NB: LIVE DOCUMENT - this policy content will change as we achieve our duties
DPA 2018 and the GDPR
The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the details of these. It is therefore important the GDPR and the DPA 2018 are read side by side
Shillingford Organics collects some personal information from members of the public for specific reasons, primarily to inform people, through a Newsletter, of events and activities in the local area according to their interests. Shillingford Organics also collects personal details from customers to process orders.
1. LAWFUL BASIS FOR DATA PROCESSING
The six lawful bases for data processing as set out in Article 6 of the GDPR are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
The lawful basis under which Shillingford Organics processes personal data is
(6) Legitimate Interests: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
2. INDIVIDUAL RIGHTS
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
2.1 The right to be informed
Shillingford Organics has an obligation to advise individuals how their personal data will be used. This will be via a privacy statement at the time of signing up to mailing lists.
Identity and contact details of the controller:
Please contact: Shillingford Organics via: Email or write to us at: Shillingford Organics, Barton Lane, Shillingford Abbot, Exeter, EX2 9QQ
Purpose of data processing and the lawful basis:
The information we hold, and process will only be used for normal operation and administrative purposes.
The lawful basis is legitimate Interest.
The legitimate interests of the controller:
Shillingford Organics would like to keep subscribers to the newsletter informed about crop news, farm activities, events and any other news of interest concerning the farm or other business marketing matters. We also use mailmerges to send our customers information about amendments to their orders/deliveries, for our management and normal operation.
Categories of personal data:
Shillingford Organics will only hold the name and email address of the subscriber for the purposes of Shillingford Organics’ Newsletter emailing list. Shillingford Organics may request further information for specific events. The same controls will apply to all data supplied.
Any recipient of the personal data:
The personal data will be stored in a secure database and will only be accessible by mailing list administrators.
Details of transfer to third party and safe guards:
Personal data will not be transferred to any other location or to any other third party.
The right to withdraw consent at any time:
Every subscriber has the right to remove themselves from the mailing list at any time by unsubscribing.
2.2 The right of access
Individuals have the right to confirmation that their data is being held by Shillingford Organics and to receive a copy of the information stored. This can be provided free of charge by emailing us.
2.3 The right of rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This can be achieved free of charge by emailing us and must be actioned by Shillingford Organics within one month of the request.
2.4 The right to erasure
An individual can request the deletion of their information by unsubscribing from the mailing list by emailing us.
2.5 The right to restrict processing
An individual can request that we cease sending emails to them. Due to the limited data held, this will be treated in the same way as 2.4. Should an individual wish to begin receiving emails again, they should subscribe to the mailing list again as a new user.
2.6 The right to data portability
Due to the limited data held (name and email address), this can be covered by 2.2 whereby a full copy of information held by Shillingford Organics will be provided to the individual via email.
2.7 The right to object
An individual has the right to object should they consider the emails to contain inappropriate material for the mailing list..
2.8 Rights related to automatic decision making and profiling
No automatic decision-making or profiling is currently carried out on the personal data held by Shillingford Organics.
3. ACCOUNTABILITY AND GOVERNANCE
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It requires that appropriate technical or organisational measures are used.
How your data will be used?
- As a small Business (Shillingford Organics) needs to keep and process information about you for normal operation purposes. The information we hold, and process will only be used for our management and administrative purposes. We’ll keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately. This applies when you register with us, whilst you’re a customer, at a time if you ever decide to end your registration with us, and if you then choose to re-join us. This includes using information to enable us to comply with the terms and conditions, to comply with legal requirements, to pursue the legitimate interests of Shillingford Organics and protect our legal position in the event of legal proceedings. If you do not provide this data, we may not be able, in some circumstances, to comply with our obligations and we’ll tell you about the implications of that decision.
- As a business we may sometimes need to process your data to pursue our legitimate business interests. For example, to prevent fraud, for administrative purposes or to report potential crimes. The nature of our legitimate interests is to provide you with information about your account as well as other relevant news about events. Please be assured that we will never process your data where these interests are overridden by your own interests.
- Most of the information we hold will have been provided by you, but some of it may have come from other external sources. Where we’ve not had the data directly from you, we’ll advise you that we hold that data, and where it came from. We’ll do this at the first point of communication with you and at least within one month of us receiving your data from an external source.
- The sort of information (data) we hold includes your name, address, telephone numbers and email address. We also maintain records of when you contact us, and this could be by either storing emails or holding details of calls you have made to us or left on the business answerphone.
- We’ll only ever disclose information about you to third parties if we’re legally obliged to do so, or where we need to comply with our contractual duties to you. For example, payment processing, communications, debt recovery and mobile card payment terminals,
- Should you decide to end your registration with Shillingford Organics for whatever reason, your personal data will be stored until your account is up to date and then for 1-3 months, or sooner depending on you reason for leaving, after this time your data will be anonymised and will not be subject to the GDPR. If you decide to return to us you will need to re-register. If you have specified you wish to return in the future we will keep your data stored.
- If, in the future, we intend to process your personal data for a purpose other than that which it was collected for, we’ll provide you with information about that.
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data:
You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn. You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 about your personal data.
Identity and contact details of controller and data compliance advisor
Shillingford Organics is the controller of data for the purposes of the DPA 18 and GDPR.
If you have any concerns as to how your data is processed you can contact us via email: firstname.lastname@example.org or you can write to us at:
Barton Lane, Shillingford Abbot, Exeter, EX2 9QQ
In particular we will: observe the conditions in the Act regarding the fair collection and use of personal information (please see below regarding personal information collected via our website); meet our legal obligations to specify the purposes for which we process personal information; collect and process appropriate personal information, only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirement; ensure the accuracy of any personal information kept by us; apply checks to determine the length of time personal information is held by us; ensure that the rights of people about whom personal information is held, are able to be exercised under the Act; take appropriate technical and organisational security measures to safeguard personal information.
We collect personal information from visitors to this website when you request a specific service, such as our email newsletter, through the use of online forms, and every time you email us your details. We also collect information about the transactions you make when you buy tickets or donate, including, potentially, details of the payment cards used.
We collect additional information automatically each time you visit our website:
- Your server address (for example 987.654.32.1)
- The date and time of the visit to the site
- The pages accessed
- The previous site accessed
- The type of browser used
- Your operating system (for example Apple Mac, Windows etc
Use of personal information
We process personal information collected via this website exclusively for the following purposes:
- Dealing with your inquiries and requests
- Administering orders
- Maintaining information as a reference tool or general resource
- Carrying out market research campaigns