The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on May 25th 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal data.
The GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Security of information and privacy are Strawberry Cottage's most important assets. It is in our greatest interest that you have confidence in how we handle your personal data.
We place a high importance on information security and we already comply with a number of standards that focus on it.
We will always comply with the GDPR as a processor and controller of data.
In our role as a data processor, we are responsible for implementing appropriate technical and organisational measures to meet the requirements of GDPR, ensuring a level of information security appropriate to the risk, and acting in accordance with the relevant data controller’s instructions.
We are committed to safeguarding your privacy online. We will not knowingly support any use of your information which is illegal or which contravenes the laws or common practice in the country of your origin.
Strawberry Cottage is committed to ensuring that your privacy is protected and that there is transparency with regard to the processing of your information. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this statement.
WHERE DOES THIS STATEMENT APPLY?
This Statement mainly applies but is not limited to:
- Bed and Breakfast Services
- Catering / Restaurant
- Wedding Functions
- Business Functions
- Private Functions
HOW WE ARE PREPARING FOR GDPR
We already have a consistent level of data protection and security across our organisation; however, it is our aim to be fully compliant with the GDPR by 25th May 2018.
We’ve revised data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including but not limited to:
- Terms and Conditions – We have also revised our Terms and Conditions to comply with the GDPR
- Legal Basis for Processing – We have revised all processing activities to identify the legal basis for processing and to ensure that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our GDPR obligations are met
- Obtaining Consent – We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records, and an easy-to-see and easy-to-access way to withdraw consent at any time.
- Data Protection Impact Assessments (DPIA) – Where we process personal information that is considered high risk, we have developed stringent procedures for carrying out impact assessments that comply fully with the GDPR. We have implemented processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
WHAT WE DO WITH INFORMATION WE COLLECT
Strawberry Cottage, as a Consultation/Coaching company, is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have already put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
We will collect and look after your data for the purpose of delivering services and information to you that you have requested and to correspond with you about our Services. We will never pass your information to any external party outside of Strawberry Cottage unless required by law to do so. We will never, ever, give, sell or lease your personal information to anyone outside of our organisation.
If you have subscribed to our services, signed up for the newsletter, survey or similar, we will include you on our mailing list for our regular newsletter and occasional news of our services.
You can opt out of this communication permanently at any time.
DATA SUBJECT RIGHTS
Strawberry Cottage will always respect your rights that concern the protection of your personal data.
A) Right to be informed
You have the right to be informed about the collection and use of your personal data.
We are obligated to provide you with the following information:
- the purposes for processing your personal data
- our retention periods for that personal data
We do not need to provide you with privacy information if you already have it or if it would involve a disproportionate effort to provide it to you.
The information we provide to you will always be concise, transparent, intelligible, easily accessible, clear and easy to understand. We will, of course, be open to feedback on our documents if you feel there is scope for clarification.
We provide individuals with privacy information at the time we collect their personal data from them.
B) Right of Access
You have the right to access your personal data and supplementary information. This right allows you to be aware of and verify the lawfulness of the processing.
You have the right to obtain:
- confirmation that your data is being processed
- access to your personal data; and
We are obligated to provide a copy of the information requested. We will verify the identity of the individual making the request, using “reasonable means”. If the request is made electronically, we will provide the information in a commonly used electronic format.
C) Right to Rectification
Personal data is inaccurate if it is incorrect or misleading as to any matter of fact. You have the right to have inaccurate personal data rectified, or completed if it is incomplete.
When a request is made, we will verify the identity of the individual making the request, using ‘reasonable means’. If the request is made electronically, we will provide the information in a commonly used electronic format.
If we receive a request for rectification, we will take reasonable steps to confirm that the data is accurate and to rectify the data if necessary. We will also take into account the arguments and evidence provided by the data subject.
D) Right to Erasure
You have the right to have personal data erased. This is also known as the “right to be forgotten”.
The right is not absolute and only applies in certain circumstances.
We already have processes in place to ensure that we respond to a request for erasure.
If you no longer want to use our services and you want your personal information to be erased, you may request it by contacting us at any time.
Please note, we may not be able to honour these requests when they conflict with legal circumstances and requirements that we are obligated to fulfil.
We will explain this to you if and when such a conflict arises.
E) Right to Restrict Processing
You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way that we use your data. This is an alternative to requesting the erasure of your data (see above).
We have processes in place to ensure that we respond to a request for restriction without undue delay and within one month of receipt.
F) Right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
- to personal data you have provided to a controller
- where the processing is based on your consent or for the performance of a contract
- when processing is carried out by automated means.
We are obligated to provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
The information provided is free of charge.
If you request it, we may be required to transmit the data directly to another organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.
Clarification: This pertains only to your personally identifiable data.
G) Right to Object
You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics
You must have “grounds relating to your particular situation” in order to exercise your right to object to processing for research purposes.
We are obligated to halt processing personal data for direct marketing purposes as soon as we receive an objection.
H) Rights related to automated decision making including profiling
Automated individual decision-making is a decision made by automated means without any human involvement. It does not have to involve profiling, although it often will do.
We do not currently use your personal data to make automatic decisions about you. If this changes in the future you will be notified.
HOW YOU CAN EXERCISE YOUR RIGHTS
You are always welcome to communicate with us about the exercise of your rights concerning the protection of your personal data.
We only accept written requests since we cannot deal with verbal requests immediately without first:
- analysing the content of the request; and
- adequately verifying your identity.
Your request should contain a detailed, accurate description of which right you want to exercise.
We will respond to your request without delay and at the latest within one month of receipt.
We will extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
We do not charge a fee to comply with your request.
HOW TO CONTACT US
- using the Contact Us section of our websites where available; or
- sending an email to firstname.lastname@example.org
We are fully committed to ensuring that we act in accordance with various global data protection laws as applicable, including GDPR, and will take seriously any data protection concerns you raise with us.
DO YOU HAVE A RIGHT TO COMPLAIN?
You have a right to lodge a complaint with a supervisory authority. For detailed information, please see here: