MyPillow Limited

Data Protection & Privacy Policy (GDPR)

  1. Introduction

    1. MyPillow Ltd. will from time to time need to obtain, store and appropriately manage information on individuals including and not limited to customers, staff, contractors and suppliers. Information relating to a living individual is considered to be ‘personal information’ for the purposes of the GDPR and Data Protection laws.
    2. The Data Protection legislation including the General Data Protection Regulation (GDPR) sets out the obligations and responsibilities of organisations that manage personal information. MyPillow Ltd has adopted this Policy to ensure compliance with GDPR and other Data Protection legislation.
    3. This Policy should be updated annually or when is deemed appropriate to accommodate any key changes in legislation or practice. 

  2. Purpose of this Policy

    1. This Policy sets out the responsibilities of MyPillow Ltd and its staff including contractors, that are in place to ensure compliance with the provisions of GDPR and other Data Protection legislation. Additional training, guidance and support may be necessary in some cases, for certain individuals to ensure effective compliance. Individuals should consult with the Managing Director to determine what may be suitable.

  3. Policy Statement

    1. MyPillow Ltd. is committed to protecting the rights and freedoms of individuals in respect of processing their personal information and will do so in accordance with GDPR legislation and good practice.
    2. This document sets out responsibilities and actions that MyPillow Ltd will take to meet this commitment.

  4. Scope

    1. This Policy applies to all staff and contractors when appropriate. All personal data created, collected, stored and processed through the business dealing of MyPillow Ltd. will be managed in line with this Policy, where MyPillow Ltd holds the role of Data Controller. (A Glossary of Terms is provided in Appendix A).

  5. Responsibilities of Staff

    1. The Managing Director as overall responsibility for, and ownership of, the Policy.
    2. Members of the Board of Directors are responsible for endorsing, implementing and supporting the Policy and any amendments.
    3. All staff and contractors must take responsibility for ensuring that the processing of personal data is in accordance with the Policy.

  6. Data Protection Principles

    1. To comply with Data Protection legislation the business must operate in accordance with the six Data Protection Principles set out in GDPR. These Principles ensure that personal information is collected and used fairly, stored safely and not disclosed unlawfully. The principles are:
      1. Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner.
      2. Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes. Further processing for archiving or statistical purposes is permissible.
      3. Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
      4. Accuracy: Personal data shall be accurate and where necessary kept up to date.
      5. Storage Limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
      6. Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  7. Records of Processing Activities

    1. GDPR requires Data Controllers to maintain a register of processing activities that record information relating to the processing of personal data carried out.
    2. MyPillow Ltd. will maintain an Information Asset Register (IAR) to capture these requirements which include: the purpose of the processing, the types of individuals about which information is held, who the personal information is shared with and when personal information is transferred to countries outside the UK.

  8. Transferring Data Outside the European Union

    1. Personal data can only be transferred out of the European Union to third countries under certain circumstances. This also applies to data transferred via cloud services. MyPillow Ltd. will assess whether an adequate level of protection is provided for the data, taking into consideration information security arrangements and implementing contracts and/or Data Processing Agreements. Post Brexit, the UK will likely be treated as a third country and any information sent to it from the EU will be subject to the adequacy test and will require legal safeguards to be in place. UK Data Protection Law will still apply.

  9. Legal basis for Processing Information

    1. MyPillow Ltd. will ensure that there is a legal basis to process personal data and special categories of data. This will be recorded in the Information Asset Register (IAR). (The conditions for lawful processing are provided in Appendix C).

  10. Consent

    1. MyPillow Ltd. will ensure that where consent is the legal basis for processing this consent meets the standards required within GDPR. In particular:
      • Data Subject will take a positive action to provide consent that is explicit and freely given.
      • Consent will be separate from other terms and conditions.
      • Consent will not be a precondition of a service.
      • Consent will be specific and granular.
      • Data Subjects will be able to withdraw consent at any time and the process for withdrawing consent will be as easy as it was to give consent.
      • Evidence of consent will be retained.
      • Consent will be kept under review and renewed as required.
      • Where the data subject is under the age of 18, special protections will be put in place whereby consent is obtained from a parent or guardian who is allowed to provide that consent on the individuals behalf. Further, privacy notices must be written in wording that is understandable to a child.

  11. Individuals Rights

    1. MyPillow Ltd. will ensure arrangements are made to provide for the rights available to Data Subjects under GDPR. Data subjects have rights to request the following information about their data:
      • identity and contact details of the Data Controller
      • purposes and legal basis of the processing
      • legitimate interests where appropriate
      • any recipients
      • any data portability, overseas transfers
      • the storage period or criteria for deletion
      • the right of access (the organisation will ensure it can identify a subject access request and comply with it within a month of the request)
      • the right to rectification or erasure
      • the right to restrict processing and withdraw consent if it is based on processing
      • whether the provision of data is required and possible consequences of failure to provide the data
      • whether any automated decision making and profiling is carried out
    2. Data Subjects have the right to complain to the supervisory authority (e.g. the ICO in the UK) and should be informed of this right.

  12. Direct Marketing

    1. MyPillow Ltd. will comply with the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) when undertaking direct marketing via telephone, text and email.
    2. MyPillow Ltd. will ensure that Data Subjects give the necessary consent for direct marketing. Data subjects will also be informed of, and able to request that, the use of their information for direct marketing purposes ceases. Consent should be refreshed every 36 months.

  13. Retention & Disposal

    1. MyPillow Ltd. will develop, maintain and implement procedures to retain personal data for the length of time the data is required for the specific purpose for which it was collected.
    2. Certain personal data will be retained permanently by MyPillow Ltd. as part of the MyPillow Ltd. archive.

  14. Privacy by Design

    1. MyPillow Ltd. will consider the impact on data privacy during all processing activities. This includes implementing measures to ensure that privacy and the protection of data is considered during the design stage of a process, programme, activity and initiative, and to use appropriate technical and organisational measures to minimise the risk to personal data.
    2. Data Protection Impact Assessments (DPIAs) may be undertaken as a method through which to identify and examine the impact of new initiatives and putting in place measures to minimise or reduce privacy risks.
    3. To reduce the risks associated with handling personal data, techniques such as pseudonymisation and anonymisation will be implemented.

  15. Information Security

    1. MyPillow Ltd. staff and contractors must ensure
      • any personal data which they hold is kept securely, protecting the confidentiality, integrity and availability of information;
      • personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party; and
      • any data breaches are detected, investigated and reported to the ICO (and in some instances the individual too).

  16. Information Breach Management

    1. Information Incident Management reports will record information breaches and enable breaches to be reported. Procedures will ensure that MyPillow Ltd. personnel or associated personnel is able to report any breach that is likely to result in a risk to the rights and freedoms of Data Subjects to the Information Commissioner’s Office promptly, and within 3 business days of becoming aware of the breach.

  17. CCTV

    1. CCTV is used for the purposes of public safety and security and where consent has been received. CCTV footage may be used for investigations or proceedings arising under the relevant regulations and MyPillow Ltd. policies.

  18. Cookies

    1. operates on the Shopify platform and as such, calls upon Shopify technology to manage the functionality of our web site. The following link offers all of our site visitors information as to the Cookie Policy that we have in place as a merchant operating with Shopify technology.

Appendix A – Glossary of Terms

Anonymisation The process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.
Automatic decision-making Making a decision solely by automated means without any human involvement.
Data Controller Natural or legal person, public authority, agency or other body who determines the purposes and means of processing personal data.
Data Processor Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Impact Assessment (DPIA) A tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.
Data Subject Identified or identifiable natural person.
Direct Marketing The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. This covers all advertising or promotional material.
Personal data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling Automated processing of personal data to evaluate certain things about an individual.
Pseudonymisation Procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms.
Special Categories of Data Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Information relating to criminal convictions and offences are not included but should be offered the same level of protection.
Staff Staff includes employees, casual workers and any other individual temporarily fulfilling a role normally held by a member of staff (e.g. agency worker, self-employed contractor).
Third Country Country outside the European Union.

Appendix B – Data Protection Officer

The contact details are:
Alex Wade
Managing Director MyPillow Ltd
Unit E, Quinn Close
Seven Stars Industrial Estate Coventry CV3 4LH ENGLAND

Appendix C – Conditions for Processing Data

Conditions for Processing Personal Data (Article 6 (1), GDPR)

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party; except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject; which require protection of personal data, in particular where the data subject is a child.

Point (6) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Conditions for Processing Special Categories of Data (Article 9 (2))

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. processing relates to personal data which are manifestly made public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  9. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; L 119/38 EN Official Journal of the European Union 4.5.2016;
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Call to order