Data Protection Policy and Privacy Notice 25.05.18
1. – Lawful basis for processing personal data
The data collected is in accordance with this lawful basis for processing:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2. – What personal data is held and how it is used
2.1 – Wild Oats (WO) requests customer contact details (phone number or email address) for special customer orders, one-offs or regular standing orders.
Consent is sought on receipt of the order. Contact details are destroyed on collection of the order, except for –
1 – postal addresses, which are kept in a file in the staffed back office for 6 months for reference for repeat orders, or until parcels are received, and
2 – separate payment details, which are shredded on receipt of payment.
These procedures are explained clearly to every customer ordering by post.
2.2 – WO requests customer contact details – phone number, address or email address – from customers opting to join the loyalty card system. Personal details are optional for joining the loyalty card system.
Additional opt-in is provided for customers subscribing to our email notifications and/or newsletters (“notification data”).
The notification data may be processed for the purposes of sending relevant notifications and/or newsletters. The legal basis for this processing is consent.
The sign-up form clearly and concisely adheres to consent opt-in regulations.
2.22 – The loyalty card system has also been accessed to contact customers in the event of personal items being left in WO.
2.3 – The WO mobile phone is used to text/call customers and staff, and also for media interfacing.
It is kept in a staffed area out of public sight, is password protected, and is used only by designated staff.
2.4 – CCTV is in operation for security purposes. Clear signs are displayed to inform customers according to guidelines. Access is available to designated staff who can assist customer enquiries.
2.5 – Personal data that we process for any purpose is not kept for longer than is necessary for that purpose or those purposes, as cited above.
2.7 – The loyalty sign-up form conforms to individual rights and consent for information given.
Customers may access, alter or have their data deleted upon request, in person or via telephone, email or other communication. Customers may withdraw from the loyalty database or change their details at any time by request. Data will be removed by authorised, delegated staff.
Exact details of the procedure can be demonstrated upon request.
3. – Disclosure
3.1 – WO may disclose your personal information if we are required by law to do so.
3.2 – Customer data can only be accessed, altered, disclosed or deleted by designated authorised staff.
3.3 – Data is not shared with any other parties.
4. – WO Data security measures include:
4.1 – Loyalty customer names, phone numbers and email addresses are held securely in a database stored by Mailchimp.
4.2 – Access to Mailchimp is password protected and used only by authorised designated staff.
4.3 – Paper loyalty system sign-up forms are securely destroyed once data is input into database.
4.4 – Password protection on any computerised files and the shop phone.
4.5 – Security controls which protect our IT systems infrastructure and our premises from external attack and unauthorised access, with regular monitoring and updates as needed.
4.6 – Internal policies setting out our data security rules for our employees, with regular training.
4.7 – Updating current measures for recording and managing consent and ensuring they are practised, and making any changes needed.
Data Protection Impact Assessments
There is no formal requirement for Impact Assessments.
Data Protection Officers
There is no formal requirement for a Data Protection Officer.
6. – Security access to shop – keyholders
Named authorised staff keyholders are kept on a list accessible by management staff.
2 additional authorised keyholders for deliveries are named by specific suppliers.
All keyholders have alarm codes for access.
7. – Staff training
Staff have training guidelines to follow when asking for and taking down customer data.
Training is given as part of induction, with ‘refresher trainings’. This covers the 8 rights of individuals in relation to data handled by the shop, and the high level of sensitivity required.
8. – Individual Rights
Procedures are in place to adhere to and ensure individuals’ rights are covered, including deletion of personal data or provision of data electronically and in a commonly used format. These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling