Personal data means data which relates to a living person who may be identified directly or indirectly from that data (“Personal Data”). The processing of Personal Data is governed by the General Data Protection Regulation 2016/679 (“GDPR”) and other applicable data protection laws (“Data Protection Law”).
Emo Oil Ltd t/a Certa Ireland (“Certa”, “we” or “us”) is a data controller. This means that Certa determines how Personal Data is used (“Processed” / “Process” / “Processing”).
2. Categories Of Personal Data Processed
Certa Processes the following categories of Personal Data:
|Customers||Name, address(es), telephone, mobile, email, order history, credit/payment history, direct debit details – bank a/c, sort codes, customer delivery notes/special instructions, customer requests/queries by email, customer note/message log, credit and debit card details for payments & refunds, marketing permission preferences, call recordings and Certa Rewards: gender, age range, day born and month born.|
|Individual contact persons in suppliers and other business contacts||Name, business address, telephone, mobile and email.|
|Name, business address, telephone, mobile and email.|
Certa will ordinarily obtain or Process Special Categories of Data (“SCD”) only in very limited circumstances. Where it does so, it shall Process such Personal Data in accordance with Data Protection Law.
3. Purposes For Which Personal Data Is Processed
We may Process Personal Data for any of the following purposes:
- Fulfilment of orders, delivery notifications (email and SMS), marketing and service updates, Certa Rewards scheme, sales reporting and analysis, payment processing, payment analysis, refunds, credit notes, credit control purposes, legal requirements, customer complaints, operating of customer budget plans, to third party service providers for purchasing, polling, and invoicing purposes, sending of customer information to/from third party distributors/hauliers for delivery of customer orders, etc.;
- Complying with applicable law, including anti-money laundering legislation;
- For administrative purposes, including securing and maintaining our internal systems, platforms and digital applications;
- Upholding an adequate level of security;
- Carrying out controls to prevent fraud; and/or
- Managing business relationships.
Legal basis for Processing Personal Data
We use Personal Data when:
- We have consent to use Personal Data for a specific purpose;
- We are, or are considering, making an agreement;
- We have to comply with certain legal obligations; and/or
- We or the business are pursuing a legitimate interest. This could be where we have a business or commercial reason to use Personal Data. We will only do so if our interest clearly overrides the data subject’s interest in not having his/her Personal Data Processed by us.
From time to time, we may also Process Sensitive Personal Data (“SPD”) if required to do so by law. We will seek explicit consent to Process SPD, unless the law permits us to register such data without consent.
|To manage our customer relationship|
|To administer and protect our business|
|To deliver relevant website content and advertisements and measure or understand the effectiveness of our advertising.|
|To make suggestions and recommendations about products or services that may be of interest.|
4. Data Processors
Certa will engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of Certa and gives rise to a data controller and data processor relationship, Certa will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.
5. Record Keeping
As part of our record keeping obligations under the GDPR, Certa retains a record of the Processing activities under its responsibility. This comprises the following:
- Name and contact details of the controller
- The purposes of the Processing
- Description of the categories of data subjects and of the categories of Personal Data.
- The categories of recipients to whom the Personal Data have been or will be disclosed.
- Where applicable, transfers of Personal Data to a third country outside of the EEA.
- Where possible, the envisaged time limits for erasure of the different categories of Personal Data.
- Where possible, a general description of the technical and organisational security measures adopted.
6. Individual Data Subject Rights
Data Protection Law provides certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”): the right of a data subject to receive information on the Processing; the right of access to Personal Data; the right to rectify or erase Personal Data (right to be forgotten); the right to restrict Processing; the right of data portability; the right of objection; and the right to object to automated decision making, including profiling.
These Data Subject Rights will be exercisable subject to limitations as provided for under Data Protection Law. You may make a request to Certa to exercise any of the Data Subject Rights by contacting firstname.lastname@example.org. Your request will be dealt with in accordance with Data Protection Law.
7. Data Security And Data Breach
We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of Personal Data security breaches. Any data breaches identified in respect of Personal Data controlled by Certa will be dealt with in accordance with Data Protection Law.
8. Disclosing Personal Data
From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data). We may also disclose Personal Data to: (a) selected third parties including certain government bodies such as the Revenue Commissioners; and (b) service providers, such as distributors, hauliers, website providers, payment processing providers, IT support providers, etc.
9. Data Retention
We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Notice). We will keep Personal Data for as long as we have a relationship with the data subject, and for a period of up to 6 years thereafter. We will only retain Personal Data after this time if we are required to do so to comply with the law, or if there are outstanding claims or complaints that will reasonably require such Personal Data to be retained.
10. Data Transfers Outside The EEA
From time to time, Certa may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland. If such transfer occurs, Certa will ensure that such Processing of Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission) or ensuring that the recipient is Privacy Shield certified, if appropriate. If you require more information on the means of transfer of Personal Data or would like a copy of the relevant safeguards, please contact email@example.com.
11. Further Information/Complaints Procedure
For further information about this Privacy Notice and/or the Processing of Personal Data by or on behalf of Certa please contact firstname.lastname@example.org. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact email@example.com in the first instance to give us the opportunity to address any concerns that you may have.