MAY 2018

Who Are We?

At Green Tornado, we are committed to maintaining the trust and confidence of our clients and visitors to our web site. We want you to know that Green Tornado is not in the business of selling, renting or trading email lists with other companies and businesses for marketing purposes. Below we have clearly outlined our procedures and strategy, to support GDPR and become compliant, and to safeguard everyone’s personal data. All our employees are aware and trained to deal with data in a responsible way under the guidelines of GDPR.

What types of data do we hold?

  • Database Data
    • Name
    • Address
    • Telephone number
    • Email Address
    • Card receipts from client
    • Website name

  • Website Cookies
  • When someone visits we use a third-party service called Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make any attempt to find out the identities of those visiting our website.

    If we ever need to email a prospective client we always ensure that a clearly marked ‘unsubscribe’ button is available, and we do not send to individuals, only business, as per the guidelines for legitimate interest under the General Data Protection Regulations.

    We make every effort to make sure that anyone contacted has the ability to opt-out of any correspondence from us with ease. This is usually done by the presence of a link within an email or alternatively you can email

Who has access to my data?

  • All of Green Tornado staff.

Why are we holding it?

  • We use your data only for mailouts and campaigns to existing customers, business contracts and day to day reference to contact customers following guidleines set by GDPR.

How did we obtain it?

  • From the customer buying a product from us
  • A data company
  • Public domain (companies house)
  • From an online form with a consent checkbox

How long will we retain it?

  • We will not keep your personal data for any longer than is necessary.
  • We make daily backups and hold a total of 30 backups, therefore it will take a certain amount of time for your data to be excluded from our backups. If any of our backups were ever restored then your data also would be cross checked and deleted from the database before the database was deemed useable.

How secure is the data?

  • We never share data with third parties, and will never do so.
  • We use an antivirus software with endpoint security on our whole network, this includes malware and covers our Wi-Fi network also. The software auto updates and renews on a periodic basis.
  • We employ firewalls with a tightened security on all our servers.

How do we deal with security breaches?

  1. We will change any passwords within 24 hours of notification of any breach
  2. The legal obligation for companies to inform data authorities and consumers about breaches of data security, is within 72 hours of them occurring.
  3. We will email you the following information: –
    • A description of the nature of the breach, if affected.
    • A name and contact details of someone who is dealing directly with the breach.
    • A description of the likely consequences of the breach.
    • A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Our password policy

We enforce a password policy that is secure and has a set period of time for passwords to be changed on our systems.

Do you share my personal data?

We will not share any of your personal data with any third parties for any purposes, except where it is necessary for the performance of a contract or where we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

Where do you store my data?

We store your data internally on servers that are backed up daily. We also store an offsite back up incase fire risk. They are protected by a strong firewall and have antivirus and malware protection at all times.


Under the GDPR, you have the following rights, which we will always work to uphold:

1) Right to information

This right provides you with the ability to ask Green Tornado for information about what personal data is being processed and the rationale for such processing.

2) Right to access

This right provides you with the ability to get access to your personal data that is being processed. This request provides the right for you to see or view your own personal data, as well as to request copies of the personal data.

How can I access my personal data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a ‘Subject Access Request’.

All subject access requests should be made in writing and sent to the email or postal addresses provided in this Privacy Statement.

Who can make a rights request and how?

A rights request can be made by an individual or an individual’s legal representative. Such individual could be a customer, an employee, or personnel of a supplier working for the company. Also, such request should usually be made in writing and sent to the email or postal addresses provided in this Privacy Statement.

3) Right to rectification

This right provides you with the ability to ask for modifications to your personal data in case you believe that this personal data is not up to date or accurate.

4) Right to withdraw consent

This right provides you with the ability to withdraw a previously given consent for processing of your personal data for a purpose. The request would then require that Green Tornado stop the processing of the personal data that was based on the consent provided earlier.

5) Right to object

This right provides you with the ability to object to the processing of your personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when you ask that your personal data should not be processed for certain purposes while a legal dispute is ongoing in court.

6) Right to object to automated processing

This right provides the data subject with the ability to object to a decision based on automated processing. Using this right, you may ask for your request to be reviewed manually, because you believe that automated processing may not consider the unique situation of the customer.

7) Right to be forgotten

Also known as right to erasure, this right provides you with the ability to ask for the deletion of your data. This will generally apply to situations where a customer relationship has ended. It is important to note that this is not an absolute right and depends on your retention schedule and retention period in line with other applicable laws.

8) Right for data portability

This right provides you with the ability to ask for transfer of his or her personal data. As part of such request, you may ask for his or her personal data to be provided back to you or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.

Any questions relating to our ‘Data Processing’ activities should be sent by email to
or in writing to Green Tornado, Victoria House, 2 Britannia Road, Brentwood , Essex, RM14 5LD. Alternatively, you can call us on 01277 849161.