NB: LIVE DOCUMENT - this policy content will change as we achieve our duties
This policy describes the strategy of Shillingford Organics with regard to the General Data Protection Regulation (GDPR) due to come into force on 25th May 2018.
Shillingford Organics collects some personal information from members of the public for specific reasons, primarily to inform people of events and activities in the local area according to their interests.
1. LAWFUL BASIS FOR DATA PROCESSING
The six lawful bases for data processing as set out in Article 6 of the GDPR are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
The lawful basis under which Shillingford Organics processes personal data is
(a) Consent: the individual has given clear consent for Shillingford Organics to process their personal data for a specific purpose.
The role of the Shillingford Organics Data Protection Officer is to ensure access to and accuracy of the data stored is maintained.
2. INDIVIDUAL RIGHTS
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
2.1 The right to be informed
Shillingford Organics has an obligation to advise individuals how their personal data will be used. This will be via a privacy statement at the time of signing up to mailing lists.
Shillingford Organics takes your privacy seriously and will only use your name and email address to send you emails at your request. Your information will not be used for any other purpose, will not be shared with any other party and you can request to unsubscribe at any time. You also have the right to object if you believe emails from us contain inappropriate material for this mailing list.
Identity and contact details of the controller:
The Administrator at Shillingford Organics
Purpose of data processing and the lawful basis:
The purpose for holding the names and email addresses of subscribers is to send subscribers newsletters as specified at the time of subscribing.
The lawful basis is consent.
The legitimate interests of the controller:
Shillingford Organics would like to keep subscribers informed about crop news, farm activities, events and any other news of interest concerning the farm or other business marketing matters.
Categories of personal data:
Shillingford Organics will only hold the name and email address of the subscriber for the purposes of Shillingford Organics’ emailing list. Shillingford Organics may request further information for specific events. The same controls will apply to all data supplied.
Any recipient of the personal data:
The personal data will be stored in a secure database and will only be accessible by mailing list administrators.
Details of transfer to third party and safeguards:
Personal data will not be transferred to any other location or to any other third party.
Personal data will be held from the time of subscribing to the mailing list until such time that the subscriber removes themselves from the list by unsubscribing.
The right to withdraw consent at any time:
Every subscriber has the right to remove themselves from the mailing list at any time by unsubscribing.
2.2 The right of access
Individuals have the right to confirmation that their data is being held by Shillingford Organics and to receive a copy of the information stored. This can be provided free of charge by emailing us.
2.3 The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This can be achieved free of charge by emailing us and must be actioned by Shillingford Organics within one month of the request.
2.4 The right to erasure
An individual can request the deletion of their information by unsubscribing from the mailing list by emailing us.
2.5 The right to restrict processing
An individual can request that we cease sending emails to them. Due to the limited data held, this will be treated in the same way as 2.4. Should an individual wish to begin receiving emails again, they should subscribe to the mailing list again as a new user.
2.6 The right to data portability
Due to the limited data held (name and email address), this can be covered by 2.2 whereby a full copy of information held by Shillingford Organics will be provided to the individual via email.
2.7 The right to object
An individual has the right to object should they consider the emails to contain inappropriate material for the mailing list.
2.8 Rights related to automatic decision making and profiling
No automatic decision-making or profiling is currently carried out on the personal data held by Shillingford Organics.
3. ACCOUNTABILITY AND GOVERNANCE
The Administrator acts as the Data Protection Officer and in the event this role is vacant, the Business Owner will assume responsibility.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It requires that appropriate technical or organisational measures are used.
The 'Shillingford Organics Newsletter List' data will be held in a secure database, currently MailChimp, and will only be accessible by mailing list administrators.
In particular we will:
- observe the conditions in the Act regarding the fair collection and use of personal information (please see below regarding personal information collected via our website);
- meet our legal obligations to specify the purposes for which we process personal information;
- collect and process appropriate personal information, only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirement;
- ensure the accuracy of any personal information kept by us;
- apply checks to determine the length of time personal information is held by us;
- ensure that the rights of people about whom personal information is held are able to be exercised under the Act;
- take appropriate technical and organisational security measures to safeguard personal information.
We collect personal information from visitors to this website when you request a specific service, such as our email newsletter, through the use of online forms, and every time you email us your details. We also collect information about the transactions you make when you buy tickets or donate, including, potentially, details of the payment cards used.
We collect additional information automatically each time you visit our website:
- Your server address (for example 987.654.32.1)
- The date and time of the visit to the site
- The pages accessed
- The previous site accessed
- The type of browser used
- Your operating system (for example Apple Mac, Windows etc.)
Use of personal information
We process personal information collected via this website exclusively for the following purposes:
- Dealing with your inquiries and requests
- Administering orders
- Maintaining information as a reference tool or general resource
- Carrying out market research campaigns