Data Protection Policy
This Data Protection Policy (this “Policy”) sets out how Merchant Gourmet (“we”, “us”, “our”) handle the Personal Data we Process in the course of our business activities.
This Policy applies to all Merchant Gourmet employees and workers (“Personnel” “You”, “Your”). Your compliance with this Policy is mandatory. Any breach of this Policy may result in disciplinary action.
This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”).
- Policy Statement
Merchant Gourmet recognises the importance of respecting and protecting the privacy of individuals with whom We work, including our employees, customers, suppliers and other third parties. We are committed to the fair, lawful and transparent Processing of Personal Data and to respecting the rights of individuals whose personal information We Process.
- Scope & Responsibilities
This Policy applies to all Personal Data Processed by Merchant Gourmet whether held in electronic form or in physical records, and regardless of the media on which that data is stored. All Personnel are required to read, understand and adhere to this Policy.
Merchant Gourmet is responsible for implementing and enforcing this Policy. All line managers are responsible for ensuring that Personnel under their management are made aware of and adhere to this Policy.
The Data Protection Officer is responsible for monitoring compliance with this Policy, with associated policies and procedures and with the GDPR. The Data Protection Officer’s contact detail are as follows: firstname.lastname@example.org
If you have any questions about this Policy or about data protection at Merchant Gourmet, you should contact email@example.com
“Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Special Category Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Data Protection Obligations
Merchant Gourmet is committed to adhering to the data protection principles set out in the GDPR and shall Process Personal Data strictly in accordance with this Policy.
a) Lawful, Fair & Transparent Processing
Merchant Gourmet will only Process Personal Data where it is lawful for us to do so in accordance with the GDPR. We will only Process special category Personal Data where is it lawful for us to do so and where permitted by the GDPR.
Data Subjects must be provided with information notifying them of the purposes for which Merchant Gourmet will Process their Personal Data (a “Privacy Notice”). When Personal Data is obtained directly, the Privacy Notice shall be provided to the Data Subject at the time of collection. When Personal Data is obtained indirectly, the Privacy Notice shall be provided to the Data Subject no later than one month after obtaining the Personal Data.
Privacy Notes must include information required by the GDPR at Articles 13 and 14 including (without limitation) the identity and contact details for the data controller and, where applicable, it’s data protection officer; the purpose(s) for which the Personal Data is being collected and will be Processed; the legal basis justifying collection and Processing and details of the length of time the personal data will be held (or, where there is no predetermined period, details of the criteria used to define that period).
b) Purpose Limitation
The Processing of Personal Data must match the description given in the Privacy Notice. Where the lawful basis for Processing is Merchant Gourmet’s legitimate interests, we may only Process the Personal Data if our legitimate interests are not outweighed by the interests, rights and freedoms of the Data Subjects in question.
c) Data Minimisation
We must collect and Process no more Personal Data than is strictly necessary for the purposes of the Processing (“data minimisation”) as set out in the Privacy Notice provided to the Data Subject and ensure that data minimisation continues to be applied throughout the lifetime of the Processing activities.
We must ensure Personal Data is kept accurate and up-to-date. The accuracy of Personal Data must be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out-of-date information is found, all reasonable steps are to be taken without delay to amend or erase that information, as appropriate.
e) Storage Limitation
Personal Data must not be kept for any longer than is necessary for the purpose for which that data was originally collected. When the data is no longer required, all reasonable steps must be taken to securely dispose of it without delay.
f) Integrity & Confidentiality
Personal Data must be kept secure and protected against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
Merchant Gourmet is responsible for meeting and demonstrating compliance with it’s data protection obligations as set out in the GDPR.
a) Records of Processing
Where required to do so by the GDPR, we will keep written internal “Records of Processing Activities” in respect of all Personal Data collection, holding, and Processing. Our Records of Processing Activities shall incorporate the information required by the GDPR at Article 30.
b) Data Protection Officer
Where required to do so by the GDPR, we will designate a suitably qualified and experienced Data Protection Officer.
c) Data Protection by Design
We will implement data protection by design and by default when Processing Personal Data. This will include implementing suitable organisational and technical safeguards to reduce the risks to Data Subjects associated with our Processing activities. Safeguards will be implemented during the design, implementation and lifetime of Processing activities. Organisational safeguards shall include awareness training for all personnel and suitable policies and procedures relating to the Processing of Personal Data.
d) Data Protection Impact Assessments
We will carry our Data Protection Impact Assessments where the risks to Data Subjects of a Processing activity are high, or as otherwise required by the GDPR at Article 35 or by the Information Commissioner’s Office (“ICO”) in its DPIA guidance.
e) Data Processor Contracts
Where we utilise a data processor, we will put a binding contract in place between Merchant Gourmet and the data processor to include, as a minimum, the contract terms required by the GDPR at Article 28.
- Data Subject Rights
In addition to the right to be informed, which is facilitated by providing Privacy Notices as set out above, the GDPR grants specific rights to data subjects in respect of the personal data collected and Processed by Merchant Gourmet as a data controller.
a) Right of Access
More commonly known as Subject Access Requests or “SARs”, Data Subjects have the right to request and obtain from information relating to, and to receive a copy of, their Personal Data.
b) Right to Rectification
Data Subjects have the right to obtain the rectification or completion of inaccurate or incomplete Personal Data concerning him or her.
c) Rights to Erasure, Restriction, Data Portability and to Object
In certain circumstances and, in some cases, subject to specific exceptions, Data Subjects have the right to:
- Obtain the erasure of Personal Data concerning him or her;
- Obtain the restriction of Processing of Personal Data concerning him or her;
- Obtain the Personal Data concerning him or her, which he or she has provided to us as a data controller, to transmit to another data controller without hindrance to have us transfer the personal data directly to another data controller where technically feasible;
- Object at any time to Processing carried out in our legitimate interests, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or carried out for direct marketing purposes.
d) Automated Decision Making
Data Subjects have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal or similarly significantly affects concerning him or her.
e) Facilitating Data Subject Rights
Merchant Gourmet is required to provide information on the action we have taken to facilitate a request or, where applicable, the reasons for not taking action (and the data subject’s right to lodge a complaint with the ICO and to seek a judicial remedy) within one month of receipt of the request. The GDPR permits us to extend this period by a further two months in certain circumstances.
Because of the importance of facilitating data subject rights and to ensure we meet the deadlines for responding to requests, you must communicate receipt of a request from a data subject to exercise their rights without delay, by sending an email with details of the request to firstname.lastname@example.org
- Retention & Disposal
Personal Data shall not be retained for longer than is reasonably required [and in any event, only for as long as set out in the Merchant Gourmet retention schedule].
Once Personal Data records have reached the end of their life, they must be securely destroyed in a manner that ensures that they can no longer be used. Hard drives of redundant computers should be removed and destroyed before disposal if they have been used to hold Personal Data.
- Security, Integrity & Confidentiality
Merchant Gourmet shall implement appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of Personal Data. Such measures shall be proportionate to the risks to Data Subjects associated with the Processing activities in question, and shall include (without limitation):
- Encryption and pseudonymisation of Personal Data where appropriate;
- Policies relating to information security, including the secure Processing of Personal Data;
- Information security awareness training, including the secure handling of Personal Data;
- Business continuity and disaster recovery capabilities to ensure the ongoing availability of and access to Personal Data; and
- Processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented to ensure the security of the Processing.
- Data Breach Notification
Personal Data breaches must be reported immediately to email@example.com
The Information Commissioner’s Office must be notified of the breach within 72 hours after having become aware of it, if the breach is likely to result in a risk to the rights and freedoms of Data Subjects. Data Subjects must be notified of the breach without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
All data breaches, including those which do not require notification to be provided to the Information Commissioner’s Office, must be added to the Merchant Gourmet register of data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
- International Transfers
Merchant Gourmet will only transfer (‘transfer’ includes making available remotely) Personal Data to countries outside of the EEA where:
- The transfer is to a country (or an international organisation), that the European Commission has determined ensures an adequate level of protection;
- Standard contractual clauses adopted by the European Commission have been put in place between Merchant Gourmet and the entity located outside the EEA;
- binding corporate rules have been implemented, where applicable; or
- the transfer is otherwise permitted by the GDPR.
- Implementation & Policy Management
This Policy shall be deemed effective as of 25/05/2018 and shall be reviewed annually and following any data breach involving Personal Data by The Data Protection Officer
|Document Reference:||Merchant Gourmet Data Protection Policy|
|Document Author:||The Data Protection Officer|
- Version & Revision History
|Version||Date||Author||Summary of Revisions|
|1.0||25.05.2018||The Data Protection Officer||n/a|