Data Privacy Policy, incorporating GDPR

Introduction

Greenhalgh's Craft Bakery Limited (the Company) is committed to conducting its business in accordance with all applicable Data Protection laws, regulations and best practice guidance.

The Company, as a 'Data Controller' needs to gather and use certain information about individuals. This policy outlines the standards applied by the Company in relation to the collection, use, handling, retention, transfer, disclosure and destruction of any Personal Data relating to individuals (ie the Data Subject) in order to meet the Company's data protection standards and to comply with legislation. Data Subjects can include workers, customers, suppliers, contractors, business contacts, and other people the organisation has a business relationship with or may need to contact.

The policy aims to strike a balance between the legitimate expectations of individuals that personal information about them will be handled properly and in accordance with the legal, employment and contractual requirements of the Company, and the legitimate interests of the Company in deciding how best, within the law, to manage the needs of the business.

The Company expects employees and third parties to share in its commitment to effective implementation of this policy. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction as relevant.

Why this policy exists

This policy applies where in a business context a Data Subject's personal data is processed and ensures the Company:

Complies with data protection law and follows good practice

Protects the rights of staff, customers and partners

Is open about how it stores and processes individuals' data

Protects itself from the risks of a data breach

Failure to comply with legislation can result in substantial fines. Other risks may include:

Breaches of confidentiality - for instance, information being given out inappropriately.

Failing to offer choice – for instance, not recognising that all individuals should be free to choose how the company uses data relating to them.

Reputational damage - for example where there has been a breach which due to reporting requirements comes to public attention.

Key Terminology

Data Subject

The identified or identifiable natural person to which the data refers.

Personal Data

Any information (including opinions and intentions) which relates to an identified or identifiable natural person.

Special Categories of Data

Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Identifiable Natural Person

Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Controller

An entity that decides the purpose and manner that personal data is used, or will be used.

Data Processor

The person or group that processes the data on behalf of the controller.

Data Protection Legislation

The guidelines and rules of this policy apply to all Processing of Personal Data in electronic form (including electronic mail and documents created in software programs) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The Company will comply with the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data:

1. Lawfulness, Fairness and Transparency

Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

2. Purpose Limitation

Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. Data Minimisation

Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

4. Accuracy

Personal Data shall be accurate and kept up to date.

5. Storage Limitation

Personal Data shall not be held for any longer than necessary for the purposes for which it is processed.

6. Integrity & Confidentiality

Personal Data shall be processed in a manner that ensures its appropriate security, using appropriate technical and organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

7. Accountability

The Data Controller shall be responsible for, and be able to demonstrate compliance with legislation and guidance.

Furthermore, Personal Data will not be transferred outside the European Economic Area (EEA) unless the receiving country or territory ensures an adequate level of protection, or appropriate safeguards (such as approved contractual clauses) are in place.

Policy Scope

This policy applies to:

The head office of the Company

All sites and outlets of the Company

All authorised representatives of the Company who process Personal Data on behalf of the Company

Any past, current or prospective customer of the Company

All applicants, employees, former employees, agency, casual and contract workers, work experience students and volunteers of the Company

All contractors, suppliers, service providers and other people working on behalf of the Company

All third party companies or organisations with which the Company shares information, such as governmental bodies, financial institutions and law enforcement agencies

All Company policies and procedures which may lead to personal data being processed

Furthermore, the policy applies to all data that the Company holds relating to identifiable individuals, which can include but may not be limited to:

information which identifies a person, whether by itself, or together with other information in the organisation's possession or that is likely to come into its possession.

Data Subject Consent and Notification

The Company will obtain and process personal data only by lawful and fair means, for legitimate business reasons and with the knowledge of the individual concerned. Where consent is the lawful basis relied upon for a particular processing activity, that processing will take place only with the consent of the individual.

Consent relates to any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, the Company is committed to seeking such consent.

The Company will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the processing of their personal data. This may be via relevant Privacy Statements.

Responsibilities

Everyone who works for or with Greenhalgh's Craft Bakery Limited has some responsibility for ensuring data is collected, stored and handled appropriately. Each individual that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, the following have key areas of responsibility:

The Board of Directors is ultimately responsible for ensuring that the Company meets its legal obligations.

The Data Protection Team is responsible for:

o Keeping the Board updated about data protection responsibilities, risks and issues.

o Reviewing all data protection procedures and related policies, in line with an agreed schedule and where there are changes or updates to legislation.

o Arranging data protection training and advice for the people covered by this policy.

o Handling data protection questions from staff and anyone else covered by this policy.

o Dealing with requests from individuals to see the data the Company holds about them (also called 'subject access requests').

o Checking and approving any contracts or agreements with third parties that may handle the Company's sensitive data.

The IT Manager is responsible for:

o Ensuring all systems, services and equipment used for storing data meet acceptable security standards and are in accordance with Company policy and procedures.

o Performing regular checks and scans to ensure security hardware and software is functioning properly.

o Evaluating any third-party services the Company uses or is considering using to store or process data and ensuring such providers have their own appropriate measures in place.

o Where necessary, working with other colleagues to ensure IT initiatives abide by data protection principles.

The Retail Sales & Marketing Director and the Wholesale Director are responsible for:

o Approving any data protection statements attached to marketing communications such as emails and letters.

o Ensuring communications with past, current or prospective customers of the Company are made with consent where consent is required and in accordance with this policy.

o Addressing any data protection queries from journalists or media outlets like newspapers.

o Where necessary, working with other colleagues to ensure Marketing and Customer Relations initiatives abide by data protection principles.

o Ensuring marketing databases are checked against industry suppression files every six months.

The HR Manager is responsible for:

o Approving any data protection statements related to recruitment communications such as applications, emails and letters.

o Ensuring that, where consent is relied upon as the lawful basis for processing employee data, informed consent from employees is obtained and is kept up to date.

o Ensuring applicant, employee and former employee personal data and special category data is processed and stored in a confidential manner.

o Addressing any data protection queries from employees, former employees or potential employees.

o Where necessary, working with other colleagues to ensure HR initiatives abide by data protection principles.

o Identifying and facilitating appropriate training for relevant colleagues.

The Finance Director is responsible for:

o Ensuring employee data such as salary data and bank account information is processed and stored in a confidential manner.

o Evaluating any third-party services the Company uses or is considering using to store or process data and ensuring such providers have their own appropriate measures in place.

o Addressing any data protection queries from suppliers, contractors and third party service providers.

o Where necessary, working with other colleagues to ensure Finance initiatives abide by data protection principles.

Individuals, particularly those who come into contact with Personal Data (such as line managers or supervisors or those dealing with the personal data of customers, employees or third parties) are responsible for:

o When working with personal data, ensuring the screens of their computers are always locked when left unattended.

o Ensuring hard copy personal data is held securely and confidentially, and not easily accessible to others, for example other work colleagues.

o Ensuring hard copy personal data is not left unsecured or unattended, for example in vehicles, where loss of such data could result in a data breach and fines.

o Passwords and individual email addresses should not be shared.

o Ensuring that personal data is not shared informally. In particular, it should never be sent by email in unencrypted form, as ordinary email is not a secure channel.

o Encrypting data before being transferred electronically to external providers. The IT Manager can explain how to send data to authorised external contacts.

o Ensuring copies of personal data are not stored on their own computers or devices. Individuals should always access and update the central copy of any data.

o Maintaining confidentiality. Anyone authorised or required on behalf of the Company to process personal data is required to preserve the confidentiality of any information relating to Data Subjects as part of the normal course of their employment and must not, during or after employment, divulge any information of a confidential nature relating in any way to a Data Subject outside of the requirements of the approved processing activity.

o Working within the principles, rules and guidelines of the policy, including those set out in the section below.

General Guidelines

The only people able to access data covered by this policy should be those who need it for their work.

Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.

The Company will provide training to all relevant employees to help them understand their responsibilities when handling data.

Employees should keep all data secure, by taking sensible precautions and following the guidelines within this policy.

In particular, strong passwords must be used and they should never be shared.

Personal data should not be disclosed to unauthorised people, either within the Company or externally.

Data should be regularly reviewed and updated if it is found to be out of date or inaccurate. If no longer required, it should be deleted and disposed of securely.

Employees should request help from their line manager or the Data Protection Team if they are unsure about any aspect of data protection.

Data Storage and Retention

These rules describe how and where data should be safely stored, and how long personal data is held for. Questions about storing data safely can be directed to the IT Manager.

When data is stored on paper (ie in hard copy format, which can relate to an original or printed document or file), it should be kept in a secure place where unauthorised people cannot easily gain access to view it. These guidelines apply to data that is printed or in hard copy or original form (such as, but not limited to, customer records, CVs, application forms, training records, accident forms, performance or absence management documentation, etc):

When not required, the paper or files should be kept in a locked drawer, filing cabinet or appropriate lockable storage area.

Employees should ensure paper and printouts are not left where unauthorised people could see them, for example on a printer or photocopier.

Data should not be left in vehicles (Company or private) or non-Company premises.

Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

Data should be protected by strong, unique passwords that are never shared between employees and are changed promptly if there is any suspicion they have been compromised.

If data is stored on removable media (such as a CD, DVD or pen drive), the media should be encrypted wherever possible and kept locked away securely when not being used.

Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.

Data contained in CCTV images should be kept in accordance with the Company's CCTV Code of Practice.

Servers containing personal data should be sited in a secure location, away from general office space.

Data should be backed up frequently. Those backups should be tested regularly, in line with the Company's standard backup procedures.

Laptops and other mobile devices such as tablets or smart phones must be kept in secure locations, password protected and, where the device supports it, encrypted.

All servers and computers containing data should be protected by approved security software and a firewall.

Data must not be held for longer than necessary for the purposes for which it was originally collected, or for which it was further processed as set out in this policy and associated documents, such as Privacy Statements and the Record Retention Checklist.

Different retention periods apply for different types of data and relevant information will be securely held in accordance with legislation and best practice guidance. This takes into account the legal and contractual requirements, both minimum and maximum, that influence the retention periods outlined in the checklist. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.

Data Accuracy

The law requires companies to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible. This will include but not be limited to the steps outlined below:

Data will be held in as few places as necessary. Employees (who handle personal data on behalf of the Company as Data Controller) should not create any unnecessary additional data sets.

Employees should take every opportunity to ensure data is updated, for instance by confirming a customer's details when they call, or by passing contact details provided by employees to the relevant department when a change has been notified.

The Company will enable data subjects to easily update the information held about them.

Data should be updated as inaccuracies are discovered. For instance, if a customer or employee can no longer be reached on their stored telephone number, it should be removed from the database.

Sharing Data with Third Parties

The Company, during the course of its business activities may be required to share information with third parties in order to:

  • comply with our legal or contractual obligations
  • exercise our legal rights
  • prevent, detect, investigate crime or prosecute offenders
  • and for the protection of employees and customers.

Third parties may include:

  • carefully selected contractors, suppliers, partners, service providers and other people working on behalf of the Company
  • governmental bodies, regulators, financial institutions, credit reference agencies
  • courts, tribunals and law enforcement agencies where we are required to do so
  • other third parties as set out under the relevant Privacy Statement.

The Company will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient.

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Before disclosing any requested data under these provisions, the Company will satisfy itself that the request is legitimate, seeking guidance from the Board and from the Company's legal advisers where necessary, and will disclose only the data that the request lawfully covers.

The Company will never sell or rent its customer, employee or supplier data to other organisations.

Individual Rights and Subject Access Requests

Greenhalgh's Craft Bakery Limited aims to ensure that individuals are aware that their data is being processed, and that they understand how the data is being used and how to exercise their rights.

The Company will, where appropriate, enable and facilitate the Data Subjects' rights under GDPR relating to:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

To these ends, the Company has created privacy statements, setting out how data relating to individuals is used by the Company, depending on their business relationship with the Company (ie as customer, employee or supplier). Copies of these documents are available on request or via the Company's website.

If an individual makes a request relating to any of the rights listed above, the Company will consider each such request in accordance with all applicable Data Protection laws and regulations.

All individuals who are the subject of personal data held by Greenhalgh's Craft Bakery Limited are entitled to:

ask what information the Company holds about them and why

ask how to gain access to it

be informed how to keep it up to date

be informed how the company is meeting its data protection obligations.

Data Subjects have the right to require the Company to correct or supplement erroneous, misleading, outdated or incomplete Personal Data.

If an individual contacts the Company requesting information relating to personal data held about themselves, this is called a Subject Access Request or SAR. Subject Access Requests should be made in writing or by email, addressed to the Data Protection Team, which is responsible for handling them (see Responsibilities above). A request received by the IT Manager or any other employee must be passed to the Data Protection Team without delay, as the statutory time limit runs from the date the Company receives the request. The Company will respond without undue delay and in any event within one month of receipt.

The Company will always verify the identity of anyone making a Subject Access Request (required to be the Data Subject or their authorised legal representative) before handing over any information.

An administration fee will not usually be charged for considering and/or complying with a Subject Access Request; however, the Company reserves the right to charge a reasonable fee, or to refuse to act on the request, where the request is manifestly unfounded or excessive in nature (for example, because it is repetitive).

Where a request is complex or the Company has received a number of requests from the same individual, the one-month period may be extended by up to two further months; the Data Subject will be told of any extension, and the reasons for it, within the first month. If the Company cannot respond fully to the request within one month, the following information will be provided to the Data Subject, or their authorised legal representative, within that time:

  • an acknowledgement of receipt of the request
  • any information located to date
  • details of any requested information or modifications which will not be provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision
  • an estimated date by which any remaining responses will be provided
  • an estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature)
  • the name and contact information of the representative of the Company who the Data Subject should contact for follow up.

Situations may arise where providing the information requested by a Data Subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person's rights.

Data Removal

In accordance with their rights under GDPR as outlined in the section above, individuals have:

  • the right to be forgotten (data erasure) by having their personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it; and
  • the right to restrict processing of their personal data, for example, if they consider that processing is unlawful or the data is inaccurate.

However, the Company may be required for legal, medical or other legitimate business reasons to retain records despite a request to restrict processing or erase data. Examples of this may be in the form of accident reports and health surveillance records, records related to where a dispute has occurred or where the Company is required by law to report certain types of information. Reference should be made to the Company's Records Retention Checklist. In such cases, where it is not legitimately possible to restrict or erase certain personal data, the individual (or their authorised legal representative) will be provided with the reason(s) for the refusal.

Children's Data

Where consent is relied upon, a child below the age at which they can lawfully give consent (under UK law, 13 for online services offered directly to a child) cannot consent to the processing of their Personal Data, and consent must instead be sought from the person who holds parental responsibility for the child. Children have the same rights as adults over their personal data.

The Company will undertake to review available age verification and parental responsibility verification mechanisms to ensure it uses appropriate current technology to reduce risk in the processing of children's personal data.

Complaints

A Data Subject also has the right to complain if they are unhappy with the way their information is being handled, or if they believe the Company has not complied with their Data Protection rights. Complaints should be submitted, in writing, to the Data Protection Team or a Board Director. An investigation of the complaint will be carried out within a reasonable period and to the extent that is appropriate based on the merits of the specific case.

If the individual remains dissatisfied with the response received from the Company in relation to GDPR, they have the right to lodge a complaint with the Information Commissioner's Office online (https://ico.org.uk/), via phone (0303 123 1113) or at Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Data Breaches

Any individual who suspects that a Personal Data Breach has occurred (that is, any accidental or unlawful loss, theft, destruction, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data) must immediately notify the Data Protection Team, by phone, email, in person or in writing, providing a description of what occurred, when it was discovered and what data is believed to be affected.

The Company will investigate all reported incidents to confirm whether or not a Personal Data Breach has occurred. If a Personal Data Breach is confirmed, the Company will follow the relevant authorised procedure in compliance with GDPR, including notifying the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals, informing the affected individuals without undue delay where the breach is likely to result in a high risk to them, and recording the facts of the breach, its effects and the remedial action taken. Prompt internal reporting is essential because the 72-hour period runs from the moment the Company becomes aware of the breach.

Further Information

For more information relating to GDPR and the rights of individuals, contact the Information Commissioner's Office or visit their website: www.ico.org.uk.

For further information regarding Company policy on GDPR, data privacy and protection and related and supporting documentation, speak to a member of the Data Protection Team.

Policy Changes

The Company reserves the right to update or amend this Policy from time to time and where there are changes or updates to legislation and/or best practice guidance. Please contact the Data Protection team in relation to any queries.