Under the General Data Protection Regulation (GDPR) there is a requirement for data to be processed only for the purposes intended and not to be kept any longer than is necessary for that particular purpose. When you use our services, we want you to feel assured that we manage your data appropriately, confidentially, safely and securely.
Appendix 1 provides key definitions to help you understand some of the terminology used in this Notice.
As a customer, you are advised that personal and sensitive data about you may be collected, transferred, processed, stored, and retained in a manual and/or computerised form in a fair and lawful manner by the Company and/or by its third-party representatives. This is necessary for lawful purposes, for the performance of the contract/legitimate business interests so we can deliver our services to you.
You are advised that for reasons other than set out above, we are required to seek your consent to collect, hold, process and retain other data. If this applies you will be informed and you may opt not to consent. In any such circumstances, we will work out how we may best work with to you/deliver those services to you.
We may also use the information we collect to enable us to provide, maintain, protect and improve our services to you, as well as enabling us to develop new services and solutions to meet your needs.
Content of our Privacy Notice
- The Data We Collect and Why We Collect It
- Data Security
- Data Disclosures
- Your Rights
- Making a Data Subject Access Request (DSAR)
- Making a Complaint
- Customer Data Schedule
The Data We Collect and Why We Collect It
We collect certain data to enable us to provide our services to you in both our bakery and restaurant. This relates to either information you provide to us or data we collect from you.
For retail customers the data is mostly limited to some basic identifier and financial data (if paying electronically).
However, depending on our relationship with you as a customer, this may include personal and/sensitive data pertinent to providing our services to you including:
- Basic identifier information (such as company name/your name, contact details, address, email address, telephone number)
- Customer enquiry (such as general information about your request including contact name and details of your requirements)
- Customer order (such as type of service e.g. birthday cake/funeral order, name/surname, telephone number, as well as general order history; quantities, types and dates)
- Suppliers (such as address, telephone number and email address)
- Economic or financial data (such as bank details, credit card information)
- Communications (such as emails sent and received, post/letters and electronic documents)
When you use our services, we collect data relating to what type of services you have used, when, where and how often. We will also retain financial information in relation to those transactions.
Our website also collects you customer IP address in relation to when you visit our site.
The Customer Data Schedule outlined later in this Notice provides further information on the types of data we collect, why we process it and what we do with it.
We confirm that we have appropriate security measures in place to manage and restrict access to your personal information. This data is only available to authorised personnel who need to know that information in order to process it for us. These individuals are subject to strict contractual confidentiality obligations and may be subject to disciplinary and other action, including termination of their contract/employment, if they fail to meet these obligations.
We wish to reassure you that we also have processes in place to protect against your data being shared with someone who is not authorised. Your confidentiality, safety and security are a priority for us.
The Company may also be required to disclose certain information to other persons. These kinds of disclosures will only be made when strictly necessary and for the purpose required. You are advised that for lawful purposes there are circumstances whereby we are required by law to share data (including sensitive data) including with other government agencies without an individual’s consent. This includes our lawful requirement to provide sensitive information to external government bodies.
Outside of the conditions set out above, we will obtain your consent before sharing the data.
Subject to certain exceptions, you have the following rights:
1. To be informed through a Privacy Notice to ensure there is transparency over how we use personal data.
2. To access your own personal data and supplementary data that we hold. It allows you to be aware of and verify the lawfulness of the processing.
3. To rectification of your personal data if it is inaccurate or incomplete.
4. To erasure/ ‘the right to be forgotten’ by requesting the deletion or removal of personal data where there is no compelling reason for its continued processing.
5. To restrict processing by requesting a ‘block’ or suppression of the processing of your personal data. When processing is restricted, we are still permitted to store the personal data, but not to further process it. We can retain just enough information about the individual to ensure that the restriction is respected in future.
6. To data portability which allows you to obtain and reuse your personal data for your own purposes. This only applies in the following circumstances:
• that the information pertains to personal data that you have provided to us;
• where the processing is based on your consent or for the performance of a contract; and
• when processing is carried out by automated means.
7. To object to the processing of data based on legitimate interests or the performance of a task in the public interest/exercise of official authority; direct marketing; and processing for purposes of scientific/historical research and statistics.
Making a Data Subject Access Request (DSAR)
You have a right to access information we may hold on you to confirm its accuracy, to check the lawfulness of its processing or to allow you to exercise your rights including to correct or object if necessary.
If you wish to make a request for information we hold on you, this should be made in writing addressed to the Data Co-ordinator, Christine Ferguson at 57-59 Sloan St, Lisburn BT27 5AG, email address firstname.lastname@example.org including the following details:
- Your full name, address and contact details
- Any information used by us to identify you
- Details of the specific information required and any relevant dates
We will normally respond to your request within one month. However, this may be extended by a further two months whereby a request is complex or numerous. If this applies we will write to you within one month of the receipt of the request and explain to you why the extension is necessary.
The information will normally be provided to you free of charge. However, we reserve the right to charge a reasonable fee when a request is considered to be ‘manifestly unfounded’, ‘excessive’ or ‘repetitive.’ In such cases the fee will be based on the administrative cost of providing the information. In exceptional circumstances, we may refuse to respond to the request. If this applies we will explain to you why and inform you of your right to complain.
Making a Complaint
You have a right to complain to the ICO if you think there is a problem with the way we are handling your data.
Customer Data Schedule
Our retention schedule outlines the main types of personal and sensitive data we may collect, process, manage, store and retain about you. This information is not exhaustive but is intended to be reflective of the typical categories of data we collect, process, store and retain. The retention periods outlined are based on statutory and non-statutory recommended retention schedules as well as those deemed necessary for the performance of our contract/service and to ensure we can meet our legal obligations.
Data Storage: The information we hold in relation to our customers is stored securely on company software and hardware systems (company databases, computers, PDA’s/mobile devices, hosted platforms/third party applications/Cloud based servers).
Please note: Any personal/sensitive data is only accessible by appropriate and authorised personnel.
Please contact us for a copy of our Retention Schedule
Appendix 1: Key Definitions
Hosted Platforms/Third Party Applications: These are databases that are not controlled by us but which are provided to us by third party organisations. We request all such third-party organisations who provide hosted platforms to confirm that they will adhere to the lawful requirements under GDPR.
Social Media/Other Party Sites: These are sites that are provided by other parties such as Facebook and Twitter that we do not have control over. We are not the Data Controller. People may freely enter information onto this site about us, including posting information on our Page. In this event, you are advised that if you make any such posts their terms, conditions and privacy notices apply. However, if we note a cause for concern over a post, we may take steps to ask the site to remove it. If you have a concern in relation to a post, you should contact the appropriate site directly. However, ultimately the removal of any such post is at their discretion and subject to their terms.
The Data Controller and Data Co-ordinator: The Data Controller determines why personal data is, or has been, collected, processed and the way in which it is dealt with and ensuring it is processed fairly and lawfully and only for legitimate purposes. All Data Controllers must provide a notification to the Information Commissioner’s Office and be included on the register of data controllers as part of a registration process with the ICO.
The Data Processor: This relates to the party who processes the personal/sensitive data on behalf of the Data Controller and they may be also regarded as a joint Data Controller. The Data Processor is responsible for processing data under the instruction of the Data Controller and only for the purposes intended.
Third Parties: This relates to third party providers who act on our behalf to provide services under our instruction and only for the purposes intended. They may be also regarded as a joint Data Controller and are required to have certain security measures in place and to notify us immediately if there has been any actual or potential data breach.
Our Data Co-ordinator is Christine Ferguson at 57-59 Sloan St, Lisburn BT27 5AG, email address email@example.com.
Data Subject: You are the data subject as you are the individual whose personal information is being held or processed by us.
Authorised Personnel: These individuals are subject to strict contractual confidentiality obligations and may be subject to disciplinary and other action including termination of their contract if they fail to meet these obligations.
Personal Data: Information that identifies and relates to a living individual and includes any expression of opinion or intention about the individual. Personal data could be contact details, date of birth, qualifications, or anything pertaining to an individual. It is something that affects that individual person’s information and privacy.
Sensitive Personal Data: Sensitive personal data is defined as information relating to an individual’s equality, health, criminal investigations/convictions, complaints or appeals or other information that may be considered to be particular sensitive in nature.
Personal and sensitive personal data should not be processed unless at least one of the conditions is met:
- The explicit consent of the individual.
- There is a legal obligation in the context of employment or other legal proceedings/requirements.
- The protection of the vital interests of the individual.
- The processing is carried out in the course of the legitimate activities of the organisation
- The information has been made public by the individual.
- The information is required for medical purposes.
- For other lawful functions, e.g: for lawful monitoring or for other government statistical information.