Bruntsfield Community Greengrocers Ltd (Dig-In Bruntsfield) collects personal information relating to a variety of data subjects during the course of our activities, from Supporters Account holders and shop volunteers through to attendees at events who sign up for our newsletters, and shop staff. Here we describe the types of personal information that Dig-In Bruntsfield is likely to collect, how we collect and process personal information and the rights of data subjects as outlined by the UK Data Protection Act (DPA, 2018).
What types of personal information is Dig-In Bruntsfield likely to collect?
Dig-In Bruntsfield may collect different personal details to allow us to identify that person as an individual. Depending on your relationship with Dig-In Bruntsfield, these details may include the following:
- first name
- phone and mobile numbers
- email address
- age category
- date of birth
- information necessary for legal compliance (including details of ethnicity or disability access requirements)
- payment information (such as bank account, debit or credit card details)
- newsletter preferences
- reason/s for contacting us (such as requests or enquiries)
- opinions, preferences, feedback, complaints, comments and/or suggestions (including comments made on our social media pages)
- employment related information
- personal reference information
- emergency contact information
In accordance with DPA 2018, Dig-In Bruntsfield endeavours to collect personal information directly from the data subject and will use all such information solely for the predefined purpose/s for which that information has been provided.
Dig-In Bruntsfield may collect information from and/or combine any personal information which has been provided by a data subject with other sources when it is lawful to do so and when so doing is likely to enhance the efficiency and relevance of the services that we provide. Such sources may include:
- individuals and/or organisations whom you have confirmed may provide us with personal information;
- government, tax or law enforcement agencies;
- referral agencies
Dig-In Bruntsfield may also on occasion collect and use sensitive personal information, such as that given in a volunteer form, which may indicate any special requirements or consideration needed. In all such instances, however, we will ask you to provide the necessary details only. In all cases, we will collect this type of information only with your clear consent. Should you provide us with any sensitive personal information in any instance, you will be deemed to have consented to our collection and use of that information.
How does Dig-In Bruntsfield collect personal information?
Dig-In Bruntsfield collects personal information through one or more of the following:
- our actual shop – through information submitted by paper form or verbally
- websites as may be updated and/or extended from time to time, including our website www.diginbruntsfield.co.uk
- other online/mobile interactive features
- official social media pages (which may be provided in partnership with a third party social media platform such as Facebook or Twitter where other privacy policies and practices will apply)
- communication channels (i.e. phone, SMS/text message and email).
The personal information collected may be stored in electronic and/or hard copy formats.
How does Dig-In Bruntsfield use personal information?
Dig-In Bruntsfield may use personal information for a variety of purposes, depending upon the data subject’s relationship with Dig-In Bruntsfield and any specific service(s) that have been requested. Dig-In Bruntsfield will use personal information for one or more of the following purposes:
- to enable the data subject to take part in and/or use an aspect of our community business (e.g. Supporters Accounts, Shareholder, Volunteer)
- to respond to, action and/or deal with the data subject’s feedback, requests and enquiries
- to manage and improve services
- to send the data subject communications (including e-mail newsletters) with his/her consent where required
- to invite the data subject to provide feedback, assist with surveys and input into consultation exercises
- to provide the data subject with administrative information and/or service announcements and updates (including changes to our policies and terms)
- to ensure our records are accurate and up to date
- to fulfil any contractual obligations assumed by Dig-In Bruntsfield (e.g. managing Supporter Payments)
- to comply with our legal obligations and to perform our statutory and public functions and duties
- to enforce our rules and policies
- to ensure the data subject’s safety and the security of our premises
- to establish, defend or exercise our legal rights
- to comply with orders and requests received from public, regulatory, governmental and judicial bodies
- to comply with our legal, regulatory and internal governance obligations (e.g. record retention policies)
Personal information will, however, be processed if and only if one or more of the following conditions has been satisfied:
- The data subject has provided informed, unambiguous consent for his/her information to be used for a specified purpose/s
- It is necessary for the purposes of Dig-In Bruntsfield’s legitimate interests;
- Dig-In Bruntsfield is under a legal obligation to do so (e.g. for equality monitoring, employment or health and safety purposes);
- It is in the public interest and required in the performance of our duties
Personal information will be made available to members of Dig-In Bruntsfield’s staff and Management Committee who need to see it in order to perform their role and responsibilities in respect of the services and aspects of the community business that have been requested and/or agreed upon. Information may be held in our company computers and paper file system to manage details of a data subject’s contact with Dig-In Bruntsfield.
Volunteers will have access to some personal information relating to their shop duties (such as processing supporters’ card payments or supporting in marketing and communication activities); however they are bound by the Volunteer Policy to only use personal information acquired during Dig-In Bruntsfield duties for the purposes of the role and not share this information outside the organisation.
Does Dig-In Bruntsfield share personal information with third parties?
Personal information will not be shared outside Dig-In Bruntsfield’s operations without explicit consent from the individuals involved.
How does Dig-In Bruntsfield keep personal information safe?
Dig-In Bruntsfield takes all possible steps to protect the security of personal information in accordance with our legal obligations with information being stored either in secure storage or electronically in software which is password protected and made accessible to staff or Management Committee on a need-to-know basis only.
Please note, however, that Dig-In Bruntsfield cannot guarantee the security of the transmission of personal information via the internet. All personal information should therefore be submitted online if and only if the data subject accepts the incumbent security risks.
For how long will Dig-In Bruntsfield retain personal information?
Dig-In Bruntsfield will keep personal details on record until we have dealt completely with a data subject’s request or enquiry, or until the data subject has stopped participating in relevant aspects of our community business and then for a reasonable period over 5 years thereafter in accordance with data protection and other legislation as set out in Dig-In Bruntsfield’s GDPR Table.
Should Dig-In Bruntsfield decide that the retention of personal information is no longer necessary, all such information will be destroyed/deleted in a secure and confidential manner.
What rights do data subjects have in relation to personal information?
Data subjects are entitled to request:
- If and how their personal data is being collected and processed;
- A description of the nature of the personal data that is being collected and processed;
- Copies of, and/or to access their own personal information (see How do I make a subject access request? below);
- That their personal information be corrected and/or amended where inaccurate or incomplete;
- That their personal data be deleted or that Dig-In Bruntsfield stop using their personal data where there is no longer a need to do so;
- That Dig-In Bruntsfield stop sending email newsletters and communications.
How do I make a subject access request?
A subject access request should be submitted in writing to Dig-In Bruntsfield’s Data Protection Officer via firstname.lastname@example.org or to The Data Protection Officer, Dig-In Bruntsfield Community Greengrocer, 119 Bruntsfield Place, Edinburgh EH10 4EQ.
Dig-In Bruntsfield may require an individual to verify her identity and/or further details to locate the required information but will endeavour to respond to all such enquiries within one calendar month once the necessary information has been provided.
Where a subject access request is likely to result in the disclosure of personal information relating to a third party, Dig-In Bruntsfield will require that third party consent to the disclosure. If consent from that person cannot be obtained, the subject access request may be denied.
What action(s) will Dig-In Bruntsfield take in response to a personal data breach?
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In instances where a data breach is likely to endanger the data subject’s rights or freedoms, Dig-In Bruntsfield will notify the ICO within 72 hours of becoming aware of the breach by completing and submitting a Data Protection Breach Notification Form (https://ico.org.uk/media/for-organisations/documents/2666/security_breach_notification_form.doc) and will record the breach in Dig-In Bruntsfield’s Data Protection Breach Log. Both documents will state:
- The date and time of the breach (or an estimate)
- The date and time that the breach was detected
- Basic information about the nature of the breach
- Basic information about the personal data concerned
- The effects of the breach
- Any remedial action taken
Whenever possible, they will also include:
- Full details of the incident,
- The number of individuals affected and its possible effect(s) on them,
- The measure(s) taken to mitigate those effects, and
- Details of Dig-In Bruntsfield’s notification of the breach to affected data subjects.
If these details are not yet available, Dig-In Bruntsfield will provide them or an indication of the likely timescale required to provide them to the Information Commissioner’s Office (ICO) by completing and submitting a second notification form within 3 days of the initial notification.
If a personal data breach is likely to affect the personal data or privacy of Dig-In Bruntsfield’s data subjects, Dig-In Bruntsfield will notify them of the breach without unnecessary delay, detailing:
- Dig-In Bruntsfield’s name and contact details
- The estimated time and date of the breach
- A summary of the incident
- The possible effect(s) that the breach could have on the individual
- The measures taken by Dig-In Bruntsfield to address the breach
- How the affected individuals can mitigate any possible adverse impact of the breach
Who should I contact for further information?
For further information relating to Dig-In Bruntsfield and data protection, please contact Dig-In Bruntsfield’s Data Protection Officer via email@example.com.
Last revised May 2018