1. Policy statement
Every day British Rema will receive, use and store personal information about our customers, prospective customers, suppliers and prospective suppliers. It is important that this information is handled lawfully and appropriately in line with the requirements of the Data Protection Act 2018 and the General Data Protection Regulation (collectively referred to as the ‘Data Protection Requirements’).
2. About this policy
This policy sets out the basis on which British Rema will process any personal data we collect or process. The Data Officer is responsible for ensuring compliance with the Data Protection Requirements and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be addressed in the first instance to the Data Officer.
3. What is personal data?
Personal data means data (whether stored electronically or paper based) relating to a living individual who can be identified directly or indirectly from that data (or from that data plus other information in our possession).
Processing is any activity that involves the use of personal data. It includes obtaining, recording or holding the data, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
4. Privacy principles
British Rema will ensure that data is:
5. What data do we process and why?
The following sets out the personal data that British Rema may process, the reason for processing and the lawful basis as defined by the Data Protection Requirements.
If you are a customer or a supplier (actual or prospective)
Categories of data
Purposes of processing
Lawful basis of processing
If you are a website visitor or you interact with us on social media
Categories of data
Purposes of processing
Lawful basis of processing
6. Processing in line with data subject’s rights
We will process all personal data in line with data subjects’ rights, in particular your right to:
7. Data security
We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
We put in place procedures and technologies to maintain the security of all personal data.
We may transfer any personal data we hold to a country outside the European Economic Area (‘EEA’) or to an international organisation, such as Salesforce or MailChimp, provided that one of the following conditions applies:
a. The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
b. The data subject has given his consent.
c. The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
d. The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
e. The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
Subject to the requirements above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
8. Disclosure and sharing of personal data
We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
9. Subject access requests
Data subjects who wish to make a formal request about the information we hold relating to them should do so by emailing our Data Compliance Officer at DataProtection@britishrema.com.
10. Changes to this policy
We reserve the right to change this policy at any time. Where appropriate, we will notify changes by mail or email.