Privacy, Cookie & Retention Policy
This Privacy Notice was last updated on 14/05/2018
This Privacy Notice explains what information Room Aromas T/A Simply Pleasure Limited, (‘we’, ‘us’, and ‘our’) gather about you, what we use that information for, and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries.
We take data protection very seriously and we are committed to protecting your personal information. This Privacy Notice describes how we handle personal information collected through our website www.roomaromas.co.uk and by any other means.
It is our policy to collect only the minimum information required from you. If you believe we have collected excessive information about you, please contact us via email at firstname.lastname@example.org to raise any concerns you may have.
In this Privacy Notice your personal information is sometimes called “personal data”. We sometimes collectively refer to handling, collecting, protecting or storing your personal information as ‘processing’.
Although you do not have to provide any of your personal information to us, if we ask you to do so and you refuse, we may be unable to provide you with the information, products or services you want from us.
Personal information
Personal information is anything that enables you to be identified or identifiable, e.g. your name, address, email address, telephone number.
Collection of personal information
Below are some examples of how you may provide personal information to us:
- Ordering products from us
- Searching and browsing our website for content
- Subscribing to our newsletter
- Submitting CVs or work history information
Use of personal information
When you provide personal information to us, we may use it for any of the purposes described in this Privacy Notice including:
- To provide you with our products
- To administer and manage our website(s), including:
- To confirm and authenticate your identity
- To personalise and enrich your browsing experience by displaying content that is more likely to be relevant and of interest to you;
- To understand how people use the features and functions of our website in order to improve the user experience.
We do not collect personally identifying information for sale or use by third parties.
Legal grounds for processing personal information
We rely on one or more of the following lawful bases:
- To perform our contractual obligations to you;
- To satisfy any legal obligations to which we are subject;
- To satisfy our legitimate interests in the effective delivery of products and services to you and in the effective and lawful operation of our businesses;
- If you have agreed to us processing your personal information (where no other lawful basis for processing is available)
Security of personal information
We have implemented generally accepted standards of technology and operational security in order to protect personally identifiable information from loss, misuse, alteration or destruction.
Only authorised persons are provided access to personally identifiable information we have collected, and such individuals have agreed to maintain the confidentiality of this information.
Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure.
We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to or by us.
Sharing personal information
We may transfer, share or disclose the personal data we collect from you to third parties (and their respective subcontractors, and/or their subsidiaries and affiliates) for:
- The purposes for which the information has been submitted
- The purposes listed above under use of personal information
- The administration and maintenance of our website and/or
- Other internal or administrative purposes.
We may also transfer, share or disclose personal data to third-party service providers of identity management, website hosting and management, data analysis, data backup, security and storage services.
The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us, and to flow those same obligations down to their sub-processors.
The third parties to which we may transfer, share or disclose the personal data we collect from you are:
- MComputers LTD
- 7am LTD. trading as Media Lounge
- B1 Solutions LTD
- Scholar Web Services LTD
- Pinnaca Retail Solutions LTD
International transfers of personal information
We do not transfer (send) your personal information outside the European Economic Area (EEA).
We may also disclose personal information to third parties under the following circumstances:
- When explicitly requested by you;
- When required to deliver our products and services to you;
- As otherwise set out in this privacy statement.
We may also disclose your personal information to law enforcement and other government agencies and other third parties, as required by and/or in accordance with applicable law or regulation.
Retention of personal information
We will retain your personal information only for as long as we need it, given the purposes for which it was collected, or as required to do so by law.
Normally, this means we will retain your personal information for seven years. For more information please email email@example.com for a copy of our retention policy.
We keep contact information (such as mailing list information) until a user unsubscribes or requests that we delete that information. If you choose to unsubscribe from a mailing list, we may keep certain limited information about you so that we may honour your request.
Where we are legally required to obtain your explicit consent to provide you with marketing materials, we will only provide you with such marketing materials if you have provided consent for us to do so.
If you opt into any subscriptions, you will receive automated emails when content is updated. If you opt into any newsletters, you will receive emails known as newsletters. If you select any preferences you will receive email communications related to those self-selected topics.
If you want to unsubscribe from mailing lists or any subscriptions, you should look for and follow the instructions we have provided in the relevant communications to you. Alternatively, you can at any time contact us to request that such communications cease.
If you choose to unsubscribe from any or all mailings, we may retain information sufficient to identify you so that we can honour your request.
Rights in relation to your information
You have certain rights in relation to the personal information we hold about you. In particular, you have the right to:
- Request a copy of personal information we hold about you;
- Ask that we update the personal information we hold about you, or correct such personal information that you think is incorrect or incomplete;
- Ask that we delete personal information that we hold about you, or restrict the way in which we use such personal information;
- Object to our processing of your personal information; and/or
- Withdraw your consent to our processing of your personal information (to the extent such processing is based on consent and consent is the only permissible basis for processing).
If you would like to exercise these rights or understand if these rights apply to you, please contact us.
Automated decision making
We will not use your personal information for automated decision making or profiling.
We understand the importance of protecting children's privacy and we never knowingly collect personal information about individuals under the age of 18. Our Terms and conditions of use require all users to be above the age of majority in their local country. We adhere to laws regarding marketing to children.
We do not intend to collect special category (also known as sensitive) personal information through our website(s) (unless we are legally required to do so). Examples of special category information are: race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and criminal records.
We ask that you do not provide us with special category personal information when using our website.
Please see our at https://www.roomaromas.co.uk/privacy-policy.html
If you have any questions or complaints about this Privacy Notice or the way your personal information is processed by us, or would like to exercise one of your rights set out above, please contact us by one of the following means:
Post: Room Aromas, Spring Lane, Forest gate, Ringwood, BH24 3FH
You also have the right to lodge a complaint with your local data protection regulator, which in the UK is the Information Commissioner's Office (ICO). The ICO can be contacted by the following means:
Telephone: 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). If you're calling from outside the UK, please call +44 1625 545 700.
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire
We may update this Privacy Notice at any time by publishing an updated version here. So that you know when we make changes to this Privacy statement, we will amend the revision date at the top of this page. The new modified or amended Privacy Notice will apply from that revision date. Therefore, we encourage you to review this Privacy Notice periodically to be informed about how we are protecting your information.
RETENTION POLICY FOR SIMPLY PLEASURE LIMITED
Simply Pleasure Limited, (‘we’, ‘us’ or ‘our’) is committed to:
- Fully complying with all the requirements of the General Data Protection Regulation (GDPR).
- The efficient management of its records for the effective delivery of our services.
This policy explains how we will comply with our responsibilities and obligations under the GDPR and its principles relating to the storage and destruction of personal data.
This policy gives guidance about disposing of, deleting and retaining the personal data for which we have a responsibility and/or obligation under the GDPR.
This policy applies to:
- All personal data that is stored by us whether kept on paper, electronically and/or digitally.
- All our staff
NB: This policy should be read and used in conjunction with the following other policies:
- Data protection
The objectives of this policy are to:
- Ensure we follow the GDPR and its principles relating to the storage, disposal and destruction of personal data
- Ensure we comply with all applicable legal and regulatory requirements
- Ensure personal data is stored securely
- Ensure that personal data is not out of date
- Keep personal data accurate
- Assist with responding to subject access requests
- Ensure personal data that has been placed in storage can be found and retrieved quickly and efficiently
- Ensure the storage, disposal and destruction of personal data is carried out in a consistent and controlled manner.
- Assist with audits
- Minimise storage requirements and costs
- Assist in the identification of the location of personal data
- Clarify responsibilities for implementing, complying with and monitoring this policy
Personal data means any information relating to an identified or identifiable person ('data subject') such as a name, postal/email address, telephone number or identification number, dates of birth, identity documents and numbers and career & educational documents (e.g. CVs & qualifications).
Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation and data concerning criminal convictions or offences.
Data subject means any individual whose personal data is processed by us.
Processing means any use of personal data such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, erasure and destruction. (This means that virtually anything we do with personal data will be processing.)
Data controller means the organisation which decides the purposes and means of the processing of personal data.
NB: Simply Pleasure Limited is the data controller for the purposes of this policy.
Data processor means an individual or organisation that processes personal data on behalf of a data controller.
Personal data breach means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Staff means anyone working at or for us, including directors and permanent, interim and temporary employees.
The relevant data protection principles for the purposes of this policy are that personal data must be:
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
NB: Keeping personal data unnecessarily may use up valuable storage space, incur unnecessary costs and impose on us a significant liability risk.
Roles and responsibilities
Our Directors have ultimate responsibility for ensuring compliance with the GDPR, the principles of data protection and this policy.
The Commercial Director has day-to-day operational responsibility for ensuring we comply with the GDPR, the principles of data protection and this policy. The Commercial Director can be contacted at: HR@Absholdings.com
All staff have a responsibility to comply with the GDPR, the principles of data protection and this policy when carrying out their duties.
Line managers are responsible for supporting staff’s adherence to this policy.
Failure to comply with this policy may result in legal and/or disciplinary action.
The Appendix sets out the periods for which personal data will be kept. We normally retain personal data for a minimum of seven years.
Disposal and Destruction
When the retention periods expire, we must dispose of and destroy all personal data unless a member of the Board of Directors authorises in writing that such data should be retained.
NB: Retaining or destroying personal data in breach of this policy may be considered serious gross misconduct and lead to dismissal.
Line managers are responsible for the shredding and safe disposal of paper records and the deletion of electronic files from local PCs.