The Old Original Bakewell Pudding Shop (the “Company”) is a data controller for the purposes of the European General Data Protection Regulation (GDPR) and UK law.
This policy sets out the approach the Company will take to comply with its legal obligations in relation to personal data that it holds.
WHAT TYPE OF INFORMATION WE COLLECT AND WHAT IT IS USED FOR
We receive, collect and store any information Customers enter on our website or provide us in any other way. In
addition, we collect the Internet protocol (IP) address used to connect your computer to the Internet.
We may use software tools to measure and collect session information, including page response times, length of visits to certain pages, page interaction information, and methods used to browse away from the page.
Our website is hosted on the Wix.com platform. Your data may be stored through Wix.com’s data storage,
databases and the general Wix.com applications. They store your data on secure servers behind a firewall.
We also collect personally identifiable information including name and address, which is stored securely in our
internal secure database and on MailChimp. We use this information in order to review and provide the best service and to send targeted marketing information to Customers where they have opted to receive such information.
HOW WE COLLECT INFORMATION
We only store and process data where Customers have consented to this for marketing purposes through our
website or in our shop.
If we use third parties, we will also instruct third parties to maintain a record of each consent we rely upon - we must be able to demonstrate consent in this way to comply with the GDPR.
Your personal information will be used for the specific reasons stated above only.
Should a Customer wish to withdraw consent, they can contact us at firstname.lastname@example.org or send mail to:
The Old Original Bakewell Pudding Shop
Where consent is withdrawn, processing of the relevant Customer data will cease immediately.
WHAT PERSONAL INFORMATION WE HOLD
We will hold the following data about Customers where they have given this information:
Date of birth
WHY WE COLLECT SUCH PERSONAL INFORMATION
The law requires that we only hold the information we need and that we only use it for the purposes set out in this policy. In our view, all of the information set out above is necessary for these purposes.
However, please note that if you do this you may not be able to use the full functionality of this website.
Our website uses Google Analytics, a service which transmits website traffic data to Google servers in the United States. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand website traffic and web page usage.
clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.
Where Customer consent for data processing is withdrawn we will ensure that any personal data is destroyed. Where data is held in a paper format, destruction means that the data will be shredded or sent to confidential
waste for destruction.
Where data is held in an electronic format, destruction means that the data is put permanently beyond use.
Where data is held by third parties, we will rely on confirmation from them that data has been properly destroyed.
RIGHT OF ACCESS TO INFORMATION WE HAVE
People are entitled to be told what information we hold about them and to be given a copy of that information.
On request, we will also inform people:
• The purpose for which we process their data
• What type of information we hold about them
• If we have not collected the information from the person themselves, where the information we hold comes from
• To whom we have disclosed it or intend to disclose it
• About their rights in respect of their personal data, including:
- the right to be forgotten in certain circumstances (also known as the right to erasure)
- the right to restrict the processing of their personal data in certain circumstances, for instance where the
Customer claims it is inaccurate (until the accuracy is verified)
- the right to object in certain circumstances to the processing of their personal data (including for direct
We will provide this information to people within one month of receiving their request. Where the person makes an electronic request (for example, by email), we will provide the information in an electronic form (unless the person requests otherwise).
INFORMATION BEING HANDLED BY OTHER PARTIES
All agreements that we have with another party who handles customer data on our behalf will require that party to keep the data securely in accordance with specific GDPR requirements.
When we transfer data to another party, we will ensure that the transfer is made in a manner that keeps the data secure in accordance with the GDPR.
We will never give or sell customer data to any other companies.
WHERE DATA IS LOST OR DESTROYED
Where there is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (a breach), we will consider as soon as possible what action we need to take.
As a first step, the Compliance Officer must be notified immediately.
As soon as possible when becoming aware of a breach we will consider what we can do to put it right and the likely impact it will have on any customer whose data was involved. We will work with service providers where relevant to gather as much information as possible in order to understand the extent of the breach and the steps needed to contain and mitigate the effects of the breach.
Our other third parties who handle personal data on our behalf are required to notify us as soon as they become aware of a breach and we take all reasonable steps to ensure that they are aware of this requirement.