STAFFORD FUELS LIMITED
PRIVACY POLICY

1. Introduction

This is the Privacy Policy of Stafford Fuels Limited(“Stafford Fuels”) which is referred to as the “Stafford Fuels”, “us” or “we” throughout this Privacy Policy. This Privacy Policy provides details of the way in which we Process Personal Data in line with our obligations under Data Protection Law.

Capitalised terms used in this Privacy Policy are defined in the Glossary in Annex I.

2. Background and Purpose

The purpose of this Privacy Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices.In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us.

3. Stafford Fuelsas a Data Controller

Stafford FuelsProcesses the following categories of Personal Data:

Customers/customers Name, address(es), telephone, mobile, email, order history, credit/payment history, direct debit details – bank a/c, sort codes, customer delivery notes/special instructions, customer requests/queries by email, customer note/message log, credit and debit card details for payments & refunds, marketing permission preferences, call recordings: gender, age range, day born and month born).
Individual contact persons in suppliers and other business contacts Name, business address, telephone, mobile and email.
Employees Name, address(es), telephone, mobile, email, salary details, pension membership, union membership, DOB, contract, next of kin, CV, references, driving licenses (drivers & staff with company cars), GPS tracking for drivers of company vehicles.
Candidates for employment / Contractors Name, telephone, mobile, email, CV and references.
Other
  • Orders completed by Stafford Fuelsfor third party distributors to their customers and vice versa.
  • Preferences for various types of marketing events.
  • CCTV images.
  • Digital information related to use of our websites, platforms and digital applications, including, traffic data, location data and other communication data.

4. Purposes for which Personal Data is Processed

We may Process Personal Data for any of the following purposes:

  • customer data – fulfilment of orders, delivery notifications (email and SMS), marketing and service updates, scheme, sales reporting and analysis, payment processing, payment analysis, refunds, credit notes, credit control purposes, legal requirements, customer complaints, operating of customer budget plans, to third party service providers for purchasing, polling, and invoicing purposes, sending of customer information to/ from third party distributors/hauliers for delivery of customer orders, etc.;
  • employee/contractor/staff/candidate data – recruitment and reference checking, legal requirements, payroll, pension, payment of union subscriptions, contact details for next of kin for emergency purposes, requirements for use of company vehicles, etc.;
  • complying with applicable law, including anti-money laundering legislation;
  • for administrative purposes, including to securing and maintaining our internal systems, platforms and digital applications;
  • upholding an adequate level of security;
  • carrying out controls to prevent fraud; and/or
  • managing business relationships.

5. Legal basis for Processing Personal Data

We use Personal Data when:

  • we have consent to use Personal Data for a specific purpose;
  • we are, or are considering, making an agreement;
  • we have to comply with certain legal obligations; and/or
  • we or the business are pursuing a legitimate interest. This could be where we have a business or commercial reason to use Personal Data. We will only do so if our interest clearly overrides the data subject’s interest in not having his/her Personal Data Processed by us.
Purpose/Activity Lawful basis for processing
To manage our customer relationship
  • Performance of a contract
  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to keep our records updated and to study how customers use our services)
To administer and protect our business
  • Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  • Necessary to comply with a legal obligation.
To deliver relevant website content and advertisements and measure or understand the effectiveness of our advertising.
  • Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy).
To make suggestions and recommendations about products services that may be of interest.
  • Necessary for our legitimate interests (to develop our services and grow our business).

6. Special Categories of Data

Stafford Fuelsprocesses Special Categories of Data and criminal data (“SCD”) in certain circumstances, such as the ordinary course of employee administration, e.g. for trade union subscriptions, in relation to accident/ claims history, in relation to penalty points for company cars and truck drivers, and as medical certs for certified absences. Such Processing is necessary for the employment relationship or is justified by law.Stafford Fuelsshall Process such SCD in accordance with Data Protection Law.

7. Sources

Personal data is collected from the following sources:

  1. Directly from individuals
    • Customer/ Client: name, address(es), telephone, mobile, email, order history, credit/ payment history, direct debit details – bank a/c, sort codes, customer delivery notes/ special instructions, customer requests/ queries by email, customer note/ message log, credit & debit card details for payments & refunds, marketing permission preferences, call recordings, (gender, age range, day born and month born).
    • Employee: name, address(es), telephone, mobile, email, salary details, pension membership, union membership, DOB, contract, next of kin, CV, references, driving licenses (drivers & staff with company cars).
    • Candidates for Employment: name, telephone, mobile, email, CV and references.
    • Individual contact persons in suppliers: name, business address, telephone, mobile, email.
  2. From other employers
    • Candidates for Employment: references
    • Individual contact persons in suppliers: name, business address, telephone, mobile, email,
  3. Third parties
    • Candidates for Employment: name, telephone, mobile, email, CV and references

8. Record Keeping

As part of our record keeping obligations under Art. 30 GDPR, Stafford Fuelsretains a record of the Processing activities under its responsibility. This comprises the following:

Art. 30 GDPR Requirement Stafford Fuels’ Record
Name and contact details of the Controller Stafford Fuels Limited, Stafford Fuels Ltd,
Raheen,New Ross,Co. Wexford.
The purposes of the processing See Section 4 of this Privacy Policy.
Description of the categories of data subjects and of the categories of personal data. See Section 3 of this Privacy Policy.
The categories of recipients to whom the Personal Data have been or will be disclosed. See Section 11 of this Privacy Policy.
Where applicable, transfers of personal data to a third country outside of the EEA. See Section 14 of this Privacy Policy.
Where possible, the criteria for retention periods for the different categories of data. See Section 12 of this Privacy Policy.
Where possible, a general description of the technical and organisational security measures referred to in Article 32(1). Encryption, locked offices and filing cabinets.

9. Individual Data Subject Rights

Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):

  • The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
  • The right of access to Personal Data;
  • The right to rectify or erase Personal Data (right to be forgotten);
  • The right to restrict Processing;
  • The right of data portability;
  • The right of objection; and
  • The right to object to automated decision making, including profiling, and where Stafford Fuelsrelies on its legitimate interests to Process your Personal Data (for example, for marketing purposes) ;

These Data Subject Rights will be exercisable by you subject to limitations as provided for under Data Protection Law. You may make a request to Stafford Fuelsto exercise any of the Data Subject Rights by contacting the Managing Director. Your request will be dealt with in accordance with Data Protection Law.

10. Data Security and Data Breach

We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.  Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.

The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by Stafford Fuelswill be dealt with in accordance with Data Protection Law and Stafford FuelsData Breach Procedure.

11. Disclosing Personal Data

From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data).  We may also disclose Personal Data to: (a) selected third parties including certain government bodies such as the Revenue Commissioners; and (b) service providers, such as distributors, hauliers, website providers, payment processing providers, IT support providers, etc.

12. Data Retention

Stafford Fuelswill keep Personal Data for as long as is necessary for the purposes for which Stafford Fuelscollects it. This mean Stafford Fuelswill retain Personal Data for so long as we have a relationship with the individual to whom the Personal Data relates. Once this relationship comes to an end Stafford Fuelswill retain such Personal Data for a period of time that allows it to: (a) comply with legal record retention requirements; (b) defend or bring legal claims; (c) maintain records for business analyses and audit; and (d) address complaints and other issues regarding its business.

Where Stafford Fuelsholds Personal Data to comply with a legal or regulatory obligation, Stafford Fuelswill keep the information for at least as long as is required to comply with that obligation. In some cases a retention period will apply once the initial purpose has ceased e.g. payroll files are required to be kept for current year plus 6 years.

Where Stafford Fuelsholds Personal Data in order to provide a product or service, Stafford Fuelswill keep the information for at least as long as Stafford Fuelsprovides the product or service, and for a number of years thereafter.  The number of years varies depending on the nature of the product or service provided.

Stafford Fuelsendeavours to ensure that Personal Data will only be kept which is relevant and not excessive to achieve the purposes for which it is being held.  Personal Data will be deleted once that purpose is achieved or it is no longer required as set out.

13. Data Processors

Stafford Fuelswill engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of Stafford Fuelsand gives rise to a data controller and data processor relationship, Stafford Fuelswill ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

14. Data Transfers outside the EEA

Stafford Fuelstransfers some Personal Data to countries outside the European Economic Area. If such transfer occurs, Stafford Fuelswill ensure that such processing of your Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission) or ensuring that the recipient is Privacy Shield certified, if appropriate. If you require more information on the means of transfer of your data or would like a copy of the relevant safeguards, please contact the Managing Director.

15. Further Information/Complaints Procedure

For further information about this Privacy Policy and/or the Processing of your Personal Data by or on behalf of Stafford Fuelsplease contact the Managing DirectorWhile you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the Managing Director in the first instance to give us the opportunity to address any concerns that you may have.

ANNEX I
Glossary

In this Privacy Policy, the terms below have the following meaning:

Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.

Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Acts 1988 to 2018 and any other laws which apply to Stafford Fuelsin relation to the Processing of Personal Data.

European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:

  • a name, an identification number;
  • details about an individual’s location; or
  • any other information that is specific to that individual.

Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

Download