
Privacy and Data Protection Policy

Overview

KRCS have measures in place to protect the rights of, and the personal information that we hold for, individuals and organisations. We work hard to comply with all relevant laws including the UK Data Protection Act (1998) and the General Data Protection Regulations (GDPR) introduced in May 2018. We maintain internal data protection and privacy policies on which all our staff are trained to ensure that we meet our obligations under these laws. Additionally, we seek contractual commitments from all third party data processors to which we provide personal information for the day-to-day transaction of our business and marketing activities, to ensure that they meet or exceed the standards that we apply.

We review and change our policies and processes regularly to ensure that we continue to meet any changing demands of the applicable laws. We encourage our staff to be vigilant and to report to the Directors any suspected non-compliance with our policies, and are committed to taking action whenever these reports are made.


Data security

We are committed to ensuring that your data is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

This includes:

  • Router/firewall hardware that is kept up-to-date with the latest firmware
  • Best-practice two-factor security policies on Microsoft 365, Google and any other cloud-based service
  • Managed Apple IDs to ensure control of data
  • Fully managed devices, with security policies enforcing disk encryption, passwords and other behaviour to ensure data security
  • Authenticated access with a second factor to access databases and systems containing customer data
  • Remote lock and wipe capability on all internal devices
  • Full end point protection on devices to protect against malware, phishing and other online threats against data security

Information that we gather and your rights

With particular reference to the GDPR regulations, individuals have eight important rights. The following explains how KRCS treat each of these rights.

  1. The right to be informed
    You have the right to know what we do with your data and why, how you can withdraw your consent for us to do that, and exactly who we are. This policy applies to KRCS Group Ltd, Queens Court, Lenton Lane, Nottingham, NG7 2NR. The person responsible for the privacy policy and its application is the Managing Director. There are a number of lawful reasons that we may hold information about an individual. The main two reasons that we do this are:

    • To transact our business, and hold sufficient data for us to be able to process orders and deliver goods on those orders
    • To send, with consent, promotional marketing emails regarding products and services that we think may be of interest to you. We gather consent in a number of ways including asking the question face to face in our retail stores, asking the question over the phone when taking orders in that way, and seeking affirmative confirmation of your consent on our web site when you place an online order.

    We retain this information for as long as one of those two lawful reasons continues to be applicable. If we do not have your permission to send emails, and we have not transacted an order with you for a period of six years, then we delete the personal information from our systems, and request that any third party data processors that we may have sent that data to also delete it from their systems.

    If at any time you wish to withdraw your consent or make a complaint about our handling of personal data then you can email info@krcs.co.uk, or write to us at the address given above, and we will remove that consent, or contact you regarding your complaint within one month, but normally sooner.

  2. The right of access
    If you wish to know what data we store about you, in order to check that it is accurate or being used lawfully, then you may email info@krcs.co.uk, or write to us at the address given above, and we will provide you with any data that we hold about you in the same format in which you made the request.

    We will do this within one month, unless the request is complex, or we have too many requests to deal with, in which case we will inform you within one month that we may need an extension of time.

  3. The right to rectification
    If you believe the information we hold about you to be inaccurate then you may email us on info@krcs.co.uk or write to us at the address above to let us know.

    We will correct the information we store, and inform any third parties to which we may have provided that information, requesting that they rectify the information they hold too.

    We will do this within one month of the request, unless the request is complex, or we have too many requests to deal with, in which case we will inform you within one month that we may need an extension of time.

  4. The right to erasure
    You may request that we erase the information that we hold about you (also known as the right to be forgotten). You may request this if you believe that we no longer need the information for which it was originally lawfully collected, and that you have withdrawn or never gave your consent for us to use the data for marketing purposes, or you feel that it was unlawfully processed.

    Please contact us with your request on info@krcs.co.uk or write to us at the address above to let us know.

    We will consider these requests and take appropriate action within one month of the request, unless the request is complex, or we have too many requests to deal with, in which case we will inform you within one month that we may need an extension of time.

  5. The right to restrict processing
    You may ask us to restrict the processing of your personal information if you think it is inaccurate, you object to the processing, or you wish us to retain the information past the point at which we would normally remove it as you wish to establish or defend a legal claim.

    Please contact us with your request on info@krcs.co.uk or write to us at the address above to let us know.

    We will consider these requests and take appropriate action within one month of the request (including where appropriate informing any third parties of this restriction), unless the request is complex, or we have too many requests to deal with, in which case we will inform you within one month that we may need an extension of time.

  6. The right to data portability
    You may request a copy of the data that we hold about you in a machine-readable format (for example an Excel spreadsheet or text file) for the purpose of re-using that data for any reason. Examples include using your data to understand your spending habits, or for use on price comparison web sites.

    Please contact us with your request on info@krcs.co.uk or write to us at the address above to let us know.

    We will provide this free of charge within one month, unless the request is complex, or we have too many requests to deal with, in which case we will inform you within one month that we may need an extension of time.

  7. The right to object
    If you object to our handling of your data in the areas of direct marketing, processing orders, or for any other reason then you may inform us of your objection by emailing us on info@krcs.co.uk or writing to us at the address above.

    Whilst we consider your written objection, and if we agree that we have no legal right to use the data in the way to which you are objecting, we will restrict the processing of that data free of charge and within one month, unless the request is complex, or we have too many requests to deal with, in which case we will inform you within one month that we may need an extension of time.

    You will also be given the option to object to us sending you marketing information at the point at which you place an order with us or give us your personal information, and this is addressed in section 1. The right to be informed.

  8. Rights in relation to automated decision making and profiling
    We may make automated decisions (via a computer algorithm) on certain aspects of the marketing materials that we send to you. We do not make any other automated decisions on your information.

    We do not make any decisions on what the GDPR regulations describe as ‘special categories of personal information’, nor do we make any decisions based on ethnicity, race, sex, gender or disability. Our automated decision making is based purely on your geographical location (address) and the products that you have bought from us.

    If you object to the automated data processing that we perform on your personal information, then you may ask us not to do this. Since this decision making is integral to how we send marketing materials, then we will simply remove any marketing consent that you have given to us, which will result in your data not being processed in this way.

    Please contact us with your request on info@krcs.co.uk or write to us at the address above to let us know.

    We will do this free of charge within one month, unless the request is complex, or we have too many requests to deal with, in which case we will inform you within one month that we may need an extension of time.


Data relating to recruitment

KRCS receive personal information in the form of CVs and covering letters from applicants for roles within our business. This information is shared internally only with the line manager responsible for undertaking that recruitment process, and also the directors of the business.

For successful candidates we retain the information (either in electronic format, or on paper, or both) in our personnel records for the legitimate purpose of holding enough information to contact the staff member and their next of kin, make salary payments and carry out other legitimate HR activities.

For unsuccessful candidates we retain the information for three months following the conclusion of the recruitment, for the purpose of resolving any questions, appeals or reviews of that recruitment process. After three months the information is permanently deleted or destroyed.

Any applicant wishing to enquire as to whether we still have their data on file, based on the above policy, should email info@krcs.co.uk and we will respond free of charge within one month, but usually sooner.


Third party organisations that we share data with

In the interests of transparency, we list here the third party organisations that we regularly share personal information with. In every case we only do this if there is a lawful reason to do so, which is always with regard to processing orders and the data sharing required to do that, and for the purpose of sending marketing materials to you if you have given consent.

These organisations each have their own privacy policy, over which we have no control, and we have reviewed those statements to ensure that we believe they comply with the current data protection regulations. You should read these companies’ statements to ensure you are happy with them if you believe we may have shared your information with them.

You may request to know if we have done that by emailing us on info@krcs.co.uk or writing to us at the address above.

  • Apple (www.apple.com)
    We share information with Apple regarding repairs to hardware for the purpose of maintaining records on the service history of those devices.

    We also share information on purchases made by education establishments, which may include the names of individuals involved with that purchase, for the purpose of tracking sales rebates that may be due to KRCS, and the eligibility of the education discount that has been applied to those sales.

    We may also share information with Apple if they request it for other legitimate reasons, such as establishing the eligibility of a warranty claim.

  • Opayo formerly SagePay (www.opayo.co.uk)
    We share personal information with Opayo from our online store for the purpose of taking payment for online purchases.

  • Klarna (www.klarna.com/uk)
    We share personal information with Klarna from our online store for the purpose of fulfilling the customers’ request for personal finance to make a purchase on our online store.

  • TD Synnex (uk.tdsynnex.com) and Westcoast (www.westcoast.co.uk)
    We share information with TD Synnex and Westcoast from our sales order processing system, to allow us to arrange direct deliveries of goods that have been purchased from any of our points of sale (online, high street store or sales teams). We share names and delivery addresses to allow those deliveries to be completed.

  • MailingManager (www.mailingmanager.co.uk)
    We send information to MailingManager to allow us to send marketing emails to those individuals who have given us consent to do so. We regularly synchronise the information between our own databases and theirs to ensure that we have up to date information on both with regard to marketing consent.

  • CHG Meridian (www.chg-meridian.co.uk) and Midlands Asset Finance (www.midlandsassetfinance.co.uk)
    We share information on businesses and their authorised individuals for the purpose of obtaining quotations for lease finance and lease purchase agreements.

  • TradeDoubler (www.tradedoubler.com/en)
    We send information about a purchase (transaction ID, goods purchased and value of purchases) to TradeDoubler to allow us to credit affiliates associated with the TradeDoubler platform for transactions where the individual has arrived on our site via an affiliate link. No personally identifiable information is released to TradeDoubler or the affiliate partners as a part of our use of the TradeDoubler platform.

  • Google (www.google.co.uk)
    We use Google's analytics, Shopping and Ad platforms for the purpose of analysing use of our site, as well as advertise our products and services to interested. No personally identifiable information is shared with us by Google in our use of their services.

  • Other organisations
    There may from time to time be other organisations with which we share personal information, and we will apply the same rigorous checks to ensure we are happy with their data processing and privacy policies. However, there are no others at the time of writing of this policy that are significant or regular.


Our cookie policy

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

We use the following cookies:

  • Strictly necessary cookies
    These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

  • Analytical/performance cookies
    They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

  • Functionality cookies
    These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

  • Targeting cookies
    These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.


| Cookie Name | Cookie Description |
| --- | --- |
| FORM_KEY | Stores randomly generated key used to prevent forged requests. |
| PHPSESSID | Your session ID on the server. |
| GUEST-VIEW | Allows guests to view and edit their orders. |
| PERSISTENT_SHOPPING_CART | A link to information about your cart and viewing history, if you have asked for this. |
| STF | Information on products you have emailed to friends. |
| STORE | The store view or language you have selected. |
| USER_ALLOWED_SAVE_COOKIE | Indicates whether a customer has allowed the use of cookies. |
| MAGE-CACHE-SESSID | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-STORAGE | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-STORAGE-SECTION-INVALIDATION | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-TIMEOUT | Facilitates caching of content on the browser to make pages load faster. |
| SECTION-DATA-IDS | Facilitates caching of content on the browser to make pages load faster. |
| PRIVATE_CONTENT_VERSION | Facilitates caching of content on the browser to make pages load faster. |
| X-MAGENTO-VARY | Facilitates caching of content on the server to make pages load faster. |
| MAGE-TRANSLATION-FILE-VERSION | Facilitates translation of content to other languages. |
| MAGE-TRANSLATION-STORAGE | Facilitates translation of content to other languages. |
| Third-Party Cookies | Facilitate functionality for finance quotations, applications and video playback from Klarna, CHG Meridian, Midlands Asset Finance and Vimeo. |

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.


Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.


Data breach policy

This Data Breach Policy outlines the procedures to be followed in the event of a data breach within KRCS. A data breach is defined as any unauthorized access to or disclosure of personal data held by the company, which compromises the security, confidentiality, or integrity of that data.

Reporting a breach

Any employee who becomes aware of or suspects a data breach must immediately report it to the Data Protection Officer (DPO), and company Director or another designated member of the Data Protection Team.

The report must include details of the breach, including the nature of the breach, the data affected, and any potential impact on individuals or the organization.

If the DPO or designated member of the Data Protection Team is unavailable, the breach should be reported to the next level of management.

Investigating a Data Breach

Upon receiving a report of a data breach, the DPO or designated member of the Data Protection Team will initiate an investigation into the breach. The investigation will determine the cause and extent of the breach, assess the potential risks and impact, and identify any necessary remedial actions.

The investigation will be conducted promptly and thoroughly, with appropriate documentation maintained throughout.

Notification of Authorities and Individuals

If the breach is likely to result in a risk to the rights and freedoms of individuals, the Information Commissioner's Office (ICO) will be notified within 72 hours of becoming aware of the breach.

Individuals affected by the breach will also be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms. The notification to individuals will include details of the breach, the potential risks involved, and any steps they can take to protect themselves.

Mitigating the Impact of a Data Breach

KRCS will take all necessary steps to mitigate the impact of a data breach, including implementing measures to prevent further unauthorized access or disclosure of data.

This may include temporarily suspending affected systems or services, conducting security assessments, and providing support and assistance to affected individuals.

Review and Update

This Data Breach Policy will be reviewed and updated regularly to ensure its effectiveness and compliance with relevant laws and regulations. Any changes to the policy will be communicated to all employees and relevant stakeholders.


Disclaimer

This information is correct at the time of writing, errors and omissions excepted. KRCS will regularly review and update this policy, and you should check back on our web site periodically to ensure you are happy with any changes that may be made.

