
Online shop

This privacy statement explains how we collect and use personal information as a data controller for the Scottish Parliament Online Shop.

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.


When you make an online purchase from the Scottish Parliament Online Shop your personal data will be processed by the Scottish Parliament in order to process your purchase and to fulfil and dispatch orders.

  • We use a third-party commercial platform, Shopify, to host the Scottish Parliament Online Shop.

Read Shopify's privacy notice

  • We use a third party, WorldPay (Direct), to process payments.

Read the WorldPay (Direct) privacy notice

  • We use a third-party company, the Royal Mail, to process deliveries.

The purpose of the processing

We may use your information for a number of different purposes, including:

  • Processing online sales
  • Conducting market research and analysis to understand how we can improve our online shop products and services

Your data will normally remain on our system for 6 months from dispatch of the goods, or until you contact us to ask for your details to be removed. It is then securely deleted.

Categories of information processed

The information we collect and process is:

  • Your name, shipping and billing address, telephone number, email address and payment method
  • Information about your activity on the website and about the device used to access it, including your IP address and geographical location – this helps our operating platform, Shopify, spot potentially fraudulent transactions to safeguard online shopping for all customers.
  • Payment information is processed by a trusted third-party payment provider, WorldPay (Direct), and we do not have access to this.

Source of the information

Personal data is provided to us directly by you (our customers) via the Online Shop. We collect the data when you:

  • Register online or place an order for any of our products or services
  • Use or view our website via your browser’s cookies

Legal basis for data processing

Data protection law states that we must have a legal basis for handling your personal data.

The legal basis for the processing of personal data for online purchases is that it is carried out with the consent of the data subject in terms of Article 6(1)(a) of the UK General Data Protection Regulation (UK GDPR).

Your consent must be given through a tick box prior to any orders being placed or accepted so that we can:

  • Supply our products to you
  • Process your payment for the products you order
  • Improve our services and products to you

Consequences of not providing personal data

Not providing personal information will result in orders not being fulfilled, or being cancelled by us.

Automated decision making

Most of our processes are manual; however, Shopify might automatically block a payment card number or IP address after a certain number of unsuccessful payment attempts. The automated blocking only lasts for a short period and is beyond the control of the SPCB.

Read Shopify's help pages

Data sharing

Your information is primarily accessed by the Scottish Parliament Shop team to process orders and analyse website and marketing performance.

Access to the online shop is restricted to nominated and trained SPCB personnel and is password protected. Only the store owner can access personal data to make any requested changes.

  • We will only share your personal data with third parties for the purposes of fulfilling our contractual agreements with you (for example, our delivery partners, Royal Mail)
  • We use Shopify to operate our online store - read more about how Shopify uses your Personal Information.
  • We use WorldPay (Direct) so you can make payments securely on our Shopify online shop website.
  • Personal data is only shared with other areas within the Scottish Parliament where necessary, for example our mailroom, who send out orders through Royal Mail.

Retention of data

Your personal data is held securely on the Scottish Parliament IT systems for as long as we require it to process an order. This is normally 6 months from dispatch of the goods. It is then securely deleted.

We are legally obliged to hold some information for regulatory obligations i.e. financial and accounting reporting. Financial data is held for 6 years before being securely deleted.

Access to the online shop is restricted to nominated and trained SPCB personnel and password protected. Only the store owner can access personal data to make any requested changes.

By default, Shopify will not erase personal data if a customer has made an order within the last 6 months in case a chargeback occurs. This is when there is a dispute over a credit card payment. If a request for erasure is submitted in that time frame, then it will sit pending and Shopify will action it once the appropriate time has passed.

Transfer of data

European Economic Area (EEA) data is received and initially processed by Shopify’s Irish entity, Shopify International Ltd.

Data is exported from the EEA to Shopify’s Canadian parent entity, Shopify Inc. This export takes place within Shopify’s corporate structure. Data within Shopify Inc. is protected under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which is considered adequate under the GDPR.

Cookies

Cookies are small text files that the Scottish Parliament website puts on your computer.

Cookies collect information about how you use this site so we can make sure it meets your needs. They do not collect information that could be used to identify you personally. More information about how Cookies work and how the Scottish Parliament uses them can be found on the Parliament website.

Shopify Cookies

We use Shopify to run our online shop. We use Shopify cookies to improve your experience. You can set your browser to accept cookies by a tick box or you can choose not to accept them.

All the information we collect is anonymous. 

Find out the list of cookies Shopify uses 

Your rights

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.

The following rights may apply:

Access to your information

You have the right to request a copy of the personal information about you that we hold.

See information on how to make a data protection subject access request.

Correcting your information 

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.

  • Please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent.
  • The right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject.
  • The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case-by-case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.

Deletion of your information 

You have the right to ask us to delete personal information about you where:

  • You consider that we no longer require the information for the purposes for which it was obtained.
  • We are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below.
  • You have validly objected to our use of your personal information – see Objecting to how we may use your information above.
  • Our use of your personal information is contrary to data protection law or our other legal obligations.
  • Please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest.
  • The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case-by-case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information 

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.
Please contact us in any of the ways set out below if you wish to exercise any of these rights.

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.

This privacy statement was last updated on 8 March 2022.

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:


The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913 (Calls are welcome through the Text Relay service).

Call in British Sign Language through contactScotland-BSL.

Email: [email protected]

Complaints

We seek to directly resolve all complaints about how we handle personal data. You also have the right to lodge a complaint with the Information Commissioner's Office online or by phone at: 0303 123 1113.


 

 
