This privacy notice governs the collection, storage and use of personal information about our suppliers, contractors and customers by Powershop UK Limited ("we", "us" or "our" for short). It was last updated on December 2017. Please ensure you read this privacy notice carefully. The aim of this privacy notice is to let you know what personal information we collect from your employees, contractors and officers ("the personal information") when we interact with you in a business capacity, how we store and use it, and how you and they can access and manage this information.
As different companies within our group may also be involved in the business activities that we interact with our suppliers, customers and contractors to conduct, it may be that the personal information is passed to them. They are our parent Flux Federation Limited, our sister company Powershop New Zealand Limited and, occasionally, our ultimate holding company Meridian Energy Limited.
So, what personal information do we collect about our suppliers, contractors and customers?
From you: We collect and record the personal information that is relevant to conducting business with our suppliers, contractors and customers directly from their employees, contractors and officers. This is likely to include their name, position, email address and phone numbers.
From you about other people: If you provide information about anyone else (such as contact details for other employees or contractors of your company or business) then in doing so you are confirming that you have explained how their information may be used by us and those other people have given them permission for us to do so.
You should let us know if your information (for example your phone number, address or email address) changes so that we can keep this information up to date.
How do we use your personal information?
To conduct business with our suppliers, contractors and customers
We will use the personal information to conduct business with our suppliers, contractors and customers. The legal basis we rely on to use your personal information in these ways is on our legitimate interests as a company to set up, optimise, maintain, improve, increase or reduce our business, and maximise the profitability of the business for our shareholders. This includes but is not limited to the following:
- to enquire about goods or services;
- for credit-checking your business (or the business of the company you work for or contract to);
- to negotiate, manage and terminate contracts including the supply of goods and services;
- to make payments and recover any overpayments;
- to supply and be paid for our services;
- to manage disputes and litigation;
- to provide information required under a contract, or receive any such information; and
- to facilitate and enter into any joint venture or business arrangement, including where we are approached by a potential buyer of our business or assets (but always with appropriate confidentiality arrangements).
If you do not wish us to use your personal information in these ways, we will need to have substitute information from other relevant employees, contractors or officers or we will not be able to do business with the company or business you work for or contract to.
To comply with our legal obligations
Sometimes we must use your personal information as required by law. The legal basis we rely on to do this is compliance with a legal obligation to which we are subject. Some instances of this include:
- to comply with general laws and regulations that apply to our business such as health and safety;
- to comply with any lawful government requests, e.g. from the Police.
When do we transfer your information out of the European Economic Area?
We may pass your personal information outside of the European Economic Area (EEA), but only ever with the relevant legal and security protection in place. Instances where we do this include emails to other members of our Group via the Gmail suite, which may involve transfers to the US and to other countries. We do this under Privacy Shield certification and a GDPR compliant Data Processing Addendum with Google. We may also share your information with our parent company Flux Federation Limited in New Zealand. New Zealand holds an adequacy decision from the European Commission.
We will keep the personal information for the length of the business relationship we have with you, plus until the beginning of the calendar year following. We may ask you for your consent to hold your information longer, in which case we will hold it as long as we have agreed.
Automated decision-making and profiling
Under law, we must tell you when we use fully automated decision-making which produces legal effects for you or similarly significantly affects you. We do not do this.
We must also tell you if we conduct profiling, which involves the use of your personal information to evaluate certain personal aspects relating to you, such as analysing or predicting aspects of your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. We do not do this either.
We take security seriously, and we comply with the law to take adequate technical and organisation measures to keep your personal information secure.
What rights do you have over your personal data?
Access: You are entitled to see the personal information that we hold about you at any time. (If you write to, email or phone us and ask to see this information, it is known as a 'subject access request' or 'SAR' for short). When we receive your request we will send you a form to fill in, and possibly also phone you to check your identity. If you do not return the form and/or answer our phone calls to verify you have made this request, we will not be able to deal with your request.
Changing or deleting: You can check that the personal information that we hold is accurate, or to let us know of any changes to your personal information. We always try to ensure that the information that we hold is accurate, up to date and relevant. We'll be more than happy to make changes or to correct any inaccuracies.
Restriction on use: You can ask us to temporarily stop using the personal information in the following circumstances:
- where you think their personal information is not accurate, we will temporarily stop using your personal information until you have verified the accuracy of it, if we cannot resolve the accuracy of it straight away;
- where you have objected our use of the personal information (in circumstances where it was necessary for the performance of a public interest task or for our legitimate interests as a business), and we are considering whether our legitimate interests as a business override your rights to object to our use of it;
- when processing is unlawful and you don't want us to erase it, and request restriction instead; or
- if we no longer need the personal information but you want it to establish, exercise or defend a legal claim.
If we have shared the personal information in question to third parties, we must inform them about the restriction on the processing of the personal information, unless it is impossible or involves disproportionate effort to do so. We must also inform them when we decide to lift a restriction on processing.
Data Portability: You can request the personal information you provided to us in a commonly used and machine-readable format.
Consent to store personal information: Most of the personal information we require is necessary to conduct business with you, and we don't rely on consent to use and retain it (we detail the legal grounds we rely on to use the personal data under each sub-heading in the section 'How do we use the personal information'?). If you (or anyone you have supplied personal information for, such as another employee in your business) no longer wish for us to have some of this personal information, then it is possible that we will no longer be able to do business with you (or your company or business), and we will still retain what personal information we already have, in accordance with the data retention period set out above.
Complain: If you think we are using or processing the personal information in a way that is not consistent with this privacy notice or with the law, you can lay a complaint with their local regulatory authority responsible for data protection. In the United Kingdom, this is the Information Commissioner's Office.
You can exercise any of these rights by contacting us as set out below under 'Who is your data controller?' below.
Who is your data controller?
Powershop UK Limited is the data controller for the personal information. You can contact us to exercise any of your rights by emailing firstname.lastname@example.org.
What if we update our privacy notice or you have any questions?
We do keep our privacy notices under regular review. If you have any questions or if you feel that we are not complying with the terms of this privacy notice please contact us using the same method as set out above under 'Who is your data controller'?.