NB: LIVE DOCUMENT - this policy content will change as we achieve our duties
This policy describes the strategy of Shillingford Organics with regards to the General Data Protection Regulation (GDPR) that came into force on 25th May 2018.
Shillingford Organics collects some personal information from members of the public for specific reasons, primarily to inform people, through a Newsletter, of events and activities in the local area according to their interests. Shillingford Organics also collects personal details from customers to process orders.
1. LAWFUL BASIS FOR DATA PROCESSING
The six lawful bases for data processing as set out in Article 6 of the GDPR are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
The lawful basis under which Shillingford Organics processes personal data is
(6) Legitimate Interests: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
2. INDIVIDUAL RIGHTS
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
2.1 The right to be informed
Shillingford Organics has an obligation to advise individuals how their personal data will be used. This will be via a privacy statement at the time of signing up to mailing lists.
Shillingford Organics takes your privacy seriously and will only use your name and email address to send you emails at your request. Your information will not be used for any other purpose, will not be shared with any other party and you can request to unsubscribe at any time. You also have the right to object if you believe emails from us contain inappropriate material for this mailing list.
Identity and contact details of the controller:
Purpose of data processing and the lawful basis:
The purpose for holding the names and email addresses of subscribers is to send subscribers newsletters as specified at the time of subscribing.
The lawful basis is legitimate Interest.
The legitimate interests of the controller:
Shillingford Organics would like to keep subscribers to the newsletter informed about crop news, farm activities, events and any other news of interest concerning the farm or other business marketing matters.We also use mailmerges to send our customers information about changes in their orders, updates and any other business.
Categories of personal data:
Shillingford Organics will only hold the name and email address of the subscriber for the purposes of Shillingford Organics’ Newsletter emailing list. Shillingford Organics may request further information for specific events. The same controls will apply to all data supplied.
Any recipient of the personal data:
The personal data will be stored in a secure database and will only be accessible by mailing list administrators.
Details of transfer to third party and safe guards:
Personal data will not be transferred to any other location or to any other third party.
Personal data will be held from the time of subscribing to the mailing list until such time that the subscriber removes themselves from the list by unsubscribing.
The right to withdraw consent at any time:
Every subscriber has the right to remove themselves from the mailing list at any time by unsubscribing.
2.2 The right of access
Individuals have the right to confirmation that their data is being held by Shillingford Organics and to receive a copy of the information stored. This can be provided free of charge by emailing us.
2.3 The right of rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This can be achieved free of charge by emailing us and must be actioned by Shillingford Organics within one month of the request.
2.4 The right to erasure
An individual can request the deletion of their information by unsubscribing from the mailing list by emailing us.
2.5 The right to restrict processing
An individual can request that we cease sending emails to them. Due to the limited data held, this will be treated in the same way as 2.4. Should an individual wish to begin receiving emails again, they should subscribe to the mailing list again as a new user.
2.6 The right to data portability
Due to the limited data held (name and email address), this can be covered by 2.2 whereby a full copy of information held by Shillingford Organics will be provided to the individual via email.
2.7 The right to object
An individual has the right to object should they consider the emails to contain inappropriate material for the mailing list..
2.8 Rights related to automatic decision making and profiling
No automatic decision-making or profiling is currently carried out on the personal data held by Shillingford Organics.
3. ACCOUNTABILITY AND GOVERNANCE
The Administrator acts as the Data Protection Officer and in the event this role is vacant, the Business Owner will assume responsibility.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It requires that appropriate technical or organisational measures are used.
The 'Shillingford Organics Newsletter List' data will be held in a secure database, currently MailChimp and will only be accessible by mailing list administrators.
In particular we will: observe the conditions in the Act regarding the fair collection and use of personal information (please see below regarding personal information collected via our website); meet our legal obligations to specify the purposes for which we process personal information; collect and process appropriate personal information, only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirement; ensure the accuracy of any personal information kept by us; apply checks to determine the length of time personal information is held by us; ensure that the rights of people about whom personal information is held, are able to be exercised under the Act; take appropriate technical and organisational security measures to safeguard personal information.
We collect personal information from visitors to this website when you request a specific service, such as our email newsletter, through the use of online forms, and every time you email us your details. We also collect information about the transactions you make when you buy tickets or donate, including, potentially, details of the payment cards used.
We collect additional information automatically each time you visit our website:
- Your server address (for example 987.654.32.1)
- The date and time of the visit to the site
- The pages accessed
- The previous site accessed
- The type of browser used
- Your operating system (for example Apple Mac, Windows etc
Use of personal information
We process personal information collected via this website exclusively for the following purposes:
- Dealing with your inquiries and requests
- Administering orders
- Maintaining information as a reference tool or general resource
- Carrying out market research campaigns