Bare minimum info

OMGVape

Jan 21, 2018
We don’t do email promotions or any such things. We only keep sales invoices as required by HMRC so I presume our privacy policy will only use the ‘legal’ reason for keeping.

What about phone orders? Do we need to quote this policy to each buyer? How do we prove we have their permission?

Does the policy need to explain how we store this info?
 
Correct re legal reason, but you would also probably satisfy the contractual reason too.

With phone orders, theoretically yes - hopefully it could be covered off in one sentence. If you have a phone system which already tells people calls may be recorded for training purposes etc, you could just add a sentence to that message.

Yes you will need to include in your privacy policy how you store the info and more particularly where you store it and how it is encrypted/password protected. You also need to include a section on data access requests, i.e. how someone can request copies of their invoices and how they can request corrections to any errors or amendments, i.e. change of address etc. Remember if you have employees, they will each need an employee privacy policy too (saying that they give you permission to process their data for payroll etc).
 

OMGVape

Jan 21, 2018
Thanks Keith, it doesn’t sound so difficult but would we need to record every phone call to prove the customer has ‘opted in’?
Do I also need to explain on the phone, that when paying by credit card, personal details are also kept by our payment provider and our courier?

Come D-day I’m thinking of phoning my solicitor for some random reason to see what GDPR waffle they come out with.

Might even phone the BBC to order a Countryfile calendar and see how they play it.

I’ll probably end up doing what I did for our T&Cs and cookie policy, I just copied them from a company bigger than us because they seemed to be ok.
 
No I don't think you'd need to record the call. It would probably be worth keeping on the customer record the date and time they first called though so you could track it that way.

Yes you would need to advise about the payment provider and the courier. Again I would cover it off in as few words as possible and refer people to the full privacy policy on your website if they want to read all the words.

I won't comment on copying someone else's policy - I will pretend I didn't read that bit.....
 