GDPR Data Policy
B2B Mobile Wholesalers (Trade Customers Only)
Last updated: 2 February 2026
1. Purpose of this GDPR Data Policy
This GDPR Data Policy explains the data protection standards, governance and operational controls used by Orso Distribution NI Limited (trading as B2B Mobile Wholesalers) to ensure personal data is handled lawfully, securely and transparently across our business activities.
This policy is intended to:
- demonstrate our commitment to data protection compliance in the UK and Europe;
- provide clear information to trade customers, partners and business contacts;
- describe how we embed the GDPR principles into day-to-day operations;
- explain how we respond to requests, concerns and incidents.
This page is written for a B2B trade environment. We supply wholesale electronics to professional buyers (resellers, retailers, exporters, refurbishers and other commercial entities). While our services are B2B, we still process personal data (e.g., business contact details, delivery contacts, account manager communications and compliance checks) and we treat that data with appropriate care.
This GDPR Data Policy should be read together with our:
- Privacy Policy (how we collect/use personal data)
- Cookie Policy (how we use cookies and similar technologies)
- Terms & Conditions (trade contracting framework)
2. Who we are and how to contact us
- Data Controller: Orso Distribution NI Limited (trading as B2B Mobile Wholesalers)
- Company Number: NI699955
- VAT Number: XI485910755
- Registered Office: 4 Hill Street, County Down, Newry, BT34 2BW, Northern Ireland
- Trading Address: Weavers Business Park, Building 7, Linfield Road, Belfast, BT12 5GH, Northern Ireland
- Email: [email protected]
- Telephone: +353 89 944 4128
3. The legal framework we follow
We aim to comply with all applicable data protection laws and standards relevant to our operations, including:
- UK GDPR and the UK data protection regime (including the Data Protection Act 2018)
- EU GDPR (Regulation (EU) 2016/679) for relevant EU/EEA business interactions and cross-border processing contexts
- UK rules on cookies and certain electronic marketing activities (PECR), where relevant to our website and communications
UK–EU data flows
Because we trade across the UK and Europe, we consider cross-border data transfers in our vendor management and systems design. The EU has recognised the UK’s data protection framework as essentially equivalent through an adequacy mechanism (subject to review and renewal cycles). We monitor regulatory change to ensure ongoing compliance.
4. GDPR principles: our baseline standards
We apply the GDPR principles as the foundation of how we handle personal data. These are set out in GDPR/UK GDPR Article 5 and form the core of our approach.
4.1 Lawfulness, fairness and transparency
- We process personal data only when we have a lawful basis.
- We communicate clearly through our Privacy Policy and related notices.
- We avoid hidden processing and do not sell personal data.
4.2 Purpose limitation
- We collect data for specified, explicit, legitimate purposes (e.g., trade account management, fulfilment, fraud prevention).
- We do not reuse data for unrelated purposes without a lawful basis.
4.3 Data minimisation
- We collect only what is relevant and necessary for trade operations.
- We limit optional fields in forms and avoid collecting sensitive data unless essential.
4.4 Accuracy
- We maintain reasonable measures to keep business contact and order data accurate.
- We correct inaccurate personal data when notified.
4.5 Storage limitation
- We keep data only as long as necessary for legal, operational, or contractual needs.
- We apply retention rules (see section 12).
4.6 Integrity and confidentiality (security)
- We implement technical and organisational measures appropriate to risk (see section 10).
4.7 Accountability
- We document decisions, processes and controls.
- We maintain policies, logs and evidence of compliance where appropriate, including vendor records and incident logs.
5. What personal data we handle in a B2B wholesale environment
Even in a B2B setting, we process personal data relating to identifiable individuals, commonly including:
5.1 Trade account and contact data
- names, job titles, work email addresses, work phone numbers;
- buyer and accounts contact details;
- relationship history (account manager notes, communication logs).
5.2 Order and fulfilment data
- shipping contacts and phone numbers;
- delivery addresses where a named individual is a delivery recipient;
- invoice references and transaction metadata.
5.3 Website and security data
- IP addresses and technical identifiers (for security, performance and fraud prevention);
- cookie identifiers where consented (see Cookie Policy).
5.4 Verification and risk controls
Depending on trade terms and risk profile, we may process:
- VAT numbers and business registration information;
- proof of trading details (e.g., address confirmation);
- limited director/beneficial owner identifiers when necessary for anti-fraud and due diligence.
Note: We do not seek to collect “special category” data (e.g., health data) as part of normal operations. If we ever need to handle higher-risk data for a legitimate purpose, we apply stronger safeguards and legal tests.
6. Lawful bases: how we justify processing
We use lawful bases consistent with ICO guidance and GDPR Article 6, and we choose the most appropriate basis per purpose.
6.1 Contract necessity
We process personal data where necessary to:
- set up and manage trade accounts;
- provide quotations and handle orders;
- arrange delivery and aftersales support.
6.2 Legal obligation
We process data to comply with legal requirements, such as:
- tax, VAT and accounting record keeping;
- responding to lawful requests from authorities.
6.3 Legitimate interests
We may process data to pursue legitimate business interests, such as:
- preventing fraud and misuse;
- maintaining network and account security;
- improving business operations and service quality;
- managing supplier/customer relationships.
Where we rely on legitimate interests, we consider proportionality and balance against individuals’ rights and expectations.
6.4 Consent
We rely on consent where the law requires it, especially for:
- non-essential cookies and similar technologies;
- certain marketing preferences, where applicable in context.
Consent can be withdrawn at any time (see section 14).
7. Transparency: what we tell people and when
We provide clear information about our processing through:
- our website legal pages;
- privacy notices within forms or trade onboarding;
- contractual documentation and account communications.
We aim to ensure business contacts understand:
- what data we collect;
- why we collect it;
- how long we keep it;
- who we share it with;
- their rights and how to exercise them.
8. Records of Processing Activities and documentation
We support the GDPR accountability principle by maintaining appropriate documentation.
8.1 Records of processing activities (RoPA)
We keep internal records of relevant processing activities in line with GDPR Article 30 expectations (where applicable to our scale and risk). Records typically include:
- the purpose of processing;
- categories of data and data subjects;
- categories of recipients;
- retention periods;
- security controls at a high level.
8.2 Policy framework
We maintain and periodically review a policy set that may include:
- data protection policy;
- incident response and breach management procedure;
- access control and acceptable use rules;
- retention rules;
- supplier/vendor due diligence practices.
8.3 Staff awareness and training
We treat data protection as an operational standard. Where relevant to role, staff are trained on:
- handling trade account data securely;
- identifying phishing and fraud risks;
- secure communication habits;
- reporting incidents promptly.
9. Data sharing and third parties
We share personal data only where necessary and proportionate and we select service providers carefully.
9.1 Typical categories of recipients
We may share data with:
- couriers and logistics providers (delivery contact data);
- payment providers (transaction processing);
- IT hosting, security and operational support providers;
- professional advisers (legal, accounting) where necessary;
- compliance and verification providers (fraud prevention, due diligence) where required.
9.2 Vendor controls and contracts
Where third parties process personal data on our behalf, we aim to:
- use reputable providers with appropriate security standards;
- have contractual protections in place appropriate to the relationship;
- limit shared data to what is required for the service;
- review access and need periodically.
9.3 Data sharing lawful basis
Before sharing personal data, we ensure a lawful basis applies and we document the reasoning where appropriate, consistent with ICO guidance on lawful basis for sharing.
10. Security controls: technical and organisational measures
We aim to implement appropriate safeguards relative to risk, consistent with GDPR Article 32 security expectations.
10.1 Access controls
- Role-based access: staff access is limited to what they need to perform duties.
- Unique user accounts where systems support it.
- Strong authentication practices where appropriate.
10.2 Device and system security
- Updates and patching for systems and key tools.
- Security monitoring and logs where appropriate.
- Malware protection and secure configuration practices.
10.3 Data handling standards
- Minimised sharing via unsecured channels.
- Controlled access to order lists, customer lists and account manager notes.
- Secure storage of documents used for trade verification.
10.4 Physical security
Where personal data is present in physical form (rare in a modern trade workflow), we apply:
- controlled access to business premises and storage;
- secure disposal (shredding or equivalent) where needed.
10.5 Payment security
We aim to avoid storing sensitive payment card data on our systems unless explicitly required and securely supported by compliant providers. Payment processing is typically handled by established payment partners with appropriate controls.
11. Data protection by design and by default
We apply “privacy by design” thinking in system choices and process improvements, including:
- minimising the personal data we collect;
- limiting retention where possible;
- restricting default access permissions;
- selecting vendors that support privacy and security features;
- reviewing forms and onboarding steps to avoid unnecessary fields.
12. Data retention and disposal
We retain personal data only for as long as necessary, considering:
- legal record-keeping obligations (e.g., tax and accounting);
- contractual needs (e.g., order history, dispute resolution);
- operational needs (e.g., account management);
- security and fraud prevention.
12.1 Typical retention approach (examples)
Retention depends on the type of data and purpose. Examples (for guidance only):
- Invoices and accounting records: retained for the period required by applicable law and standard accounting practice.
- Trade account details: retained while the account is active and for a reasonable period thereafter, subject to legal or dispute needs.
- Enquiries without an account: retained for a limited period to manage follow-ups and then deleted or minimised.
- Security logs: retained for a defined period appropriate to security and troubleshooting needs.
12.2 Secure deletion and minimisation
When data is no longer required, we aim to:
- delete it securely from active systems;
- minimise it (e.g., remove personal identifiers) where full deletion is impractical due to integrity of financial records;
- ensure processors delete or return data in line with contracts.
13. Cookies, website analytics and electronic marketing
13.1 Cookies and similar technologies
We follow cookie rules requiring clear information and consent for non-essential cookies.
Details are in our Cookie Policy, including how to manage preferences.
13.2 B2B marketing communications
We send trade communications (e.g., stock updates, service notices) in a proportionate way and offer opt-out mechanisms. PECR rules differ depending on whether marketing is directed to individuals vs corporate subscribers; we aim to follow applicable guidance.
14. Individual rights and how we handle requests
Business contacts still have rights under data protection law. We provide practical ways to exercise them and aim to respond within legal timeframes.
14.1 Rights we recognise
Where applicable, individuals may have rights including:
- access to personal data;
- rectification (correction);
- erasure (in certain circumstances);
- restriction of processing;
- objection to processing;
- data portability (in certain circumstances);
- withdrawal of consent (where we rely on consent).
14.2 How to submit a request
Requests can be sent to: [email protected]. We may ask for verification to protect the data from unauthorised disclosure.
14.3 Typical response approach
- We log the request and confirm receipt.
- We verify identity if necessary.
- We search relevant systems and compile a response.
- We respond within the applicable timeframe, subject to lawful extensions in complex cases.
14.4 Limits and exemptions
Some requests may be limited by:
- legal obligations (e.g., we cannot erase records we must keep);
- contractual necessity;
- third-party rights (e.g., where data includes other individuals);
- security and fraud prevention needs.
We explain our reasoning transparently if we cannot fully comply with a request.
15. Data breaches and incident response
We treat data security incidents seriously and maintain a process for detecting, investigating and responding to potential personal data breaches.
15.1 What counts as a personal data breach
A personal data breach is a security incident leading to accidental or unlawful:
- destruction,
- loss,
- alteration,
- unauthorised disclosure of,
- or access to personal data.
15.2 Our breach response objectives
- contain and secure systems;
- assess scope and risk to individuals;
- document the incident and decisions;
- notify authorities and individuals when required.
15.3 Reporting timeframes
Where notification is required, GDPR/UK GDPR expects notification to the supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a reportable breach.
15.4 Notification to affected individuals
If a breach is likely to result in a high risk to individuals’ rights and freedoms, affected individuals must be informed without undue delay, with practical guidance to help them protect themselves.
15.5 Documentation
We document breaches (including those not reported) as part of accountability and continuous improvement.
16. Data Protection Impact Assessments
Where processing is likely to result in high risk, we consider whether a Data Protection Impact Assessment (DPIA) is required and complete one where appropriate. ICO guidance describes DPIAs as a process to identify and minimise data protection risks, and they are required for certain high-risk processing.
In practice, DPIAs are more likely to be relevant if we implement:
- new high-scale monitoring or tracking technologies;
- new systems processing large volumes of personal data;
- automated decision-making that significantly affects individuals;
- new verification tools with elevated privacy impact.
17. International transfers
Where personal data is transferred outside the UK or EEA (depending on context), we ensure appropriate safeguards are used, such as:
- adequacy mechanisms where available;
- contractual safeguards (e.g., standard contractual clauses or equivalent measures) where required;
- vendor due diligence and security reviews.
18. Data processors and sub-processors
When suppliers act as “processors” handling personal data on our behalf, we require them to:
- process data only on our instructions (where applicable);
- implement appropriate security measures;
- support data subject rights handling where relevant;
- notify us promptly of incidents as required by contract.
We aim to maintain oversight of sub-processors where relevant to the risk profile and service.
19. Children’s data
Our services are designed for trade buyers and are not intended for children. We do not knowingly collect personal data from children.
20. Complaints and supervisory authorities
We aim to resolve concerns quickly and fairly. If you have questions or concerns about our data handling, contact us first at:
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). ICO guidance is our primary reference point for UK compliance interpretation.
For EU/EEA contexts, individuals may contact their relevant national data protection authority.
21. Policy governance, review and version control
We review this GDPR Data Policy periodically and update it when needed to reflect:
- legal changes and guidance updates;
- changes to our processing activities;
- changes to suppliers or technical platforms;
- operational improvements and risk learnings.
The “Last updated” date at the top shows the current version.
22. Practical compliance commitments
To make this policy meaningful, we commit to the following operational standards:
- Transparency: clear, accessible policies and notices.
- Minimisation: collecting only data needed for trade operations.
- Security: controls appropriate to risk (including access control and secure handling).
- Incident readiness: documented response process and breach logging.
- Rights handling: a practical route for requests and timely responses.
- Vendor governance: proportionate due diligence and contractual safeguards.
- Continuous improvement: policy review and operational upgrades over time.
23. Contact details
For any questions about this GDPR Data Policy or data protection matters, contact:
- B2B Mobile Wholesalers
- Orso Distribution NI Limited
- 4 Hill Street, County Down, Newry, BT34 2BW, Northern Ireland
- Email: [email protected]
- Tel: +353 89 944 4128


