- The “Company” is granoVita UK Ltd, Oxleasow Road, Redditch, B98 0RE, United Kingdom, part of the Bell Food Group of Basel, Switzerland.
- We purchase, sell and distribute healthy free-from foods and substitutes.
- “The Company”
- “Personal Data”
- All information relating to an identified or identifiable natural person
- Any handling of personal data, regardless of the applied measures and procedures, in particular the obtaining, storage, use, revision, disclosure, archiving or destruction of data.
- “Data Controller”
- The natural or legal person, public authority, organisation or other office who is exclusively or jointly responsible for deciding on the purposes and method of processing of personal data (the company)
- “Data Processor”
- A natural or legal person, public authority, organisation or other office who processes personal data on behalf of the controller (staff or selected outside third parties)
- “Data Subject” (DS)
- A living individual to whom personal data relates. This could mean individuals, employees, applicants, customers, visitors, or members of the general public who come into contact with granoVita and may have cause to pass on their personal data to us.
- “Data Protection Officer”
- A data protection officer (DPO) is the position within the company that acts as an independent advocate for the proper care and use of customers’ information.
- GranoVita is committed to protecting every individual’s personal data. At granoVita, personal data security is one of our highest priorities and therefore we aim to be as clear as possible about what we do with personal data and why we do it.
- We are committed to ensuring our Data Protection Policies outline what information we collect about anyone, how we use it, who we may share it with, how long we keep it and how we secure it.
- We are committed to protecting the privacy of each individual and take every precaution with each person’s personal information, only ever using it in accordance with the Data Protection Act 1998 and the General Data Protection Regulation 2018.
- All data we collect will be kept securely in accordance with our respective policies. Generally, the reason for collecting this data is to enable us to process our job on behalf of the individual
- Where permitted by Data Protection and Privacy Laws we may disclose your personal information. For example, we may do this if we were required by a Government body or a Court, in connection with legal proceedings.
- We will be open and honest about the personal data we collect
- We will be legal and fair in how we process the data
- The Company are required by law to let the DS know of the legal basis for each of its activities involving their personal data
- We regularly review our processes to ensure they are accurate and up-to-date
- We will use it only for the specific purpose for which a DS gave us that data
- We will only use it for another purpose with the consent of the DS, unless there is a legal right or obligation to do so
- We will only collect, use and share your personal data if the DS gave us permission or if we have either a legal right or a legal obligation.
- We will not collect any more information than is necessary for the purpose
- We will ensure that any personal data we hold is accurate and as up-to-date as we have been informed
- We will not retain the personal data for longer than is necessary for the purpose.
- Our Retention Policies set limits on the length of time we keep personal data, depending on the type of information and the reason we are using or keeping it. Each specific process has its own retention period
- We will keep personal data secure, by ensuring it is stored in such a way that it is either password-protected, or housed in lockable cabinets
- Secure systems are in place for personal data held on IT systems, and physical documentation
- We endeavour to ensure our computer system and network are protected from viruses and attacks
- Access to the personal data of a DS is restricted to staff authorised by the Managing Director, staff who need that information to carry out their normal role
- Where it is possible, we will endeavour to anonymise the DS’ personal data so that people who access it will not be able to identify them unless they need to for their job
- We will collect and use your information only where the process involved is determined by an ‘implied consent’, where the reasons for collecting the personal data are the interests of the DS, and are required to carry out the process (for example recruitment, advertising positions), or where the DS has given us their permission [consent] where we may consider using their personal data for something other than its original intention.
- When you sign up for and use any service, send us an email, or communicate with us in any way, you are voluntarily giving us information that we collect. That information may include your name, physical address, email address, IP address, phone number, credit card information, as well as details including gender, occupation, location, purchase history, and other demographic information.
- Personal Data
- Information about individuals that we may collect and process will only be collected if it is connected with the process which it pertains to
- The information will only be requested at the appropriate time, where the process has reached a stage that would require that level of personal data.
- The information required may include various identity details, and will be requested according to the process for which it is connected, examples of which are:
- Name, address, date of birth and contact details
- Work history, bank account details etc.
- The information may only be used for that specific purpose, and no other unless consent is given by the DS.
- Sensitive Personal Data
- Information classified as ‘sensitive’ personal information e.g. relating to health, marital or civil partnership status.
- This information will only be collected and used where it is offered and used for internal processes such as payroll.
- We will not ask questions about any sensitive personal data, including information about an individual’s children, where this is unnecessary, and not required for the specific purpose.
Purpose for Processing Data
- The Act
- The GDPR states that:
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- This requirement aims to ensure that
- GranoVita UK as a company are open about our reasons for obtaining personal data, and that what we do with the information is in line with the reasonable expectations of the individuals concerned.
- This means that granoVita UK will:
- Be clear from the outset about why we are collecting personal data and what we intend to do with it;
- Comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
- Comply with what the Act says about notifying the Information Commissioner; and
- Ensure that if we wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
- The company declares the purpose or purposes for which we hold personal data on each process description, so that we can then ensure that we process the data in a way that is compatible with the original purpose or purposes.
- How Is the Purpose Specified?
- We specify the relevant purposes:
- in a “privacy notice” given to individuals at the time their personal data is collected; or
- in a “privacy notice” available to individuals at the time their personal data is collected; or
- Using Personal Data for Another Purpose
- The Data Protection Act does not prohibit this, but it does place a limitation on it: the second data protection principle says, in effect, that personal data must not be processed for any purpose that is incompatible with the original purpose or purposes.
- Where the data is to be used for a different process to the one that was first specified, we will first obtain the consent of the Data Subject.
Lawful Basis for Processing Data
- The GDPR requires that processing of all personal data is done lawfully, fairly, and in a transparent manner. There are 6 lawful bases under which each process applies. These 6 bases are:
- Legal Obligation
- Right to erasure, Right to portability, Right to object
- Vital Interests
- Right to portability, Right to object
- Public Task
- Right to erasure, Right to portability
- Legitimate Interests
- We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
- We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
- We have documented our decision on which lawful basis applies to help us demonstrate compliance.
- We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
Who We May Share Data With
- We may share DS information with third parties for the reasons outlined above
- These may be companies we have chosen to support us in the delivery of the processes that we use.
- These may involve government authorities (e.g. HMRC), solicitors, accountants etc., where the information is either legally required, or is required pursuant to the continued processing of that data, specific to its intended purpose
- We will never sell DS details to someone else. Whenever we share DS personal information, we will do so in line with our obligations to keep the information safe and secure.
- The majority of DS information is processed in the UK and European Economic Area (EEA).
- In the unlikely event that DS information is being processed outside of the EEA, we will take additional steps to ensure that the information is protected to at least an equivalent level as would be applied by UK / EEA data privacy laws e.g. we will put in place legal agreements with our third party suppliers and do regular checks to ensure they meet these obligations.
Securing & Protecting Data
- We take information and system security very seriously and we strive to comply with our obligations at all times. Any personal information which is collected, recorded or used in any way, whether on paper, online or any other media, will have appropriate safeguards applied in line with our data protection obligations.
- These safeguards will include building alarm systems, lockable cabinets with key access only to authorised personnel, and password-protected computer systems.
- DS information is protected by controls designed to minimise loss or damage through accident, negligence or deliberate actions. Our employees also protect sensitive or confidential information when storing or transmitting information electronically
- Our security controls are aligned to industry standards and good practice, providing a control environment that effectively manages risks to the confidentiality, integrity and availability of your information.
Retention of Data
- We will keep DS personal data only for as long as is required by law, or is required for its intended purpose.
- Retention periods for all personal data will be stated for each process, and the data will be destroyed thereafter.
- We may keep DS information after this period but only where required to meet our legal or regulatory obligations.
- The length of time we keep DS information for these purposes will vary depending on the obligations we need to meet.
Data Subject Rights
- The company provides individuals with information including our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with.
- We encourage requests to be made in writing, on a “Subject Access Request” form.
- This section outlines the general definitions of the Data Subject Rights under the GDPR.
- Where the Data Subject wishes to take up their “rights” under one of the headings stated below, they will be advised to complete a “Subject Access Request”, obtainable from the company’s Data Protection Officer.
- Consent must be unambiguous, freely given and specific, and data subjects should be informed of each purpose for which the data is being processed, especially if the purposes evolve over time.
- Must be ‘explicit’ for the processing of sensitive data, renamed special category data under GDPR. Explicit consent will require clear approval from the data subject e.g. a signed consent form.
- Consent needs to be obtained for each separate processing activity
- Data subjects will have the right to withdraw their consent at any time
- ‘Explicit’ consent must be received for transferring personal data outside the European Economic Area (EEA)
- A DS has the right of access to their personal information. If they wish to receive a copy of the personal information we hold on them, they may complete a “Subject Access Request” (SAR) form, by contacting our Data Protection Officer.
- If DS personal information is inaccurate or incomplete, they can request that it is corrected.
- A DS can ask for their information to be deleted or removed if there is not a compelling reason for the company to continue to have it.
- A DS can ask that we block or suppress the processing of their personal information for certain reasons.
- This means that we are still permitted to keep their information – but only to ensure we don’t use it in the future for those reasons the DS has restricted.
- A DS can ask for a copy of their personal information for their own purposes to use across different services.
- In certain circumstances, a DS may move, copy or transfer the personal information we hold to another company in a safe and secure way. For example, if they were moving their pension to another pension provider.
- You can object to Standard Life processing your personal information where: it’s based on our legitimate interests (including profiling); for direct marketing (including profiling); and if we were using it for scientific/historical research and statistics.
- A DS has the right to ask the company to:
- give you information about its processing of your personal information
- request human intervention or challenge a decision where processing is done solely by automated processes
- carry out regular checks to make sure that our automated decision making and profiling processes are working as they should.
- If the individual believes that the personal data held about them is inaccurate or out-of-date, they can contact us to ask us to correct it.
- The DS can raise any concerns they may have about our handling of their personal data by writing to our Data Protection Officer.
- If you are not happy with the outcome, you have the right to raise your concern with the Information Commissioner’s Office.
- A DS has the right to request a copy of the data the company holds about them under the Data Protection Act 1998 and the General Data Protection Regulation.
- This will be in the form of a “Subject Access Request” form, which can be requested from the company’s Data Protection Officer; a £10 administration charge applies to any request.
- If the DS is still unhappy, they can complain to the Supervisory Authority, the “Information Commissioner’s Office”.