GENERAL INFORMATION AND MANDATORY DISCLOSURES

What is personal data?
Personal data in this sense is any information relating to personal or material circumstances that relates to an identified or identifiable individual. This includes, for example, your name, date of birth, e-mail address, postal address, or telephone number as well as online identifiers such as your IP address. In contrast, information of a general nature that cannot be used to determine your identity is not personal data. This includes, for example, the number of users of a website.

Person responsible
The person responsible for processing pursuant to the UK`s Data Protection Act (“DPA”) and the General Data Protection Regulation (“GDPR”) is:

Jenny Marshall
9 Dragwell,
Kegworth, DE74 2EL
Derbyshire, UK

Web: www.jennymarshallarts.com
E-Mail: [email protected]

RELEVANT LEGAL BASES:
In accordance with the DPA and GDPR, the following legal bases, unless specifically described below apply to the processing of your personal data: 

Consent

To fulfil services and carry out contractual measures and respond to enquiries,

To fulfil legal obligations, and

To protect my legitimate interests.

Your rights

You have the following rights with regard to personal data concerning you, which you can assert against me:
Right of access,
Right to rectification or erasure,
Right to restriction of processing,
Right to object to processing,
Right to withdraw your consent,
Right to receive the data in a structured, common, machine-readable format.

You can assert your rights by notifying me using the contact details provided.

You also have the right to complain to a data protection supervisory authority about the processing of your personal data carried out by me. The Information Commissioner`s Office (ICO) is the supervisory authority in the UK. I would, however, appreciate the chance to deal with your concerns before you approach the ICO or any other supervisory authority.

AUTOMATIC COLLECTION OF GENERAL DATA AND INFORMATION

Hosting
The hosting services used for the purpose of operating my website is Bluehost (Newfold Digital Inc). In doing so Bluehost, processes all data and communication data of my customers, interested parties and visitors of our website and services that is provided through the website. I use Bluehost, on the basis of my legitimate interests in an efficient and secure provision of the website and services in conjunction with the provision of contractual services and the conclusion of the contract for my services.

Logfiles
Each time you visit my website, a number of general data and information is transmitted – even if you use my website for purely informational purposes. Bluehost collects the general data and information that your browser transmits to my website`s server. This data and information are collected are technically necessary for the display my website to you and that serve the stability, security and danger or threat prevention in the event of attacks on my website, such as:

IP address
Date and time of an access to the website
Type and version of browser used
Operating system used and its interface
The website from which an accessing system arrives at my website (so-called referrer)
Sub-websites that are accessed via an accessing system on my website,
Internet service provider of the accessing system.

This data is deleted after the storage is no longer necessary for error analysis or danger or threat prevention. The legal basis for this data processing is my legitimate interest. When analysing these general data and information, I do not draw any conclusions about you as a data subject.

Use of cookies
We use so-called cookies on our web site. Cookies are small text files that are stored on your respective device (PC, smartphone, tablet, etc.) and saved by your browser. For further details on the use of Cookies, please refer to my Cookie Policy. The legal basis for the use of cookies is your consent as well as our legitimate interest.
Google Analytics
We use Google Analytics, a service provided by Google Inc. This means that the data collected can in principle be transmitted to a Google server in the USA, whereby the IP addresses are anonymised by means of IP anonymisation so that an allocation is not possible. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can object to the collection and processing of this data by Google Analytics by setting an opt-out cookie that prevents the future collection of your data when you visit this website: http://tools.google.com/dlpage/gaoptout?hl=en. The legal basis for this processing is our legitimate interest.
Content Management System (CMS)
We also use the Content Management System (CMS) of WordPress a service provided by Automattic Inc, to publish and maintain the created and edited Content and texts on our website and to provide the forms used. This means that all content and texts submitted to us by users for publication is transferred to WordPress. In addition to texts, this also includes, for example your data in our forms. This represents a legitimate interest.

Content Delivery Network (CDN)
We also use the content delivery network (CDN) of Cloudflare, Inc.. A content delivery network (CDN) refers to a geographically distributed group of servers which work together to provide fast delivery of Internet content and to protect from common malicious attacks, such as Distributed Denial of Service (DDOS) attacks. This represents a legitimate interest.

WooCommerce
To provide my web shop, we use the WooCommerce service developed and operated by Automattic Inc, WooCommerce creates a device ID based on your device data, which can be used to recognise your access device (e.g., PC, tablet or laptop) when you visit my shop again. WooCommerce may also sets a cookie for this purpose. The cookie contains the device ID, but no personal usage or transaction data about you. This means that your access device can be recognised without identifying you by name and linking it to your device ID. This represents a legitimate interest.

COLLECTION OF PERSONAL DATA AND INFORAMTION WHEN PROVIDED

Contact options via the website
Contacting me is made possible by e-mail, or social media. If you contact me, your transmitted personal data will be automatically stored for the purpose of processing the request or contacting you. Data processing for the purpose of contacting me is carried out on the basis of your voluntarily given consent or, in the case of a (pre-)contractual relationship with me, the initiation of a contractual service. I delete the data accruing in this context after the storage is no longer necessary for the processing of your request or restrict the processing if there are legal retention obligations.

Buying my Art
In my shop I offer you two options for purchase processing: a) Creation of a customer account, and b) Placing an order as a guest. For both options, the data required for order and payment processing and fraud prevention are requested, marked as mandatory fields:

Name, street, postcode, city and e-mail address.
If the delivery address is different, the name, street, postcode, and town are requested separately.
In addition, the user’s IP address, the date and time of registration are stored (technical background data).

If you decide to register, you have the advantage that you can view your order history and manage your master data, and your specified data will be stored for future order transactions. Once you have completed the registration process, your data is stored with us for use in the protected customer area. The online shop naturally offers you the possibility to make changes to your master data and to use the account function. You can of course revoke your consent to the use of your account, your customer account in the shop will then be deactivated. If you on the other hand, decide to place a guest order, no customer account will be created and if you place another order, you will have to enter your data again for order processing. Accordingly, the data is processed on the basis of our contractual relationship.

Financial Information
To make a purchase, you may need to provide a valid payment method (e.g., credit or debit card). Your payment information will be collected and processed by my authorised payment vendor PayPal. We do not directly collect or store credit or debit card numbers ourselves in the ordinary course of processing transactions. Accordingly, the data is processed on the basis of our contractual relationship.

Contractual notifications and Newsletter
By making a purchase, I will need to send you because of my legal obligation an invoice and other contractual documents and for this purpose I will use your e-mail address. Equally, you may also sign up for my newsletter. Those typically include administrative information as well as service and product updates. I use MailPoet (Automattic Inc.) for the dispatch of these e-mails. The legal bases are to provide you with my services, my legal obligation, and your consent in the case of the newsletter.

Administration and contact management
I process data within the scope of administrative tasks as well as organisation of my business, financial accounting, and compliance with legal obligations, such as archiving. In doing so, I process the same data that I process in the context of providing our contractual services. The purpose and my interest in the processing thus lies in the administration, financial accounting, archiving of data, i.e., tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. In this context, I disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors as well as other fee offices and payment service providers.

DISCLOSURE OF DATA TO THIRD PARTIES, SECURITY AND STORAGE

Disclosure of data to third parties
I will only share your personal data with third parties if:

you have given your express consent to do so,
the disclosure is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
in the event that there is a legal obligation for disclosure, as well as
this is legally permissible and necessary for the processing of contractual relationships with you.

General technical organisational measures (Security)
I have taken a variety of security measures to protect personal data to an appropriate extent and adequately. All information held by me is protected by physical, technical, and procedural measures that limit access to the information to specifically authorised persons and in accordance with the DPA and GDPR and this Privacy Policy.
In addition, where I use third parties to carry out processing only those who need the information to perform a specific job are granted access to personal data. If this is the case these companies act on my behalf by way of commissioned processing and may therefore use the data provided exclusively in accordance with our instructions. In this case, I`m legally responsible for appropriate data protection measures at the companies I commission. I therefore agree on specific data security measures with these companies and monitor them regularly.

If I use service providers in third countries, I take additional measures to ensure an adequate level of data protection for the transfer of personal data and thus ensure that the transfer is generally permissible and that the special requirements for a transfer to a third country are met (e.g., by concluding standard contracts and additional guarantees, supplementary technical and organisational measures such as encryption or anonymisation).

Finally, I may need to disclose your data to authorities or government agencies if I`m legally obliged to do so, for example, due to official or court orders, or because this is necessary for the prosecution of criminal offenses or for the exercise and enforcement of my rights and claims.

Duration of storage
I store your personal data for as long as necessary to achieve the respective storage purpose. Afterwards, your data will be deleted, unless I am obliged to store it for a longer period of time due to tax, commercial or other legal storage or documentation obligations, or you have agreed to a storage beyond this period.

MISCELLANEOUS AND CLOSING

Links to others
My website contains so-called hyperlinks to websites of other providers. When you activate these hyperlinks, you will be redirected from my website directly to the website of the other provider. You will recognise this by the change of URL, among other things. I cannot accept any responsibility for the confidential handling of your data on these third-party websites, as I have no influence on whether these companies comply with data protection regulations. Please inform yourself about the handling of your personal data by these companies directly on these websites.

Social Media
I`m present in social media to communicate with my customers, interested parties and users registered there and to be able to inform them about my offers there. I would like to point out that you use these platforms and their functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g., commenting, sharing, rating). The processing of users’ personal data is based on my legitimate interests in providing users with effective information and communicating with users.

Accuracy and updating your information
It is important that the data I hold about you is accurate and current, therefore please keep me informed of any changes to your personal data. If you believe that the information, I hold about you is inaccurate or that I am no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so by contacting me.

For your protection and the protection of all of users, I may ask you to provide proof of identity before I can answer your requests. Also please keep in mind, that I may reject requests for certain reasons, including if the request is unlawful or if it may infringe on trade secrets or intellectual property or the privacy of another user. Lastly, I may not be able to accommodate certain requests to object to the processing of personal data, notably where such requests would not allow me to provide my service to you anymore.

Data Breaches/Notification
Databases or data sets that include personal data may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, I will notify all affected individuals whose personal data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after which the breach was discovered.

Personal data and children
I will not knowingly collect, use, or disclose personal data from minors under the age of 18 without first obtaining consent from a legal guardian through direct offline contact.

Advertising and Marketing
Insofar as you have also given me your consent to process your data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.

You may give us your consent in a number of ways including by selecting a box on a form where we seek your permission to send you marketing information, or sometimes your consent is implied from your interactions or contractual relationship with us. Where your consent is implied, it is on the basis that you would have a reasonable expectation of receiving a marketing communication based on your interactions or contractual relationship with me.

Direct Marketing generally takes the form of e-mail but may also include other less traditional or emerging channels. These forms of contact will be managed by my, or by my contracted service providers. Every directly addressed marketing sent or made by me or on our behalf will include a means by which you may unsubscribe or opt out.

Changes
I reserve the right to adapt this privacy policy with effect for the future, in particular in the event of further development of the website, the use of new technologies or changes to the legal basis or the relevant case law.

Questions or Comments
If you have any questions or comments about our Privacy Policy or wish to exercise your rights under applicable laws, please contact me at [email protected]