
Privacy Policy

**The EU General Data Protection Regulation (GDPR)**

The General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998 (DPA).
The new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations and businesses to be more accountable for data protection.
Deadline for compliance: 25 May 2018
The business benefits of the GDPR;

•Build customer trust
•Improve brand image and reputation
•Improve data governance
•Improve information security
•Improve competitive advantage
UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will apply.
Personal data;

•Email address
•IP address
•Location data
•Online behaviour (cookies)
•Profiling and analytics data

Data protection principles;

Personal data must be processed according to the six data protection principles:

•Processed lawfully, fairly and transparently.
•Collected only for specific legitimate purposes.
•Adequate, relevant and limited to what is necessary.
•Must be accurate and kept up to date.
•Stored only as long as is necessary.
•Ensure appropriate security, integrity and confidentiality.
EVIE ROSE & CO only stores customer data for as long as it’s needed, which means that once an order is complete the messages are deleted. EVIE ROSE & CO does not print any information on any customers, and works solely from the inbox.
EVIE ROSE & CO does not share or screenshot any messages.
EVIE ROSE & CO does, however, screenshot the address screen from PayPal and share this directly with customers. This is to ensure the address is correct and to confirm with the customer that payment has been received. Every day, photos that aren’t needed are deleted, which includes all the screenshots of customer addresses. The “deleted” photo album is also swept regularly, and the customer data is then permanently erased.

Accountability and governance;

Be able to demonstrate compliance with the GDPR.
EVIE ROSE & CO demonstrates this by deleting all data gathered from customers who message the EVIE ROSE & CO inbox folder: each message is deleted once the customer order is complete.
Customers pay using PayPal. PayPal has assured all business users that it too is GDPR compliant, and that storage of customer data is kept to a minimum and not shared with any other third party.

Lawful processing;
•Identify and document the lawful basis for any processing of personal data. The lawful bases are:

•Direct consent from the individual;
•The necessity to perform a contract;
•Protecting the vital interests of the individual;
•The legal obligations of the organisation;
•Necessity for the public interest;
•The legitimate interests of the organisation.

By contacting EVIE ROSE & CO you are giving direct consent that EVIE ROSE & CO can store your personal data until the order is complete. If a customer just wants to ask a question, please be assured that once the conversation is finished all messages will be deleted. EVIE ROSE & CO does not store any messages that are not active.

**PCI compliance**
What is PCI DSS and who needs to comply? (Payment Card Industry Data Security Standard)

Consumers are becoming increasingly aware of the dangers of identity theft, and PCI compliance shows that a business has secure procedures in place that keep customer payment information safe and secure.
•Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements that all businesses who handle credit or debit card payments must comply with. It provides a "minimum security standard".

As a merchant (business) accepting card payments, the business is required to comply with PCI DSS. As a service provider, PayPal is also required to comply with PCI DSS.
EVIE ROSE & CO does not take payments directly from customers; EVIE ROSE & CO uses a service provider (PayPal, which is PCI DSS compliant).