Data protection

Drinx.com T/A Drinx!



Introduction to GDPR

The General Data Protection Regulation will come into effect on the 25th of May 2018 and will replace the existing Data

Protection Act (1998). GDPR is designed to protect personal data and the privacy of citizens across Europe. The UK’s decision to leave the EU will not affect the Regulation.


Our Commitment

We are committed to ensuring the security and protection of the personal information that we process and to achieving compliance with GDPR prior to the implementation deadline in May. We have an effective data protection programme in place however we recognise our obligations in updating and expanding this programme to meet the demands of the GDPR.


Our preparation and objectives for GDPR compliance include the development and implementation of new data protection policies, procedures and controls to ensure maximum compliance.


Overview of the steps we are taking










The GDPR defines personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 4(12)).


The data Controller provides the data records, then determines the purposes and means of processing personal data.


A Processor is responsible for processing personal data on behalf of a Controller.


Typically for Drinx.Com Ltd this will involve receiving the relevant data, uploading to our sales ordering system for the sole purpose of dispatching the goods via a courier.


The data required by Drinx.Com Ltd as a Processor is both billing title, full name and address, postcode plus e-mail and contact telephone number and delivery title, full name and address, postcode with the additional option of providing a telephone number purely to be used in the event of a delivery query.


Who should Drinx.Com Ltd notify a data breach to and when?

Within its role as a data Processor, Drinx.Com Ltd shall notify the Controller without undue delay after becoming aware of a data breach. Both organisations will maintain documentation on data breaches, their nature and the remedial actions taken.


As per article 33 of the GDPR: In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.


The breach resulting in a risk to the rights and freedoms of individuals also has to be communicated to the individuals affected. The notification has to be made without undue delay and within 72 hours after the Controller becomes aware of it.


Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Should it not be possible to provide the information at the same time, the information may be provided in phases without undue further delay.


What should the notification include?

The GDPR specifies that the notification to the ICO, and therefore communicated between the Processor and Controller, must include:


Steps taken by Drinx.Com Ltd to avoid a data breach

To avoid a data breach occurring Drinx.Com Ltd have taken the following steps:


This website uses cookies to ensure you get the best experience on our website. Learn More.
Got it