Last Updated: May 25th, 2018
Emily Crisps Ltd
Data Statement & Protection Policy
It also tells you how to exercise Your Rights, this includes the right to object, erasure, restriction to the data handling we carry out. More information regarding this has been provided in the “Your Rights 5.0” section below.
1.0 GENERAL INFORMATION
Who we are
Emily Crisps Ltd is a London based company established in 2013 within the food, snacking industry. We strive towards creating new, innovative products that also provide an alternative to traditional snacking. We believe that combining both fruit and vegetables with new flavours are the first steps in finding a solution to providing a healthier, more nutritious snacking option.
Herein this document, Emily Crisps Ltd will be referred to as the following: “Emily Crisps”, “we”, “us” or “our”.
What we do
Our primary focus is our customers. Armed with fruit and vegetable crisps, we are creating a revolution to change the way the world snacks. Since we began in 2013, we originally started with multiple fruit options, (Apple, Banana, Pineapple) across a range of sizes. Furthermore, we have expanded with a range of vegetable crisps, (Root, Bean and Sweet Potato sticks range).
Our dominant market is the United Kingdom; however, we supply into a number of other countries.
Privacy Document & Definitions
This privacy document relates to data about yourself, your devices and your interaction with us as a company.
As described by GDPR document chapter 4, article 1;
“personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
GDPR – “General Data Protection Regulation”
2.0 DATA COMMITMENTS
Our commitment to keeping your data safe
At Emily Crisps we take in to great consideration the way we obtain and store your personal information. Personal data is extremely sensitive and you have the fundamental right to know and control how your information is disclosed – this is known as ‘subject access’. In conjunction with this, Under the general data protection regulation (GDPR), we have a legal duty to protect any information we collect from you.
We take reasonable measures in order to protect your data at all times. We ensure you that across the business that, no matter where your information has been collected, that it has been stored effectively and in the safest way possible.
‘Subject Access’ – The right an individual has to obtain a copy of all the information held about them.
Why we collect your data
We collect your personal information to support either our business relationship with you, or for the purpose for responding to your queries.
Personal information you provide us includes your name, address, number, company name, email addresses and any other relevant information where required. Similarly, this may additionally include information regarding the product and service you have contacted us about.
If we have established a contractual relationship with you, we may store the relevant information regarding bank details, company names, etc in order to adhere to our agreement with you. To name a few:
- Customer Feedback/Complaints – Analysing
- To adhere to a contract – Contractual Agreement
3.0 LAWFUL PROCESSING
Under the General Data Protection Regulation act we are legally obliged to have a lawful basis for collecting and using your personal data. This means that we can only collect and use your data if:
- You have explicitly given us consent
- We have formed a contractual relationship
- It is within Emily Crisps Ltd’s “legitimate interests” to do so,
We may need to access, transfer and disclose to third parties your personal information if we are required by law to do so. We also may use your personal information as required to comply with different laws and regulations.
Conditions for Consent
In accordance to GDPR regulation Article (7), when processing is based on consent, the data collected can only be processed after consent has been made. After which, we will store this information in order to demonstrate that you have agreed for your data to be processed (article 7, (1)). In conjunction with this, we will always ensure to be as unambiguous, specific and informative as possible regarding to what you are agreeing to, and what this data will be used for.
Where you have provided your consent, we aim to keep a detailed documentation to ensure clarity and transparency to what you have consented to, what we have told you, and when, how you have provided consent.
Furthermore, we guarantee that you have the legal right to withdraw your consent at any time (Article, 7 (3)). Information regarding this has been further developed in this document under Your Legal Rights (5.0)
In many cases it may not be both practical and appropriate to ask an individual for consent. In this situation, Article 6 (1)(F) states that consent is not needed for processing if this personal data is collected for a legitimate business interest. In conjunction with ‘lawful processing’ this has to ensure that the individual is still treated fairly and in no way of breach of your individual rights.
Our Legitimate Interests in data collection – Improvement & Development
Our desire to process your data stems from the strive towards creating a better product and service for you as an individual. In order to do this, we need to analyse trends, and patterns.
Below is our legitimate interests in handling your data without your consent:
- Analysis of data regarding our products and services. This can be in the form of either complaints or queries. This is form of data collection only occurs when you are in contact with us.
- Our website will collect data regarding behavioural patterns/statistical data. This will be collected via cookies and log data – and through the Google Analytics tool.
- To adhere to a contractual agreement – any relevant information needed
Response to Your Requests
To respond to your requests for product information or to any other communication you initiate. In many cases if you have initiate contact with us via any platform stated further below in Data Handling (4.0), we may have to store your data in order to respond to your requests.
On occasion we will process your personal data to facilitate our business dealings with you. This includes the following:
- To process any business transactions with us, and any relevant information needed for this
- To process your data in order to register yourself as a user of these products and services
- To communicate with yourself about any ongoing updates or progression of your pending product or service order
- To respond to your requests in regards to our products and services
- To notify you of any changes that could change our relationship with you
Compliance with Law and Public Safety
To assist in any investigation of suspected illegal or wrongful activity. To protect and defend our rights and property, or the safety and rights of third-parties. This section is further developed later in this privacy document.
4.0 DATA HANDLING
How we collect this data
We receive feedback from you across multiple platforms. Generally, you may choose to connect with us through various social media platforms, for example, Facebook, Twitter, Instagram etc (“Social Networking Service” or “SNS”). Some of our handles have been presented below:
- HelloEmily@emilycrisps.com / firstname.lastname@example.org
- Instagram - @emilycrisps
- Twitter - #emilycrisps
- Website (www.emilycrisps.com)
These channels are usually redirected through email@example.com. However, occasionally when you connect using your SNS account, we may collect your personal data that you have provided in conjunction with that SNS account. For example, if you have directly sent us a message via Twitter but have not emailed helloemily we will still collect this data as it is in our “legitimate interest” to do so.
At this point, we will begin to arrange and store this data. On occasion we will store data of customers through social media platforms, mainly for the purpose of product send-outs and to respond to your queries.
Whenever you use or interact with our website, we will store information referred to as “Usage Information”. This data will further be used for analysis purposes. The purpose of this analysis is to ensure that we are providing you with the best information and to improve your experience with our website. We analyse this “Usage Information” from all visitors:- this “Usage Information” includes-
- The characteristics of your browsing device, brand, operating system and hardware, the mobile network information and potentially location services
- The specific time of day and the duration of your visit
- The interaction with our web pages, and any links you have clicked on inside our website.
- Any other relevant information from IP addresses etc.
How the Online Website collect your data:
The website collects information through ‘cookies’. We only collect information that we believe will be beneficial in analysing for purposes that will be further explained later in this document.
Ultimately, cookies enable us to understand you as a customer in a safe and private way. Knowing selective information about yourself enables us to enhance the user’s experience in the future.
If you prefer not to share your cookie data with us, you can instruct your browsers to refuse all cookies. However, if you do not accept cookies, you may be unable to use some portions of our service.
Similarly, Log Data is also collected when you visit our website. This log data may include information such as your IP, browser type, browser version, the pages of our service that you visit and the time, date of your visit. (and any other additionally statistical information)
Third-Party & Service Providers:
Please be advised, that we do employ a third-party company to facilitate our service, to provide the service on our behalf, to perform hosting related services or to assist us in analysing how our service is used.
Why we collect this data
The following section is in regards to our Customer Feedback Data collection policy. We collect data regarding consumers feedback. Whether this is in the form of a complaint or a general query regarding either our products or services. In general terms, this data collected from both online websites and ‘SNS’ accounts are used for processing purposes. To name a few:
- This data is used analysed in order to fully understand the scope of the feedback. To ensure we are fully focused on providing the best service for our customers.
- This data is used to ensure tracking of when the feedback was made, it’s context, and finally to track our communication with yourself.
- To process and search for any trends, patterns in reasons for complains.
The information collected from our website is for analysis on multiple performance indicators. It helps us monitor and measure for better user experience.
What types of information we collect
On occasion Emily Crisps will collect several types of personal information including, names, addresses, telephone numbers, email address. This data is collected under the ‘legitimate interests’ for purposes that we consider necessary for processing. This can be collected by our website, but usually given by the individual for a legitimate purpose.
Sensitive information, such as race, ethnic origin, political opinions will not willingly be collected by us. If we somehow find that we have collected this data, we will immediately contact the relevant people, to ensure that this data will be removed.
How we use this information
It has now been established that your information is collected from your online activity on our website, and or your complaint or query through an ‘SNS’ platform. The information given at this point will now be used for processing in the following way.
We will begin arranging data from yourself and other individuals. Then we will begin processing through the necessary analysis platforms. At which point we will start to build a database around this data and begin delving deeper into extracting the relevant data needed to illustrate multiple performance indicators.
An example of this would be our customer performance indicators. We can determine whether a certain SKU requires greater attention in quality, quantity etc. It is for this reason we can decipher to make adjustments to our products and services.
Information Security & Data Integrity
We take sensible measures to protect your information whilst in our possession. We routinely implement many different procedures in order to prevent loss, misuse, alteration or destruction – but we cannot guarantee that this information will be protected under all circumstances. In general – we take these steps in order to safeguard your data:
- Records of type of consent – In accordance to GDPR Article 6.
- The location of personal data - where this information is stored
- Records of data breaches
- Data Protection impact assessments – who, why and how/where the data is shared between the processors in this situation.
When preparing documents ready for processing, we guarantee to follow in accordance to the eight principles set out within The Data Protection Act (1984).
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specific purposes in accordance to the law set out by the GDPR Article 6.
- Personal data shall be adequate and relevant
- Personal data shall always be up-to-date and accurate
- Personal data processed for any purpose shall not be kept for longer than its intended purpose.
- Personal data will be processed in accordance to you, the individual’s rights.
- Personal data will always be kept in a secure location to ensure minimal loss of important information
- Personal data will not be shared outside of the company, or to outside the EAA.
Who your data shared with
We will never share your personal information with another organization. In very rare cases we may be required to disclose your personal data under the following circumstances:
- For legal compliance, Public safety and Law enforcement purposes
With any government or regulatory bodies, lawful authorities, or other authorized third parties that require your information in regards to compliance with the law, court orders or to assist in an investigation as an example.
- you have given consent for a given purpose to do so
How long we keep your data
We at Emily Crisps will only keep your information for as long as it is necessary in order to manage your complaint or query. Typically, we will store this information for around 1 year – after which we will begin the pseudonymisation process in order to protect your personal information.
In terms of a contractual relationship, we will store personal data where required by law. This typically means will keep a record of your data for up to 7 years.
5.0 YOUR LEGAL RIGHTS/INDIVIDUAL RIGHTS
Under the General Data Protection regulation, you have certain rights regarding the personal information we hold on you as detailed below. Should any of your personal details change, or you have any questions on your rights, or you would like to make a request, please contact us at either firstname.lastname@example.org or write to us at Emily Crisps, 8 Lee Street, London, E8 4DY.
Below is a breakdown of your legal rights as an individual: please note that below is not the full statement, but merely a breakdown of what has been covered throughout this data document. Furthermore, information here is still part of this document and will be used a basis of informing yourself of your rights as an individual.
Right to be informed:
Individuals such as yourself, have the right to be informed about the collection and the use of your personal data. Under the GDPR it is our obligation to uphold this promise to you.
We must provide you with information including: purpose of processing this data, the length of holding this data, and who this information will be shared with. Also known as ‘privacy information’.
We will provide the lawful basis for storing and processing this data, and the legitimate reasons behind this. This policy documents goes into more detail about how we use your data.
Right of Access:
You have the right to access your personal data and supplementary information. We have an obligation to make yourself aware of and verify the lawfulness of the processing (Recital 63).
We have at the latest one month of receipt to respond. This may be extended depending on the complexity of the request. Finally – we have the right to charge a reasonable fee, or refusal to respond if we deem the request manifestly unfounded or excessive.
Right of Erasure
The right of erasure, or also known as ‘the right to be forgotten’ permits you to be in control of the data. Essentially, you have the right to withdraw consent and request for us to erase all the data that we hold on you. This is in accordance to Article 17 of the GDPR.
With this in mind – you can request for your right of erasure either verbally, or in writing. With this, we have a month to respond to your request. We understand that there is particular emphasis on the erasure of information if children have been involved.
When the Right of Erasure does not apply:
- To comply with a legal obligation
- for the establishment, exercise or defence of legal claims
- similar to the previous section, we can refuse the right of erasure if we believe it is manifestly unfounded or excessive (also taking into account if the request is repetitive in nature.
If we refuse, we will:
- inform you for the reasons behind the refusal
- inform you of your right to make a complaint to the ICO or another supervisory authority
- your ability to seek to enforce this right through the judicial system.
Right to withdraw consent
If you have given us consent to process your data, at any point you have the right to withdraw that consent.
Right of Rectification
The GDPR clearly lays out in Article 16 your individual right to have inaccurate personal data to be rectified.
The GDPR does not define the term accuracy. But in accordance to the Data Protection Bill states that personal data is inaccurate if it is either incorrect or misleading. In our case, opinionated data is considered complex and naturally very difficult to deem inaccurate.
Right of Restrict Processing
The right of restrict processing (article 18) works in conjunction with the right of rectification (article 16) and the right to object (article 21). In essence, you the individual have the right to restrict the processing of your stored data in certain circumstances. This is an alternative to the requesting your right to erasure.
You have the right to restrict processing if you have an issue with the content of information we hold, or how we have processed your data.
As a matter of good practice, we will generally automatically restrict the processing whilst you consider its accuracy or the legitimate grounds for processing is in question.
Right to object
In accordance to the GDPR regulation (Article 21), you as an individual have the right to object to the processing of your personal data.
“Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject (you), on grounds relating to his or her personal situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.”
Article 21 (4)
The right to object commonly refers to the processing of personal data if it is for direct marketing purposes. You are able to ask us to stop processing your data for direct marketing at any time. However, currently we do not do this.
This website is not directed or does address anyone under the age of 13 (“Children”).
We do not knowingly collect personal information from any children under the age of 13. If we become aware of any information collected from a child under the age of 13 without the parents or guardians consent, we will take the necessary steps in order to get this data immediately removed.