Introduction
Good and Useful Trading Ltd is committed to ensuring the security and protection of the personal information we process. This policy outlines our approach to data protection and our responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Scope
This policy applies to all employees, contractors, and third parties who have access to personal data processed by Good and Useful Trading Ltd.
Data Protection Principles
We adhere to the following principles:
Lawfulness, Fairness, and Transparency:
Personal data shall be processed lawfully, fairly, and in a transparent manner. Following your enquiry, we store your personal details in order to provide you with information about our products, apple picking rounds and upcoming events. Whilst we keep marketing communications to a minimum, we may contact you from time to time to inform you about upcoming events and promotions. Your personal data is not passed on to any third parties. If you wish to be removed from our database, please email: hello@mistymoon.co.uk.
Purpose Limitation:
Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
The purpose of collecting your data is solely for the production, sale and promotion of our products and services, to keep you updated about our news and upcoming events. For this, we will contact you by email (and/or phone as preferred).
Data Minimisation:
Only data necessary for the intended purpose is collected: name, address, telephone number, email address, details on number and type of apple tree(s) (where relevant), apple donation history (where relevant), Misty Moon Cider order history (where relevant), past and future event history (where relevant).
Accuracy:
Personal data shall be accurate and kept up to date.
Storage Limitation:
Data is retained only for as long as necessary for the purposes for which the Personal Data is processed. Should you wish to be removed from our secure database, please email us at hello@mistymoon.co.uk and we will delete your details immediately.
Integrity and Confidentiality:
Data is processed securely to prevent unauthorised access, loss, or damage. Good and Useful Ltd will use appropriate technical and organisational measures to ensure the integrity and confidentiality of Personal Data is maintained at all times.
Accountability:
We are responsible for and can demonstrate compliance with these principles.
Lawful Basis for Processing
We process personal data based on one or more of the following lawful bases:
Consent
Contractual necessity
Legal obligation
Data Subject Rights
Individuals have the right to:
Access their personal data
Rectify inaccurate data
Erase data (right to be forgotten)
Restrict processing
Data portability
Object to processing
Not be subject to automated decision-making
If an individual makes a request relating to any of the rights listed above, Good and Useful Trading Ltd will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.
Data Subjects are entitled to obtain the following information about their own Personal Data:
The purposes of the collection, processing, use and storage of their Personal Data.
The source(s) of the Personal Data, if it was not obtained from the Data Subject.
The categories of Personal Data stored for the Data Subject.
The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients.
The envisaged period of storage for the Personal Data or the rationale for determining the storage period.
The use of any automated decision-making, including Profiling.
We recognise the right of the Data Subject to:
Object to Processing of their Personal Data.
Lodge a complaint with the Data Protection Authority.
Request rectification or erasure of their Personal Data.
Request restriction of Processing of their Personal Data.
A response to each request will be provided within 30 days of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require Good and Useful Trading Ltd to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.
Requests can be made by contacting us at hello@mistymoon.co.uk.
Data Security
Access to data is restricted to those who need such access to carry out the duties for which they are employed. Each member of staff who has been granted access to data is personally responsible for ensuring compliance with this policy, the relevant legislation, and the confidentiality of the data to which they have been granted access.
We implement appropriate technical and organisational measures to ensure data security, including:
Cybersecurity measures: Passwords on computers that are changed regularly, regular software updates, virus protection, 2-step verification on relevant applications and VPNs are used to promote data protection. Any use of Generative Artificial Intelligence (GAI, such as ChatGPT) that puts personal or data at risk is prohibited, including uploading any personally identifiable information about our organisation, our customers, suppliers or other key stakeholders into GAI tools.
Physical access controls: All reasonable measures must be taken to prevent physical access by unauthorised persons to Good and Useful Trading Ltd’s data, or those of its clients.
Paper copies of data are stored securely when not in use, for example, in a locked filing cabinet in a secure residence. Where paper copies of sensitive data are required to be taken off-site, they will not be left unattended, and all paper copies of sensitive data will be destroyed when no longer required.
Electronic storage and transmission: Files that include any personal information are only shared internally by secure email, or via cloud storage devices that have multiple layers of security to protect user data (e.g. strong encryption, secure data transfer, regular security testing).
Destruction of data: once data is no longer required, we will securely destroy it. Sensitive data on paper documents will be shredded. Electronic data will be effectively destroyed.
Regular security assessments: The data protection policy is updated regularly based on ongoing data protection risk assessments.
Employee training on data protection: employees will be trained on data protection and how to respond in the eventuality of a data breach, as outlined below.
Data Breach Response
In the event of a data breach, we will:
Assess the breach promptly
Contain and recover the breach
Inform affected individuals of the breach
Data Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected.
Third-Party Processors
Good and Useful Trading Ltd do not currently use any third parties to process personal data on our behalf. Should this be required in the future, we will ensure that any third parties processing personal data on our behalf provide sufficient guarantees to implement appropriate technical and organisational measures in compliance with UK GDPR.
Training and Awareness
All employees receive training on data protection principles and practices as needed.
Policy Review
This policy is reviewed annually or as required to ensure ongoing compliance with data protection laws.
Good and Useful Trading Ltd
Effective Date: April 2023
Review Date: April 2026