GDPR Statement
Issued 05/01/2018
Modified 10/05/2018
Ontech Role within the GDPR
What data does Ontech hold?
We hold your first name, surname, business email addresses, and business contact numbers
Why do we have this data?
We obtained this data through business dealings with you, e.g. you are a customer, have been a customer, or are a prospective customer of Ontech, or you are a supplier to Ontech.
What do we do with this data?
We use this data to contact you with regards to our mutual business interests e.g.
to contact you to provide support for our software or services
to contact you to advise when updates are available for our software or services
to contact you with regards to services we are providing to you on behalf of a mutual client
to contact you for contractual or financial purposes, i.e. invoices and statements
What is GDPR?
GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their personal data and to ensure that data protection law is almost identical across the EU.
The GDPR deems that any data which can be used to identify an individual is classed as personal data. It includes genetic, mental, cultural, economic, or social information. The GDPR also brings a new set of “digital rights” for EU citizens to protect against the growing value of personal data in the digital economy.
Organisations that fail to comply with the GDPR are subject to hefty penalties.
What counts as personal data under the GDPR?
The EU has expanded the definition of personal data to reflect the types of data organisations now collect about people; online identifiers such as IP addresses now qualify as personal data. Other data, such as economic, cultural or mental health information, is also considered personally identifiable information.
Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is. Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
But what about Brexit?
The UK is leaving the EU: Article 50, which sets in motion the act of leaving the EU within a two-year timeframe, was triggered in March 2017. This means the GDPR takes effect before the legal consequences of the Brexit vote, so the UK must still comply.
Your rights
You can ask for access to your data, and Ontech must respond within one month.
Ontech must be transparent about how we collect data, what we do with the data, and how we process this data.
You have the right to access any information we hold, know why that data is being processed, how long it’s stored for, and who gets to see it.
You can also ask for this data, if incorrect or incomplete, to be rectified.
You have the right to have this data deleted if it is no longer necessary for the purpose for which it was collected. To exercise the right to be forgotten, please contact us.
You have the right to have any data we hold erased.
Should you wish for this data to be transferred elsewhere Ontech must provide this information.
Ontech and your data
Ontech have undertaken a systems review and are in the process of implementing procedures which ensure that personal data is only stored where permission has been granted and directly relates to the nature of the business we have with our customers.
We do and will …
Use your data to contact you with regards to support call requests logged through our service desk
Use your data to provide account status updates
Use your data to provide information regarding software updates and promotional / training opportunities
Utilise robust and secure data processing procedures to protect your privacy
We don’t and won’t ever …
Sell your data to third parties
Store your data unnecessarily
Bombard you with unnecessary communications
Vision Software and GDPR
Our Vision Software terms and conditions have been modified to include provisions for GDPR and can be accessed by downloading the file below
We have provisioned as if we are a potential data processor; however, we neither handle nor maintain the personal data you keep within the Vision system.
There will be times when you request data to be extracted from the system; we are then governed by Article 29 of the GDPR, which states:
Article 29 – Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
As such, when you make any request for us to alter, modify or extract any data, we already record these transactions within our change control register, which we have to maintain for HMRC purposes. In addition, we request that you sign off any such work using a sales order, which we send to you electronically; these documents are only sent to recognised members of your organisation. We will continue to follow this existing policy.
Should you feel the need to specifically state who should sign off your authorisations please let us know and we will update our records to reflect this change.
We will always assume that the person you choose to be the authoriser of such sales orders will act with the full authority of your data controller.
We will not act on the authority of any instructions we receive from any person outside your company, including your customers or suppliers; all requests must come directly from yourselves. The only exception to this rule is a request by law enforcement under local, national or prevailing laws applicable at the time of the request.
Within the Application
Implementation of GDPR has been split into two sections:
Vision WMS, which includes Distribution, EDI, Bond and Invoicing
Vision Commerce
Vision WMS
As all control emanates from Vision Warehousing (WMS), it is key to the control, auditing and maintenance of GDPR requirements.
This is split into two distinct areas:
Customer Records (including contacts and delivery address points)
Order Records
Customer Records
There are a number of areas which we have addressed:
Warehousing
The ability to view the information - this is achieved on the VCIS site, and we will also have a report which can be output and emailed or posted to the customer.
The ability to correct the information - this is achieved by allowing the customer to submit changes on the VCIS site; you also have the ability to make changes on behalf of the customer. These changes will not be automated, as you need to verify the information before it is entered.
Auditing of the customer tables - when a record is opened and viewed we will record who did this and when; when a change is made on the account we ask for a reason and record who made it and when. This will all be available to both you and the customer.
Right of anonymity - if a customer has requested that their data be restricted, we will hide this data on the screen and on any output on reports. You will still be able to view this restricted information if you have the correct rights to do so, and only on re-entry of your password; this will again be logged, and the audit log will show whether the customer was "anonymous" at the time the record was opened. Once selected there is no way to reverse this setting.
Right of erasure - once a customer account is marked as archived you will have the ability to remove the personal content from the record. This deletion is final: the customer record remains, but the name, address 1, address 2, emails and phone numbers will be removed from the record and replaced with the wording "GDPR Erasure" or similar. Before you can do this, the system will check that all stock has been removed and all transactions have been finalised and closed.
Customer contacts will have the right to be removed; once removed there is no recovery and they will have to be re-entered. Whilst a contact does not identify an address, it has an email and name, so it has been added to the protection.
Customer delivery points - you will have the ability to remove these from the store; the erasure of these is final and cannot be recovered.
Ordering will have a new flag against the order, the right to be forgotten. This will also be an EDI field, and 28 days after the goods have been pick confirmed/despatched the details of who, where and contact will no longer be accessible, nor will they be printed on any documentation.
Ordering will also have the ability for the customer to be marked as erased, where the customer data (name, address 1, address 2, contact, email) will be removed from the record. The record will remain; you will only know the postcode the goods went to.
It should be noted that paper PODs will still be available; for proof of delivery we cannot remove the addressing on this paperwork, and it will be retained for as long as the retention periods you define with your customers.
GDPR last checked dates/times and users will be stored against each customer record. This is where you mark when you last checked the customer record for correctness; there will also be a search facility to find those which have not been checked for a time, to allow you to update them and perform the validation checking needed.
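The customer-record controls described above (logged views, changes that require a reason, the one-way restricted flag with a rights-and-password-gated override, erasure only after the stock and transaction checks, and the "last checked" search) as an added worked example in Python. This is illustration code written for this page, not Ontech's Vision WMS code: the record layout, the stock_on_hand and open_transactions counters standing in for the system's own checks, the password_reentered flag and the sample values are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ERASURE_TEXT = "GDPR Erasure"   # wording written into erased fields (page: "or similar")
MASKED = "***"                  # what a restricted field shows to a user without the right
# Personal fields the page lists as removed on erasure; the postcode is kept.
PERSONAL_FIELDS = ("name", "address1", "address2", "email", "phone")


@dataclass
class AuditEntry:
    when: datetime
    user: str
    action: str        # "view", "change", "restrict" or "erase"
    anonymous: bool    # whether the record was restricted when the action happened
    reason: str = ""   # mandatory for "change"


@dataclass
class Customer:
    account: str
    name: str
    address1: str
    address2: str
    postcode: str
    email: str
    phone: str
    archived: bool = False
    stock_on_hand: int = 0        # assumption: stands in for the system's stock check
    open_transactions: int = 0    # assumption: stands in for "all transactions finalised"
    restricted: bool = False      # right of anonymity, one-way
    erased: bool = False          # right of erasure, one-way
    gdpr_last_checked: Optional[datetime] = None
    gdpr_checked_by: str = ""
    audit: List[AuditEntry] = field(default_factory=list)


def _log(c: Customer, user: str, action: str, reason: str = "") -> None:
    c.audit.append(AuditEntry(datetime.now(timezone.utc), user, action, c.restricted, reason))


def view(c: Customer, user: str, has_restricted_right: bool = False,
         password_reentered: bool = False) -> dict:
    """Return what this user may see; every view is logged with the anonymous state.
    Restricted data is shown only with the extra right and a re-entered password."""
    _log(c, user, "view")
    data = {f: getattr(c, f) for f in PERSONAL_FIELDS}
    data["postcode"] = c.postcode
    if c.restricted and not (has_restricted_right and password_reentered):
        for f in PERSONAL_FIELDS:
            data[f] = MASKED
    return data


def change(c: Customer, user: str, reason: str, **updates: str) -> None:
    """Correct a record; a reason is mandatory and who/when/why are logged."""
    if not reason:
        raise ValueError("a reason is required for every change")
    for f, value in updates.items():
        if f not in PERSONAL_FIELDS:
            raise ValueError(f"{f} is not an editable personal field")
        setattr(c, f, value)
    _log(c, user, "change", reason)


def restrict(c: Customer, user: str) -> None:
    """Right of anonymity: the flag can be set but never cleared."""
    if c.restricted:
        raise ValueError("account is already restricted; this cannot be reversed")
    c.restricted = True
    _log(c, user, "restrict")


def erase(c: Customer, user: str) -> None:
    """Right of erasure: only an archived account with no stock and no open
    transactions may be erased; the record survives with only its postcode."""
    if c.erased:
        raise ValueError("account is already erased; this cannot be reversed")
    if not c.archived:
        raise ValueError("account must be archived before erasure")
    if c.stock_on_hand != 0:
        raise ValueError("all stock must be removed before erasure")
    if c.open_transactions != 0:
        raise ValueError("all transactions must be finalised and closed")
    for f in PERSONAL_FIELDS:
        setattr(c, f, ERASURE_TEXT)
    c.erased = True
    _log(c, user, "erase")


def mark_checked(c: Customer, user: str, when: datetime) -> None:
    """Record the GDPR last-checked date/time and user against the record."""
    c.gdpr_last_checked = when
    c.gdpr_checked_by = user


def unchecked_since(customers: List[Customer], days: int, now: datetime) -> List[Customer]:
    """Search for records not checked in the last `days` days (never checked counts)."""
    cutoff = now - timedelta(days=days)
    return [c for c in customers
            if c.gdpr_last_checked is None or c.gdpr_last_checked < cutoff]
```

Every state change goes through a function that appends to the audit list, so the log is the single place a reviewer checks; the two one-way flags refuse to be set twice rather than silently toggling, which is how the "no way to reverse" rule is enforced in code.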
Distribution
A delivery record will have a marker which allows the delivery to become anonymous. If this is checked, the delivery information will be restricted when the delivery is archived, which is generally two weeks after the end of the month in which the delivery was invoiced.
There will also be a search facility to allow you to find other archived deliveries and mark them as anonymous or erased. It will carry out the changes required, but there is no method to reverse this.
Invoicing
This will be driven from warehousing. If the customer has requested to be anonymous, the customer details will be restricted; however, they will still print on a reprinted invoice up to the point where the UK tax authorities require this to take place, and thereafter they will be hidden.
If the customer also requests erasure, this will only take place once the record has gone one year beyond the period for which the UK tax authorities require it to be maintained. The right of erasure will only delete the customer details; it will not remove the invoice. The invoice will always remain on the system and able to be printed, but in place of the personal details it will carry the wording "GDPR Erasure" or similar.
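The time-driven rules described for orders (details inaccessible 28 days after despatch when the forget flag is set, and erasure leaving only the postcode), for deliveries (the anonymous marker taking effect at archiving, two weeks after month end) and for invoices (restriction once the tax retention period ends, erasure wording one year later, the invoice itself always printable), as one added worked example in Python. This is illustration code written for this page, not Ontech's Vision code. The record layouts and sample dates are constructed, and TAX_RETENTION_YEARS is an assumed placeholder because the page does not state the retention period the tax authorities require; the function takes it as a parameter so the real figure can be supplied.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

ERASURE_TEXT = "GDPR Erasure"
MASKED = "***"
FORGET_AFTER_DESPATCH = timedelta(days=28)    # page: 28 days after pick confirm/despatch
ARCHIVE_AFTER_MONTH_END = timedelta(days=14)  # page: "generally 2 weeks after the end of a month"
TAX_RETENTION_YEARS = 6  # ASSUMPTION: the page does not state the period; pass the real value


def _add_years(d: date, years: int) -> date:
    """Anniversary of d; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Order:
    order_no: str
    name: str
    address: str
    contact: str
    postcode: str
    despatched: Optional[date] = None
    forget: bool = False   # the right-to-be-forgotten flag, also carried as an EDI field


def order_view(o: Order, today: date) -> dict:
    """Who/where/contact stop being accessible (and printable) 28 days after
    despatch if the forget flag is set; order number and postcode remain."""
    hide = (o.forget and o.despatched is not None
            and today >= o.despatched + FORGET_AFTER_DESPATCH)
    return {"order_no": o.order_no, "postcode": o.postcode,
            "name": MASKED if hide else o.name,
            "address": MASKED if hide else o.address,
            "contact": MASKED if hide else o.contact}


def order_erase(o: Order) -> Order:
    """Erased order: the record stays, but only the postcode says where it went."""
    return replace(o, name=ERASURE_TEXT, address=ERASURE_TEXT, contact=ERASURE_TEXT)


def delivery_archive_date(invoiced: date) -> date:
    """A delivery is archived two weeks after the end of the month it was invoiced in."""
    last_day = calendar.monthrange(invoiced.year, invoiced.month)[1]
    return date(invoiced.year, invoiced.month, last_day) + ARCHIVE_AFTER_MONTH_END


def delivery_restricted(anonymous: bool, invoiced: date, today: date) -> bool:
    """The anonymous marker only takes effect once the delivery has been archived."""
    return anonymous and today >= delivery_archive_date(invoiced)


@dataclass
class Invoice:
    invoice_no: str
    issued: date
    name: str
    address: str
    anonymous: bool = False
    erase_requested: bool = False


def invoice_print_details(inv: Invoice, today: date,
                          retention_years: int = TAX_RETENTION_YEARS) -> dict:
    """Customer details as they would print on a reprint. Anonymous details are
    hidden once the tax retention period ends; erasure swaps in the erasure wording
    only a further year later. The invoice itself is always returned, never removed."""
    retention_end = _add_years(inv.issued, retention_years)
    if inv.erase_requested and today >= _add_years(retention_end, 1):
        name = address = ERASURE_TEXT
    elif inv.anonymous and today >= retention_end:
        name = address = MASKED
    else:
        name, address = inv.name, inv.address
    return {"invoice_no": inv.invoice_no, "issued": inv.issued,
            "name": name, "address": address}


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    o = Order("SO1", "Jane Doe", "1 High St", "jane@example.com", "AB1 2CD",
              despatched=date(2018, 5, 1), forget=True)
    print(order_view(o, date(2018, 5, 29)))          # masked: 28 days have passed
    print(delivery_archive_date(date(2018, 5, 10)))  # 2018-06-14
    inv = Invoice("INV1", date(2012, 3, 1), "Jane Doe", "1 High St",
                  anonymous=True, erase_requested=True)
    print(invoice_print_details(inv, date(2019, 3, 1)))
```

The three rules share one shape: the flag is recorded at request time, but the effect is computed from dates at display or print time, so nothing has to be rewritten in the stored record on the exact day the period expires. Only order_erase and the invoice erasure branch replace stored data, and both keep the record itself.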
EDI
There are no details stored here, so this is not applicable.
A new field will be added for inbound orders which allows an order to be marked as anonymous; this will be implemented as per the guidelines above.
Bond
We will maintain the information within this module for the 7 years past the point when the stock went to zero, as per HMRC requirements.
As access to this information is restricted to only key personnel we will not make any further changes to this at this time.
VCIS (this only applies to the standard core program - if you have a customised site you will have to request changes as you see fit)
All data in here comes from the respective main systems, and nothing is stored in VCIS itself.
VCIS will have the ability to see the customer data
You will be able to remove customer delivery points from the DB
You will be able to provide an update to the customer record which is then sent to the warehouse for verification.
You will be able to mark an order to restrict the delivery details, which will take effect once the delivery has been completed.
You will be able to remove contacts from the list
You will be able to mark your account as restricted data views (there will be no way to undo this if the customer chooses this option); this restricts the information seen by the users of the warehouse unless they have additional rights to see it.
Vision Commerce
We already have many of the controls to remove customers from mailing lists and archive the customer. In addition to this we will need to implement:
Archived customer right to be forgotten - where the name remains but the address and contact details will be replaced with "GDPR Removed"
Delivery point right to be forgotten - where the name remains but the address and contact details will be replaced with "GDPR Removed"
There is also a need for customer privacy: a new filter will be added to the customer record which removes the ability to view the vital details, and this will also remove that customer from mailing lists. In order to view or maintain the customer details, the access will be logged in an audit table of who looked at the address.
Copyright Ontech Solutions 2017-2024. All rights reserved, no part may be replicated or distributed without the express permission of the owner.