GDPR Policy Eco Natural Products

GDPR Compliant

Data Protection Policy

Eco Natural Products

Your Data ?

At Eco Natural products we have always handled your data with the utmost integrity. With the New GDPR update from the EU council, it seemed like a good opportunity for us to become completely transparent about what data we have and what exactly we do with it. I feel it is important to note we have had to change very little to be compliant with the new GDPR rules as we have always been extremely careful with out data policy not just from a security aspect but an ethical one too

Do we share your data ?

Yes we do. It's impossible to run a business without sharing data with a 3rd party. For instance if you place an order with us we will share your data with our bank, they are a third party.  Then we will share your data with the postal service. They are another 3rd party. There will be a complete disclosure and breakdown of who we share data with and why later in this document.

Your rights under GDPR

You have 8 rights under GDPR

Data Requests

If you would like to know what data of yours we have, you can apply for a Data Subject Access Request. This applications can be used for: Access, Rectification, Erasure, Processing restriction, Portability.

To start the application you can either email or write to:

FAO Data Protection officer

Eco Natural Products

Unit 3b

8 Cowley Rd




We will reply to all applications within 30 days.

When starting you application please be clear about whose data you are requesting and what outcome you desire. Please bare in mind that as part of our due diligence in data security we are likely going to ask for ID.

Data Sharing

As explained early we share your data with certain third parties. Here is all of the parties we share your data with and why

Order Management:

This is our order management system, Although its a 3rd party platform, access is restricted to us and only used by them for things like maintenance.


PayPal is an online payment provider, Depending on your choice of payment method. We may have to share your info with paypal to complete a payment transaction.

Courier (mostly Royal mail)

You info will be shared with any courier for purposes of delivering your order, This is normally name, delivery address, phone number and email. In this case this information is only used for the purposes of delivery. We normally use Royal mail who will use a 3rd party delivery service for most overseas deliveries.


Bigcommerce is the platform that runs our website.

Get site Control

Get site control is a 3rd party platform that we use to manage some of our pop ups and buttons. They use cookies to tell how many people look at and click on each button.

Email Marketing

This is the company we use for our marketing emails. Things like our monthly newsletter. So they will handle your email address and cookies when you sign up to things like our newsletter. They do share your email with other companies only us will be sending you emails using these lists.

They also use cookies to generate analytics. This means we can see how many people opened emails or clicked on links. This helps us maintain a high quality standard for relevant content and helps us in customer conversion.


We use google analytics. This does not capture personal data so much as uses delicious internet cookies to track your movement around our website. We can’t track you specifically but your data is included in statistics so we can see for example how long an average user spends on the home page. This is important to help our customer conversion rate but also identify faults and breakdowns.

Barclays PLC, Paypal, BrainTree (and maybe some other payment providers)

Naturally we share info with payment gateway providers for the purposes of charging you for an order.


I hope this helps put you at ease. I is my desire that by openly sharing this you can see we are only sharing your data for necessary purposes with reputable companies. I think this will also help you understand what sort of things we are doing with your data and the reasons we are doing this. If you have any questions or concerns please feel free to email 

Please see below our more in depth policies.


What is a cookie.

A cookie is a code, It works kind of like an id badge for your computer. When you visit our site, Our website will give a cookie to your browser to hold on to.

When you come back to our site on another occasion your web browser will show its cookie to our website. Our website will then recognize your computer.

What do cookies do ?

We use cookie for tracking, This can be in the form of analytics or automations, here is some examples of what we use cookies for.

Personal preferences - Our site is in GBP, But if you are shopping in the EU you likely want to shop in EUR, If change the currency to EUR our site will remember that, and when it see your cookie again will automatically swap to EUR for you.

Analytical/performance. They allow us to recognise and count the number of

visitors and to see how visitors move around our website when they are using it. This

helps us to improve the way our website works, for example, by ensuring that users are

finding what they are looking for easily.

Security - Our website will know if a computer without or with a different cookie tries to sign into your account.

Functionality, We use cookies to make sure we are not showing you the same pop up over and over. Say you sign up to our newsletter. Our website will recognize you cookie and know you have signed up to our newsletter, So it won't show you that pop up again.

You can see our full cookies policy at



Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. Our business must comply with the requirements of the General Data Protection Regulations (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).

Upon receipt of a request for information our internal policy is as follows:


Andrew Roberts is responsible for the handling of Subject Access Requests (SAR) in our business.

The duties of Andrew Roberts include but are not limited to:

Oral or written requests

Subject access requests can be made in writing, electronically or verbally.

If a member of staff is in any doubt if a certain situation has given rise to a SAR, contact Andrew Roberts by email ( providing full details of the incident. Staff should do this without delay and certainly within [TWO] business days.

Where a member of staff receives a subject access request, they must email the relevant information to Andrew Roberts| Email: | without delay and certainly within [TWO] business days.

How do we verify the requestor’s identity?

The requestor must supply valid evidence to prove their identity.

We may verify the requestor’s identity either through a phone call where we ask questions that only the requestor will know the answers to or by requesting forms of identification.

We accept the following forms of identification:

Named utility bills

Recognised photo ID

Statements from recognised bodys

Please bare in mind that the requirements for ID may vary on a case to case basis to ensure necessary security is being observed for each case.

[Examples include:

• Current UK/EEA Passport

• UK Driving Licence

• Financial Statement issued by bank, building society or credit card company

• Utility bill for supply of gas, electric, water or telephone landline]

How to process the request

Our aim is to determine what information the requestor is asking for. If the request is not clear, or where if we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.

We must verify whether we process the data requested. If we do not process any such data, we must inform the data subject accordingly.

We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.

Any employee, who receives a request from Andrew Roberts to locate and supply information relating to a SAR, must make a full exhaustive search of the records which they are responsible for or owns. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, paper records in relevant filing systems.

Andrew Roberts should check whether the data requested also involves data on other data subjects and make sure this data is filtered before the requested data is supplied to the requestor; if data cannot be filtered, ensure that other data subjects have consented to the supply of their data as part of the SAR.

All the information that has been requested must be provided unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we will explain acronyms, codes or complex terms.

No charge to comply with the request (with exceptions)

We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. We understand that this does not mean that we can charge for all subsequent access requests.

Where applicable, Andrew Roberts will determine the ‘reasonable fee’ that must be based on our administrative cost of providing the information.

Excessive, manifestly unfounded or repetitive requests

Where requests are manifestly unfounded, excessive and repetitive, we may refuse to act on the request or charge a reasonable administration fee. Andrew Roberts will make a decision on this.

Andrew Roberts must provide information on our decision to the requestor in writing within 30 days and must state how they reached their decision.

Complex requests

As stated we have to respond to a SAR within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days.

Where we decide not take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.

Our response to the requestor

After processing the SAR, our response to the requestor should include:

How to handle exemptions?

If a member of staff believes that we have a valid business reason for an exemption, please inform the Andrew Roberts without delay by email to  

Exempt information must be redacted from the released documents with an explanation of why that information is being withheld.


Where a requestor is not satisfied with a response to a SAR, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioners Office or take legal action against us.

Breach statement

Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.


This is the Data Breach Policy of Eco Natural Products.


The General Data Protection Regulation (GDPR) is based around six principles of handling of personal data. We must comply with all six principles as a business; otherwise we’ll be in breach of the GDPR. We understand that the principles give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.


The GDPR requires that we must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. This policy sets out how we deal with a data security breach.

What is a personal data breach?

The Information Commissioner’s Office states that a personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

Action to be taken in the event of a data breach

1.        Containment and recovery

The immediate priorities are to:

In the event of a security incident or breach, staff must immediately inform Andrew roberts.

Andrew Roberts will take the lead on investigating the breach. In the event where Andrew Roberts is absent for whatever reason, Andrew Roberts  will take the lead on investigating a breach.

Steps to take where personal data has been sent to someone not authorised to see it:

2.         Assessing the risk

Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen.

Examples of the type of questions to consider:

What type of data is involved?

How sensitive is it?

If data has been lost or stolen, are there any protections in place such as encryption?

What has happened to the data?

i.e. If stolen, could it be used for purposes which are harmful to the individuals to whom the data relate?; if it has been damaged, this poses a different type and level of risk

Estimate how many individuals’ personal data are affected by the breach

Who are the individuals whose data has been breached?

Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks

What harm can come to those individuals?

Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?

Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide?

Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause

3.         Notifying the ICO and individuals, where relevant

a) Who is responsible?

In our business, Andrew Roberts is the point of contact for staff and the ICO on this policy and on all matters relating to data protection.

Andrew Roberts is also responsible for notifying the ICO and individuals (where applicable) of relevant personal data breaches.

b) What breaches do we need to notify the ICO about?

When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we must notify the ICO; if it’s unlikely then we don’t have to report it.

If we decide we don’t need to report the breach, we need to be able to justify this decision, and we should document it.

c) When to notify the ICO and dealing with delays

Notifiable breaches must be reported to the ICO without undue delay, but not later than 72 hours after becoming aware of it.

If we don’t comply with this requirement, we must be able to give reasons for the delay.

In some instances it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. Where that applies we should provide the required information in phases, as long as this is done without undue further delay.

d) Breach information to the ICO

When reporting a breach, we will provide the following information:

e) Individuals

Where notification to individuals may also be required, Andrew Roberts will assess the severity of the potential impact on individuals as a result of a breach and the likelihood of this occurring. Where there is a high risk, we will inform those affected as soon as possible, especially if there is a need to mitigate an immediate risk of damage to them.

g) Information to individuals

Andrew Roberts will consider who to notify, what we are going to tell them and how we are going to communicate the message. This will depend to a large extent on the nature of the breach but will include the name and contact details of our data protection officer (where relevant) or other contact point where more information can be obtained; a description of the likely consequences of the personal data breach; and a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

The breach need not be reported to individuals if:

In the case of a breach affecting individuals in different EU countries, we are aware that the ICO may not be the lead supervisory authority. Where this applies, Andrew Roberts should establish which European data protection agency would be the lead supervisory authority for the processing activities that have been subject to the breach.

h) Third parties

In certain instances Andrew Roberts may need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.

i) Document all decisions

Andrew Roberts must document all decisions that we take in relation to security incidents and data breaches, regardless of whether or not they need to be reported to the ICO.


4.         Evaluate our response and mitigation steps

We investigate the cause of any breach, decide on remedial action and consider how we can mitigate it. As part of that process we also evaluate the effectiveness of our response to incidents or breaches. To assist in this evaluation we consider:

  • What personal data is held, where and how it is stored
  • Risks that arise when sharing with or disclosing to others

  • This includes checking the method of transmission to make sure it‘s secure and that we only share or disclose the minimum amount of data necessary
  • Weak points in our existing security measures such as the use of portable storage devices or access to public networks
  • Whether or not the breach was a result of human error or a systemic issue and determine how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps
  • Staff awareness of security issues and look to fill any gaps through training or advice
  • The need for a Business Continuity Plan for dealing with serious incidents
  • The group of people responsible for reacting to reported breaches of security