way as if it was being used within the UK or the EEA.
Where we need to transfer your data outside the UK or EEA, we will use one of the following safeguards:
- The use of standard contractual clauses in contracts for the transfer of personal data to third countries or
- Transfers to a non-EEA country with privacy laws that give the same protection as the EEA.
How we protect your personal data
Data security is of great importance to Us and to protect your data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure any information that we control. TSO hold ISO27001 certification, covering our information governance and security standards and are audited against this standard annually.
At a high level we have put the below measure in place:
- Limiting access to our buildings to those that are entitled to be there
- Implementing access controls to across our technology estate
- Limiting the availability of personal information to those that require access to that information
- All our employees and agents who have access to or are involved in the processing of personal information are contractually obliged to protect the confidentiality of personal information.
Our websites may include links to external websites operated by other organisations. They may collect personal information from visitors to their site. We cannot guarantee the content or privacy practices of any external websites and does not accept responsibility for those websites.
Changes to this notice
We may change this privacy notice from time to time (for example, if the law changes). If the changes are material, we will take steps to inform you via email or through our services.
How to contact us
If you would like to:
- exercise one of your rights as set out above
- have a question or a complaint about this notice, or
- have a question or complaint about the way your personal information is processed.
You can contact us using the details below:
- By emailing our Customer Services Team at - [email protected]
- By emailing our Data Protection Team at - [email protected]