References in this policy to "data protection law" mean (as applicable) the Data Protection Act 1998, the General Data Protection Regulation (Regulation (EU) 2016/679), and all related data protection legislation having effect in the United Kingdom from time to time.
2. OUR DETAILS
For the purposes of data protection law, the data controller with conduct of your personal information is Hampshire Fare C.I.C. (trading as 'Hampshire Fare') (company number 06960366) of Rownhams House, Rownhams, Southampton, Hampshire, SO16 8LS.
Our Data Protection Officer is Tracy Nash of Hampshire Fare, Rownhams House, Rownhams, Southampton, Hampshire, SO16 8LS, Tracy.Nash@HampshireFare.co.uk.
3. HOW WE USE YOUR INFORMATION
The following sections explain what information we hold about you, why we are processing that information, the legal basis for the processing, the duration for which we keep your information and (if applicable) who your information will be shared with and where those recipients are based.
Which information do we process and for what purpose?
We process the following information from you:
Information you give us. This is information about you that you give us by filling in forms on our website, emailing us, writing to us, speaking to us by phone or in person or by completing a survey we have sent you. If you send us a membership application form then that will contain personal information about you. The information you give us may include your name, job title, employment details, contact address, email address, phone number and, in certain circumstances, banking information.
Occasionally we may also process sensitive personal information about you which could include allergy or dietary requirements or information about your health or mobility requirements.
Information obtained from or provided by third parties. This is typically the case where your employer, principal or a colleague supplies us with your information, for example where you are the point of contact for that organisation. If you are a sole trader or a partner within a legal partnership then we may receive your information from your employees or fellow partners. Such information includes your name, contact details, job title and, in certain situations, bank details.
We process your information for the following purposes:
(a) if you (or your organisation) are applying to become a member of ours, in order to process that membership application;
(b) where you are a member of ours (or an employee or representative of a member of ours), to supply you (or your organisation) with our membership services and benefit;
(c) where you (or your organisation) are a member of ours, to manage your (or your organisation's) membership with us, including the issuing of requests for payment;
(d) where you are an intermediary or other contact, to discuss and arrange for collaboration between us and to promote our members' interests;
(e) where you are a supplier or contractor of ours (or an employee or representative of a supplier/contractor of ours), to request and obtain goods and/or services we have purchased from you (or your organisation), including taking pre-contractual steps such as obtaining a fee quote from you or negotiating the contract between us;
(f) where you are a supplier or contractor of ours (or an employee or representative of a supplier/contractor of ours), to manage our account with you (or your organisation), including making payment for invoices;
(g) if you are a member or have otherwise opted in to receiving marketing communications from us, to send you marketing communications which we think will be of interest to you;
(h) where applicable, to provide you with access to the 'My Hampshire Fare' section of our website;
(i) if you have entered one of our competitions, to conduct that competition and to send out the prizes;
(j) where you are attending an event we are hosting and you have notified us of your allergy, dietary or health/mobility requirements, to accommodate those and, depending on the nature of your requirements, to make appropriate people aware so that they can ensure your safety and comfort; and
(k) to respond to your enquiry or to follow up our own enquiries.
What are the grounds for processing your information?
We are processing your personal information on the following grounds:
(a) if you are a prospective member, current member or supplier of ours, because the processing is necessary for the performance of the contract between you and us. This includes taking pre-contractual steps such as processing your membership application in the case of prospective members;
(b) if you are an employee or representative of a member or supplier of ours, because we have a legitimate interest in processing your information in order to perform the contract between us and your organisation, including taking any pre-contractual steps. In accordance with data protection law, we have carefully weighed your interests and fundamental rights and freedoms against our interest to process your information in this way and are satisfied that we are justified in doing so;
(c) in certain circumstances, the processing is necessary for us to comply with our legal or regulatory obligations;
(d) processing is based on your consent. This will typically be the case where you have opted into receiving marketing communications from us;
(e) where you provide us with your allergy, dietary, health or mobility requirements, because you have consented to us processing and, where applicable, sharing this information in order to accommodate your requirements. If you do not consent to us processing your information in this way then we may not be able to accommodate you at our events;
(f) in all other cases, the processing is necessary for achieving our legitimate interests of:
(i) maintaining accurate internal records of members, suppliers, contractors and their contacts for administrative and commercial purposes. This includes where we keep a record of potential supplier details with a view to using their services or purchasing their products in the near future;
(ii) responding to your enquiry, whether submitted through our website, email, over the telephone, in person or otherwise;
(iii) discussing potential collaboration opportunities with you and generally promoting the interests of our members;
(iv) conducting the competition which you have entered; and
(v) sending you marketing information about our products and services (including, where applicable, on the basis of the soft opt-in under the Privacy and Marketing Communications Regulations). You can unsubscribe from these communications at any time by following the instructions contained in the communication or by contacting us using the details in section 10 below,
and in accordance with data protection law we have carefully weighed your interests and fundamental rights and freedoms against our interest to process your information and are satisfied that we are justified in processing your information for this purposes.
Duration and further processing
We only keep your information for so long as it is reasonably necessary. Generally speaking, we keep your personal information for the following periods of time:
(a) for supplier and contractor information (including contact details of employees and representatives) where we enter into a contract - seven years from the date of termination of our contract (unless the contract was executed as a deed, in which case thirteen years from the date of termination); and
(b) for members, for the duration of your membership with us. Once your membership with us ends, we will usually anonymise your information and keep those records indefinitely for administrative and audit purposes.
If we need to keep your information for a longer period then we will notify you of the reason and grounds for doing so. This may be the case where a dispute arises between us.
Who is your information shared with?
Your personal information is not shared with anyone except where we are required to do so to comply with the law, to protect our rights, to provide our services or to efficiently operate our business. In order to achieve these purposes, we will share your data with the following people or groups of people:
(a) our outsourced IT providers. Our IT providers may in certain circumstances require access to data held on our systems, for example when we need to troubleshoot a technical issue. Our IT providers are subject to strict contractual obligations to treat your personal information with the utmost sensitivity, to keep it confidential and to comply with data protection law at all times;
(b) SurveyMonkey, for conducting surveys. SurveyMonkey is based outside of the EU but has certified its compliance with the EU-U.S. Privacy Shield Framework and so is subject to strict obligations to protect and maintain the confidentiality of your information;
(c) if you have entered into one of our competitions and have expressly consented to us doing so, we will share your contact information with the business whose goods or services are being promoted in the competition. If you do not consent to us doing so then we will not share your information in this way; and
(d) our professional advisers, such as our accountants and solicitors, who are subject to professional duties of confidentiality.
Except as stated above, to the best of our knowledge, understanding and belief your information will not be transferred outside of the European Economic Area or to any country which is not approved by the European Commission. If this changes then we will let you know.
Automated decision making
We do not make automated decisions about you based on your information. If this changes in the future then we will let you know.
You will remember us discussing the 'soft opt-in', whereby you can advertise to your existing members. The ground for carrying out that processing under GDPR is having a 'legitimate interest'.
You should be mindful that the soft opt-in only allows you to market identical or similar products and services. As you (Hampshire Fare) offer a membership scheme (a service) rather than traditional goods, you would potentially be quite limited in the types of marketing communications you can send to existing members under the soft opt in.
If you wanted to, for example, promote other members' products then that would not be similar to the service you are providing and so you could not rely upon the soft opt-in.
Depending on what you put in your member emails, you may want to obtain members' opt-in consent to receiving marketing communications which don't directly relate to the membership service. I.e. in the same way you currently do for opt-ins.
4. YOUR RIGHTS
Under data protection law you have the following rights:
(b) if we are processing your data on the basis of your consent then you have the right to withdraw that consent at any time. One way of doing so would be to notify us using the details set out in section 10 below. In the case of marketing communications sent to you on the basis of your consent, each communication will clearly indicate how you can withdraw your consent. Please note that the lawfulness of our historic processing based on your consent will not be retrospectively affected by your subsequent withdrawal of consent;
(c) the right to access a copy of your information which we hold. This is called a 'subject access request'. Additional details on how to exercise this right are set out in section 6, below;
(d) the right to prevent us processing your information for direct marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us using the details set out in section 10, below;
(e) the right to object to decisions being made about you by automated means. We do not currently use automated decision making but we will let you know if this changes in the future;
(f) the right to object to us processing your personal information in certain other situations;
(g) the right, in certain circumstances, to have your information rectified, blocked, erased or destroyed if it is inaccurate;
(h) the right, in certain circumstances, to claim compensation for damages caused by us breaching data protection law;
(i) the right, in certain circumstances, to request that we erase, rectify, cease processing and/or delete your information; and
(j) in certain circumstances, the right to request the information we hold on you in a machine readable format so that you can transfer it to other services. This right is called 'data portability'. Additional details on how to exercise this right are set out in section 6, below.
Should you have any concerns about how we hold and process your information, you have the general right to complain to us (in the first instance) and, if you are not satisfied by our response, to your local supervisory authority (which in the UK is the Information Commissioner's Office). Our contact details are set out in section 10, below. The Information Commissioner's Office website is www.ico.org.uk.
If you are based in the UK then you can obtain further information on your rights under data protection law and how to exercise them by contacting Citizens Advice Bureau (www.citizensadvice.org.uk) or the Information Commissioner's Office (www.ico.org.uk).
6. ACCESS TO INFORMATION
Under data protection law you can exercise your right of access by making a written request to receive copies of some of the information we hold on you. You must send us proof of your identity, or proof of authority if making the request on behalf of someone else, before we can supply the information to you. Requests should be sent to us using the contact details in section 10 below.
You do not need to pay a fee to exercise this right unless you are requesting copies of documents you already possess, in which case we may charge our reasonable administrative costs. We are, however, allowed to charge you for our reasonable administrative costs in collating and providing you with details of the requested information which we hold about you if your request is clearly unfounded or excessive. In very limited circumstances, we are also entitled to refuse to comply with your request if it is particularly onerous.
In certain circumstances, you are entitled to receive the information in a structured, commonly used and machine readable form.
7. DATA SECURITY
We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our website or otherwise to our servers (such as by email). Any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
8. THIRD PARTY SITES
Our website may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these sites have their own privacy notices and that we do not accept any responsibility or liability for those notices. In particular, please check their privacy notices before you submit any personal data to those websites as they may not be on the same terms as ours.
Rownhams House & Gardens
Registered number: 27524R
VAT registration number: 643 3120 75