Lime Cross Nursery Privacy Policy 2018

Introduction

Lime Cross Nursery is committed to protecting our customer privacy and takes its responsibility regarding the security of customer information very seriously. We will be clear and transparent about the information we are collecting and what we will do with that information.

Data Controller

Lime Cross Nursery (referred to as “we”, “us”, “our” or Lime Cross Nursery” in this policy primarily refers to Lime Cross Nursery operating as a trading partnership and Wellbeing in the Wild Ltd located at Lime Cross Nursery, both registered in the UK.

This Policy sets out the following:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  1. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  1. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  1. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  1. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  1. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

What are Lime Cross Nursery lawful bases for processing your personal data?

What personal data we collect:

Personal data means any information relating to you which allows us to identify you, such as your name, contact details, payment details and information about your access to our website.

We may collect personal data from you when you purchase something from our online shop, when you subscribe to our mailing list through our website. When you join our My Garden Card loyalty card. When you participate in an event at Lime Cross Nursery. When you fill out an in store comments card, participate in a survey or competition, or when you contact us.

Specifically, we may collect the following categories of information:

  1. Name, home address, e-mail address, telephone number, health details, record of purchases you have made at Lime Cross Nursery.
  2. The communications you exchange with us or direct to us via letters, emails, chat service, calls, and social media.
  3. Location, including real-time geographic location of your computer or device through GPS, Bluetooth, and your IP Address, along with crowd-sourced Wi-Fi hotspot and cell tower locations, if you use location-based features and turn on the Location Services settings on your device and computer.

What do we use your personal data for, why and for how long? 

Your data may be used for the following purposes:

a.    Providing products and services you request: we use the information you give us to perform the services you have asked for in relation to product information, event information, information about promotions we offer.

b.    Contacting you in the event of an event being cancelled or amended, product being recalled, to provide information about our services.

c.     Credit or other payment card verification/screening: we use your payment information for accounting, billing and audit purposes and to detect and / or prevent any fraudulent activities;

d.    Administrative or legal purposes: we use your data for statistical and marketing analysis, systems testing, customer surveys, maintenance and development, or in order to deal with a dispute or claim. Note that we may perform data profiling based on the data we collect from you for statistical and marketing analysis purposes. Any profiling activity will be carried out with your prior consent only and by making best endeavours to ensure that all data it is based on is accurate. By providing any personal data you explicitly agree that we may use it to perform profiling activities in accordance with this Privacy Policy;

f.     Security, health, administrative, crime prevention/detection:  we may pass your information to government authorities or enforcement bodies for compliance with legal requirements;

g.    Customer Services communications: we use your data to manage our relationship with you as our customer and to improve our services and enhance your experience with us;

h.    Provide tailored services: we use your data to provide information we believe is of interest to you, prior to, during, and after you visit Lime Cross Nursery.

i.      Marketing: from time to time we will contact you with information regarding in store and online promotion and ancillary products via e-communications. You will also be given the opportunity on every e-communication that we send you to indicate that you no longer wish to receive our direct marketing material.

We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reasons we have collected and need to use your personal data for.

We may also process your personal data for one or more of the following:

          To comply with a legal obligation

          You have consented to us using your personal data (e.g. for marketing related uses);

          To protect your vital interests or those of another person (e.g. in case of a medical emergency);

          It is in our legitimate interests in operating as a garden centre (e.g. for administrative purposes).

Only children aged 16 or over can provide their own consent. For children under this age, consent of the children’s’ parents or legal guardians is required.

We will not retain your data for longer than is necessary to fulfil the purpose it is being processed for. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means.

We must also consider periods for which we might need to retain personal data in order to meet our legal or to deal with complaints, queries and to protect our legal rights in the event of a claim being made.

When we no longer need your personal data, we will securely delete or destroy it. We will also consider if and how we can minimise over time the personal data that we use, and if we can anonymise your personal data so that it can no longer be associated with you or identify you, in which case we may use that information without further notice to you. 

Security of your personal data: 

We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage.

We may share your personal data with:

a.    Government authorities, law enforcement bodies.

e.    Credit and debit card companies which facilitate your payments to us, and anti-fraud screening, which may need information about your method of payment.

f.     Legal and other professional advisers, law courts and law enforcement bodies in all countries we operate in in order to enforce our legal rights in relation to our contract with you;

We understand the importance of taking extra precautions to protect the privacy and safety of children. Accordingly, children under 16 will not be permitted to create a Green Card loyalty Account with us.

We have appointed a Data Protection Officer (“DPO”) to oversee compliance with this policy. You have the right to make a complaint at any time by contacting info@limecross.co.uk

The GDPR provides the following rights for individuals:

1. The right to be informed as above

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling.

The right of access – Data subject access requests (SARs)

What information is an individual entitled to under the GDPR?

Under the GDPR, individuals will have the right to obtain:

• confirmation that their data is being processed;

• access to their personal data; and

• other supplementary information

What is the purpose of the right of access under GDPR?

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.

Can we charge a fee for dealing with a subject access request?

We will provide a copy of the information free of charge (previously £10). However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. Lime Cross Nursery & Cafe may also charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.

How long do we have to comply for?

Information must be provided without delay and at the latest within one month of receipt. We will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

What if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded or excessive, because they are repetitive, we can:

• charge a reasonable fee considering the administrative costs of providing the information; or

• refuse to respond.

Where we refuse to respond to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

How should the information be provided?

We must verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically, we should provide the information in a commonly used electronic format. The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well.

The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.

The right to rectification

• The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

• An individual can make a request for rectification verbally or in writing.

• We have one calendar month to respond to a request.

• In certain circumstances we can refuse a request for rectification.

• This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR.

The right to erasure

• The GDPR introduces a right for individuals to have personal data erased.

• The right to erasure is also known as ‘the right to be forgotten’.

• Individuals can make a request for erasure verbally or in writing.

• You have one month to respond to a request.

• The right is not absolute and only applies in certain circumstances.

• This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.

The right to restrict processing

• Individuals have the right to request the restriction or suppression of their personal data.

• This is not an absolute right and only applies in certain circumstances.

• When processing is restricted we are permitted to store the personal data, but not use it.

• An individual can make a request for restriction verbally or in writing.

• We have one calendar month to respond to a request.

• This right has close links to the right to rectification and the right to object

Right to object

Individuals have the right to object to:

• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

• direct marketing (including profiling); and

• processing for purposes of scientific/historical research and statistics.