Sandys is committed to your privacy, so we wanted to let you know how we gather, use, store and share your personal data that you share with us.
Who we are:
We are Sandys Fishmongers. For the purposes of this notice, the term ‘we’ encompasses all those employed by us to carry out our business, either directly or as external contractors.
Our Contact Details:
If you have any questions about this Privacy Notice, please contact: firstname.lastname@example.org
1. Privacy laws
The processing of your personal data is governed by the UK General Data Protection Regulations (GDPR), as enacted by the Data Protection Act 2018.
2. The capacities in which we process data
In providing you with our products and services, we act as a controller of personal data (as defined by Article 4(7) GDPR) with respect to any processing for which we determine the purpose and means. This includes data that we obtain from you in order to facilitate the administration of our business relationship, the delivery of our products and the fulfilment of any contract with you.
1. The purpose of this privacy notice is:
To inform you about our processing of your data as a controller, in accordance with the ‘transparency’ requirement of Article 13 GDPR.
2. The types of personal data we collect
The personal data we use may include, but is not limited to:
• Your name, address and contact details, including email address and home and mobile telephone numbers;
• Personal preferences and requests;
• The terms and conditions of a contract with us for the provision of our products.
3. How we collect the personal data
Data might be collected through:
• Electronic, written or verbal correspondence with you; or
• Meetings in person.
Should we collect data relating to you from any other source, we shall inform you of that processing as soon as practicable.
4. Providing your personal data
We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide products and services to you.
5. What we use your personal data for
Provision of our products and services
• To deliver our products and services at your request;
• To administer the ‘Sandy’s Catch Rewards’ loyalty programme;
• As necessary to support a contract with you and to allow us to receive full payment for our services and products;
As necessary for our own legitimate interests or those of other persons and organisations, subject to your rights and freedoms as a data subject:
• To allow us to conduct marketing activities, subject to your rights under applicable laws;
• For surveys of client experience and quality of our services;
To comply with a legal obligation:
• When you exercise your rights under data protection law;
• For the establishment and defence of legal rights;
• To investigate complaints, legal claims and data protection incidents.
6. The legal basis for processing
In providing you with professional services, we will process your personal data under Article 6 (1)(b) of the UK General Data Protection Regulations, on the legal basis that processing is necessary for the performance of a contract for the provision of our services or products, or to effect an online purchase from our website.
In addition, we may process your personal data on the following legal bases:
• Consent: where you give your consent for the processing – Article 6 (1) (a);
• Legal obligation: the processing is necessary for compliance with a legal obligation – Article 6 (1)(c);
• Vital interests: the processing is necessary to protect someone’s life – Article 6 (1) (d);
• Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third-party – Article 6 (1) (f). In such cases, the legitimate interest of the processor will be balanced against the rights and freedoms of the data subject to ensure no detriment is caused to the latter.
7. Sharing of your personal data
Subject to applicable data protection laws we may share your personal data with:
• Other organisations necessary for the provision of our services and who require your data in order to meet that requirement;
• Our legal and other professional advisors;
• Fraud prevention agencies, credit reference agencies, and debt collection agencies;
• Government bodies and agencies in the UK and overseas (e.g. HMRC) who may in turn share it with relevant overseas tax authorities and with regulators including the Information Commissioner’s Office;
• Courts, to comply with legal requirements, and for the administration of justice;
• In an emergency or to otherwise protect your vital interests;
• To protect the security or integrity of our business operations and other clients;
• Payment systems and providers; and
• Any other party where we have your consent or as required by law.
8. Transfer of personal data
We do not envisage that your data will be transferred for processing to any jurisdiction outside the UK. However, in the event that such transfers do occur, and where such processors are located in a country which is not deemed by the United Kingdom to have adequate privacy standards (as defined within the Data Protection Act 2018), the transfer will be subject to a legal instrument providing appropriate safeguards in accordance with Article 46 GDPR.
9. How long do we keep your data?
We will take steps to erase payment data held by us as soon as it is no longer required. Data relating to taxation will be kept for five years from the end of the tax year to which the data relates. We may retain your contact information for an indefinite period in order to facilitate any subsequent business transactions between us or to allow us to conduct marketing activities. You are able to withdraw your consent for that processing at any time and to exercise your rights as described in Section 10. We may also retain your data where any of the following apply:
• Retention in case of queries. We will retain your personal data as long as necessary to deal with any outstanding queries you may have;
• Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us or, in the event of such a claim, until that matter is complete. This includes data which relates to our professional services and indemnity insurance; and
• Retention in accordance with legal and regulatory requirements.
10. Your rights under applicable data protection law
Your rights are, where applicable:
• The right to be informed about processing of your personal data;
• The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
• The right to object to processing of your personal data;
• The right to restrict processing of your personal data;
• The right to have your personal data erased (the “right to be forgotten”);
• The right to request access to your personal data and information about how we process it;
• The right to move, copy or transfer your personal data (“data portability”); and
• Rights in relation to automated decision-making including profiling
You may exercise these rights by contacting us using the details given at the top of this Notice.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
11. How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us using the details given at the top of this Notice. You can also complain to the Information Commissioner’s Office if you are unhappy with how we have used your data:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Stipulations for acting in the capacity of a data processor
The data we process under 2(b) above will consist of data provided to us by you as its controller, in order that we may carry out processes specified by you. Where such data relates to other data subjects (your employees, contractors, clients or others) we will process it on the understanding of your compliance with the provisions of the GDPR and, in particular, that:
• You have met the transparency requirements of Article 13 GDPR in respect of informing those data subjects about your sharing of their data with us and our processing of it; and
• You have established and documented legal bases for the processing of their data and, in particular, any special category data. Where such legal bases include the consent of the data subject, you have obtained, and documented, informed and freely given consent.
In acting as a data processor on your instructions, we confirm that we shall respect the privacy rights and freedoms of those data subjects whose data you share with us. In particular, and in accordance with the requirements of Article 28 GDPR, we shall:
• Only act on your documented instructions, unless required by law to act without such instructions or it is in the vital interests of the data subject to do so;
• Ensure that people processing the data are subject to a duty of confidence;
• Take appropriate measures to ensure the security of processing;
• Only engage a sub-processor with your prior authorisation and under a written contract which contains all of the technical and organisational measures necessary to ensure compliance with these stipulations and any other GDPR requirement relevant in the circumstances;
• Take appropriate measures to assist you to respond to requests from individuals to exercise their rights under GDPR;
• Taking into account the nature of processing and the information available, assist you in meeting GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
• Delete or return all personal data to you (at your choice) at the end of the contract, unless the law requires its storage; and
• Submit to audits and inspections.