GDPR & Privacy Policy
Total Disc Repair Limited (‘we’ or ‘us’) are committed to protecting and respecting your privacy. This policy (together with our terms of use and any other documents referred to on it) sets out how we process your personal data and your rights in respect of that data. The data controller is Total Disc Repair Limited of Unit 1, Christchurch Business Park, Radar Way, Christchurch, Dorset, BH23 4FL.
GDPR
The GDPR legislation introduced by EU Parliament requires all companies who hold data to be compliant. TDR makes it compulsory for all its customers to opt-in to have their details saved and stored. You must give us consent to hold this information, which comprises name, address, email address, phone number, order history and IP address. If you have any questions on this, please contact us.
Data we may collect from you
We may collect and process the following data about you: Information that you provide by filling in any forms on our sites – www.totaldiscrepair.co.uk, www.repack-it.co.uk or any others that we own and may from time to time use to collect data or when otherwise contacting us; if you contact us, we may keep a record of that correspondence; details of transactions you carry out through our site and of the fulfilment of your orders; details of your visits to our site and the resources that you access.
You are able to opt out of us holding this information at any point. Please contact us to request this.
IP Addresses and Cookies
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual. For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies enable us to improve our service to you, estimate our audience size and usage pattern, store information about your preferences, and recognise you when you return to our site. You can set your browser up to refuse the setting of cookies. However, if you do this you may be unable to enjoy full use of the site and you may not be able to take advantage of certain promotions we may run from time to time. Please note that entities who advertise on our site may also use cookies, but we do not have access to them or control over them.
Using your Data
We use information held about you in the following ways:
To ensure that content from our site is presented in the most effective manner for you and for your computer.
To provide you with information, products, services or offers via e-mail, SMS, phone or post, that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
To notify you about changes to our service.
Third Parties
We do not and never will sell or pass your data on to third parties.
Opt In
As well as legally having to opt in to continue a business relationship with TDR you also are given the opportunity to opt out at any point and have your data removed from our records. To effect this, please contact us.
Disclosure of your Data
We may disclose your personal information to third parties:
In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
If Total Disc Repair Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any of our terms and conditions.
Third Party Websites
Our site may, from time to time, contain links to third party websites. If you follow a link to any of these websites, please note that these websites have their own terms and privacy policies and that we do not accept any responsibility or liability for these sites and their terms and policies.
Where we Store your Data
We use some third party websites to help process and fulfil customer orders, including shipstation.com, hubspot.com, Google Drive and dearsystems.com. Please note that these websites are responsible for securely storing some customer data and have their own terms and privacy policies for which we do not accept any responsibility or liability. We never capture or hold customer payment information or account passwords.
Access to Information
Regulation (EU) 2016/679 of the European Parliament gives you the right to access the information that we hold about you at any point. Should you wish to receive details that we hold about you please contact us.
Scope of Processing.
Customer’s Instructions. By entering into this Data Processing Amendment, the Customer instructs TDR to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Customer’s use of the Services and related technical support; (c) as documented in the form of the applicable Agreement, including this Data Processing Amendment; and (d) as further documented in any other written instructions given by Customer and acknowledged by TDR as constituting instructions for purposes of this Data Processing Amendment.
TDR’s Compliance with Instructions. As from the Full Activation Date, TDR will comply with the Customer’s instructions (including with regard to data transfers) unless EU or EU Member State law to which TDR is subject requires other processing of Customer Personal Data, in which case TDR will inform Customer. For clarity, TDR will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services. TDR will only retain data from Customers who have made a purchase and thus have given consent.
Data Deletion
Deletion During Term. TDR will enable Customer and/or End Users to delete Customer Data during the applicable Term. TDR will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
Deletion on Term Expiry. On expiry of the applicable Term Customer instructs TDR to delete all Customer Data (including existing copies) from TDR’s systems in accordance with applicable law. TDR will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
Data Security
TDR’s Security Measures, Controls and Assistance.
TDR’s Security Measures. TDR will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in the Appendix (the “Security Measures”). As described in the Appendix, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of TDR’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. TDR may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Security Compliance by TDR Staff. TDR will take appropriate steps to ensure compliance with the Security Measures by its employees to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
TDR’s Security Assistance. Customer agrees that TDR will (taking into account the nature of the processing of Customer Personal Data and the information available to TDR) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
(a) implementing and maintaining the Security Measures in accordance with TDR’s Security Measures;
(b) complying with the terms of Data Incidents; and
(c) providing Customer with the Security details requested in any SAR.
Data Incidents
Incident Notification. If TDR becomes aware of a Data Incident, TDR will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
Details of Data Incident. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps TDR recommends Customer take to address the Data Incident.
Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at TDR’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.
No Assessment of Customer Data by TDR. TDR will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).
No Acknowledgment of Fault by TDR. TDR’s notification of or response to a Data Incident will not be construed as an acknowledgement by TDR of any fault or liability with respect to the Data Incident.
Customer’s Security Responsibilities and Assessment.
Customer’s Security Responsibilities.
Customer agrees that, without prejudice to TDR’s obligations under TDR’s Security Measures, Controls and Assistance:
(a) Customer is solely responsible for its use of the Services.
(b) TDR has no obligation to protect Customer Data that Customer elects to store or transfer outside of TDR’s systems (for example, offline or on-premise storage), or to protect Customer Data by implementing or maintaining Additional Security Controls except to the extent Customer has opted to use them.
Customer’s Security Assessment.
(a) Customer is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures, the Additional Security Controls and TDR’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
(b) Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by TDR as set out in TDR’s Security Measures provide a level of security appropriate to the risk in respect of the Customer Data.
Customer’s Audit Rights.
If the European Data Protection Legislation applies to the processing of Customer Personal Data, TDR will allow Customer to apply via a Subject Access Request (SAR) to verify TDR’s compliance with its obligations under this Data Processing Regulation. TDR will submit to such audits within thirty days.
Impact Assessments and Consultations
Customer agrees that TDR will (taking into account the nature of the processing and the information available to TDR) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the information contained in the applicable Agreement including this Data Processing Amendment.
Data Subject Rights; Data Export.
Access; Rectification; Restricted Processing; Portability. During the applicable Term, TDR will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by TDR as described above, and to export Customer Data.
Data Subject Requests.
Customer’s Responsibility for Requests. During the applicable Term, if TDR receives any request from a data subject in relation to Customer Personal Data, TDR will advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
TDR’s Data Subject Request Assistance. Customer agrees that (taking into account the nature of the processing of Customer Personal Data) TDR will assist Customer in fulfilling any obligation to respond to requests by data subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
Data Transfers.
Data Storage and Processing Facilities. Customer agrees that TDR may store Customer Data in the United States and any other country in which TDR or any of its Parent Companies maintains facilities.
Transfers of Data Out of the EEA.
TDR’s Transfer Obligations. If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EEA and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), TDR will:
(a) if requested to do so by Customer, ensure that TDR as the data importer of the Transferred Personal Data enters into Model Contract Clauses with Customer as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses; and/or
(b) offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to Customer about such Alternative Transfer Solution.
Customer’s Transfer Obligations. In respect of Transferred Personal Data, Customer agrees that:
(a) if under the European Data Protection Legislation TDR reasonably requires Customer to enter into Model Contract Clauses in respect of such transfers, Customer will do so; and
(b) if under the European Data Protection Legislation TDR reasonably requires Customer to use an Alternative Transfer Solution offered by TDR, and reasonably requests that Customer take any action (which may include execution of documents) strictly required to give full effect to such solution, Customer will do so.
Appendix 1: Subject Matter and Details of the Data Processing
Subject Matter
TDR’s provision of the Services and related technical support to Customer.
Duration of the Processing
The applicable Term plus the period from expiry of such Term until deletion of all Customer Data by TDR in accordance with the Data Processing Amendment.
Nature and Purpose of the Processing
TDR will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Amendment.
Categories of Data
Personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may include the following categories of data: user IDs, email, IP address, address, gender. TDR does not store payment details (bank accounts, debit or credit card numbers).
Appendix 2: Security Measures
As from the Amendment Effective Date, TDR will implement and maintain the Security Measures set out in this Appendix 2 to the Data Processing Amendment. TDR may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Office & Network Security.
Infrastructure. TDR stores all production data in a physically secure office building.
Power. The office electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the office. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the office, at full capacity, for up to an hour.
Server Operating Systems. TDR servers use a Windows-based implementation. Data is stored using the Sage database and Google Cloud.
Business Continuity. TDR replicates data over multiple systems to help protect against accidental destruction or loss. TDR has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
Networks & Transmission.
Data Transmission. TDR transfers data via Internet-standard protocols, in encrypted form.
Intrusion Detection
Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. TDR’s intrusion detection involves:
1. Tightly controlling the size and make-up of TDR’s attack surface through preventative measures;
2. Employing intelligent detection controls at data entry points; and
3. Employing technologies that automatically remedy certain dangerous situations.
Incident Response. TDR monitors a variety of communication channels for security incidents, and TDR’s security personnel will react promptly to known incidents.
Encryption Technologies. TDR makes HTTPS encryption (that is, an SSL/TLS connection) available, and also uses end-to-end encryption (E2EE).
Access and Site Controls.
Site Controls.
On-site Security. TDR maintains on-site security 24 hours a day, 7 days a week. TDR monitors Closed Circuit TV (CCTV) cameras and all alarm systems.
Access Procedures. TDR maintains formal access procedures for allowing physical access to the offices. The servers are housed in facilities that require electronic card key access, with alarms. All entrants to the office are required to identify themselves as well as show proof of identity. Only authorized employees, contractors and visitors are allowed entry to the servers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Office electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the director. All other entrants requiring temporary office access must: (i) obtain approval in advance from the office managers; and (ii) sign in.
On-site Office Security Devices. TDR’s offices employ an electronic card key access control system. The access control system monitors and records each individual’s electronic card key and when they access doors. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and offices is restricted based on zones and the individual’s job responsibilities. The fire doors at the offices are alarmed. CCTV cameras are in operation both inside and outside the offices. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the office building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the offices connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 7 days based on activity.
Access Control
Access Control and Privilege Management. Customer’s Administrators and End Users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Services. Each application checks credentials in order to allow the display of data to an authorized End User or authorized Administrator.
Internal Data Access Processes and Policies – Access Policy. TDR’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. TDR aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. TDR employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and SSH certificates are designed to provide TDR with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. TDR requires the use of unique user IDs, strong passwords, and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with TDR’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength.
Data Storage, Isolation & Authentication.
TDR stores data on TDR-owned servers. TDR logically isolates data on a per End User basis at the application layer. TDR logically isolates each Customer’s data, and logically separates each End User’s data from the data of other End Users, and data for an authenticated End User will not be displayed to another End User (unless the former End User or an Administrator allows the data to be shared).
Decommissioned Disks and Disk Erase Policy.
Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving TDR’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed.
Personnel Security.
TDR personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. TDR conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel must acknowledge compliance with TDR’s confidentiality and privacy policies. Personnel handling Customer Data are required to complete additional requirements appropriate to their role. TDR’s personnel will not process Customer Data without authorization.
Contact
Questions, comments and requests regarding this privacy policy are welcomed and should be emailed to gdpr@totaldiscrepair.co.uk or addressed to TDR Limited, Unit 1, Christchurch Business Park, Radar Way, Christchurch, Dorset, BH23 4FL.