GDPR

This article provides information about your data processed by or through our website in a more accessible, descriptive and friendly way than our Privacy Policy.
Under the GDPR (General Data Protection Regulation) legislation introduced in May 2018, you have a right to know what information we hold about you, how we process that information and who we share the information with. The legislation also gives you the right to edit or delete any information about you that we hold.

Any personal information we hold is stored in a database on our website hosting server. Access to the database is restricted to the site admin/developer (1 person) and through automated processes associated with the shop or account functions of the website.

Definitions:
Guest – a person who orders and checks out without logging in.
Account Holder – a person who has registered an account on the JPB Music website and who orders and checks out whilst logged in.

Guests

If you visit our website, make an order and checkout as a Guest, this section details the information we store about you and how we use your information in our processes.
When you check out as a Guest, we process your data under the lawful basis of ‘Contract’. As such, all information taken is necessary for us to fulfil the contract.
Please note the following quote from the GDPR guidance:

‘Necessary’ does not mean that the processing must be essential for the purposes of performing a contract or taking relevant pre-contractual steps. However, it must be a targeted and proportionate way of achieving that purpose.

The details you enter in the checkout form (name, billing address, shipping address, telephone number, email address) are used solely to process your order. The information marked as required on the form is essential for us to fulfil our side of the sales contract with you. The other information is optional and allows us to more easily deal with any issues that arise with the order. The name and address are used to ensure delivery of the order to the correct person and address.
The email address is used to inform you of any problems with payment, to let you know we have received the order and to let you know when the order is sent out. The phone number may also be used to contact you regarding any problems with payment or the order details.
The personal data associated with your checkout is not used for any other purpose and is only held in relation to that specific order. Order details are retained for the purposes of company accounting and to allow us to identify customers in order to process refunds or exchanges. All personal information provided whilst checking out is stored only as part of the order details and is only processed or used in relation to that specific order.

Information that will be held as part of the order details:
-Name
-Billing Address
-Shipping Address
-Email Address

Information that may be held as part of the order details (if given by the customer):
-Phone Number
-Company Name

Account Holders

If you register an account on the JPB Music website, you will have read a paragraph of text informing you that your details are stored as ‘account data’.
Storing and processing the account data allows you to view previous orders and re-order quickly, and allows us to detect if you are eligible for discounted pricing or other special offers and possible other account holder privileges such as a points and rewards system. The account data is NOT shared with any 3rd party and is used only by JPB Music in relation to JPB Music account privileges and activities.

Your data as an Account Holder is held and processed under the lawful basis of Legitimate Interests.
For more information on the Legitimate Interests basis please visit this link. A copy of our Legitimate Interests Assessment (LIA) can be supplied on request.

The account data we store allows us, when you are logged in, to prefill checkout information. The actual processing of the checkout, however, is still under the basis of Contract and the information is used for the same purposes as per a guest checkout. The name and address are used to deliver your order to you, the email address is used to confirm your order, let you know when the order has been sent out and to let you know if there are any problems with your order. Your email address is also used as an alternative identifier to your username allowing you to log in to your account. Your details are stored as part of the order information for the purposes of processing that order and to process any refunds/exchanges or sort any problems in relation to that order.

Your account id is also linked (by associating it with the order id) to any orders you make whilst logged in so that we can allow you to view your previous orders easily (for your reference, accounting purposes, ability to quickly re-order etc.) and your account type is checked in order to display the correct discount pricing if applicable and any other special offers restricted to account holders.

Payment Information

Payment information is not entered through our systems and is therefore neither processed nor held by us. When you are taken to the payments page, that page is held on and served by the Inspire Payments (our payment processor) servers, which process the entire transaction. We do not have access to any of the personal data used to make the payment. The data passed back to JPB Music is not classified as personal data (the amount of the transaction, success or otherwise of the transaction including any associated reasons given, order number etc.).

Sharing of Data

Put simply, there is no sharing of data with any 3rd parties, except when we are legally obliged to do so. All personal information entered through the JPB Music website, whether as part of the checkout process or as part of your registration and account details, is processed solely by JPB Music.

GDPR Requests

In order to exercise your rights to view, edit, have edited, have removed, withdraw consent or object to processing of your data, you need to send us a request (with the exception of account holders who wish to edit their account information which they can do easily themselves from their My Account page).
In order to make a request, please contact us via gdpr@jpbmusic.com
We will review the request and reply within 28 days.
If we need you to prove your identity, you may be asked a question or two about a previous order so we can confirm you are indeed the person you claim to be.

Viewing The Data We Hold About You

Part of the GDPR is your right to view the data an organisation holds in relation to you.
When we approve your request to view your data, you will be sent an email with a unique link to a page which will show you all the data we hold about you.
This link will automatically expire in 48 hours.
The data is provided free of charge for the first request in any 3 month period. Any further requests within that 6 month period will incur an administration charge of £5. The 3 month period runs from the last date you asked to view your data.

Editing Your Data

Another right given to you by the GDPR is the right to be able to easily rectify or complete the data we hold about you.
If you are an account holder, please login and in your account dashboard you are able to change your name, username, email address, telephone number, company name, shipping address and billing address. In short, all the personal details we hold about you for account purposes.

Please note that changing details in your account page will not retroactively change details on your previous orders that are linked to that account, as order data is held separately from account data. If you were known as John Smith for an order and subsequently change your account name to Judy Smith, the previous order linked to your account will still have John Smith on the order details. If you wish us to make changes to details on previous orders, please put in a request in the usual way.

If you are not an account holder, you can still change the details we hold about you. If you wish to do so, please contact us with the details you wish to change and we will make the changes.

You will be contacted via your chosen method within 28 days with confirmation of the actions taken or, if we have refused the request, details of the refusal and the reasons.

Deleting Your Data

You also have the right to have deleted any data an organisation holds about you. However, this right does have exceptions and only applies in certain situations.
To quote the ICO’s guidance on this right: “The right [to have your data deleted] is not absolute and only applies in certain circumstances.”

In our case, we need to retain order information for a certain length of time in order to fulfil contractual obligations and abide by other laws, for example your rights to return or refund. We hold personal details as part of the order data for the length of 6 years after the transaction has completed, after which personal data is automatically anonymised.

Caveat

All requests to edit or remove data are subject to refusal on the grounds that the data is to be kept either to comply with legal obligation, or for the establishment, exercise or defense of legal claims as set out in the legislation and summarised in the ICO guidance.