1 WHO WE ARE
G&G Delicatessen Ltd (trading as Spoon) (‘we’ or ‘us’ or ‘our’) gather and process your personal information in accordance with this privacy notice and in compliance with the relevant data protection Regulation and laws. This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.
G&G Delicatessen Ltd’s registered office is at Beacon House, Warwick Road. Beaconsfield, HP9 2PE and we are a company registered in England and Wales under company number 10271649.
We act as the data controller when processing your data and our designated Data Processing Officer is Miss Annie Gray, who can be contacted at 45 Duke Street, Henley on Thames, Oxfordshire, RG9 1UR
2 INFORMATION THAT WE COLLECT
G&G Delicatessen processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice.
2.1 LOYALTY CARD SCHEME
If you make a Loyalty Card Application the personal data that we collect from your completed form is:
• Title (Mr./Mrs./Miss/Ms./Other)
• First & Last Name
• Home Address & Post Code
• Telephone Number
• Email Address
• A tick box Opt-In Consent which allows us to send you our Newsletters with your exclusive offers
• Optionally you can choose to/or not to provide the following additional information
o Whether you have Children or Grand Children
o Day of Birth (Birth Day & Month)
In signing the Loyalty card application form you are giving “affirmative consent” for us to hold your details in our Loyalty database system and to send email Newsletters to you if you tick the Newsletter Consent Opt-In box.
Once the Loyalty card has been received, and is in use by you, points are accrued for the value of products purchased during each shopping/café visit and these may be used to discount the cost of future purchases that you make. The Loyalty points system interacts with the shop and Café terminals storing the following information about your purchases:
• Stock Product Line Purchased
• Order Number off/Unit Quantity sold
• Date of Purchase
This information is referred to whenever there are any queries about the number of points a customer has accrued and how they were accrued. This information is never used to try to sell or offer you specific or tailored products based on your buying preferences and it is never divulged to 3rd parties.
This information may be aggregated with the information from other Loyalty customer purchases to provide anonymised overall trend analysis which assists us with product stocking requirements when combined with other market trends and trading conditions.
2.2 ABOUT COOKIE FILES
Cookie files, commonly referred to as Cookies, can be used by web servers to identity and track users as they navigate different pages on a website and identify users returning to a website.
Cookies contain an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either "persistent" cookies or "session" cookies; a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
3 HOW WE USE YOUR PERSONAL DATA
G&G Delicatessen Ltd takes your privacy very seriously and will never disclose, share or sell your data without your consent; unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this notice.
Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw this consent at any time. The purposes and reasons for processing your personal data are detailed below: -
• We collect your personal data in the "performance of a contract or service" and to ensure that orders are completed and can be collected or sent out to your preferred address.
• We collect your personal data when you make a signed Loyalty Card Account application to us and optionally Opt-in to our Newsletters processing both on the basis of "affirmative consent".
• We will use your personal data to send out Newsletter Emails on an approximately quarterly basis but only provided that you have requested them on the basis of "affirmative consent".
4 YOUR PERSONAL INFORMATION RIGHTS
You have the right to access any personal information that G&G Delicatessen Ltd processes about you and to request information about: -
• What personal data we hold about you
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has/will be disclosed
• How long we intend to store your personal data for
• If we did not collect the data directly from you, information about the source
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; as well as to object to any direct marketing from us. Where applicable, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure. Valid forms of identity verification would include official photographic identity documents along with address confirmation details on bank statements or utility bills.
5 SHARING AND DISCLOSING YOUR PERSONAL INFORMATION
We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement.
G&G Delicatessen Ltd uses 3rd Party Data/Technical Support Processors to provide the below services and business functions; however, all processors acting on our behalf only process your data in accordance with instructions from us and comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures.
5.1 Lakeland Computer Consultancy Services Ltd (LCCS)
We use Lakeland Computer Consultancy Services Ltd to provide and support our Eureka retail system which provides our front of house point of sale terminals in the shop and café, our Loyalty card system, product labelling and ordering functions. Their 3rd party technical support function is to keep the Eureka system up to date and running properly/efficiently along with responding to any perceived or actual system malfunctions.
6 SAFEGUARDING MEASURES
G&G Delicatessen Ltd takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including: -
• Business level anti-virus/malware protection for all Desktop & Server Systems
• Email Server Provision uses SSL/TLS encryption for all service port communications
• Secure passwords used for IT authentication, access rights and restricted application menus
• Restricted access to information utilising network separation and restricted share mappings
• Firewall based network separation using Routing, Rules, IP restrictions & port based VLANs
• Encryption of all data hosted on remote backup services
7 DATA TRANSFERS
G&G Delicatessen Ltd like many companies makes use of certain Cloud based data services in the course of its daily operations. GDPR broadly considers them under two headings:
7.1 Data Transfers to Services within the European Economic Area
Data transfers to Cloud Services take place using the following providers hosted within the EU
• LCCS – Encrypted Eureka Retail System database backups (includes Loyalty data)
The above supplier has supplied us with GDPR compliant DPA Agreements/Addendums.
7.2 Data Transfers to Services outside the European Economic Area
G&G Delicatessen Ltd utilise some products or services (or parts of them) that may be hosted/stored in non-EU countries, which means that we transfer certain classes of information outside the European Economic Area ("EEA") for the purposes given below: -
• DropBox – Encrypted office network remote backups and H&S processes & procedures
DropBox hosting services comply with specific GDPR compliant EU-U.S. Privacy Shield Frameworks as detailed here: https://www.privacyshield.gov/.
The Privacy Shield framework is designed to ensure that hosting providers use the necessary level of protection for your information and abide by strict International agreements and measures in order to protect your data and comply with GDPR’s data protection laws and requirements.
8 CONSEQUENCES OF NOT PROVIDING YOUR DATA
You are not obligated to provide your personal information to G&G Delicatessen Ltd , however, where this information is required for our Loyalty Scheme , Website, Newsletter or for special event bookings, we will not be able to offer some/all our services without it.
9 HOW LONG WE KEEP YOUR DATA
G&G Delicatessen Ltd only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations.
Where you have consented to the use of your details in connection with our Loyalty Programme or our Newsletter mailing list, we will retain such data until you notify us otherwise and/or withdraw your consent.
10 MAKING A SUBJECT ACCESS REQUEST (SAR)
You can use the following link SAR form to download a "Subject Access Request Form" directly or you can email a request for one to firstname.lastname@example.org Please submit your completed SAR Form either in person, by registered post or by emailing it back to email@example.com We would advise that any attachments sent by email, containing personal information, should be password protected in some way and that a method of receiving the password separately is provided.
11 LODGING A COMPLAINT
G&G Delicatessen Ltd only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws.
If, however, you wish to raise a complaint regarding the processing of your personal data or are in any way unsatisfied with how we have handled your information, you have the right to lodge a complaint.
In the first instance, you should contact us directly by emailing the Data Control Officer at firstname.lastname@example.org
or by writing to: -
Miss Annie Gray
45 Duke Street
Henley on Thames
Tel: 01491 410758 option 4