We want you to feel comfortable using our website.
- We understand that you may have concerns over what data we collect about you and the purposes for which we use it. We want you to feel comfortable using our website without having to worry about your privacy.
- At Nelsons, we are deeply committed to protecting your privacy, which is why we have set out this Privacy Notice describing the information we collect and what may happen to that information. By doing this we hope to address any concerns you may have about sending us your personal details.
- We take great care of your (or your family’s) health details, if you provide us with this information. In case you have any concerns, please be aware that if you send us sensitive information by any of our social media channels (like Twitter, Facebook or Instagram), we cannot guarantee they will keep your personal data as secure as we do. Instead, we recommend you to contact us by email at email@example.com.
- We process your personal information to:
- Provide you with information, products or services that you request from us;
- Carry out our obligations arising from any contracts entered into between you and us;
- Send you information about our products or services that we believe it will be of your interest, if you consent to us doing so;
- Allow you to participate in interactive features of our service, when you choose to do so;
- Deal with a competition or prize draw you have entered into;
- Carry out research if you have responded to one of our surveys;
- Ensure that content from our website is presented in the most effective manner for you and for your computer
- To generate public relations, if you are a journalist or social media influencer;
- To notify you about changes to our service; and
- To comply with a legal or regulatory obligation.
This Privacy Notice explains in detail what data we process, why, how it is legal and your rights.
About Us and this Privacy Notice
- This Privacy Notice is provided by Nelsons, which is a trading name of A Nelson & Co Limited (" or "we" or "us"). A company incorporated in England under number 249879 with registered office at Nelsons House, 83 Parkside, Wimbledon, London, SW19 5LP, who is a 'controller' for the purposes of the UK General Data Protection Regulation. This Privacy Notice applies to website users, customers, Nelsons' patients, suppliers, participants who enter into competitions or respond to surveys, journalists and social media influencers.
- We are responsible for looking after the personal data you give to us, and take your privacy very seriously. We ask that you read this Privacy Notice carefully as it contains important information about our processing and your rights.
HOW TO CONTACT US
- If you need to contact us about this Privacy Notice, please use the details set out below.
- We have a Data Protection Officer who is responsible for overseeing questions in relation to this Privacy Notice. You can contact them using the details below.
- Address: Nelsons House, 83 Parkside, Wimbledon, London, SW19 5LP
- Telephone number: +44(0)20 8780 4200
- Email: firstname.lastname@example.org
- If you would like this Privacy Notice in another format (for example: audio, large print, braille), please contact us.
CHANGES TO THIS PRIVACY NOTICE
- The Privacy Notice will be provided to you when you provide personal data to us for any reason and the latest version can always be found in our website footer.
- We may change this Privacy Notice from time to time. We will alert you by posting a notice on our website when changes are made.
- Current version: 21 June 2021
USEFUL WORDS & PHRASES
Please familiarise yourself with the following words and phrases (used in bold) as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:
- Controller - This means any person who determines the purposes for which, and the manner in which, any personal data is processed.
- Criminal offence data - This means any information relating to criminal convictions and offences committed or allegedly committed.
- Data Protection Laws - This means the laws which govern the handling of personal data. This includes the UK General Data Protection Regulation, the General Data Protection Regulation (EU) 2016/679, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) and any other legislation that relates to data protection and privacy.
- Data subject - The person to whom the personal data relates.
- ICO - This means the UK Information Commissioner's Office which is responsible for implementing, overseeing and enforcing the Data Protection Laws.
- Personal data - This means any information from which a living individual can be identified. This will include information such as telephone numbers, names, addresses, e-mail addresses, photographs and voice recordings. It will also include expressions of opinion and indications of intentions about data subjects (and their own expressions of opinion/intentions). It will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.
- Processing - This covers virtually anything anyone can do with personal data, including:
- obtaining, recording, retrieving, consulting or holding it;
- organising, adapting or altering it;
- disclosing, disseminating or otherwise making it available; and
- aligning, blocking, erasing or destroying it
- Processor - This means any person who processes the personal data on behalf of the controller.
- Special categories of data This means any information relating to:
- racial or ethnic origin;
- political opinions;
- religious beliefs or beliefs of a similar nature;
- trade union membership;
- physical or mental health or condition;
- sexual life; or
- genetic data or biometric data for the purpose of uniquely identifying you.
WHAT PERSONAL DATA DO WE COLLECT?
We collect the following information from you:
- When purchasing our products, or subscribing to our mailing list we will collect the following: name, address, the products you order, credit card details, payment and sales history, e-mail address, telephone number, occupation and if relevant fax number.
- If you are a journalist/social media influencer in addition to the above, we also collect the following: your place of work, interests, online presence and content displayed across your social media channels..
- We also collect details of your visits to our website, including traffic data, location data, weblogs and other communication data when necessary to provide you with a service.
SPECIAL CATEGORIES OF DATA
- When contacting us regarding any of our products, if necessary to provide you with the service you are requesting, we will collect: data related to your health conditions, including medical records and prescriptions and photographs and/or videos of any ailment/symptoms that you may have and require advice on.
PERSONAL INFORMATION PROVIDED BY THIRD PARTIES
- All the information we process about you has been provided by you, or a member of your family acting on your behalf. We do not receive or share personal information about you from third parties, with the exception of the following circumstances:
- If you are a journalist, or a social media influencer, we collect data from third parties such as Meltwater, Cision (Gorkana) and Sprinklr who will provide us with publicly available information about you, such as gender, job title, email addresses, contact location/address and phone number, social media handles and social media audience demographics..
- If you have subscribed to our newsletter, we will receive data from Mailchimp.
- If you have subscribed to our e-learning modules, Excsien will have access to your data.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Why do we process your personal data?
We use your personal data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).
- When you contact us for any reason;
- When you register to use our website;
- When you place an order with us;
- When you subscribe to any of our services;
- To provide you with information, products or services that you request from us;
- To carry out our obligations arising from any contracts entered into between you and us;
- To send you information about our products or services that we believe it will be of your interest, if you consent us to do so;
- To allow you to participate in interactive features of our service, when you choose to do so;
- To deal with a competition or prize draw you have entered into;
- To carry out research if you have responded to one of our surveys;
- To ensure that content from our website is presented in the most effective manner for you and for your computer;
- When you report a problem with our website;
- To generate public relations, if you are a journalist or social media influencer;
- To notify you about changes to our service; and
- To comply with a legal or regulatory obligation.
How is processing your personal data lawful?
We are allowed to process your personal data for the following reasons and on the following legal bases:
- We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in the interests of Nelsons. We have a legitimate interest in carrying out marketing activities and we will only do so if you consent or in certain circumstances permitted by law according to your expectations. We have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. Below explains the personal data processed on this basis.
- We have an interest in understanding the performance of our website, to improve the way it is presented and improve customers' services managed through the website.
- We have an interest in gaining a better knowledge on our customers' interests so we can display targeted advertising.
- You can object to processing that we carry out on the grounds of legitimate interests. See the section headed "Your Rights" to find out how
- It is necessary for our performance of the contract you have agreed to enter with us. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of your contract.
- We are subject to legal obligations to process your personal data for the purposes of complying with applicable regulatory, accounting and financial rules, health and safety and to make mandatory disclosures to government bodies and law enforcements.
- Sometimes we want to use your personal data in a way that is entirely optional for you, such as to send you our promotions and news. On these occasions, we will ask for your consent to use your information. You can withdraw this consent at any time.
SPECIAL CATEGORIES OF DATA
We are allowed to process your special categories of personal data for the following reasons and on the following legal basis:
- Data manifestly made public - Although this sounds like your data is "in the public domain", it does not mean such thing. When you voluntarily provide Nelsons with data related to your (or those who are under your care) health, in order for us to deal with your concerns or enquiries, as you are providing this information to those professionals/ employees/ members of our organisation who needs to deal with your enquiry (as opposed to a singular person who is under a duty of secrecy, for example a doctor). If you do so, it is considered that you are making this data sufficiently public in a way that you allow us to deal with your enquiry. Of course we will keep such data secure and the data will only be processed by the departments who need to know, in order to deal with your request.
- Health care services - If we need to process your data to provide you with health care services, pursuant to a contract with one of our health professionals, who, according to law, is subject to a duty of secrecy.
- Consent - You have given your explicit consent for us to process your (or those who are under your care) health conditions' data to provide you with a service. You can withdraw this consent at any time.
- Legal claims - We need to process your personal data if, we are required to process your personal data to defend or establish a legal claim.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who will have access to your personal data?
Below lists some of our key service providers that act as our processors who, if necessary, will have access to your personal data.
If you would like to know the names of our other service providers (e.g. IT service providers) please contact us using the details at the start of this Privacy Notice.
- Birchman provide enterprise resource planning system support on behalf of A Nelson & Co Limited.
- Sage Pay provides secure payments for online purchases.
- Mailchimp acts as a data processor for the Nelsons’ newsletter.
- Excsien acts as a data processor for the Nelsons’ professional education site.
We share your personal data with members of the Nelsons group, this being our subsidiaries, our ultimate holding company and its subsidiaries and with associated companies and marketing partners.
In addition, we share your personal data in the following circumstances:
- In the event that we sell or buy any business or assets, we would disclose your personal data to the prospective seller or buyer of such business or assets.
- If we or substantially all of our assets are acquired by a third party, personal data held by Nelsons about our customers will be one of the transferred assets.
- We will also share your personal data with the police, other law enforcements or regulators where we are required by law to do so.
WHO INFORMATION IS SHARED WITH: CONTROLLERS
- Freelancers operating our social media accounts; and
- Analytics agencies including Google analytics, Facebook analytics and 7Dots.
TRANSFERS OF YOUR PERSONAL DATA OUTSIDE THE EEA
- The data that we collect from you will be transferred to, and stored at, a destination outside the UK or the European Economic Area ("EEA"):
- when it is necessary to be processed by staff operating outside the UK or the EEA who work for us,
- because we have suppliers who are multinational companies, or are located out of the UK or the EEA, or have staff working from different locations.
- This is mainly because they are engaged in the fulfilment of your order, the processing of your payment details and the provision of support services.
- In most of the cases we have agreements in place which are approved by the European Commission's or the UK Government’s approved countries list (as applicable). You can find a maintained list of European Commission approved countries here http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm and UK government approved countries here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/#adequacy. This is to ensure your data is treated in the same way that we do. In any case, any transfer of your data will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms.
If you want to know more about how data is transferred, please contact us using the details in the section above.
HOW WE KEEP YOUR PERSONAL DATA SECURE
We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities.
- all information you provide to us is stored on secure servers;
- any payment transactions will be encrypted using SSL technology;
- we use encryption to protect your data from unlawful access.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk.
Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
WHEN WILL WE DELETE YOUR DATA?
Our main rule is not to keep your data for longer than we need to in order to meet all the purposes we included in the section "Why do we process your personal data?".
For example, if you buy our products online, we will keep your data for the time we need it to place the order and deliver them; then, we will keep that data if we need it to comply with a legal obligation, or for research or statistics purposes, but if we do not need all the data you provided then, we will delete the remaining data. For most of the purposes and legal obligations we have stated a retention period of 7 years.
In general, we have set out that the following categories of personal data and special categories of data will be kept for the following periods.
- Contact details of users - As long as it is required by law
- Contact details of customers/patient - As long as it is required by law
- Medical records - As long as it is required by law
- Card, payment details of customers - 6 years
As a data subject, you have the following rights under the Data Protection Laws:
- the right to object to processing of your personal data;
- the right of access to personal data relating to you (known as data subject access request);
- the right to correct any mistakes in your information;
- the right to ask us to stop contacting you with direct marketing;
- the right to prevent your personal data being processed;
- the right to have your personal data ported to another controller;
- the right to withdraw your consent;
- the right to erasure; and
- rights in relation to automated decision making.
- These rights are explained in more detail below. If you want to exercise any of your rights, please contact us (please see "How to contact us").
- We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex or you have made a number of requests, in which case we will respond within three months.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.
RIGHT TO OBJECT TO PROCESSING OF YOUR PERSONAL DATA
- You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.
- If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed "How is processing your personal data lawful".
RIGHT TO ACCESS PERSONAL DATA RELATING TO YOU
You may ask to see what personal data we hold about you and be provided with:
- a copy of the personal data;
- details of the purpose for which the personal data is being or is to be processed;
- details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers;
- the period for which the personal data is held (or the criteria we use to determine how long it is held);
- any information available about the source of that data; and
- whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.
- To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.
RIGHT TO CORRECT ANY MISTAKES IN YOUR INFORMATION
- You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.
RIGHT TO RESTRICT PROCESSING OF PERSONAL DATA
You may request that we stop processing your personal data temporarily if:
- you do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
- the processing is unlawful but you do not want us to erase your data;
- we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
- you have objected to processing because you believe that your interests should override our legitimate interests.
RIGHT TO DATA PORTABILITY
- You may ask for an electronic copy of your personal data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.
RIGHT TO WITHDRAW CONSENT
- You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.
RIGHT TO ERASURE
You can ask us to erase your personal data where:
- you do not believe that we need your data in order to process it for the purposes set out in this Privacy Notice;
- if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
- you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
- your data has been processed unlawfully or have not been erased when it should have been.
RIGHTS IN RELATION TO AUTOMATED DECISION MAKING
- You have the right to have any decision that has been made by automated means and which has a significant effect on you reviewed by a member of staff and we will consider any objections you have to the decision that was reached.
WHAT WILL HAPPEN IF YOUR RIGHTS ARE BREACHED?
- You may be entitled to compensation for damage caused by contravention of the Data Protection Laws.
Complaints to the regulator
- It is important that you ensure you have read this Privacy Notice. If you do not think that we have processed your data in accordance with this Privacy Notice, you should let us know as soon as possible. You may also complain to the ICO.
- Information about how to do this is available on the ICO website: ico.org.uk