We are dedicated to ensuring that all information stored about our customers, potential customers, visitors and any individuals is kept as secure as possible, at all times and stored in accordance to the General Data Protection Regulations 2018. Our policy is to respect the privacy of customers, potential customers, visitors and any individual and to maintain compliance with the General Data Protection Regulations (GDPR). We have obligations imposed on it by the General Data Protection Regulation (GDPR) to ensure that all information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully. We must ensure that our policies are written in a clear, plain way that everyone will understand. This policy outlines the information we collect and how we use it. Individuals have various rights under the legislation including a right to:
- Be told the nature of the information we hold and any parties to whom this may be disclosed
- Prevent processing likely to cause damage or distress
- Prevent processing for purposes of direct marketing
- Be informed about the mechanics of any automated decision making process that will significantly affect them
- Not have significant decisions that will affect them taken solely by automated process
- Take action to rectify, block, erase or destroy inaccurate data
- Sue for compensation if they suffer damage by any contravention of the legislation
- Request that the Office of the Information Commissioner assess whether any provision of the Act has been contravened
- We will only process personal data in accordance with individuals’ rights
Data Protection Officer: Christopher Dixon
GDPR Principals In order to comply with its obligations, we undertake to adhere to the GDPR Principals:
- Process personal data fairly, lawfully and transparently We will make all reasonable efforts to ensure that individuals who are the focus of the personal data (data subjects) are informed of the purposes of the processing, any disclosures to third parties that are envisaged; given an indication of the period for which the data will be kept, and any other information which may be relevant.
- Data collected for a specified and legitimate purpose we will ensure that the reason for which it collected the data originally is the only reason for which it processes those data, unless the individual is informed of any additional processing before it takes place.
- Ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is processed we will not seek to collect any personal data which is not strictly necessary for the purpose for which it was obtained. Forms for collecting data will always be drafted with this mind. If any irrelevant data are given by individuals, they will be destroyed immediately.
- Keep personal data accurate and, where necessary, up to date. We will review and update all data on a regular basis. It is the responsibility of the individuals giving their personal data to ensure that this is accurate, and each individual should notify us if, for example, a change in circumstances mean that the data needs to be updated. It is the responsibility of the company to ensure that any notification regarding the change is noted and acted on.
- Only keep personal data for as long as is necessary. We undertake not to retain personal data for longer than is necessary to ensure compliance with the legislation, and any other statutory requirements. This means we will undertake a regular review of the information held.
- Put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of data. The Data Protection Officer is responsible for ensuring that any personal data which is held is kept securely and not disclosed to any unauthorised third parties. We will ensure that all personal data is accessible only to those who have a valid reason for using it. We will have in place appropriate security measures and take all necessary cyber precautions. In addition, we will put in place appropriate measures for the deletion of personal data – manual records will be shredded or disposed of as ‘confidential waste’ Hard drives of redundant PCs will be wiped clean before disposal or if that is not possible, destroyed physically.
Customers and Potential Customers
When you enter our premises, and if you are invited to join our mailing list, we may require some or all of the following personal data in order to process your subscription:
- Preferred / Known Name
- Email address
- Contact number (mobile or landline)
- Area of Interest
- Preferred Method of Contact
- Residential Address (if delivery required)
- Date of Birth (to establish if over 18)
- Proof of age if you appear to be younger than 25
We require your contact details in order to contact you and your date of birth in order to establish we have recorded your age if under 25. Your data is stored on our password protected secured database, which is only accessible by authorised members of staff. This database is accessed in order to offer you goods or services that may be of interest to you. If we take payment over the phone for your order, once we have processed your payment all your details will be confidentiality shredded and not retained.
Communications to customers and potential customers
We like to send out communications with information about our business, events and general notices. In order for us to do this we ask you when joining our mailing list to give us your consent to contact you via email, telephone, post and/or SMS. You may unsubscribe to these communications at any time by contacting the Data Protection Officer. We do not pass this data onto any other third parties.
We have CCTV for security purposes and as a condition of the Premises Licence granted by Herefordshire Council. The footage is stored for a period of 3-months and is overwritten. We may share footage with police and other authorities if required to do so.
Information Security and Storage
Authorised employees of the company will have access to our customers, potential customers, visitors and any individual’s data. All electronic data is password protected and is only accessible by authorised employees. We review our security regularly and take all necessary cyber precautions. Your information is retained for an undefined period unless a successful request for the removal of such data is made. If you consent to receiving our communications, we will retain your details unless you unsubscribe from receiving these communications.
We only pass on personal data to comply with our legal obligations, such as to the Health and Safety Executive for accidents which may have occurred on our premises. We do not pass your data onto any other third party.
Transparency and Choice
You may at any time contact us and ask what information we hold on you. You may ask us to update this information if it is incorrect, which we will strive to do as quickly as possible. You have the right to be forgotten and may at any time request that we delete your data, please be aware that this request may be refused due to legal requirements.
Our policy may change as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments to the GDPR and other relevant legislation. Compliance: We regularly review this policy to ensure that it complies with current legislation.