Terms & Conditions

WEBSITE USE AGREEMENT AND TERMS AND CONDITIONS

PLEASE READ THIS AGREEMENT CAREFULLY AS IT GOVERNS YOUR USE OF THIS WEBSITE. IT EXEMPTS THE SHOP OWNERS AND OTHER PERSONS FROM LIABILITY OR LIMITS THEIR LIABILITY, AND CONTAINS OTHER IMPORTANT PROVISIONS THAT YOU SHOULD READ.

This Agreement contains the following provisions

  1. Your Acceptance of this Agreement
  2. Permission to Use the Website
  3. Changes to this Agreement
  4. Ownership and Permitted Use of the Website
  5. Misprints and Errors, Product Availability and Prices
  6. No Linking, Framing, Mirroring, Scraping, Data-Mining or Postings
  7. Login Names and Passwords
  8. Unsolicited Submissions
  9. Your Information
  10. Disclaimers, Liability Exclusions/Limitations and Indemnity
  11. Personal Information Privacy
  12. Other Sites/Resources
  13. Termination
  14. Governing Law and Dispute Resolution
  15. Other Matters

1. YOUR ACCEPTANCE OF THIS AGREEMENT

This is an Agreement between you and all persons you represent (and for purposes of this Agreement, “person” includes natural persons and any type of incorporated or unincorporated entity). (“The Shop Owner”) regarding your access to and use of this website and all content, information, products and services available on or through the website (collectively, the “Website”). This Agreement also provides benefits to this Shop Owners affiliates, service providers, suppliers and other persons. Each time you use the Website you signify your acceptance and agreement, and the acceptance and agreement of any person you purport to represent, to be bound by this Agreement as it then reads, and you represent and warrant that you have the legal authority to agree to and accept this Agreement on behalf of yourself and any person you purport to represent. If you do not agree with each provision of this Agreement, or you are not authorised to agree to and accept this Agreement on behalf of the person you purport to represent, you may not access or use the Website. The Website is for convenience and informational purposes only and is not intended to convey advice or recommendations, or an offer to sell any product or service.

This Agreement is in addition to any other agreement you may have with The Shop Owner, including a transaction agreement.

2. PERMISSION TO USE THE WEBSITE

You may use the Website only if you have reached the age of majority where you live and you can form legally binding contracts under applicable law. You may not use the Website if you live in a jurisdiction where access to or use of the Website or any part of it may be illegal or prohibited. It is solely your responsibility to determine whether your use of the Website is lawful, and you must comply with all applicable laws. The Shop Owner reserves the right to request proof of identification and age (for example, proof of your ability to purchase certain items).

3. CHANGES TO THIS AGREEMENT

The The Shop Owner may, in its sole discretion, change this Agreement from time to time as it relates to future use of the Website, by posting a revised Agreement on the Website. By using the Website after this revised Agreement has been posted, you signify your acceptance and agreement to be bound by the revised Agreement. You may not change this Agreement in any manner.

4. OWNERSHIP AND PERMITTED USE OF THE WEBSITE

The Website (including all content, page headers, custom graphics, button icons, and scripts and the presentation, arrangement, coordination, enhancement and selection of such and other information in text, graphical, video and audio forms, images, icons, software, designs, applications, data, and other elements available on or through the Website) is the property of The Shop Owner and others, and is protected by British and international copyright, trademark and other laws. Your use of the Website does not transfer to you any ownership or other rights in the Website or its content. The Website is made available to you for your lawful, personal use only. You may use the Website only in the manner described expressly in this Agreement and subject to all applicable laws. Using the Website for any other purpose or in any other manner is strictly prohibited. You may print Website pages provided that you do not modify any of the pages and you do not remove or alter any visible or non-visible identification, marks, notices, or disclaimers. The Website and its content may not be copied, imitated, reproduced, republished, uploaded, posted, transmitted, modified, indexed, catalogued, mirrored or distributed in any way, in whole or in part, without the express prior written consent of The Shop Owner. You may not sell or resell any part of the Website or access to the Website. You may not use any of the software that is used in the operation or provision of the Website except while you are using the Website in accordance with this Agreement.

5. MISPRINTS AND ERRORS, PRODUCT AVAILABILITY AND PRICES

The Shop Owner endeavors to provide current and accurate information on the Website. However, misprints, errors, inaccuracies, omissions (including incorrect specifications for products) or other errors may sometimes occur. The Shop Owner cannot guarantee that products and services advertised on the Website will be available when ordered or thereafter. The Shop Owner does not warrant that the content of the Website including, without limitation, product descriptions or photographs, is accurate or complete. The Shop Owner reserves the right to: (a) correct any error, inaccuracy or omission at any time without prior notice or liability to you or any other person; (b) change at any time the products and services advertised or made available for sale on the Website, the prices, fees, charges and specifications of such products and services, any promotional offers and any other Website content without any notice or liability to you or any other person; (c) reject, correct, cancel or terminate any order, including accepted orders for any reason and (d) limit quantities available for sale or sold. The advertisements on the Website are invitations to you to make offers to purchase products and services on the Website and are not offers to sell.

6. NO LINKING, FRAMING, MIRRORING, SCRAPING, DATA-MINING OR POSTINGS

Links to the Website without the express written permission of The Shop Owner are strictly prohibited. To request permission to link to the Website, please send an email to The Shop Owner via the contact page of this Website. The Shop Owner may in its discretion cancel and revoke any permission it may give to link to the Website at any time and without any notice or liability. The framing, mirroring, scraping or data-mining of the Website or any of its content in any form and by any means is strictly prohibited. You may not use any collaborative browsing or display technologies in connection with your use of the Website or to post comments, communications, or any other data of any kind to or on the Website with the intention that such postings may be viewed by other users of the Website.

7. LOGIN NAMES AND PASSWORDS

Certain areas and features of the Website are accessible only to users who have been issued a login name and password (collectively “User Details”) by The Shop Owner. For the purposes of accessing the Website, the User Details remain the property of The Shop Owner and may be cancelled or suspended at any time by The Shop Owner in its discretion without any notice or liability to you or any other person. The Shop Owner is not under any obligation to verify the actual identity or authority of any person using User Details to access and use the Website. The Shop Owner may act upon any communication that is given with the use of User Details. The Shop Owner may in its discretion at any time require proof of the identity of any person seeking to access and use the Website, and may deny access to and use of the Website or parts of it or refuse to accept or act upon any communication if The Shop Owner is not satisfied with such proof. If you have been issued User Details: (a) you are fully responsible and liable for the security of the User Details and any and all use and misuse of the User Details; (b) you will keep the User Details secure and confidential at all times and not disclose the User Details to any other person or permit any other person to use the User Details; (c) you will ensure that all uses of the User Details comply with this Agreement; (d) once you have logged-on to the Website using the User Details, you will not leave the computer terminal used to access the Website unless and until you have terminated the session and logged-off the Website; and (e) you will immediately notify The Shop Owner by telephone or email via the contact page of this Website if you know or suspect that any User Details have been lost or stolen or become known to or used by any other person.

8. UNSOLICITED SUBMISSIONS

In order to avoid potential misunderstandings or disputes, The Shop Owner does not accept or consider unsolicited ideas or suggestions (“Submissions”). If you send Submissions to The Shop Owner or the Website, you automatically grant (or warrant that the owner of the Submissions grants) to The Shop Owner and its successors, assigns and licensees a perpetual, royalty-free, irrevocable, unrestricted, non-exclusive, world-wide, assignable, sublicensable, right and license to use and exploit the Submissions or any ideas, concepts, know-how or techniques associated with the Submissions for any purpose whatsoever, commercial or otherwise, using any form, media or technology now known or later developed, without providing any attribution or compensation to you or any other person, without any liability whatsoever, and free from any obligation of confidence or other duties on the part of The Shop Owner or its successors, assigns and licensees, and you agree, represent and warrant that all moral rights in the Submissions are waived in favour of The Shop Owner and its successors, assigns and licensees.

9. YOUR INFORMATION

All information you provide through the Website, including registration information (name and email address), payment information (credit card numbers and expiration dates), and transaction-related information, must be true, accurate, current and complete. The Shop Owner will rely on the information you provide. You will be solely responsible and liable for any and all loss, damage, and additional costs that you, The Shop Owner or any other person may incur as a result of your submission of any false, incorrect or incomplete information or your failure to update your registration information and payment information within 30 days of any change.

10. DISCLAIMERS, LIABILITY EXCLUSIONS/LIMITATIONS AND INDEMNITY

DISCLAIMERS

YOUR ACCESS TO AND USE OF THE WEBSITE IS AT YOUR OWN RISK. THE WEBSITE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, AND INCLUDING WITHOUT LIMITATION IMPLIED REPRESENTATIONS, WARRANTIES OR CONDITIONS OF OR RELATING TO ACCURACY, ACCESSIBILITY, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, PERFORMANCE OR DURABILITY, ALL OF WHICH ARE DISCLAIMED BY THE SHOP OWNER TO THE FULLEST EXTENT PERMITTED BY LAW.

LIABILITY EXCLUSIONS

THE SHOP OWNER AND ITS PROVIDERS WILL NEVER BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE OR EXEMPLARY LOSS OR DAMAGE ARISING FROM, CONNECTED WITH, OR RELATING TO THE WEBSITE OR THIS AGREEMENT INCLUDING BUT NOT LIMITED TO LOSS OF DATA, BUSINESS, MARKETS, SAVINGS, INCOME, PROFITS, USE, PRODUCTION, REPUTATION OR GOODWILL, ANTICIPATED OR OTHERWISE, OR ECONOMIC LOSS, UNDER ANY THEORY OF LIABILITY (WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER THEORY OR LAW OR EQUITY), REGARDLESS OF ANY NEGLIGENCE OR OTHER FAULT OR WRONGDOING (INCLUDING WITHOUT LIMITATION GROSS NEGLIGENCE AND FUNDAMENTAL BREACH) BY THE SHOP OWNER OR ANY PERSON FOR WHOM THE SHOP OWNER IS RESPONSIBLE, AND EVEN IF THE SHOP OWNER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE BEING INCURRED.

ACKNOWLEDGEMENT AND EXCLUSION BY STATUTE IN CERTAIN JURISDICTIONS

THE EXCLUSION OF CERTAIN WARRANTIES AND THE LIMITATION OF CERTAIN LIABILITIES IS PROHIBITED IN SOME JURISDICTIONS. THESE STATUTORY PROHIBITIONS MAY APPLY TO YOU.

11. PERSONAL INFORMATION PRIVACY

Privacy Notice

Here at Ambition Sport we respect your privacy and we are committed to processing personal information of our customers in a secure and manner in line with our legal obligations.

This Policy explains how Ambition Sport will use any personal information that we may collect about you when you use our website, applications, webforms, or when you use or are the recipient of our services.

By trading with Ambition Sport, you are accepting and consenting to the practices described in this Privacy Notice.

The information we learn from our customers helps us to personalise and continually improve your experience and our services. We use the information to handle orders, deliver products and services, process payments/ invoices, communicate with you about orders, products, services and promotional offers, update our records and generally maintain your accounts with us, and recommend products and services that might be of interest to you. We may use your information to prevent or detect fraud or because it is required by law or for the purposes of legal proceedings. And to enable third parties to carry out logistical or other functions on our behalf.

1. What Information we collect

Our Personal Data Protection Policy governs the use and storage of your data. You can see our Personal Data Protection Policy further down below.

Ambition Sport is a Controller of the personal data you (data subject) provide us. We may collect the following types of personal data from you:

In the operational use and maintenance of our services, Ambition Sport may collect personal information when:

  • you use our website,
  • you use our services,
  • you contact us, or;
  • you are a recipient of our services.

This may include information which is recorded on items being delivered to you or if you have:

  • completed an online form,
  • Set up an account or entered information on the Ambition Sport website,
  • provided information as part of a webform contact request / enquiry, or;
  • contacted Ambition Sport in writing or by phone.

We may collect the following types of information:

  • Your name, address, email address, telephone number(s) and other contact details,
  • information required to provide you with a service, and the details of the service that you have used,
  • information collected through your use of the Ambition Sport website; see Cookie Policy for further information,
  • details of any enquiry,
  • information about items delivered to, or;
  • signatory information when signing for receipt of a delivery.

2. Why we need it

Ambition Sport collects your personal information in order:

  • to provide you with our service(s),
  • to process your order and to provide after sales service, and;
  • to enhance or improve our services.

Ambition Sport will not sell or provide your data to any third party where you have not provided your consent to do so. All other information is processed in accordance with the Data Protection Act 1998, the General Data Protection Regulation (GDPR) 2018 and other applicable laws.

3. How Ambition Sport collects personal information:

  • Directly from customers, for example when a customer contacts Ambition Sport regarding a delivery, signs to confirm receipt of a delivery, or makes an enquiry.
  • From our retail partners, who provide Ambition Sport with information about the end customer, so that we may fulfil our delivery services.
  • When products or services are provided together with a business partner and the information is collected by the business partner in order for Ambition Sport to provide you with the service.

4. What we do with it Your personal data is processed in Ambition sport located in the United Kingdom. Hosting and storage of your data takes place within the European Economic Area (EEA).

In operating our services, it may become necessary to transfer the data that we collect from you to third parties and business partners who are located outside of the European Economic Area (EEA). Any such transfer of information will only be in connection with the services that Ambition Sport provides and Ambition Sport will ensure that the information is protected to a level which meets the requirements of UK law.

By providing your data to us you agree to this transfer taking place.

No third party providers have access to your data, unless specifically required by law, where you have consented with us to do so, or in order to fulfil our service to you.

5. How long we keep it

Any personal data held by us for marketing and service update notifications will be kept by us until such time that you notify us that you no longer wish to receive this information or terminate your account with us.

6. What are your rights?

You have the right to access to any information that we hold relating to you. Requests must be made in writing and Proof of identification is required to protect your information and to ensure it is not disclosed to unauthorised parties.

Should you believe that any personal data we hold on you is incorrect or incomplete, you have the ability to request to see this information, rectify it or have it deleted.

In the event that you wish to complain about how we have handled your personal data, please contact  in writing to Ambition Sport. We will then look-into your complaint and work with you to resolve the matter.

If you still feel that your personal data has not been handled appropriately according to the law, you can contact the Information Commissioner’s office ICO and file a complaint with them.


Personal Data Protection Policy

1. Purpose, Scope and Users

Ambition Sport, hereinafter referred to as the “Company”, strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates.

This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data. This Policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA.

The users of this document are all employees, permanent or temporary, and all contractors working on behalf of The Company.

2. Definitions

The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:

Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject“) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.

Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.

Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.

Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;

Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;

Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers includes conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.

Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

Group Undertaking: Any holding company together with its subsidiary.

3. Basic Principles Regarding Personal Data Processing

The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

3.1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

3.2. Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3.3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.

3.4. Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.

3.5. Storage Period Limitation
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.

3.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organisational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.

3.7. Accountability
Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.

4. Building Data Protection in Business Activities

In order to demonstrate compliance with the principles of data protection, an organisation should build data protection into its business activities.

4.1. Notification to Data Subjects
(See the Fair Processing Guidelines section.)

4.2. Data Subject’s Choice and Consent
(See the Fair Processing Guidelines section.)

4.3. Collection
The Company must strive to collect the least amount of personal data possible. If personal data is collected from a third party, the Information Security Manager must ensure that the personal data is collected lawfully.

4.4. Use, Retention, and Disposal
The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. [Job title] is responsible for compliance with the requirements listed in this section.

4.5. Disclosure to Third Parties
Whenever the Company uses a third-party supplier or business partner to process personal data on its behalf, the Information Security Manager must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks such as misuse of personal data, unauthorised disclosure of personal data, data breaches, etc. For this purpose, the Processor GDPR Compliance Questionnaire must be used. The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify its respective responsibilities of and the third party in the relevant contract or any other legal binding document, such as the Supplier Data Processing Agreement.

4.6. Cross-border Transfer of Personal Data
Before transferring personal data out of the European Economic Area (EEA) adequate safeguards must be used including the signing of a Data Transfer Agreement, as required by the European Union and, if required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in Cross Border Data Transfer Procedure.

4.7. Rights of Access by Data Subjects
When acting as a data controller, the Information Security Manager is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.

4.8. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. Information Security Manager is responsible to ensure that such requests are processed within one month, are not excessive (i.e. if the data subject sends requests daily) and do not affect the rights to personal data of other individuals.

4.9. Right to be Forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of its personal data. When the Company is acting as a Controller, Information Security Manager must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.

5. Fair Processing Guidelines

Personal data must only be processed when explicitly authorised by the Information Security Manager.

The Company must decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.

5.1. Notices to Data Subjects
At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, the Information Security Manager is responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. This information is provided through Privacy Notice.

If your company has multiple data processing activities, you will need to develop different notices which will differ depending on the processing activity and the categories of personal data collected – for example, one Notice might be written for mailing purposes, and a different one for shipping purposes.

Where personal data is being shared with a third party the Information Security Manager must ensure that data subjects have been notified of this through a Privacy Notice.

Where personal data is being transferred to a third country according to Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which entity personal data is being transferred.

Where sensitive personal data is being collected, the person responsible for Data Protection matters must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal data is being collected.

5.2. Obtaining Consents
Whenever personal data processing is based on the data subject’s consent, or other lawful grounds, the Information Security Manager is responsible for retaining a record of such consent. [Job title] is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.

When requests to correct, amend or destroy personal data records, the Information Security Manager must ensure that these requests are handled within a reasonable time frame. Person responsible for data protection matters must also record the requests and keep a log of these.

Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Person responsible for Data Protection matters is responsible for complying with the rules in this paragraph.

Now and in the future, [Job title] must ensure that collection methods are compliant with relevant law, good practices and industry standards.

The Information Security Manager is responsible for creating and maintaining a Register of the Privacy Notices.

6. Organisation and Responsibilities

The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with the Company and has access to personal data processed by the Company.

The key areas of responsibilities for processing personal data lie with the following organisational roles:

The board of directors makes decisions about and approves the Company’s general strategies on personal data protection.

The Information Security Manager the nominated person responsible for data protection matters is responsible for managing the personal data protection program and is responsible for the development and promotion of end-to-end personal data protection policies;

The Information Security Manager monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their Personal data goals. This may include seeking legal advice or external counsel.

The Head of Technology is responsible for:

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.

The Head of Marketing, is responsible for:

  • Approving any data protection statements attached to communications such as emails and letters.
  • Addressing any data protection queries from journalists or media outlets like newspapers.
  • Where necessary, working with the Person responsible for Data Protection Matters to ensure marketing initiatives abide by data protection principles.

The Head of Human Resources is responsible for:

  • Improving all employees’ awareness of user personal data protection.
  • Organising Personal data protection expertise and awareness training for employees working with personal data.
  • End-to-end employee personal data protection. It must ensure that employees’ personal data is processed based on the employer’s legitimate business purposes and necessity.

The Information Security Manager is responsible for passing on personal data protection responsibilities to suppliers and improving suppliers’ awareness levels of personal data protection as well as flow down personal data requirements to any third party a supplier they are using. The Procurement Department must ensure that the Company reserves a right to audit suppliers.

7. Guidelines for Establishing the Lead Supervisory Authority

7.1. Necessity to Establish the Lead Supervisory Authority
Identifying a Lead supervisory authority is only relevant if the Company carries out the cross-border processing of personal data.

Cross border of personal data is carried out if:
a)  processing of personal data is carried out by subsidiaries of the Company which are based in other Member States;or
b) processing of personal data which takes place in a single establishment of the Company in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State. If the Company only has establishments in one Member State and its processing activities are affecting only data subjects in that Member State than there is no need to establish a lead supervisory authority. The only competent authority will be the Supervisory Authority in the country where Company is lawfully established.

7.2. Main Establishment and the Lead Supervisory Authority

7.2.1. Main Establishment for the Data Controller
The main establishment/ headquarters for Ralawise is Unit 112, Tenth Avenue, Deeside Industrial Estate, Deeside CH5 2UA

If the Company is based in an EU Member State and it makes decisions related to cross-border processing activities in the place of its central administration (headquarters), there will be a single lead supervisory authority for the data processing activities carried out by the Company. If Company has multiple establishments that act independently and make decisions about the purposes and means of the processing of personal data, [the Directors / top management of the Company] needs to acknowledge that more than one lead supervisory authority exists.

7.2.2. Main Establishment for the Data Processor
When the Company is acting as a data processor, then the main establishment will be the place of central administration. In case the place of central administration is not located in the EU, the main establishment will be the establishment in the EU where the main processing activities take place.

7.2.3. Main Establishment for Non-EU Companies for Data Controllers and Processors
If the Company does not have a main establishment in the EU, and it has subsidiarie(s) in the EU, then the competent supervisory authority is the local supervisory authority. If the Company does not have a main establishment in the EU nor the subsidiaries in the EU, it must appoint a representative in the EU, and the competent supervisory authority will be the local supervisory authority where the representative is located.

8. Response to Personal Data Breach Incidents

When the Company learns of a suspected or actual personal data breach the Information Security Manager must perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.

9. Audit and Accountability

The Information Security Manager and Tech team are responsible for auditing how well business departments implement this Policy. Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.

10. Conflicts of Law

This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which Ralawise Ltd. operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.

12. OTHER SITES/RESOURCES

For your convenience, the Website may include links or references to other Internet sites or resources and businesses operated by other persons (collectively “Other Sites”). Other Sites are independent from The Shop Owner, and The Shop Owner has no responsibility or liability for or control over Other Sites, their business, goods, services, or content. The Shop Owner does not sponsor or endorse Other Sites or their business, goods, services, or content, unless expressly indicated in writing. Your use of Other Sites and your dealings with the owners or operators of Other Sites is at your own risk, and you will not make any claim against The Shop Owner arising from, connected with, or relating to your use of Other Sites or your dealings with the owners or operators of Other Sites. As between you and The Shop Owner, this Agreement, with all necessary modifications, applies to your access and use of any Other Sites and their business, goods, services and content.

13. TERMINATION

Notwithstanding any other provision of this Agreement, The Shop Owner may in its discretion change, discontinue, modify, restrict, suspend or terminate the Website or any part of it without any notice or liability to you or any other person. The Shop Owner may in its discretion and for its convenience at any time immediately terminate, temporarily or permanently, this Agreement or your permission to access and use the Website without any notice or liability to you or any other person. If this Agreement or your permission to access or use all or any part of the Website is terminated for any reason, then this Agreement and all other then existing agreements between you and The Shop Owner will continue to apply and be binding upon you regarding your prior access to and use of the Website, and anything connected with, relating to or arising therefrom.

14. GOVERNING LAW AND DISPUTE RESOLUTION

This Agreement, your access to and use of the Website, and all related matters are governed solely by the laws of the United Kingdom. Any dispute between you and The Shop Owner or any other person arising from, connected with or relating to the Website, this Agreement, or any related matters (collectively “Disputes”) will be resolved before the British Court, and you hereby irrevocably submit and attorn to the original and exclusive jurisdiction of this court in respect of all Disputes.

15. OTHER MATTERS

If any provision of this Agreement is held to be invalid or unenforceable for any reason, then the provision will be deemed to be severed from this Agreement and the remaining provisions will continue in full force and effect . This Agreement ensures to the benefit of and is binding upon each of The Shop Owner and its successors, assigns and related persons, and you and your heirs, executors, administrators, successors, permitted assigns and personal representatives. You may not assign this Agreement or the rights and obligations under this Agreement. The Shop Owner may assign this Agreement and its rights and obligations under this Agreement without your consent. No consent or waiver by any party to or of any breach or default by any other party in its performance of its obligations under this Agreement will be: (a) deemed or construed to be a consent to or waiver of a continuing breach or default or any other breach or default of those or any other obligations of that party; or (b) effective unless in writing and signed by all parties. The parties have expressly requested and required that this Agreement and all other related documents be drawn up in the English language.

Any rights not expressly granted by this Agreement are reserved to The Shop Owner.

You may contact The Shop Owner by telephone, email, or postal mail via the contact page of this Website.