Our Commitment To Privacy
Data protection is of the utmost importance for the management of www.prestatynflowershow.co.uk. The processing of personal data, such as the name, address, e-mail address, or IP address of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to www.prestatynflowershow.co.uk. By means of this data protection declaration, we aim to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.
Who we are
This is a privately owned UK based website called www.prestatynflowershow.co.uk. The administrator and therefore the Data Processor of this website is Mr Graham Smith.
Our website address is: https://www.prestatynflowershow.co.uk
For any enquiries relating to privacy or GDPR, please contact us via:
privacy @ prestatynflowershow.co.uk
The Data Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
Prestatyn Flower Show
121 High Street,
What personal data we collect and why we collect it
We have identified an appropriate lawful basis (or bases) under GDPR for our processing, which primarily is Consent.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance our reputation.
- Consent requires a positive opt-in. We don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- We don’t do anything generally unlawful with personal data.
- We make it easy for individuals to withdraw your consent at any time, and publicise how to do so.
- We will act on withdrawals of consent as soon as we can.
- We don’t penalise individuals who wish to withdraw consent.
We have considered how the processing may affect the individuals concerned and can justify any adverse impact. We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified. We do not deceive or mislead people when we collect their personal data.
We are open and honest, and comply with the transparency obligations of the right to be informed.
Collection of general data and information
This website collects general data and information when a data subject or automated system accesses the website. This general data and information is stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our systems and infrastructure.
When using this general data and information, www.prestatynflowershow.co.uk does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimise the content of our website, (3) ensure the long-term viability of our systems and infrastructure and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. Therefore, www.prestatynflowershow.co.uk analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our organisation, and to ensure an optimal level of protection for the personal data we process. The anonymous data within relevant logs are stored separately from all personal data provided by a data subject.
Registration on our website
The data subject may opt to register on the website of the controller with the indication of personal data. What personal data is transmitted to the controller is determined by the respective input mask used for the registration. The personal data entered by the data subject is collected and stored exclusively for internal use by the controller, and for our own purposes. The controller may request transfer to one or more processors or sub processors that also uses personal data for an internal purpose which is attributable to the controller.
By registering on the website of the controller, the IP address-assigned by the Internet service provider (ISP) and used by the data subject-date, and time of the registration is also stored. The storage of this data takes place in the background and is the only way to prevent the misuse of our services, and, if necessary, to make it possible to investigate misuse of our systems and services. Insofar, the storage of this data is necessary to secure the controller. This data is not passed on to third parties unless there is a statutory obligation to transmit the data, or if the transfer serves the aim of criminal prosecution.
The registration of the data subject, with the voluntary indication of personal data, is intended to enable the controller to offer the data subject contents or services that may only be offered to registered users due to the nature of the matter in question.
The data controller shall, at any time, provide information upon request to each data subject as to what personal data is stored about the data subject. In addition, the data controller shall correct or erase personal data at the request or indication of the data subject, insofar as there are no statutory storage obligations.
In the case of incomplete registrations, our community software deletes un-validated users and incomplete users automatically for us after 7 days.
When visitors leave public comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Our website contains functionality that enables a quick electronic contact to our organisation, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address).
If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller is stored for the purpose of processing or contacting the data subject. There is no transfer of this personal data to third parties, unless necessary to deliver further correspondence or for mandatory legal compliance.
An automated check may be conducted for security reasons to reduce unlawful, unsolicited e-mail other wise known as spam. Details including username, email address and IP address will be processed accordingly.
We will keep contact form submissions for a certain period for customer service purposes (no longer than 12 months) or as required for compliance with other legislation, but we do not use the information submitted through them for marketing purposes.
The ICO states that session cookies stored for that session only (so they are deleted when the tab / window is closed) are OK as long as they are not used to profile users.
This is re-enforced by EUROPA:
Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:
- user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once he has logged in, for the duration of a session
- user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- load‑balancing cookies, for the duration of session
- user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
- third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. We utilise tools to create a floating cookie opt-in bar, and also a page showing which cookies are stored and why.
Further, existing cookies may be deleted at any time via an Internet browser or other appropriate software; a function that exists in all major Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website will be entirely usable.
Embedded content from other websites
Articles or user submitted content on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with and why
Google reCAPTCHA (Google Inc.)
Google reCAPTCHA is a SPAM protection service provided by Google Inc.
Personal Data collected: Cookies and Usage Data.
Invision Power Services (IPS.)
IPS Spam Protection is a SPAM protection service provided by Invision Power Services
Personal Data collected: Cookies and Usage Data.
How long we retain your data
If you leave a public content, a comment, the content, comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
To comply with accounting and legal requirements, we keep data on financial transactions in the systems above for up to 10 years.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username without permission). Website administrators can also see and edit that information.
Routine erasure and blocking of personal data
The data controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject to such as the UK.
If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements. If a statutory purpose for storing data no longer exists, all personal data and applicable purchase information is erased and purged from our system after a period of three (3) years.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Rights of the data subject
a) Right of confirmation / Right to be informed
Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her is being processed. If a data subject wishes to avail themselves of this right of confirmation, he or she may, at any time, contact the controller.
b) Right of access
Each data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
- the purposes of the processing
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
the existence of the right to lodge a complaint with a supervisory authority;
where the personal data is not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data is transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.
c) Right to rectification
Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.
d) Right to erasure (Right to be forgotten)
Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary (eg. in cases where a financial transaction has occurred):
- The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
- The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
- The personal data have been unlawfully processed;
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by us, he or she may, at any time, contact the controller. www.prestatynflowershow.co.uk shall promptly ensure that the erasure request is complied with in accordance with applicable laws and regulations.
Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, the personal data, as far as processing is not required. www.prestatynflowershow.co.uk will arrange the necessary measures on an individual basis.
When deleting members, we can elect to remove their content too. There is an option to keep it as Guest content, thus removing the author as identifiable.
e) Right of restriction of processing
Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use instead;
The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by www.prestatynflowershow.co.uk, he or she may at any time contact any employee of the controller. The employee of www.prestatynflowershow.co.uk will take the appropriate steps to restrict further processing.
f) Right to data portability
Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others. In order to assert the right to data portability, the data subject may at any time contact the site owner or website administrator staff.
We can provide your personal data in XML and CSV format upon receipt of positive proof of identification.
g) Right to object
Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR.
This also applies to profiling based on these provisions. www.prestatynflowershow.co.uk shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If we process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to www.prestatynflowershow.co.uk to the processing for direct marketing purposes, www.prestatynflowershow.co.uk will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by www.prestatynflowershow.co.uk for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In order to exercise the right to object, the data subject may contact www.prestatynflowershow.co.uk. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is not based on the data subject's explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject's explicit consent, www.prestatynflowershow.co.uk shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.
If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact www.prestatynflowershow.co.uk.
i) Right to withdraw data protection consent
Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.
If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact www.prestatynflowershow.co.uk.
Where we send your data
We do not knowingly send data to any third country without GDPR compliant, approved status and data protection. We utilise professional grade, servers based in secure USA located data centres, governed by the EU-US Privacy Shield agreement.
We also utilise Amazon S3 Cloud Storage and static content such as images are often distributed via professional CDNs (content delivery networks) provided by Amazon Web Services Cloudfront and Cloudflare with various international End-points. Your browser may connect to the endpoints to retrieve such static content and files from your nearest endpoint location, to improve performance, reduce download time, and for improved security such as Denial of Service or DDoS attacks.
Visitor comments and account registrations will be checked through an automated spam detection service. This is based in the United States.
Email and Notifications
Any and all existing mailing lists will commence afresh on May 25th 2018.
We may in future offer the opportunity to opt-in to receive occasional email marketing to communicate with customers and potential customers from time to time, such as a newsletter or content digest. Any current and future email lists and campaigns will be strictly and clearly “opt-in”, meaning we will not send you these sorts of emails unless you clearly indicate that you wish to receive them during signup or other interactions on our website, such as within your Account Settings dashboards.
Our software has the correct opt-in for bulk emails on registration that is not pre-checked. If the member checks this option, this is recorded with the member's history. Likewise, if they retract this permission, that action is also recorded.
We may send you regular transactional or “system” emails, such as new content, daily or weekly content digests where you have opted to follow content of interest or that you have contributed, automated password reset requests or payment notifications/receipts, even if you have not opted-in to email marketing lists.
When registering for an account, your email address, user/display name and IP address will be automatically checked against known internal and external spam and malware blacklist services for the protection of our website and its users. Your email address will then be used to send a validation email, to help you prove your identity and ensure you have entered correct details.
Registered members are always in full control of content notifications, whether they be browser-based or email-based. We conduct regular reviews to ensure any notification and contact emails are minimal and unobtrusive by default. You can tweak these settings to suit your preference at any time (via your account settings page).
All marketing and transactional emails sent by us will include an unsubscribe link in the footer of the email. Emails sent to you may include standard tracking, such as deliverability, open and click activity rates.
A notification is only ever sent after a user chooses to follow an item. This falls under legitimate interest.
There is also a clear way to stop receiving emails. The user can opt-in and opt-out of email as a notification device at their leisure.
How we protect your data
We only use professional software to provide and safeguard our services. We only use secure website hosting, content delivery networks, cloud hosting, SSL encryption and software. We subject our website and its encryption to regular third party security testing scans and audits. Further details available upon request.
We make regular backups of databases and website files.
We will never knowingly sell your personal data to third parties and never without your prior consent.
What data breach procedures we have in place
We will make every reasonable and expected effort to safeguard your public and personal data from physical and online theft, accidental loss, illegal or otherwise unauthorised activity, malware or hacking attempts as required by the GDPR, but ultimately no service provider can ever claim to be fully and completely secure. Therefore we encourage you to always adopt a sensible, risk based approach to your personal data sharing at all times, especially online and never share private or high risk information.
For advice on staying safe online, these are some recommended websites:
Should a data breach occur we will follow industry best practice, take immediate action to secure the affected service, and will notify you if we believe your personal data may have been affected or compromised. We will report any breach to the relevant authorities, both law enforcement and governing as required, including the ICO (Information Commissioners Office) accordingly.
Prestatyn Flower Show, c/o Bon, 121 High Street, Prestatyn, Denbighshire, LL19 9AS