Privacy Policy

Lifestiles Limited take your privacy seriously and this Privacy Policy is to help you understand how and what information we collect, how we use it and how your personal data can be updated and managed.  We understand that people have different privacy concerns so our aim is to be clear about what we collect so you can make a choice on how we use it.

Please contact our Data Controller, David Osborn directly by emailing:  dave@lifestiles.co.uk if you would like to discuss our handling of your data.

1. What Personal Data do we collect?

For account customers we may collect and process personal data such as name, address, email and phone number, payment details, date of birth and proof of identity which may include driving licence, utility bill or passport.

For non-account customers we may still collect personal data such as name, address, email and phone number when you place an order, use our website or take advantage of a promotion.

2. How we use your information

Lifestiles Limited will collect and use your personal data for credit checks with third party suppliers for account applications, correspondence and for any account or product related queries, request or changes.

From time to time we may use your contact details to advise you of goods or services of legitimate interest to you, based on the information you have provided to us and only supplied by us. We will never willingly share or sell any of your details with third party market companies without your consent.

3. Why does Lifestiles Limited need to collect and store personal data?

In order of us to provide you with a service we need to collect personal data for correspondence and purchasing purposes.  In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.

4. Recording of Communications

We do not record verbal communications but may take handwritten notes in the interest of efficiency and providing a better service.  Emails will be recorded for the purpose of quality assurance, training, fraud protection and compliance.

5. Your rights as a Data Subject

At any point while we are in possession of or processing your personal data, the data subject, have the following rights:

• Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have a right to correct data that we hold about you that is inaccurate of incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Right to object – you have the right to object to certain types of processing such as direct marketing.
• Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
• You have the right to complain direct to Lifestiles at dave@lifestiles.co.uk or the ICO through their website ico.uk if you feel your rights have been breached.

6. How we use your Personal Data

Lifestiles Limited will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR).  We will endeavour to keep your information accurate and up-to-date, and not keep it for longer than is necessary.  Lifestiles Limited is required to retain information in accordance with the law, such as information needed for income tax and audit purposes.  How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices.  Personal data may be held in addition to these periods depending on individual business needs.

We collect and process your personal data in order to:

• Perform contractual obligations between you and us, such as processing orders
• Conduct statistical analysis
• Improve the goods and services we offer to you
• Carry out security checks to prevent fraud
• Review purchasing preferences so we can better communicate to you
• Contact you with promotions, newsletters and competitions if you agree

7. Cookies

We use cookies to monitor how many times you visit our website, what pages you visit and where you are connecting from.  This helps us build a profile of our use base.  Cookies are a small text file that we store locally on your connecting device.

You can disable cookies on any browser but if you chose to do so some of our website functions may not work.

For further information please see our Website Cookie Policy.

8. Will Lifestiles Limited share your data?

We may share your Personal Data with third parties to provide services on our behalf such as delivery of goods, email communications and analysis of data to improve our goods and services we offer.

If we wish to pass any sensitive personal data onto a third party we will only do so once we have obtained your consent unless we are legally required do to otherwise.

We may also pass your details onto external agencies including law enforcement to help prevent unlawful activities.

9. Securing Personal Data

• Data is stored securely by RIO (IT) Ltd an ISO27001 company
• Nightly backups by Rio IT Ltd to AWS to ensure no data is lost
• Rio’s and AWS statements regarding GDPR can be viewed in Appendix I and II
• Payments are encrypted with trusted providers

Appendix I

GDPR DATA PROTECTION COMPLIANCE POLICY

Rio IT’s Policy For Processing Data

To ensure GDPR compliance Rio 9 (IT) Ltd. will:

• Only act upon the written instructions of our Clients (normally the Data Controllers).
• Be subject to a duty of confidence in regard to our Client’s (Lifestiles) data, and ensure the same of all relevant staff members.
• Ensure the appropriate measures are taken to ensure the security of the processing activities we carry out.
• Only engage a sub‐processor after provision of the sub‐processors privacy policy to the Data Controller for their approval and having obtained the written consent of the Data Controller.
• Assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
• Assist the Data Controller in meeting its GDPR obligations in relation to the security of data storage and processing, the notification of personal data breaches and data protection impact assessments.
• Ensure to delete or return all personal data to the Data Controller as requested at the end of any relevant contracts.
• Submit to audits and inspections, provide the Controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the Controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
• Train our staff to comply with these regulations.

Our Direct Responsibilities as a Data Processor under GDPR are to:

• Only act on the written instructions of the Controller (Article 29).
• Not use a sub‐processor without the prior written authorisation of the Controller (Article 28.2).
• Co‐operate with supervisory authorities (such as the ICO) in accordance with Article 31.
• Ensure the security of its processing in accordance with Article 32.
• Keep records of its processing activities in accordance with Article 30.2.
• Notify any personal data breaches to the Controller in accordance with Article 33 immediately on discovery

Rio IT’s Policy For Controlling Data

To ensure GDPR compliance as a Data Controller Rio IT Ltd will:

• Only collect & retain information necessary to transact with our customers and prospects.
• Ensure that revoked consent requests are managed with 48 working hours of revocation.
• Manage right to access within 7 days of request, unless otherwise specified in writing.
• Train our staff to comply with the regulations.

Subject Access Requests (Rio IT as the Data Controller)

Upon receiving a written subject access request Rio IT will:

• Ensure to verify the identity of the person requesting the information.
• Respond in writing within 30 calendar days with the requested information.
• If requested, initiate the right to erasure process.

Data Protection Breaches (Data Controller or Data Processor)

• Should there be a data breach, staff are trained to inform the Directors immediately. If the breach relates to our role as a Data Processor, they will without undue delay inform an authorised member of personnel at the Client (normally the Data Controller) and in either case will also inform the ICO within 72hours.

The information provided to the Client and the ICO will include:

• What has happened?
• When and how we found out about the breach?
• The people that have been or may be affected by the breach?
• What we are doing in response to the breach?

The Directors at Rio IT Ltd. are responsible for the compliance and maintenance of this policy.

Appendix II

Today, I’m very pleased to announce that AWS services comply with the General Data Protection Regulation (GDPR). This means that, in addition to benefiting from all of the measures that AWS already takes to maintain services security, customers can deploy AWS services as a key part of their GDPR compliance plans.

This announcement confirms we have completed the entirety of our GDPR service readiness audit, validating that all generally available services and features adhere to the high privacy bar and data protection standards required of data processors by the GDPR. We completed this work two months ahead of the May 25, 2018 enforcement deadline in order to give customers and APN partners an environment in which they can confidently build their own GDPR-compliant products, services, and solutions.

AWS’s GDPR service readiness is only part of the story; we are continuing to work alongside our customers and the AWS Partner Network (APN) to help on their journey toward GDPR compliance. Along with this announcement, I’d like to highlight the following examples of ways AWS can help you accelerate your own GDPR compliance efforts.

Security of Personal Data
During our GDPR service readiness audit, our security and compliance experts confirmed that AWS has in place effective technical and organizational measures for data processors to secure personal data in accordance with the GDPR. Security remains our highest priority, and we continue to innovate and invest in a high bar for security and compliance across all global operations. Our industry-leading functionality provides the foundation for our long list of internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5). AWS continues to pursue the certifications that assist our customers.

Compliance-enabling Services
Many requirements under the GDPR focus on ensuring effective control and protection of personal data. AWS services give you the capability to implement your own security measures in the ways you need in order to enable your compliance with the GDPR, including specific measures such as:

• Encryption of personal data
• Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing

This is an advanced set of security and compliance services that are designed specifically to handle the requirements of the GDPR. There are numerous AWS services that have particular significance for customers focusing on GDPR compliance, including:

• Amazon GuardDuty – a security service featuring intelligent threat detection and continuous monitoring
• Amazon Macie – a machine learning tool to assist discovery and securing of personal data stored in Amazon S3
• Amazon Inspector – an automated security assessment service to help keep applications in conformity with best security practices
• AWS Config Rules – a monitoring service that dynamically checks cloud resources for compliance with security rules

Additionally, we have published a whitepaper, “Navigating GDPR Compliance on AWS,” dedicated to this topic. This paper details how to tie GDPR concepts to specific AWS services, including those relating to monitoring, data access, and key management. Furthermore, our GDPR Center will give you access to the up-to-date resources you need to tackle requirements that directly support your GDPR efforts.

Compliant DPA
We offer a GDPR-compliant Data Processing Addendum (DPA), enabling you to comply with GDPR contractual obligations.

Conformity with a Code of Conduct
GDPR introduces adherence to a “code of conduct” as a mechanism for demonstrating sufficient guarantees of requirements that the GDPR places on data processors. In this context, we previously announced compliance with the CISPE Code of Conduct. The CISPE Code of Conduct provides customers with additional assurances regarding their ability to fully control their data in a safe, secure, and compliant environment when they use services from providers like AWS. More detail about the CISPE Code of Conduct can be found at: https://aws.amazon.com/compliance/cispe/

Training and Summits
We can provide you with training on navigating GDPR compliance using AWS services via our Professional Services team. This team has a GDPR workshop offering, which is a two-day facilitated session customized to your specific needs and challenges. We are also providing GDPR presentations during our AWS Summits in European countries, as well as San Francisco and Tokyo.

Additional Resources
Finally, we have teams of compliance, data protection, and security experts, as well as the APN, helping customers across Europe prepare for running regulated workloads in the cloud as the GDPR becomes enforceable. For additional information on this, please contact your AWS Account Manager.

As we move towards May 25 and beyond, we’ll be posting a series of blogs to dive deeper into GDPR-related concepts along with how AWS can help. Please visit our GDPR Center for more information. We’re excited about being your partner in fully addressing this important regulation.

Chad Woolf
Vice President, AWS Security Assurance