This Privacy Notice sets out what personal data we, Our Secret Boutique, hereafter referred to as ‘the Company’, hold about you and how we collect and use it.
We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any other information that we might give you from time to time about how we collect and use your personal data. You should also read our Data Protection Policy which explains our obligations in relation to personal data and how we keep it secure.
Who is the controller?
Our Secret Boutique is the “controller” for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you.
Our Data Protection Lead is Emma Dougan. They will act as your first point of contact if you have any questions or concerns about data protection.
What type of personal data do we hold about you?
Personal data means any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual’s actions or behaviour, or information that may otherwise impact that individual in a personal or business capacity.
Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. (The rest is ordinary personal data).
Why do we hold your personal data and on what legal grounds?
We hold and use your ordinary personal data for employment, HR and business administration purposes. Data protection law specifies the legal grounds on which we can hold and use personal data.
We hold and use your special category data for purposes including, for example, reporting and monitoring equality of opportunity and diversity.
Since special category data is usually more sensitive than ordinary personal data, we need to have an additional legal ground to use and hold it. Most commonly we rely on one or more of the following additional legal grounds when we process your special category data:
- Where we need to exercise our legal rights or carry out our legal obligations in relation to employment or social security and the processing is in line with our Data Protection Policy
- Where it is needed in the public interest, such as for equal opportunities monitoring [or in relation to our occupational pension scheme], and in line with our Data Protection Policy (public interest in monitoring equal opportunities within the workforce)
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards (assessment of working capacity)
Occasionally, we may also hold and use ordinary personal data: in the public interest for the detection or prevention of crime; or where needed to protect your vital interests or those of another person. We may also occasionally hold and use special category data: to establish, exercise or defend a legal claim; where needed to protect your interests (or someone else’s interests) where you are not capable of giving your consent; or where you have already made the information public.
Sometimes we may use your personal data for purposes that are different from or incompatible with those for which we collected it. If we do this, we will notify you and explain our legal ground for using your data in this way, as required under data protection law.
How do we collect your personal data?
You provide us with most of the personal data about you that we hold and use.
Some of the personal data about you that we hold and use may come from external sources. For example: when we offered you a job, we may have collected references from previous employers; we may obtain information about you from publicly available sources such as your LinkedIn profile or other media sources.
If you give us someone else’s personal data
Sometimes, you might provide us with another person’s personal data. In such cases, we require you to inform the individual what personal data of theirs you are giving to us. You must also give them our contact details and let them know that they should contact us if they have any queries about how we will use their personal data.
Who do we share your personal data with?
We will only share your personal data with third parties where we have an appropriate legal ground under data protection law which permits us to do so.
How long will we keep your personal data?
We will not keep your personal data for longer than we need it for our legitimate purposes.
We take into account the following criteria when determining the appropriate retention period for personal data:
- the amount, nature, and sensitivity of the personal data
- the risk of harm from unauthorised use or disclosure
- the purposes for which we process your personal data and how long we need the particular data to achieve these purposes
- how long the personal data is likely to remain accurate and up-to-date
- for how long the personal data might be relevant to possible future legal claims
- any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept.
You have a number of legal rights relating to your personal data, which are outlined here:
- The right to make a subject access request. This enables you to receive certain information about how we use your personal data, as well as to receive a copy of it and to check that we are lawfully processing it.
- The right to request that we correct incomplete or inaccurate personal data that we hold about you.
- The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing.
- The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- The right to request that we transfer your personal data to you or to another party, in a structured format. This right applies in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
- The right to object to a decision based on profiling/solely automated decision-making, including the right to voice your opinion, and obtain human intervention in the decision-making.
If you would like to exercise any of the above rights, please contact Emma Dougan in writing. Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.
If you have any questions or concerns about how your personal data is being used by us, you can contact the Data Protection Lead.
Note too that you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk