Your Data’s Journey Through the Online Shop
Discover how your data may be processed through our online shop.
What information may you be asked to provide
Buying a product via the online shop
At the point you buy a product via the online shop you will be asked to provide the following information:
- First name
- Last name
- Billing address
- Delivery address
- Email address
- Contact phone number
- Card details (please see further information below in relation to card details)
- Details about your order
Creating an account
When buying a product at the online shop, you will be given the option to create an account by providing the following information:
- First name
- Last name
- Postal address
- Delivery address
- Contact phone number
Where we may collect your information from
When you buy a product at the online shop or create an account, your information will be provided by you.
Why we need this information and how we might use it
We are required to collect the information that we have outlined above for a number of different purposes which are listed below.
You will be asked to input the account holder name, billing address, payment card number, card expiry date, and card security code (CVV) into the website. This information will be sent direct via Barclaycard to the relevant bank so your payment or refund can be processed. Payment authorisation code may also be required.
Goods delivery or return
A certain amount of information will be used so goods can be delivered to you or returns can be managed.
Setting up an account with Nuffield
To set you up an account, we will need to collect certain information from you to enable ease of checkout and access to previous purchase information.
Personal data is required so that we can complete appropriate checks, such as call verification, to ensure we are speaking to the right person, before we disclose any personal data. If you make enquiries via email you may also be asked to answer some questions before information is disclosed to you via email.
Who your information may be shared with
In order to provide the online shop service, we work with a number of different organisations. How they fit into the process and what personal information they might have access to is explained in more detail below:
SIPL will sit in the middle of all the organisations involved in the online shop process and they will liaise with the product suppliers, the IT provider and Mythbreaker. If you want to return an item or ask a question you will interact with SIPL acting on Mythbreaker’s behalf. In order to carry out their part of the process and to answer your queries or investigate something to do with your order, SIPL will only have access to a very limited amount of your personal data, including your full name, email address, delivery address, order number, order date, and telephone number.
We have a trusted and reputable selection of product suppliers who will do just that; they will be the organisation who are supplying the product, packaging, and sending out your order. Your name, postal address, and order details will be shared with the product supplier so they can process your order. Your address is a necessary piece of information so they can post your order to you.
Khoo Systems have built and will maintain the online shop website, provide IT systems support and hosting in relation to the IT systems on which your information is stored. Whilst you won’t interact with Khoo Systems directly, the information you populate in the online shop will be processed by Khoo Systems. The only information they won’t see are your bank details as they will be processed through Barclaycard (more on that below).
You will be asked to input your card details into the website to take payment up front. However, we will not store your card details but instead will use them to obtain an algorithmically generated token. Tokenisation is a method used to safeguard the security of your data by substituting your card details with non-sensitive information, and we use the services of Barclaycard’s secure payment gateway for this. Only the token will be stored by us and this will be used to pay any refund to you in the instance of you returning a product.
For the purposes of product transportation
Where a third-party is processing your information on our behalf (referred in the data protection legislation as a ‘Processor’), we will ensure that they operate under contractual provisions that require them to maintain the same standards of confidentiality, data protection and information security equal to our own.
Fair and lawful processing
Each organisation is required to demonstrate that they are processing your personal data lawfully, to do this we need to demonstrate that one of the six ‘conditions for processing’ within the GDPR applies.
The online shop will mainly be processing data based on the following lawful basis for processing:
- Article 6.1 (a) Consent: we will ask for your consent to process your information, for example: to send you direct marketing communications. Where we ask for your consent you can withdraw your consent at a later date, please see our privacy notice for more information on how to exercise your rights.
- Article 6.1 (b) The processing of your information is necessary to fulfil our part of a contract we have entered into with you, or for us to action something you have asked us to do before we enter into a contract.
- Article 6.1 (f) The processing of your information is necessary for us to pursue a legitimate interest. We are required to consider whether the interest we are pursuing is overridden by your interests and we can only proceed if your interests do not override the legitimate interest we are pursuing.
Your rights in respect of your personal data
The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the key rights available to you.
- Data Subject Access Request – with some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. Where the data is data that you have given to us, you have the right to receive your copy of it in a common electronic format, and to provide copies of it to other people if you wish (Right to Data Portability).
- Right to Rectification – you have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion, such as assessments of performance or fitness to work.
- Right to Erasure – in some limited circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”). This right is not generally available where we still have a valid legal reason to keep the data (for example, because we are obliged to do so by law).
- Right to Restrict Processing – you also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example if you contest its accuracy or where we are processing it on the basis of our legitimate interest and you contest our assessment that our interest overrides your rights.
The above is not a complete and exhaustive statement of the law.
When things go wrong
We pride ourselves with the quality of our services and consistent positive customer satisfaction, however, we understand that in a small number of cases you may have cause to raise a concern regarding an element of the service. It is important that we learn from these episodes to continually enhance services and as such we carry out thorough investigations. In order to fully investigate your concern, we may need to share information with our compliance team, senior leaders or other parties. For example, if you raised concerns about the delivery or quality of a product, we might need to share this information with our relevant product supplier. In any case, we will only share a limited amount of information, as little as is necessary to investigate the concern.
If the concern has come via a third party e.g. a regulator, body or solicitor, we may need to disclose your data with them in order to resolve, defend or investigate a concern.
How long we will keep your Personal Data for
The length of time that Personal Data is stored is set by national legislation and is outlined in the Policy. We will retain your Personal Data for a period of 6 years plus the remaining financial year from the point that you purchased the goods.
We do not rely on wholly automated decision taking for any part of your online shop journey.
The online shop is operated by Mythbreaker Limited (Company Number 05581441), a wholly owned subsidiary of Nuffield Health (Company Number 00576970) but is branded ‘Nuffield Health’ under licence from Nuffield Health.
Nuffield Health is the Data Controller of your Personal Data which means that it is responsible for the lawful, fair and transparent processing of your Personal Data.
I want to find out more information about how Nuffield Health process personal information
I want to find out more information about the rights I have over my data
I want to exercise a right over my information
To exercise one of your rights in relation to your data, you can email email@example.com.
I want to raise a concern or a complaint relating to my personal information
Please email our Data Protection Officer firstname.lastname@example.org. Should you remain dissatisfied, you have a right to complain to the Information Commissioner’s Office on 0303 123 1113 or through the ICO website.