All personal and secure & confidential data handled by Orion Print.
Under the new EU GDPR requirements Orion Print are a processor for our clients’ data and are registered with the Information Commissioner’s Office.
Orion Print undertakes to only collect, store and use your personal information for defined purposes. At Orion Print we take your privacy seriously and will only use your personal information to administer your account and provide the products and services you have requested from us.
Orion Print will not sell your personal information. We will only share your personal data if required to by law, or in order to protect Orion Print, its customers, or the public, or with companies that help Orion Print fulfil its services to you, and then only with partners who share our commitment to protecting your privacy and data.
You may contact Orion Print in writing to the Data Protection Officer Jim Richardson at Orion Print, Merlin Way, Quarry Hill Industrial Estate, Ilkeston DE7 4RA with any privacy questions or concerns you may have.
You may ask at any time to see the personal data you have given us and request that we correct or delete it.
Orion Print is committed to protecting the security of your personal data by the use of appropriate measures and processes throughout our business, to meeting its data protection obligations, and to being transparent about how it collects and uses that data.
What information does the Company collect?
The Company collects and processes a range of information about you. This includes:
- Your name, company address and company contact details, including your company email address and company telephone number.
The company also holds personal information about 3rd parties that you have provided to us for the purpose of fulfilling an order you have requested from us.
Personal data sent to us must be sent via secure means such as SFTP.
A log of how personal information is collected, stored and processed is kept by the company.
Data will be stored in a range of different places, including physically in and/or on job bags stored in secure ISO27001 accredited locations owned by Orion Print; and digitally in ISO27001 and Cyber Essentials Plus accredited IT systems including our MIS.
Why does the Company process personal data?
The company needs to process data to administer your account and provide the products and services you have requested from us.
The company needs to process personal data provided by yourselves regarding 3rd parties in order to fulfil an order you have requested from us.
Who has access to data?
Your information may be shared internally amongst our CTC or SC Cleared staff for the purposes of fulfilling the product and services which you have requested from us.
The Company will not transfer your data to countries outside the European Economic Area.
How does the Company protect data?
The Company takes the security of your data seriously. The Company has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Data stored and managed locally by Orion Print sits on an IT infrastructure that is within scope of the company’s ISO27001:2013 Information Security certification and is independently audited by a UKAS accredited organisation. The internet-facing infrastructure for Orion Print locations, including firewalls, routers and end user devices, is Cyber Essentials Plus certified and independently assessed both internally and externally by a CREST-accredited organisation. The Company operates a strict access control policy with access rights granted on a ‘need to know’ basis.
Where the Company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does the Company keep data?
A data classification & retention log is maintained for each data asset. Data will not be retained by Orion Print for longer than is necessary in relation to the purpose for which it was originally collected, or for which it was processed.
The Company will hold personal information provided to us by you regarding 3rd parties for the purpose of fulfilling an order for the lifecycle of the production job unless requested otherwise.
How does the Company delete data?
The Company will manually delete personal information about you stored digitally in its MIS and securely shred personal information stored physically about you at the end of the retention period or upon request.
Data you provide to us digitally regarding a 3rd party for the purpose of fulfilling an order is destroyed securely using PGP shredder and physical data is securely shredded at the end of the retention period or upon request.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the Company to change incorrect or incomplete data;
- require the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing.
If you would like to exercise any of these rights, please contact the Managing Director/Data Protection Officer, Jim Richardson.
If you believe that the Company has not complied with your data protection rights, you can complain to the Information Commissioner’s Office.
Subject access requests
You have the right to make a subject access request. If you make a subject access request, the Company will tell you:
- Whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from yourself;
- To whom your data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- For how long your personal data is stored (or how that period is decided);
- Your rights to rectification or erasure of data, or to restrict or object to processing;
- Your right to complain to the Information Commissioner if you think the Company has failed to comply with your data protection rights; and
- Whether or not the Company carries out automated decision-making and the logic involved in any such decision-making.
The Company will also provide you with a copy of the personal data undergoing processing.
The Company will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the Company processes large amounts of your data, it may respond within three months of the date the request is received.
The Company will write to you within one month of receiving the original request to tell you if this is the case.
If a subject access request is manifestly unfounded or excessive, the Company is not obliged to comply with it. Alternatively, the Company can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Company has already responded. If you submit a request that is unfounded or excessive, the Company will notify you that this is the case and whether or not it will respond to it.
If the Company discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The Company will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
Data protection principles
The Company processes personal data in accordance with the following data protection principles:
- The Company processes personal data lawfully, fairly and in a transparent manner.
- The Company collects personal data only for specified, explicit and legitimate purposes.
- The Company processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- The Company keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- The Company keeps personal data only for the period necessary for processing.
- The Company adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
- The Company tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.
- The Company will update personal data promptly if an individual advises that their information has changed or is inaccurate.