Data Protection & Privacy Policy (GDPR)

HomeData Protection & Privacy Policy (GDPR)


Roughliving Furniture Limited may be required to collect and use information about the individuals and businesses we work with. Whether information is collected on paper, in computer records or by any other means, we will always handle the information with care.

We recognise that the lawful treatment of personal information is integral to our operations and in maintaining trust between us and those we work with. Roughliving will always treat information in the lawful and correct way. As such, we fully endorse and adhere to the principles of the GDPR.

Our Data Protection & Privacy Policy applies to the processing of personal data in both written and digital records kept by us in connection with our Human Resources department also. Additionally, it covers our response to any data breaches which may occur and other rights under the GDPR.

This policy, in its entirety, applies to all Roughliving employees, operatives, sub-contracted labour, clients and suppliers.


“Data” – Information that you submit to Roughliving Furniture Limited. Where applicable, this incorporates the definitions provided in the Data Protection Act 1998.

“Personal Data” – Information that relates to an identifiable person who can be directly or indirectly identified from that information.

“Data Processing” – Any operation that is performed on personal data including: collection, recording, organisation, storage, adaption, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment, restriction or destruction.

“Roughliving Furniture Limited” “We” “Us” “Company” – Roughliving Furniture Limited, a company incorporated in England and Wales with registered number 10744987 and registered at 167 Turners Hill, Cheshunt, Waltham Cross, EN8 9BH.


This Data Protection & Privacy Policy applies only to the actions of Roughliving Furniture Limited and the individuals and/or businesses we work with.

With regards to our website, this Data Protection & Privacy Policy does not extend to any websites that can be accessed from this website including (but not limited to) any links we provide to social media websites, manufacturers websites and so on.

Data Protection Principles

In line with GDPR, all personal data collected and stored by us must be processed according to a set of core principles. Therefore, we will ensure that:

1. Processing will be fair, lawful and transparent.

2. Data will be collected for specific, explicit and legitimate purposes.

3. Data collected will be adequate, relevant and limited to what is necessary for the purposes of processing.

4. Data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay.

5. Data is not kept for longer than is necessary for its given purpose.

6. Data will be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures.

7. We will comply with the relevant GDPR procedures for international transferring of personal data.

Types of Data Held

As a Company, it is necessary for us to collect certain information in order to carry out functions such as making payment, receiving payment, writing contracts, producing purchase orders and so on. The data we collect includes (but is not limited to):

1. Company Name

2. Individual’s Name

3. Job Titles

4. Email Address

5. Company and/or Personal Phone Numbers including Mobiles

6. Financial Information including Bank Name, Account Number, Sort Code, Credit Card information

Our Company website automatically collects IP addresses. Our website does not automatically collect any other data. If an individual uses one of the contact forms based on our website or purchases goods on the website, then we will collect:

1. Name

2. Company Name

3. Email Address

4. Telephone Number

5. Payment Information

6. Invoice & Delivery Address details for Order Processing

7. IP Address of Sender

Our Use of Data

1. For purposes of the Data Protection Act 1998, Roughliving Furniture Limited is the “data controller.”

2. Unless we are obliged or permitted by law to do so, personal data will not be disclosed to third parties.

3. All personal data is stored securely in accordance with the principles of the Data Protection Act 1998.


To protect the personal data of relevant individuals, all employees within our business who process data as part of their role have been inducted and trained in our policy on Data Protection & Privacy.

Access to Data

All individuals have a right to access the personal data that we hold on them. To exercise this request, individuals should make a Subject Access Request. We will fulfil the request without delay (within one month) unless, in accordance with legislation we decide an extension is required. If an extension is required, we will inform the individual.

There is no charge for a Subject Access Request unless the request is manifestly unfounded, excessive or repetitive or unless a request is made for duplicate copies to be provided to the individual. In these circumstances, a reasonable charge will be applied.

Data Disclosures

The Company may be required to disclose certain data to any person. Disclosures will only be made when strictly necessary for the purpose. The circumstances leading to such disclosures include:

1. To assist law enforcement or a relevant authority to prevent or detect crime or prosecute offenders or to assess or collect any tax or duty.

Data Security

All employees of the company are instructed to store files or written information of a confidential nature in a secure manner so they are only available to be accessed by people who have a specific need and right to access them.

Screen locks and passwords are implemented on all PCs, laptops, tablets etc and all employees are instructed to ‘lock’ their devices when unattended.

Employees are instructed to ensure that no files or written information of a confidential nature are left where they can be accessed by unauthorised individuals.

All data held digitally is password protected both on our local hard drive and company network drive that is regularly backed up. We limit the use of ‘removable storage media’ such as USBs.

All employees are issued with passwords, which cannot be altered without our notice. All employees are instructed that they are not permitted to disclose these passwords.

Failure to follow the Company’s standards on Data Security may be dealt with via the Company’s Disciplinary Policy & Procedure.

Third Party Processing

If we are required to engage with third parties to process data on our behalf, we will implement a data processing agreement with the third party, which will dictate the measures we expect the third party to carry out in order to maintain our commitment to protecting data.

Website Specific Data

Third Party Websites and Services
We employ the services of a third party to deal with certain technical processes necessary for the operation of our Company website. As such, this third-party provider has access to certain personal data provided by users of our Company website.

Any data used by this third party is used only to the extent required by them to perform services upon our request. Any use for other purposes is strictly prohibited.

Links to Other Websites

Our Company website does provide links to other websites. We do not have control over any website other than our own and are therefore not responsible for the content of any other websites. This Data Protection & Privacy Policy does not extend to the use of any websites other than our own.

We advise you to read the Privacy Policy of other websites prior to using them.

Requirement to Notify Breaches

If any data breaches occur, we will record them on our Data Breach Register. Where legally required, we will report the breach to the Information Commissioner within 72 hours of discovery. Additionally, we will inform the individual whose data was subject to breach, where legally required.


All employees must read and understand our Data Protection & Privacy Policy as part of their induction. During the induction, employees will also receive training on confidentiality, data protection and the actions to take upon identifying a breach. Additionally, all employees are trained in our policies regarding digital data and are given an understanding of the consequences, which all parties are subject to, should a lapse or breach of the Company’s Data Protection & Privacy Policy should occur.


You are not permitted to transfer any of your rights under this Data Protection & Privacy Policy to any other individual. We may chose to transfer our rights under this Data Protection & Privacy Policy where we reasonably believe your rights will not be affected.

If a court or competent authority finds that any provision of this Data Protection & Privacy Policy is invalid, illegal or unenforceable, that provision (or relevant part of the provision) will, to the extent legally required, be deemed to be deleted. The validity and enforceability of the other provisions within this Data Protection & Privacy Policy will remain unaffected.

This Agreement is governed by and interpreted according to the law of England and Wales. All disputes arising under the Agreement are subject to the exclusive jurisdiction of the English and Welsh courts.

Policy Alterations

We reserve the right to alter this Data Protection & Privacy Policy as we deem necessary or as may be required by law. All alterations will be immediately posted onto our Company website.

You are deemed to have accepted the terms of this Data Protection & Privacy Policy on your first use of the Company website following the alterations.

Loading posts...
Sort Gallery