Here at Springfield Of Burton Ltd we respect your privacy and we are committed to processing personal
information of our customers in a secure manner in line with our legal obligations.
This Policy explains how Springfield Of Burton Ltd will use any personal information that we may collect about you when you use our website, application forms, marketing platform or when you use any of our services.
By trading with Springfield Of Burton Ltd, you are accepting and consenting to the practices described
The information we collect from our customers helps us to personalise and continually improve your experience and our services.
We use the information to handle orders, deliver products, process payments/ invoices, and communicate with you about orders, products, services and promotional offers.
We may use your information to prevent or detect fraud or because it is required by law or for the purposes of legal proceedings. We may also use your information to enable third parties to carry out logistical or other functions on our behalf, for example couriers address database.
We may transfer your data to other third parties (including the police, law enforcement agencies, credit reference and fraud prevention agencies and other bodies) to protect our or another person's rights, property, or safety, in connection with the prevention and detection of crime.
1 . What Information we collect
Our Personal Data Protection Policy governs the use and storage of your data.
Springfield Of Burton Ltd is a Controller of the personal data you provide us.
In the operational use and maintenance of our services, Springfield Of Burton Ltd may collect personal
You use our website
You place an order or use any of our services
You contact us
You are a recipient of our services
You sign up to our E-flyer marketing platform (Constant Contact)
This may include (but not limited to) information which is recorded for items being delivered to you or if you have:
Completed an online form
Set up an account or entered information on any part of the Springfield Of Burton Ltd website
Completed the E-flyer sign up with our marketing platform, Constant Contact
Provided information as part of a webform contact request / enquiry
Contacted Springfield Of Burton Ltd in writing or by phone
We may collect (but not limited to) the following types of information:
Your name, address, email address, telephone number(s) and other contact details
Information required to provide you with a service, and the details of the service that you have used
Details of any enquiry
Information about items delivered to
Age verification data
Signatory information when signing for receipt of a delivery
2. Why we need it / how we will use your information:
Springfield Of Burton Ltd collects your personal information in order:
To provide you with our service(s)
To process your order and to provide after sales service
To enhance or improve our services
To provide you with promotional offers
Springfield Of Burton Ltd will not sell or provide your data to any third party where you have not provided your
consent to do so. All other information is processed in accordance with the Data Protection Act 1998, the
General Data Protection Regulation (GDPR) 2018 and other applicable laws.
Your personal data is processed by Springfield Of Burton Ltd located in the United Kingdom. Hosting and
storage of your data takes place within the European Economic Area (EEA).
In operating our services, it may become necessary to transfer the data that we collect from you to third parties and business partners who are located outside of the European Economic Area (EEA). Any such transfer of
information will only be in connection with the services that Springfield Of Burton Ltd provides and Springfield Of Burton Ltd will ensure that the information is protected to a level which meets the requirements of UK law.
By providing your data to us you agree to this transfer taking place.
No third party providers have access to your data, unless specifically required by law, where you have
consented with us to do so, or in order to fulfil our service to you.
We may send you information about products and services which may be of an interest to you, including any
promotions. This information is sent via our marketing platform, Mail Chimp. If you have consented to receive
marketing, you have the right to opt out at any time. If you no longer wish to be contacted for marketing
purposes please unsubscribe via the any email sent to you or contact us at firstname.lastname@example.org.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour
information. This information is used to track visitor use of the website and to compile statistical reports on
website activity. You can set your browser not to accept cookies and the below websites tell you how to remove
cookies from your browser. If cookies are disabled some features of our website may not function. For further
When purchasing age restricted goods from our website, age verification will performed using the electoral roll. If
no result can be found we will use your data to search companies’ house and previous orders for a matching
postcode. Other data sources may be used to aid identification if the process of age verification falls outside of the usual protocol for checking age or validity of order. If all other methods fail you will be contacted on the numbers provided on your order to request ID to
be sent. ID will be stored off site on secure servers, using two step authentication. You may request your photo
6. Payment Information
7. How long we keep it
Any personal data held by will be kept by us until such time that you notify us that you no longer wish to receive this information or terminate your account with us. Unless otherwise requested your order data will be kept for a minimum of 7 years to comply with financial regulations.
9. What are your rights?
You have the right to access to any information that we hold relating to you. Requests must be made in writing and Proof of identification is required to protect your information and to ensure it is not disclosed to unauthorised parties. Should you believe that any personal data we hold on you is incorrect or incomplete, you have the ability to request to see this information, rectify it or have it deleted.
In the event that you wish to complain about how we have handled your personal data, please contact us at email@example.com or Springfield Of Burton Ltd, Cross Street, Burton, DE14 1EG. We will then look-into your complaint and work with you to resolve the matter. If you still feel that your personal data has not been handled appropriately according to the law, you can contact the Information Commissioner's office ICO and file a complaint with them.
Cookies Collected By:
Springfield Of Burton Ltd & Google (May display as doubleclick.net) these serve to save baskets, improve user experience and for Google: ads, chrome functionality and google search.
Royal Mail - Data is sent to Royal Mail on the face of a parcel, no electronic data is sent to them.
If you would like to request a deletion of any data we hold on you, you can send the request to firstname.lastname@example.org
Personal Data Protection Policy
1. Purpose, Scope and Users:
Springfield Of Burton Ltd Ltd, hereinafter referred to as the "Company", strives to comply with
applicable laws and regulations related to Personal Data protection in countries where the
Company operates. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing
personal data. This Policy applies to the Company and its directly or indirectly controlled wholly-
owned subsidiaries conducting business within the European Economic Area (EEA) or
processing the personal data of data subjects within EEA.
The users of this document are all employees, permanent or temporary, and all contractors
working on behalf of The Company.
The following definitions of terms used in this document are drawn from Article 4 of the European
Union's General Data Protection Regulation:
Personal Data: Any information relating to an identified or identifiable natural person ("Data
Subject") who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity
of that natural person.
Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in
relation to fundamental rights and freedoms merit specific protection as the context of their
processing could create significant risks to the fundamental rights and freedoms. Those personal
data include personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of
uniquely identifying a natural person, data concerning health or data concerning a natural
person's sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency or any other body, which
alone or jointly with others, determines the purposes and means of the processing of personal
Data Processor: A natural or legal person, public authority, agency or any other body which
processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction of the data.
Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified
by using reasonable time, cost, and technology either by the controller or by any other person to
identify that individual. The personal data processing principles do not apply to anonymized data
as it is no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can
no longer be attributed to a specific data subject without the use of additional information,
provided that such additional information is kept separately and is subject to technical and
organizational measures to ensure that the personal data are not attributed to an identified or
identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the
ability to link personal data to a data subject. Because pseudonymized data is still personal data,
the processing of pseudonymized data should comply with the Personal Data Processing
Cross-border processing of personal data: Processing of personal data which takes place in the
context of the activities of establishments in more than one Member State of a controller or
processor in the European Union where the controller or processor is established in more than
one Member State; or processing of personal data which takes place in the context of the
activities of a single establishment of a controller or processor in the Union but which
substantially affects or is likely to substantially affect data subjects in more than one Member
Supervisory Authority: An independent public authority which is established by a Member State
pursuant to Article 51 of the EU GDPR;
Lead supervisory authority: The supervisory authority with the primary responsibility for dealing
with a cross-border data processing activity, for example when a data subject makes a complaint
about the processing of his or her personal data; it is responsible, among others, for receiving the
data breach notifications, to be notified on risky processing activity and will have full authority as
regards to its duties to ensure compliance with the provisions of the EU GDPR;
Each "local supervisory authority" will still maintain in its own territory, and will monitor any local
data processing that affects data subjects or that is carried out by an EU or non-EU controller or
processor when their processing targets data subjects residing on its territory. Their tasks and
powers includes conducting investigations and applying administrative measures and fines,
promoting public awareness of the risks, rules, security, and rights in relation to the processing of
personal data, as well as obtaining access to any premises of the controller and the processor,
including any data processing equipment and means.
"Main establishment as regards a controller" with establishments in more than one Member
State, the place of its central administration in the Union, unless the decisions on the purposes
and means of the processing of personal data are taken in another establishment of the
controller in the Union and the latter establishment has the power to have such decisions
implemented, in which case the establishment having taken such decisions is to be considered to
be the main establishment;
"Main establishment as regards a processor" with establishments in more than one Member
State, the place of its central administration in the Union, or, if the processor has no central
administration in the Union, the establishment of the processor in the Union where the main
processing activities in the context of the activities of an establishment of the processor take
place to the extent that the processor is subject to specific obligations under this Regulation;
Group Undertaking: Any holding company together with its subsidiary.
3. Basic Principles Regarding Personal Data Processing:
The data protection principles outline the basic responsibilities for organisations handling
personal data. Article 5(2) of the GDPR stipulates that "the controller shall be responsible for,
and be able to demonstrate, compliance with the principles."
3.1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the
3.2. Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes.
3.3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the
purposes for which they are processed. The Company must apply anonymization or
pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must
be taken to ensure that personal data that are inaccurate, having regard to the purposes for
which they are processed, are erased or rectified in a timely manner.
3.5. Storage Period Limitation
Personal data must be kept for no longer than is necessary for the purposes for which the
personal data are processed.
3.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the
implementation cost, and likelihood and severity of personal data risks, the Company must use
appropriate technical or organisational measures to process Personal Data in a manner that
ensures appropriate security of personal data, including protection against accidental or unlawful
destruction, loss, alternation, unauthorized access to, or disclosure.
Data controllers must be responsible for and be able to demonstrate compliance with the
principles outlined above.
4. Building Data Protection in Business Activities:
In order to demonstrate compliance with the principles of data protection, an organisation should
build data protection into its business activities.
4.1. Notification to Data Subjects
(See the Fair Processing Guidelines section.)
4.2. Data Subject's Choice and Consent
(See the Fair Processing Guidelines section.)
The Company must strive to collect the least amount of personal data possible. If personal data
is collected from a third party, the Information Security Manager must ensure that the personal
data is collected lawfully.
4.4. Use, Retention, and Disposal
The purposes, methods, storage limitation and retention period of personal data must be
consistent with the information contained in the Privacy Notice. The Company must maintain the
accuracy, integrity, confidentiality and relevance of personal data based on the processing
purpose. Adequate security mechanisms designed to protect personal data must be used to
prevent personal data from being stolen, misused, or abused, and prevent personal data
breaches. Information Security Manager is responsible for compliance with the requirements
listed in this section.
4.5. Disclosure to Third Parties
Whenever the Company uses a third-party supplier or business partner to process personal data
on its behalf, the Information Security Manager must ensure that this processor will provide
security measures to safeguard personal data that are appropriate to the associated risks such
as misuse of personal data, unauthorised disclosure of personal data, data breaches, etc. For
this purpose, the Processor GDPR Compliance Questionnaire must be used. The Company must
contractually require the supplier or business partner to provide the same level of data protection.
The supplier or business partner must only process personal data to carry out its contractual
obligations towards the Company or upon the instructions of the Company and not for any other
purposes. When the Company processes personal data jointly with an independent third party,
the Company must explicitly specify its respective responsibilities of and the third party in the
relevant contract or any other legal binding document, such as the Supplier Data Processing
4.6. Cross-border Transfer of Personal Data
Before transferring personal data out of the European Economic Area (EEA) adequate
safeguards must be used including the signing of a Data Transfer Agreement, as required by the
European Union and, if required, authorization from the relevant Data Protection Authority must
be obtained. The entity receiving the personal data must comply with the principles of personal
data processing set forth in Cross Border Data Transfer Procedure.
4.7. Rights of Access by Data Subjects
When acting as a data controller, the Information Security Manager is responsible to provide data
subjects with a reasonable access mechanism to enable them to access their personal data, and
must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or
required by law. The access mechanism will be further detailed in the Data Subject Access
4.8. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a
structured format and to transmit those data to another controller, for free. Information Security
Manager is responsible to ensure that such requests are processed within one month, are not
excessive (i.e. if the data subject sends requests daily) and do not affect the rights to personal
data of other individuals.
4.9. Right to be forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of its
personal data. When the Company is acting as a Controller, Information Security Manager must
take necessary actions (including technical measures) to inform the third-parties who use or
process that data to comply with the request.
5. Fair Processing Guidelines:
Personal data must only be processed when explicitly authorised by the Information Security
The Company must decide whether to perform the Data Protection Impact Assessment for each
data processing activity according to the Data Protection Impact Assessment Guidelines.
5.1. Notices to Data Subjects
At the time of collection or before collecting personal data for any kind of processing activities
including but not limited to selling products, services, or marketing activities, the Information
Security Manager is responsible to properly inform data subjects of the following: the types of
personal data collected, the purposes of the processing, processing methods, the data subjects'
rights with respect to their personal data, the retention period, potential international data
transfers, if data will be shared with third parties and the Company's security measures to protect
personal data. This information is provided through Privacy Notice.
If your company has multiple data processing activities, you will need to develop different notices
which will differ depending on the processing activity and the categories of personal data
collected for example, one Notice might be written for mailing purposes, and a different one
for shipping purposes.
Where personal data is being shared with a third party the Information Security Manager must
ensure that data subjects have been notified of this through a Privacy Notice.
Where personal data is being transferred to a third country according to Cross Border Data
Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which
entity personal data is being transferred.
Where sensitive personal data is being collected, the person responsible for Data Protection
matters must make sure that the Privacy Notice explicitly states the purpose for which this
sensitive personal data is being collected.
5.2. Obtaining Consents
Whenever personal data processing is based on the data subject's consent, or other lawful
grounds, the Information Security Manager is responsible for retaining a record of such consent.
The Information Security Manager is responsible for providing data subjects with options to
provide the consent and must inform and ensure that their consent (whenever consent is used as
the lawful ground for processing) can be withdrawn at any time.
When requests to correct, amend or destroy personal data records, the Information Security
Manager must ensure that these requests are handled within a reasonable time frame. Person
responsible for data protection matters must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In
the event that the Company wants to process collected personal data for another purpose, the
Company must seek the consent of its data subjects in clear and concise writing. Any such
request should include the original purpose for which data was collected, and also the new, or
additional, purpose(s). The request must also include the reason for the change in purpose(s).
The Person responsible for Data Protection matters is responsible for complying with the rules in
Now and in the future, the Information Security Manager must ensure that collection methods are
compliant with relevant law, good practices and industry standards.
The Information Security Manager is responsible for creating and maintaining a Register of the
6. Organisation and Responsibilities:
The responsibility for ensuring appropriate personal data processing lies with everyone who
works for or with the Company and has access to personal data processed by the Company.
The key areas of responsibilities for processing personal data lie with the following organisational
The board of directors makes decisions about and approves the Company's general strategies
on personal data protection.
The Information Security Manager the nominated person responsible for data protection matters
is responsible for managing the personal data protection program and is responsible for the
development and promotion of end-to-end personal data protection policies;
The Information Security Manager monitors and analyses personal data laws and changes to
regulations, develops compliance requirements, and assists business departments in achieving
their Personal data goals. This may include seeking legal advice or external counsel.
The Head of Technology is responsible for:
Ensuring all systems, services and equipment used for storing data meet acceptable security
Performing regular checks and scans to ensure security hardware and software is functioning
The Head of Marketing, is responsible for:
Approving any data protection statements attached to communications such as emails and letters
Addressing any data protection queries from journalists or media outlets like newspapers
Where necessary, working with the Person responsible for Data Protection Matters to ensure marketing initiatives abide by data protection principles
The Head of Human Resources is responsible for:
Improving all employees' awareness of user personal data protection
Organising Personal data protection expertise and awareness training for employees workingwith personal data
End-to-end employee personal data protection. It must ensure that employees' personal datais processed based on the employer's legitimate business purposes and necessity
The Information Security Manager is responsible for passing on personal data protection
responsibilities to suppliers and improving suppliers' awareness levels of personal data
protection as well as flow down personal data requirements to any third party a supplier they are
using. The Procurement Department must ensure that the Company reserves a right to audit
7. Guidelines for Establishing the Lead Supervisory
7.1. Necessity to Establish the Lead Supervisory Authority.
Identifying a Lead supervisory authority is only relevant if the Company carries out the cross-
border processing of personal data.
Cross border of personal data is carried out if:
a) processing of personal data is carried out by subsidiaries of the Company which are based in
other Member States; or
b) processing of personal data which takes place in a single establishment of the Company in the
European Union, but which substantially affects or is likely to substantially affect data subjects in
more than one Member State. If the Company only has establishments in one Member State and
its processing activities are affecting only data subjects in that Member State than there is no
need to establish a lead supervisory authority. The only competent authority will be the
Supervisory Authority in the country where Company is lawfully established.
7.2. Main Establishment and the Lead Supervisory Authority
7.2.1. Main Establishment for the Data Controller
The main establishment/ headquarters for Springfield Of Burton Ltd is Cross Street, Burton,
If the Company is based in an EU Member State and it makes decisions related to cross-border
processing activities in the place of its central administration (headquarters), there will be a single
lead supervisory authority for the data processing activities carried out by the Company. If
Company has multiple establishments that act independently and make decisions about the
purposes and means of the processing of personal data, [the Directors / top management of the
Company] needs to acknowledge that more than one lead supervisory authority exists.
7.2.2. Main Establishment for the Data Processor
When the Company is acting as a data processor, then the main establishment will be the place
of central administration. In case the place of central administration is not located in the EU, the
main establishment will be the establishment in the EU where the main processing activities take
7.2.3. Main Establishment for Non-EU Companies for Data Controllers and Processors
If the Company does not have a main establishment in the EU, and it has subsidiarie(s) in the
EU, then the competent supervisory authority is the local supervisory authority. If the Company
does not have a main establishment in the EU nor the subsidiaries in the EU, it must appoint a
representative in the EU, and the competent supervisory authority will be the local supervisory
authority where the representative is located.
8. Response to Personal Data Breach Incidents
When the Company learns of a suspected or actual personal data breach the Information
Security Manager must perform an internal investigation and take appropriate remedial
measures in a timely manner. Where there is any risk to the rights and freedoms of data
subjects, the Company must notify the relevant data protection authorities without undue delay
and, when possible, within 72 hours.
9. Audit and Accountability
The Information Security Manager and Tech team are responsible for auditing how well business
departments implement this Policy. Any employee who violates this Policy will be subject to
disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her
conduct violates laws or regulations.
10. Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and
of the countries in which Springfield Of Burton Ltd operates. In the event of any conflict between
this Policy and applicable laws and regulations, the latter shall prevail.
11. The Reduction of Knife Crime
In order to help the reduction of knife crime, orders which are placed with a fake or edited ID or
method of verification may be passed to any publicly funded body including but not limited to
The Police or Trading standards. If we suspect an order has been placed in order to supply knives
to anyone who would otherwide but unable to purchase them legally your details may be passed on also.