The Sturrock and Robson Group is committed to protecting and respecting your privacy. Everyone has rights with regards to the way in which their personal information is handled. During the course of our activities we will collect, store and process personal information about our employees, customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in our organisation.
Please read the following carefully to understand our views and practices regarding your personal information and how we will treat it. For the purpose of UK data protection laws, the data controller is Sturrock and Robson UK Limited of Office 408, 1 Long Lane, London, SE1 4PG, United Kingdom.
For the purpose South African data protection laws, the responsible party is Sturrock and Robson Industries (Pty) Ltd of Block A, Tunney Ridge Business Park Sam Green Road, Elandsfontein Germiston 1429, South Africa.
DATA PROTECTION PRINCIPLES
When processing your information, we must comply with the eight enforceable principles of good practice or conditions of lawful processing. These provide that your personal information must be:
- processed lawfully, fairly and in a transparent manner,
- processed for specified, explicit and legitimate purposes,
- adequate, relevant and limited to what is necessary,
- accurate and kept up -to-date,
- kept for no longer than is necessary,
- processed in a manner than ensures appropriate security safeguards,
- any further processing must be compatible with the purpose for which the information was collected and
- processed with the requisite degree of data subject participation.
INFORMATION YOU GIVE TO US
We may collect, use, store and transfer different kinds of personal information about you, including:
- Identity Data, such as your name, title, date of birth, gender,
- Contact Data, such as your billing addresses, delivery addresses, email addresses and telephone numbers,
- Organisational Data, such as your company’s name, legal registration number, address and contact details,
- Transaction Data, including details about payments to and from your company via nominated bank accounts, tax registration information and other details of products and services your company purchases from us or supplies to us.
- Technical Data, including IP addresses, your log -in data, browser type and version, time – zone setting and location, browser plug in types and versions, operating system and platform and other technology on the devices you use to access our website,
- Usage Data, including information about how you use our website, products and services. Location Information, which includes geographical information from your Access Device (which is usually based on the GPS or IP location) and
- Marketing Data, such as your preferences in receiving marketing from us and our third parties, and your communication preferences.
‘SPECIAL CATEGORY’ DATA
- Information relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, criminal convictions, sex life or sexual orientation, or certain types of genetic or biometric data is known as ‘special category’ data or “special personal” information.
- During the course of dealing with you, we do not expect to collect any ‘special category’ data about you.
- However, should the processing of ‘special category’ data or “special personal” information be required, this will be conducted only with your consent, upon disclosure of the purposes for which such ‘special category’ data or “special personal” information is processed or if we are required to do so to comply with obligations imposed on us by law, or for making or defending legal claims.
- We do not knowingly collect information from children or other persons who are under 16 years old. If you are a minor under 16 years old, please do not provide us with any personal information without the express consent of a parent or guardian. If you are a parent or guardian and you know that your children have provided us with personal information, please contact us. If we learn that we have collected personal information from minor children without verification of parental consent, we will take steps to remove that information from our servers.
HOW WE COLLECT YOUR PERSONAL INFORMATION
We may obtain personal information by directly interacting with you, such as:
- placing orders for products and services,
- creating an account on our affiliate companies’ website,
- obtaining completed contractual onboarding forms from you
- participating in discussion boards or other social media functions on our website, or through our social media platforms,
- participating in any promotion or survey organised by us, or otherwise providing us with feedback,
- subscribing to our services or publications, or otherwise requesting marketing material to be sent to you, or
- corresponding with us by phone, email, letters or otherwise.
We may obtain personal information via automated technology when you interact with our website by using cookies, server logs and other similar technologies. We may also collect personal information about you from third parties or publicly available sources, such as:
- analytics providers (such as Google),
- advertising networks,
- search information providers,
- providers of technical, payment and delivery services,
- business references,
- recruitment agencies,
- Companies registration agencies (e.g. Companies House or Companies and Intellectual Property Commission), Credit Reference Agencies, LinkedIn and the electoral register.
HOW WE USE YOUR PERSONAL INFORMATION
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- you have given us consent,
- we need to perform a contract we are about to enter into, or have entered into, with you,
- where it is necessary for our or a third party’s legitimate interests, and your interests and rights do not override those interests, or
- where we need to comply with a legal or regulatory obligation.
PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL INFORMATION
- We may use your personal information for a number of different purposes. For each purpose, we are required to confirm the ‘legal basis’ that allows us to use your information, as follows:
|Purposes for which we will use the information you give to us||Legal basis|
|To register your company as a new customer or supplier.||It will be necessary for our legitimate business interests, namely with a view to providing / obtaining products and services to or from your company.
In certain circumstances, it may also be necessary for us to comply with a legal obligation where we are required to establish the identity of your company before commencing the supply of products and services.
|To process your company’s order and, if accepted, to deliver/receive the products to/from your company (including managing payments, fees and charges)||It will be necessary for our legitimate business interests, namely with a view to providing/obtaining products and services to/from your company.|
|To gain export approval for products and equipment that we have agreed to supply to you.||It will be necessary for our legitimate business interests, namely with a view to providing products and services to your company.|
In certain circumstances, it may also be necessary for us to comply with a legal obligation where we are required to comply with export control regulations before commencing the supply of products and services.
|To obtain further information about you, your company, and the matter that is the subject of our agreement with your company.||It will be necessary for our legitimate business interests, namely with a view to providing products and services to your company or during the course of your employment or potential employment with the Group.|
|To collect and recover money owed to us or pay money owed to you.||It will be necessary for our legitimate business interests, namely to ensure we receive payment for products that you have ordered from us.|
It will be necessary for your legitimate business interests, namely to ensure you receive payment for products that we have ordered from you or for services rendered.
|To enable you to complete business surveys.||It will be necessary for our legitimate business interests, namely to study how customers use our products, to develop them and help grow our business.|
|To provide you with information about special offers and other products we sell that are similar to those that you have already received from us.||Where you have previously received
marketing communications from us, then it will be necessary for our legitimate business interests, namely to ensure you continue to receive communications that you have previously agreed to receive.|
In all other cases, we will only do this if you give us your consent.
|To invite you to corporate events, such as seminars, workshops, site visits and corporate hospitality.||It will be necessary for our legitimate business interests, namely to develop our relationship with you outside of the working environment.|
Where you would not normally have a reasonable expectation of receiving such invites from us, we will only send you invites if you agree.
We will only use your personal information for the purpose(s) for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
WHAT IF YOU CANNOT OR WILL NOT PROVIDE US WITH YOUR PERSONAL INFORMATION
It is a contractual requirement for you to provide us with certain information. This will be clearly defined within the contractual terms and conditions, and can include names, addresses, payment information. Your consent is not required where we are required to process your personal information to fulfil our obligations under a contract with you or in terms of the other justifications prescribed by law.
If you do not provide us with that information, it may obstruct or prevent us from being able to render services to you and carry out our obligations, under contract or in law and we will be unable to accept and process your order and deliver the products to you. You may also be liable to pay additional costs, as explained in our terms of sale.
Please note that if you do limit or block cookie use on our Website the functionality of both the Website and our services will be affected.
DISCLOSURE OF YOUR INFORMATION
Sturrock and Robson is a global business that owns and operates a portfolio of companies within the industrial sector and as such, any personal information that we collect may be shared with and processed by any entity within our network, and our successors-in-title. We may also share personal information with certain third parties such as:
- other personnel within your company, or any other company that is party to or otherwise has a legitimate interest in the agreement between us and your company, this could include third parties,
- providers of IT and system administration services to our business,
- our professional advisers (including solicitors, bankers, auditors and insurers),
- Revenue & Customs, the Information Commissioner’s Office, regulators and otherauthorities who require reporting of processing activities in certain circumstances,
- shipping and freight agents, overseas customs agencies,
- Credit Reference Agencies.
- analytics and search engine providers that assist us in the improvement and optimisation of our website, and
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this policy.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third -party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
WHERE WE STORE YOUR PERSONAL INFORMATION
As a global group, personal information may be stored and processed in any country where we have facilities or in which we engage third party service providers (i.e. United States, United Kingdom, Australia and South Africa). Your consent to the transfer of information to countries outside your country of residence, which may have different data protection rules than in your country of residence. While such information is outside of your country of residence, it is subject to the laws of the country in which it is held, and may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of such other country, pursuant to the laws of such country.
- Building entry controls. Access to the building is restricted, all visitors must report toreception before entry.
- Firewalls and Encryption. We use industry -standard and up -to-date firewall andencryption technology.
- Overseas transfers. Whenever we transfer your personal information across borders, we ensure a similar degree of protection is afforded in ensuring that we apply appropriate safeguards.
If you are concerned about the levels of data security in any of those countries, please let us know and we will endeavor to advise what steps will be taken to protect your data when stored overseas.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once wehave received your information, we will use strict procedures and security features to try to prevent unauthorised access.
HOW LONG WE WILL STORE YOUR PERSONAL INFORMATION
The length of time that we will store your data will depend on the ‘legal basis’ for why we areusing that data, as follows:
|Legal basis||Length of time|
|Where we use/store your data because it is necessary for the performance of the contract between you and us.||We will use/store your data for as long as it is necessary for the performance of the contract between you and us.|
|Where we use/store your data because it is necessary for us to comply with a legal obligation to which we are subject.||We will use/store your data for as long as it is necessary for us to comply with our legal obligations.|
|Where we use/store your data because it is necessary for our legitimate business interests.||We will use/store your data until you ask us to stop. However, if we can demonstrate the reason why we are using/storing your data overrides your interests, rights and freedoms, then we will continue to use and store your data for as long as it is necessary for the performance of the contract between you and us (or, if earlier, we no longer have a legitimate interest in using/storing your data).|
|Where we use/store your data because you have given us your specific, informed and unambiguous consent.||We will use/store your data until you ask us to stop.|
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes throughother means, and the applicable legal requirements.
You have various legal rights in relation to the information you give us, or which we collect about you, as follows:
- You have a right to access the information we hold about you, together with various information about why and how we are using your information, to whom we may have disclosed that information, from where we originally obtained the information and for how long we will use your information.
- You have the right to ask us to rectify any information we hold about you that is inaccurate or incomplete.
- You have the right to ask us to erase the information we hold about you (the ‘right to be forgotten’). Please note that this right can only be exercised in certain circumstances and, if you ask us to erase your information and we are unable to do so, we will explain why not.
- You have the right to ask us to stop using your information where: (i) the information we hold about you is inaccurate; (ii) we are unlawfully using your information; (iii) we no longer need to use the information; or (iv) we do not have a legitimate reason to use the information. Please note that we may continue to store your information, or use your information for the purpose of legal proceedings or for protecting the rights of any other person.
- You have the right to ask us to transmit the information we hold about you to another person or company in a structured, commonly used and machine -readable format. Please note that this right can only be exercised in certain circumstances and, if you ask us to transmit your information and we are unable to do so, we will explain why not.
- Where we use/store your information because it is necessary for our legitimate business interests, you have the right to object to us using/storing your information. We will stop using/storing your information unless we can demonstrate why we believe we have a legitimate business interest which overrides your interests, rights and freedoms.
- Where we use/store your data because you have given us your specific, informed and unambiguous consent, you have the right to withdraw your consent at any time.
- You have the right to object to us using/storing your information for direct marketing purposes.
If you wish to exercise any of your legal rights, please contact us by writing to the address at the top of this policy, or by emailing us at firstname.lastname@example.org
You also have the right, at any time, to lodge a complaint with the Information Commissioner’s Office for personal information processed in the UK or the Information Regulator for personal information processed in SA at email@example.com if you believe we are not complying with the laws and regulations relating to the use/storage of the information you give us, or that we collect about you.
AUTOMATED DECISION -MAKING
We do not use automated decision making processes.
THIRD PARTY LINKS
Our website may include links to third -party websites, plug -ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third -party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
CHANGES TO OUR POLICY
Any changes we make to our policy in the future will be posted on our website and, where appropriate, notified to you by email. Please check our website frequently to see any updates or changes to our policy.
policy, or by emailing us at firstname.lastname@example.org
STURROCK AND ROBSON GROUP BINDING CORPORATE RULES
OBJECTIVE AND SCOPE
- Binding Corporate Rules(“BCRs”) are legally binding and enforceable internal rules and policies for data transfers within multinational group companies. BCRs permit multinational companies to transfer personal information internationally within the same corporate group to countries that do not provide an adequate level of protection for personal data as required under the Protection of Personal Information Act, 2013 (“POPIA”) or other relevant data protection laws, such as General Data Protection Regulation (“GDPR”).
- The aim of Sturrock and Robson S.à r.l. (the “Company“) is to apply uniform, adequate and global data protection and privacy standards for the handling of personal information of data subjects throughout the Company, its affiliated companies, subsidiaries, partnerships joint ventures, successors and assigns, and their directors, officers and employees (collectively, the “Group”).
- These BCRs are corporate directives that apply to the processing and/or transferring of Personal Information by the Group.
- Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. An identifiable person is an individual or entity who can be identified, directly or indirectly, based upon the information collected about the individual (“Personal Information”).
- A User in these BCRs refer to the person to whom Personal Information relates and that has utilised a Service provided by a Group entity or provided a Service to a Group entity or been employed within the Group. The term Service applies to a service and/or product offered / procured by a Group entity by the Company for use by a User.
- Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including the
– collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
– dissemination by means of transmission, distribution or making available in any other form; or
– merging, linking, as well as restriction, degradation, erasure or destruction of information.
- The Group does not during the ordinary course of business process Personal Information revealing the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information or criminal records of a User (“Special Personal Information”). However, should the processing of ‘special category’ data or “special personal” information be required, this will be conducted only with your consent, upon disclosure of the purposes for which such ‘special category’ data or “special personal” information is processed or if we are required to do so to comply with obligations imposed on us by law to exercise a legal right, or for making or defending legal claims.
APPLICATION OF LAWS
- With varying legal requirements throughout the world relating to data protection, these BCRs establish a consistent set of requirements to help ensure the appropriate use of User Personal Information.
- All Group entities are obliged to comply with these BCRs when processing the Personal Information of Users. Additionally, all employees of the Group entities should follow these BCRs.
- These BCRs are global User Personal Information processing directives for the Group. Collection and processing of User Personal Information shall occur in accordance with the Service’s term and conditions, the law applicable to the User and the directives established by these BCRs. Where the applicable law is more protective than the directives set out in these BCRs, the Group entities will process User Personal Information in accordance with the applicable law. If the applicable law provides for a lower level of protection, the directives of the BCRs shall apply. Where an employee of the Group is not sure which of the two is more protective, they must email email@example.com for clarity.
- Where a Group entity has reason to believe that an applicable law may prevent compliance with the BCRs resulting in a substantial effect on the protections provided by the BCRs, the Group entity will promptly inform the Company Information Officer at firstname.lastname@example.org
PURPOSE OF PROCESSING PERSONAL INFORMATION
CONDITIONS FOR PROCESSING PERSONAL INFORMATION
The Group observes the following conditions for the lawful processing of Personal Information (the “Conditions”):
- Condition 1 – Accountability:
– The party collecting the Personal Information must ensure it is done so lawfully, fairly and in a transparent manner.
- Condition 2 – Processing Limitation:
– Personal Information can be collected or stored only if it is necessary for, or directly related to, a lawful, explicitly defined purpose and does not intrude on the privacy of the User to an unreasonable extent.
– Personal Information must be collected directly from and with the consent of the User.
- Condition 3 – Purpose Specification:
– Users must be informed of the purpose of any such collection and of the intended recipient of the Personal Information at the time of collection.
– Personal Information must not be kept for any longer than is necessary for achieving the purpose for which it was collected.
- Condition 4 – Further Processing Limitation:
– Personal Information must not be distributed in any way which is incompatible with the purpose for which it was collected.
- Condition 5 – Information Quality:
– Reasonable steps must be taken to ensure that the Personal Information processed is accurate, up to date and complete.
- Condition 6 – Openness:
– The User whose information you are collecting must be aware that the Company and/or Group is collecting and processing their Personal Information.
– They must be notified of the fact either before or as soon as reasonably possible after collection of the Personal Information, even if you get it from a third party.
- Condition 7 – Security Safeguards:
– Appropriate technical and organisation measures have to be taken to safeguard the User against the risk of loss, damage, destruction of or an authorised access to Personal Information.
- Condition 8 – Data Subject Participation:
– Users are allowed the right to access their Personal Information and have a right to demand correction of such information should it turn out to be inaccurate.
- Adherence to the Conditions may be limited in certain cases to the extent necessary to meet national security, public interest, or law enforcement requirements.
TRANSFERRING AND SHARING PERSONAL INFORMATION
- The Group entities share Personal Information in the normal course and scope of business with other the Group entities worldwide to facilitate the Services, prevent fraud, provide joint content and Services.
- The Group entities may transfer Personal Information to other Group entities worldwide when there is a legitimate business need, sufficient technical and organizational security measures exist and the recipient has complied with the BCRs or provides an adequate level of protection when processing Personal Information.
- According to applicable law, treaties or applicable international conventions, the Group entities may share Personal Information with law enforcement, regulatory authorities or other third parties when: required as a matter of law; it is necessary to protect the Company’s rights; it is necessary to keep the Services free from abuse; or there is a legitimate purpose (e.g., to prevent imminent physical harm, financial loss or to report suspected illegal activity).
- The Group entities may disclose Personal Information to other third parties for the third party’s own purposes in accordance with the User’s instructions or with the unambiguous informed consent of the User (where permissible under applicable law).
SECURITY, CONFIDENTIALITY AND AWARENESS TRAINING
- The Group uses physical, technical and organisational security controls commensurate with the amount and sensitivity of the Personal Information to prevent unauthorised access, use, loss, destruction and damage. The Group uses encryption, firewalls, access controls, Antivirus, Anti-Malware Software, operational security, and physical security controls and standards and other procedures to protect Personal Information from unauthorized access. Physical and logical access to electronic and hard copy files is further restricted based upon job responsibilities and business needs.
- The Group conducts privacy and information security awareness training to emphasise and inform employees of the need to protect and secure Personal Information. Access to Personal Information shall determine the need for additional training relating to specific policies as well as these BCRs.
- A copy of these BCRs and other relevant privacy and security related policies and procedures are available to employees at any time.
- Users must be afforded the following rights in relation to their Personal Information:
– The right to request the Group to confirm whether or not it holds any of the Users Personal Information;
– The right to request the Group to amend incorrect or incomplete Personal Information;
– The right to object to, or require the Group to stop, processing their Personal Information, for example where the processing of the Personal Information is no longer necessary;
– The right to request the Group require us to erase your Personal Information;
– Where the processing of User’s Personal Information is based solely on their consent, Users may withdraw that consent;
– Users may opt out of marketing related e-mail communication at any time; or
– The User may receive from the Group the Personal Information we hold about them, which they have provided to the Group including for the purpose of the Users transmitting that Personal Information to another responsible party.
- Please note that the above rights are not absolute, and the Group may be entitled to refuse
requests where exceptions apply.
- The Group does not sell Personal Information to third parties for their marketing purposes without the User’s prior consent.
- With the exception to those Users who have selected not to receive certain communications, the Group may use Personal Information to target communications to Users based on their interests according to applicable law.
COMPLAINT HANDLING PROCESS
- If a User wishes to exercise any of their legal rights, they may contact the Group by emailing the Group at email@example.com
- If a User has a complaint and you remains dissatisfied with how their complaint has been dealt with by the Group, the Group’s anonymous outsourced Speak Up line as detailed in the Whistleblowing policy should be used. You also have the right, at any time, to lodge a complaint with the Information Commissioner’s Office for personal information processed in the UK or the Information Regulator for personal information processed in SA at firstname.lastname@example.org if you believe we are not complying with the laws and regulations relating to the use/storage of the information you give us, or that we collect about you.
LIABILITY AND THIRD PARTY BENEFICIARY RIGHTS
- The Group will comply with these BCRs. The BCRs are binding obligations and failure to follow them may result in employee disciplinary action, including termination and other penalties as provided by law.
- The Global Information Officer Brian Rushe, as advised by the applicable Group privacy team, accepts responsibility for and agrees to oversee the Group’s adherence to the BCRs and shall help take the necessary action to remedy the acts of noncompliance relating to these BCRs.
- The Global Information Officer Brian Rushe, will investigate claims of non-compliance to determine if a violation of the BCRs has occurred. If the violation is confirmed, the Global Information Officer and other relevant officials within the Group shall work together to address and resolve the violation within a commercially reasonable time.
- The enforcement rights and mechanisms described above are in addition to other remedies or rights provided by the Group or available under applicable law.
- To help ensure compliance with the BCRs, the Company reviews, on a regular basis, Personal Information processing activities and practices or recommends that the Company’s internal audit team conduct a review of the identified activities and practices.
- The internal audit team shall, if necessary, require an action plan to ensure compliance with the BCRs. To the extent that internal audit or other internal departments do not resolve matters adequately, the Company may appoint independent external auditors for further resolution.
- The Company shall review and address matters relating to non-compliance with the BCRs identified in the course of a review or upon notice by a Group entity, User, employee or other individual. Audit findings are available to relevant data protection authorities upon request. The Company will redact portions of the audit to ensure confidentiality of proprietary or otherwise company confidential information. Further, the Company will only provide audit findings relating to privacy.
MODIFICATIONS OF THE BCRs
- The Company reserves the right to modify the BCRs as necessary in accordance with its internal procedures and applicable laws.
- Changes to the BCRs shall be applicable to all existing entities bound by the BCRs on the effective date of implementation. Newly formed or acquired entities shall be bound by the BCRs or guarantee an adequate level of protection prior to processing Personal
- The Company will provide notice of material changes to Users in accordance with their Service preferences and/or shall post the revised BCRs on the Group Website and on select external websites accessible by Users. Revisions to the BCRs are effective on their respective effective dates, set out in the BCRs but only after the Company notifies the User and/or posts the revised BCRs.