For the purposes of this privacy statement, “Request To Pay”, “NPSO”, “we”, “us” or “our” means NPSO Limited, a private company limited by guarantee, responsible for developing and maintaining payment systems and standards in the United Kingdom, and its affiliates, successors and assigns. NPSO Limited was incorporated in England and Wales under the company number 10872449 and has its registered office at 2 Thomas More Square, London E1W 1YN.
Your privacy is very important to us and we take our privacy commitments to our users very seriously. We are the controller and responsible for your personal data. We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us using the details set out in Clause 8.
Your rights and obligations are defined by the Data Protection Act 2018 and EU Regulation of 27 April 2016 General Data Protection Regulation (GDPR), hereafter “the Acts”. All information provided by you to us is dealt with in accordance with the Acts.
This statement will be updated and amended from time to time so please check it on a regular basis. Please refer to our Website Terms and Conditions for details on the basis on which you may use the Website and its contents and the extent of our responsibility for such content.
1. Personal Information
If you provide us with any Personal Information, which is defined as Sensitive Data under the Acts, then we will not disclose this to any third party for any reason without your consent.
You must at all times ensure that the Personal Information you provide is accurate and complete and all registration details (where applicable) shall contain your real name, address and other requested details. You will notify us of any changes to these as soon as you are able so that we can update our records.
You are solely responsible for your Personal Information and we may take any action with respect to your Personal Information we deem necessary or appropriate if we believe it may cause us to suffer any loss, liability or commercial damage.
Whilst we will take all reasonable steps to protect your Personal Information, we cannot guarantee the security of any Personal Information you disclose online. You accept the inherent security implications of dealing online over the Internet and will not hold us responsible for any breach of security unless we have been negligent and then only to the limits set out in the Website Terms and Conditions.
Your Personal Information will be kept in accordance with our Data Retention Policy. You can exercise your individual rights in accordance with Clause 4 below.
2. Why we collect Personal Information
You are not obliged to give us any Personal Information in order to use the majority of our Website. We may, however, require certain Personal Information in order to offer you some services through our Website such as where you want to purchase products from us, subscribe to a service or request information or advice.
Personal Information is valuable in helping us to improve the design and range of the products and services provided by NPSO. The use of your information will be kept to the minimum required in order for us to continue to provide the Website and our products and services.
NPSO will not sell, share with or transfer to third parties any information you provide except as set out in this privacy statement. NPSO may however share your personal information as stated in Clause 3.2.
3. What do we do with your Personal Information?
You acknowledge and understand that NPSO may use your Personal Information:
- to identify you;
- to administer, maintain and host the Website and related business;
- to administer any services we provide to you;
- to compile statistical analysis of the pages of the Website which you visit;
- to help us develop our business, products, services and the Website;
- to consider any applications or requests for information or advice made by you;
- to comply with any legal or regulatory obligations.
3.1 IP Tracking
We use IP addresses to analyse trends, administer the Website, track users' movements and gather broad demographic information for aggregate use. We also aggregate statistics, traffic patterns and related Website information. Such information is primarily used to provide you with an enhanced online experience. This information is generally not capable of personally identifying you. However, where it does, you have Individual rights as set out in Section 4 below.
3.2 Third Parties
Other than to those third parties listed below, we will not disclose your Personal Information to any third party unless either we have your permission to do so, or we are, or consider ourselves to be, under a legal or regulatory obligation to do so. Your Personal Information may be disclosed to the following recipients:
- our parent company and our sister companies;
- our subsidiaries;
- our third party service providers for the purposes of carrying out their services;
- any person to whom we propose to transfer any of our rights and obligations under any agreement we have with you;
- our professional advisers and external auditors.
3.3 Data Export and Google Analytics
Your Personal Information (which includes transfers to other parts of the NPSO) held by NPSO shall be held in the EEA, and NPSO will not send any of your Personal Information to countries outside the EEA.
4. Individual Rights
The GDPR grants individuals (data subjects) the following rights:
- The right to be informed - Right to have confirmed whether personal data concerning the subject is held or processed and information as to the purposes of the processing, categories of personal data, recipients, period of retention and rights described below.
- The right of access - Right to access (or receive a copy) of personal data.
- The right to rectification - Right to have personal data rectified when it is inaccurate or incomplete.
- The right to erasure (right to be forgotten) - Right to request the deletion or removal of personal data where there is no legal basis for its continued processing.
- The right to restrict processing - Right to request restriction or suppression of processing of personal data in certain circumstances.
- The right to data portability - Right to obtain and reuse personal information (e.g. move, copy or transfer personal data from one IT environment to another).
- The right to object - The absolute right to object to personal data being used in direct marketing; limited rights to object to other processing.
- Rights concerning automated decisions and profiling - Right for human intervention or challenges to decisions made by automated means without any human involvement subject to exceptions.
We will reply to any such request without undue delay and at the latest within one month. We may require that more information be provided to us before we can grant your request, in order to identify you or for any other reason that we may state.
Under the Acts, you have a right to access, rectify and delete personal data which have been collected concerning you, and to exercise that right easily and at reasonable intervals. Your right of access means that you have a right to be aware of, and verify, which personal data are held about you and to what purpose.
When the consent you have given us is the sole basis for the processing of your personal data, you have a right to withdraw your consent and to be “forgotten”. This means that upon request by you, we will delete your Personal Information when we have no legitimate interest to keep it. If we have a legitimate interest to keep your Personal Information, we will inform you without undue delay of our intentions and of the legal grounds for the retention of your Personal Information.
These rights can be exercised free of charge. However, in certain circumstances, in particular when a request is manifestly unfounded or repetitive, we may charge you a reasonable fee to grant your request.
5. Direct Marketing
Where personal data are processed for the purposes of direct marketing, you have the right to object to such processing. This right can be exercised at any time and free of charge.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the Website.
- recognise you (by reference to your IP address) whenever you visit this Website; and
- compile statistics and to help us to improve our Website.
NPSO may collect information about your computer, including operating system and browser type, for the purposes of, but not limited to, system administration, aggregating information and statistical and auditing purposes.
You may refuse to accept cookies or be alerted as to when a cookie is being sent by activating the relevant setting on your browser. If you choose not to accept cookies this Website may not function properly or may be considerably slower.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Complaints about our processing of your data and your individual rights, as described above, should be lodged with us at the address of notice below.
If you are unhappy with the outcome of your complaint to us, you have a right to contact the Information Commissioner’s Office (ICO) which is the Supervisory Authority for data protection of individuals in the United Kingdom. You will find information about the ICO and their complaint procedure on their Website accessible at https://ico.org.uk.
All notices shall be given to us via e-mail at email@example.com or by post at NPSO, 2 Thomas More Square, London, E1W 1YN; or to you at either the e-mail or postal address you provide during any ordering process.
Notice will be deemed received when an e-mail is received in full (or else on the next business day if it is received on a weekend or a public holiday in the place of receipt) or 3 days after the date of posting.