The following definitions are used in this policy:
Data Controller - A Data Controller determines the purposes and means of Processing Personal Data. For the purpose of managing your account and providing goods and services Stonehill would be defined as a Data Controller.
Data Processor - A Data Processor is responsible for Processing Personal Data on behalf of a Data Controller. For the purpose of sending an order direct to an End User on behalf of a Customer, Stonehill would be classed as a Data Processor.
Subprocessor - A 3rd party used by a Data Processor to fulfil purchase orders placed by the Data Controller. These may include, but are not limited to, couriers or hauliers, other suppliers and distributors.
Processing - The term "processing" is very broad. It essentially means anything that is done to, or with, personal data (including collecting, storing or deleting data).
Data Subject - An identifiable natural person who can be identified, directly or indirectly, in particular by reference to data. For example, an employee, customer or end user.
Personal Data - Any information relating to an identified or identifiable natural person (‘Data Subject’).
Customer - Any organisation who purchases goods or services directly from Stonehill.
End User - Any organisation or individual who purchases goods or services from a Customer.
Legal & Regulatory Obligations
Stonehill recognises the requirements of the current legislation relating to data protection & privacy and electronic communications.
EU Regulation 2016/679 General Data Protection Regulation (“GDPR”)
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR will come into effect across the EU on May 25, 2018.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Lawfulness, fairness and transparency - Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
Purpose limitation - Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation - Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy - Personal Data shall be accurate and, where necessary, kept up to date.
Storage limitation - Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
Integrity and confidentiality - Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability - The Data Controller shall be responsible for, and be able to demonstrate, compliance with the GDPR.
Please read the ICO guide to General Data Protection Regulation for more details.
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003)
The Privacy and Electronic Communications Regulations are derived from European law. They implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.
The e-privacy Directive complements the GDPR and sets out more-specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.
PECR has been amended four times. The more recent changes were made in 2015, to allow emergency text alerts and to make it easier to take action for breaches of the marketing rules; and in 2016, to require anyone making a marketing call to display their number. This guide covers the latest version of PECR, which came into effect on 16 May 2016.
PECR covers the following areas:
Marketing by electronic means, including marketing calls, texts, emails and faxes.
Security of public electronic communications services.
Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg caller ID and call return), and directory listings.
What Personal Data Do We Collect?
Stonehill collects information about you when you register to use this website, place an order, request a return, or register for an account. The only Personal Data we collect about you the Customer are names and email addresses. Only email addresses where an individual can be identified are classed as personal data. For example firstname.lastname@example.org would not be classed as Personal Data, but email@example.com would be, as it includes the individual's name through which the individual would be identifiable.
Where authorised by you the Customer, Stonehill can deliver direct to the End User, where delivery is to an individual the following Personal Data will be collected:
End User Personal Data will only be used for the purpose of processing and delivering orders, and honouring warranty obligations. Stonehill will never contact the End User directly without your permission. Telephone calls are recorded to monitor service levels. To comply with payment card industry data security standards, call recording is paused while taking credit card payment details.
How We Use The Personal Data We Collect?
Personal Data is collected to manage your account, process your orders, and to provide customer services and consignment tracking.
To facilitate Processing and delivery of your order, it may be necessary to pass your contact name/address details to a Subprocessor. Such Subprocessors may include, but are not limited to, couriers or hauliers, other suppliers and distributors.
In managing your account, we may send your details to, and use information from, credit reference agencies and fraud prevention agencies.
How Long Is Personal Data Retained?
Customer’s Personal Data will be kept for the term of their account with Stonehill, and will be deleted on termination of their account. Personal Data can be deleted on request of the Customer prior to termination of account, for example Personal Data belonging to an employee no longer working for the Customer.
How is Your Personal Data Protected?
A range of administrative, electronic and physical security measures are used to protect Customer and End User Personal Data. These measures protect Personal Data against loss, unauthorised access or alteration without permission.
Cloud services used by Stonehill for Processing Personal Data either have a Data Processing Agreement that meets the requirements of the GDPR or participate in the EU-U.S. Privacy Shield Framework.
Stonehill will send you information about products, services, offers and promotions which may be of interest to you. If you no longer wish to be contacted for marketing purposes, please click on the unsubscribe button at the bottom of marketing emails.
Stonehill will not share your Personal Data with 3rd parties for marketing purposes.
Email marketing campaigns may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include: the opening of emails, forwarding of emails, the clicking of links within the email content, and the times, dates and frequency of activity.
This information is used to refine future email campaigns and supply the user with more relevant content based around their activity.
Contact Legitimate Interests
Under the new data protection law starting in May 2018 we have a number of lawful reasons that we can use (or 'process') your personal information. For B2B accounts one of the lawful reasons is called 'legitimate interests'.
Broadly speaking Legitimate Interests means that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests.
So, what does this mean? When you provide your personal details to us we use your information for our legitimate business interests to carry out our work of servicing businesses throughout our territory. Before doing this, though, we will also carefully consider and balance any potential impact on you and your rights.
Some typical examples of when we might use the approach are for preventing fraud, direct marketing, maintaining the security of our systems, data analytics, enhancing, modifying or improving our services, identifying usage trends and determining the effectiveness of our campaigns and sales.
We will process the personal information you have supplied to us to conduct and manage our business to enable us to give you the most appropriate marketing, information, service and products and provide the best and most secure experience. These are what we consider to be our 'Legitimate Interests'.
The following are some examples of when and why we would use this approach in our work:
Marketing: We will make best efforts to ensure our marketing is tailored and relevant for you, wherever we deem you to be in the sales cycle.
Process Orders: In order for us to process an order, payment has to be taken and contact information such as name, delivery address and telephone number has to be provided. Both the buyer and seller need to record the transaction.
Your best interest: Processing your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
Personalisation: Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our customers and prospects.
Analytics: To process your personal information for the purposes of customer analysis, assessment, profiling and marketing, on a personalised or aggregated basis, to help us with our activities and to provide you with the most relevant information if this does not harm any of your rights and interests.
Research: To determine the effectiveness of promotional campaigns and advertising and to develop our products, services, systems and relationships with you.
Due Diligence: We may need to conduct investigations on supporters, potential customers and business partners to determine if those companies and individuals have been involved or convicted of offences such as fraud, bribery and corruption.
We will also hold information about you so that we can respect your preferences for being contacted by us.
When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Remember, you can change the way you hear from us or withdraw your permission for us to process your personal details at any time by using our online Preference Centre at the bottom of our emails.
A cookie is a simple text file that is stored on your computer or mobile device by a website's server, and only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier, the site name and some digits and numbers. It allows a website to remember things like your preferences or what's in your shopping basket.
The www.stonehill.co.uk website uses session cookies. Session cookies are files that are needed to store information while a customer is browsing the website, such as the items in their shopping basket. These cookies don’t record Personal Data.
You can set your web browser to disable cookies; please visit https://www.wikihow.com/Disable-Cookies for instructions. Please be aware that some website features may not function with cookies disabled. For further information about cookies, please visit http://www.allaboutcookies.org/.
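The session-cookie pattern described above, shown as an added Python example that is not Stonehill's own code: the browser receives only an opaque random identifier, and the basket contents (and any personal data) stay in a server-side store keyed by that identifier, so the cookie itself carries no Personal Data. The cookie name `sid`, the in-memory store, the 30-minute idle limit and the sample basket are all assumptions made for this example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"          # assumed cookie name for this example
SESSION_TTL_SECONDS = 30 * 60   # assumed server-side idle limit

# Constructed in-memory session store. Basket contents and any personal
# details live here, never in the cookie; the browser only holds the key.
_sessions = {}


def create_session(basket, now=None):
    """Store the basket server-side and return a fresh opaque session id."""
    sid = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
    _sessions[sid] = {
        "basket": list(basket),
        "expires": (now or time.time()) + SESSION_TTL_SECONDS,
    }
    return sid


def build_set_cookie_header(sid):
    """Build the Set-Cookie value for a session cookie.

    No Expires/Max-Age is set, so the browser discards it when the session
    ends; Secure/HttpOnly/SameSite limit where and how it can be read.
    """
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["secure"] = True       # only sent over HTTPS
    c[SESSION_COOKIE]["httponly"] = True     # not readable by page scripts
    c[SESSION_COOKIE]["samesite"] = "Lax"    # not sent on cross-site POSTs
    return c.output(header="").strip()


def load_session(cookie_header, now=None):
    """Parse the browser's Cookie header and return the session, or None.

    Unknown or expired ids yield None; expired entries are purged so the
    store does not keep data longer than needed.
    """
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(SESSION_COOKIE)
    if morsel is None:
        return None
    sess = _sessions.get(morsel.value)
    if sess is None:
        return None
    if (now or time.time()) > sess["expires"]:
        _sessions.pop(morsel.value, None)
        return None
    return sess


def cookie_contains_personal_data(cookie_header, personal_values):
    """Privacy check: True if any of the given personal values (a name, an
    email address) appears in the cookie text. Should be False for an
    opaque-id session cookie."""
    lowered = cookie_header.lower()
    return any(v.lower() in lowered for v in personal_values)


if __name__ == "__main__":
    sid = create_session(["widget-42"])
    header = build_set_cookie_header(sid)
    print("Set-Cookie:", header)
    print("basket:", load_session(f"{SESSION_COOKIE}={sid}")["basket"])
    print("personal data in cookie:",
          cookie_contains_personal_data(header, ["Jane Smith", "jane.smith@example.com"]))
```

The check in `cookie_contains_personal_data` is the practical test of the policy's claim: if a name or email address ever shows up in the cookie text, personal data is being stored client-side and the cookie is no longer anonymous.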
Data Subject Rights
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your Personal Data, please write to us at the following address.
IT Manager, Stonehill, Unit 16 Chapel Way, St Annes, Bristol, BS4 4EU
Last amended: May 2018