Data Protection Policy

Data Protection Policy for Coffee World trading as shopcoffee.co.uk

Table of Contents

  • Introduction, Purpose and Scope
  • Our Obligations
  • Legal Definition of Processing
  • Legal Definition of Personal Information
  • How and Why We Use Your Information
  • Whom We Share Your Data With
  • Data Subject Rights
  • Accountability 
  • ICO Registration Statement

Introduction, Purpose and Scope:

This policy explains how Coffee World and all trading names[1] (“we, “us” and “our”) handles and uses information we collect about visitors to our websites, prospective customers, existing customers and staff. When you interact with us for a specific purpose (e.g. as a prospective or existing customer), other Data Protection Statements may apply to you, and explain our collection and management of your personal information in that setting.

The purpose of this policy is to ensure our compliance with data protection law in the UK. This policy applies to the processing (collection, storage, use and transfer) of personal information (data and other identifiers) about data subjects (living identifiable individuals). This policy applies to information kept in manual or computerised files, whether or not those files comprise a relevant filing system, and therefore falls within the scope of the Data Protection Act 1998 and Regulation (EU) 2016/679 (GDPR).

Websites” refers to collectively, www.coffeeworld.co.uk and www.shopcoffee.co.uk; and “Website” refers to either of them, without prejudice to any other websites owned by Coffee World, or any websites we may create in future. Our Data Protection Statements for specific categories of data subjects are published on our Websites accordingly[2],[3].

Staff” refers to anyone working for us in any context at any level (whether permanent, fixed term or temporary) and including employees, retired but active staff, workers, contractors, trainees, interns, seconded staff, agency staff, agents and volunteers; except when any of the aforementioned are acting in a private or external capacity. Equally, the term “Customer” refers to visitors to our websites, existing customers, prospective customers, enquirers, our agents, brokers, resellers, and consumers and traders as defined by the Consumer Rights Act 2015.

Under data protection law, we are identified as a data controller and are therefore subject to a range of legal obligations. The data controller for your personal information is Coffee World (UK) Ltd, 135 Cambridge Road, Milton, Cambridge, England, CB24 6AT.
The person responsible for data protection at the time of issue, and the person who is responsible for monitoring compliance with relevant legislation in relation to the protection of personal information, is Coffee World’s Data Protection Officer (DPO). All correspondence relating to this Data Protection Policy, or any Data Protection Statements must be addressed to the Data Protection Officer, Coffee World, 135 Cambridge Road, Milton, Cambridge, England, CB24 6AT, or dataprotection@coffeeworld.co.uk.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. Remember to close your browser when you have finished your user session. This will help to ensure that others do not access your personal information if you share your computer or use a computer in a public places such as a library or internet café. Please see our Website Terms & Conditions for more information[4],[5].

This policy should be read in conjunction with our policies, procedures, Terms & Conditions and, where relevant, similar documents with regard to: information security, website use, acceptable use of IT facilities, records management and retention, or any other contractual obligations on our Company or the individual which impose confidentiality or information management obligations (which may at times exceed those of our standard policies with respect to storage or security requirements).

This policy will be reviewed and updated from time to time, in line with best practice procedures in order to achieve compliance with data protection law in line with an appropriate overall risk profile.

In general terms, we use your data in order to be able to process and deliver orders, provide high quality servicing & repairs, deliver barista training, gather vital feedback, offer café marketing support, and to ensure the safety and security of all customers and staff on our physical premises. To comply with data protection law, information must be collected and used fairly, stored safely and not disclosed to any other entities unlawfully.

Unless otherwise stated, the lawful basis for processing your personal data is that it is necessary for the purposes of our legitimate interests (where we have concluded that our interests do not impact inappropriately on your rights and freedoms) in providing effective services to you, and for the purposes of ensuring the safety of staff, and protecting property in our physical shop (e.g. usage of CCTV for security). You may ask us to explain our rationale at any time. Please note that should you choose to withhold necessary data, this may result in your receiving an insufficient service from us.

 

Our Obligations:

When you enter your personal information into an online form for any specified purpose, or have your information registered by our staff whether in person or through other means of communications, you will be told about the use we will make of that information (e.g. to confirm orders and send deliveries to your home address or business premises).

The lawful and correct treatment of personal information is vital to successful operations, and to maintaining the confidence that customers place in us as an organisation. Therefore, we commit to uphold data protection law as part of everyday working practices by:

  • ensuring all personal information is managed appropriately through this policy;
  • fully observing conditions regarding the fair collection and use of information;
  • meeting our legal obligations to specify the purposes for which information is used;
  • collecting and processing appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  • ensuring the integrity of information used;
  • applying strict checks to determine the length of time information is held;
  • ensuring that the rights of all people about whom information is held can be fully exercised under the Data Protection Act 1998 and Regulation (EU) 2016/679 (GDPR) (these include the right to be informed that processing is being undertaken; the right of access to one’s personal information; the right to prevent processing in certain circumstances; and the right to correct, rectify, block or erase information which is regarded as incorrect);
  • taking appropriate security measures to safeguard personal information;
  • ensuring that personal information is not transferred abroad without suitable safeguards;
  • publishing and making publically available data protection statements outlining the details of our personal data processing in a clear and transparent manner.

We have appointed a statutory Data Protection Officer, who is responsible for:

  • monitoring and auditing compliance with our obligations under data protection law, especially our overall risk profile and delivering reports on the same;
  • advising on all aspects of compliance with data protection law
  • acting as our standard point of contact with the Information Commissioner’s Office with regard to data protection law, including cases of personal data breaches; and
  • acting as an available point of contact for enquiry and complaints from data subjects.

We will ensure that all of our staff are aware of this policy and any associated procedures and notes of guidance relating to data protection compliance, provide training as appropriate, and regularly review our procedures and processes to ensure that they are fully compliant. We will also maintain records of our information assets. Individual members of staff are responsible for ensuring that:

  • any personal data that we hold is kept securely;
  • relevant data protection training is completed, as advised by us;
  • following relevant company policies, procedures and notes of guidance;
  • only accessing and using personal information as necessary for their contractual duties and/or other roles;
  • personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party, and that every reasonable effort will be made to see that data is not disclosed to unauthorised parties accidentally;
  • where identified, reporting personal data breaches and cooperating with the DPO to address them; and
  • only deleting, copying or removing personal information as agreed with the DPO and as appropriate.

Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct.  If in any doubt, consult our Data Protection Officer. Personal data must be:

  • kept in a locked filing cabinet, drawer or room; or
  • if the data is computerised, be password protected or kept only on disk which is itself kept securely; or
  • subject to any other appropriate security measures in addition to those above.

In addition to the requirements of data protection legislation, the confidentiality of information about individuals must be respected.

The obligations and responsibilities above do not waive any personal liability for individual criminal offences for the wilful misuse of personal information under data protection legislation.


Processing:

“Processing”, in relation to personal information, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organisation, adaptation or alteration of the information or data;
  • retrieval, consultation or use of the information or data;
  • disclosure of the information or data by transmission, dissemination or otherwise making available; or
  • alignment, combination, blocking, erasure or destruction of the information or data.


Personal information:

Personal information is defined as data or other information about a living person who may be identified from it or combined with other data or information held. Some “special category data” (formerly sensitive personal data) are defined as information regarding an individual’s racial or ethnic origin; political opinion; religious or other beliefs; trade union membership; physical or mental health or condition; sexual life; or criminal proceedings or convictions, as well as their genetic or biometric information.

How and why we use your Personal Data:

We are required to collect and process various types of data from different parties, in order to ensure that we can provide an effective service, which are as follows:

A: Data provided by customers for processing of orders and payments:

Please note that this section includes prospective customers and former customers in addition to our existing customers. Data collected and processed for this purpose includes:

  • Your full name and address:
    • We use this to ensure accurate billing data when taking payments;
    • to facilitate effective storage and delivery of goods;
    • to ensure that our staff can locate your premises to perform servicing and repairs;
    • to ensure that any rented machinery is kept safe from risk by ensuring that it is kept at identifiable premises;
    • we will request business information and the address for your place of work if you are making purchases or enquiries on behalf of your company;
    • to recover rented machinery in the event of unpaid rental fees or insolvency;
    • we may on occasion use your address to send you urgent written correspondence if, after trying other methods of communication, no response have been received from you.
  • Your telephone contact details:
    • We use this in conjunction with the points above to contact you in relation to any enquiries you have made to us, or any orders you have placed with us;
    • to contact you in case of emergencies;
    • to contact you in case of order cancellations, stock depletion, or other information that is important and relevant to your order (e.g. if our driver cannot find where to deliver goods);
    • to gain information about which goods, services or machines are best suited to your needs, to return calls after enquiries you may make, or to address any issues or concerns that are pertinent to any orders placed with us;
    • to provide you with technical support should you have issues using our websites;
    • to call you or send you SMS notifications in order to request overdue payments, or to notify you of changes to your orders or service agreements as a result of overdue payments; and
    • to ask you for your feedback on our services, or to see if we can make any improvements to our services.
  • Your email address:
    • We use this in order to contact you to discuss your orders, or any enquiries made to us about our goods or services;
    • to send you confirmations of orders, invoices and information pertinent to your order (e.g. estimated delivery dates);
    • to send you receipts of payments, change of password requests, IT support in relation to our websites, or other relevant account information;
    • in conjunction with all points listed above, to notify you of order cancellations, emergencies, stock depletion, product recall or other important issues pertaining to your order;
    • to send you information about upcoming changes to our terms or services;
    • if you are not an existing customer, to send you promotional information about our products and services that may be of interest to you, with your express consent to receive promotional emails;
    • if you are an existing customer, to send you promotional information about other products and services that may be of interest to you, unless you should decide to opt out of promotional communications;
    • if you choose to unsubscribe from our emails, we may keep your email address details on our “unsubscribed” list for a reasonable period of time, to ensure that you do not receive any further unwanted correspondence; and
    • to ask you for your feedback on our services, or to see if we can make any improvements to our services.
  • Your payment details:
    • We may ask you for your credit/debit card details in order to make payments for our services (e.g. taking orders over the phone, email or directly via our websites);
    • we may ask for your bank account details in order to process payments, or to process any refunds you may have requested;
    • we do not record, store or otherwise keep your debit/credit card details by any means, as all card payments to us are processed via Paypal, Stripe and Barclays Payment Services;
    • we do not record, store or otherwise keep any personal bank details that you provide to make payments via GoCardless; and
    • we will endeavour not keep any emails from you containing your bank details any longer than necessary and ensure the best possible security of the same.

Please note that if you apply for a credit account with us, we may take some or all of the above details in order to conduct credit checks.

B: Identifiable imagery captured on our surveillance systems:

Please be aware that we also operate Close Circuit Television (CCTV) systems on our properties, which will capture and record footage from which it may be possible to identify you should you approach or enter our premises.

  • We record images of anyone entering or approaching our premises in order to:
    • Protect the Vital Interests of our staff and customers;
    • protect our property from damage and/or theft;
    • deterring criminal activity by the use of signs displaying that a CCTV installation is in use on our properties;
    • assist in the prevention and detection of crime;
    • enabling identification of any actions or events which may result in disciplinary proceedings being taken against staff and;
    • managing access to our shop, classroom and showroom areas.

You may request copies of any recognisable images, subject to exemptions outlined in national data protection legislation and we will only hold footage for a reasonable period, save for cases in which they are required for a specific business need or justification, or in cases of investigation.

C: Computer, IP and location information:

We may collect and process your personal information for operating and improving our webpages, analysing their use and ensuring the security of our website.

We may collect the request made by your browser to the server hosting our website which includes the IP address, the date and time of connection and the page you ask for. We use this information to ensure the security of our website and maintain its quality. Detailed logs may be held for up to 4-5 weeks and are automatically refreshed, with personal data beyond the retention period deleted. Abstract and analytic logs are kept for reporting purposes for as long as required. We may use and/or disclose this in the event of a security concern or incident. More technical details, including information about our use of “cookies”, are published on our websites[6],[7].

If you have any concerns or queries about any of the above, please contact our Data Protection Lead at the address given at the top of this policy.

Whom we share your data with:

At Coffee World, we select our partners very carefully and one of our main criteria for doing so is their handling and securing of our customers’ data. We will never knowingly use any service, choose any partner, or share your data with anyone that we believe may misuse or sell your data. Below is a list of all of the partners that we may share your data with from time to time:

We may use multiple third-party couriers, including EA Logistics, APC, DHL, DPD, Yodel, Hermes, Royal Mail and any other provider should we require to use them in the aim to make deliveries for placed orders. We carefully select our couriers to ensure that you are not only being given the best possible service, but to also make sure your details are in safe hands.

We use Zendesk Support to provide an instant chat feature on our websites, so that we can get back to you as quickly and efficiently as possible without you having to wait in phone queues and to improve our operational efficiency. Personal information that we request via this module is for the purpose of contacting you in relation to the enquiry you have placed. Any personal information you enter will be handled in accordance with this policy and with Zendesk’s own data protection policies and procedures, which you can find on their website[8]. You may wish to submit your details to this module via social media links. The transfer of such information is purely at your discretion and is subject to the privacy policies of the social media websites in question.

We use a visual feedback and customer satisfaction analytics feature on our websites, provided by Hotjar. We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices (in particular device’s IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link. You are also welcome to give us feedback without supplying an email address. As data collected by Hotjar may be processed outside of the UK, we have signed a Data Processing Agreement with Hotjar in order to ensure the security of your information[9].

Our emails and websites are privately hosted by GURU on secured, encrypted servers. When transferring data between our servers and the user’s computer (administrators and members), we use the same technology to secure information as banks and financial institutions – SSL (Secure Socket Layer) to protect the information. This works through a combination of programmes and encryption/decryption routines, meaning your information is kept safe in transmission. The secure connection is highlighted in your browser address bar where you will see HTTPS in green indicating the connection is secure, as is also the case with our website.

Payments processed and information given in regard to the same is processed securely by our payment facilitators (Paypal, Stripe, Barclays Payment Services and GoCardless). Please visit their websites for their respective Data Protection and Privacy Policies by clicking on the above links in their names.

We use Google’s third party web traffic analytic tools, Google Analytics and other Google products, to collect standard internet log information and details of your visitor behaviour patterns. We do this to find out, for example, the number of visitors to each page of our website. This is governed by Google’s updated privacy policy, which can be found here: https://policies.google.com/privacy/update.

Our telephony and internet systems are provided by UNICOM, a business telecoms provider who are very secure. We may, from time to time, choose to record telephone conversations for the purposes of training and quality assurance purely for business purposes, in accordance with this policy and Ofcom’s Guidance for Recording Calls in the UK[10]. We take the utmost care to make sure that our office network and phone system is as secure as possible through best practice. No telephone records are held on to for any longer than six months, unless specifically required in special circumstances.

We may on occasion use a third-party email platform, Mailchimp, to distribute (with your consent) e-newsletters and promotional emails with information about our other services that you have indicated would be of interest to you. Any email details collected by Mailchimp is done so securely, never sold on and more information can be found here: https://mailchimp.com/legal/privacy/. No data is sent to, or held by Mailchimp. Mailchimp is a US-based company, although they are covered by the EU-US Privacy Shield Framework. We have also signed a Data Protection Agreement with Mailchimp, which we can provide you with a copy of if you wish.

Please note that while we may interact with you using various social media platforms, we will not ask for, and do not recommend submitting any sensitive personal data across social media by way of “Commenting”, “Tweeting”, “Instant Messaging” or any other available formats of social media communication, as we cannot guarantee the safety and security of any data sent and received. All personal information that you store on social media is regulated and processed in accordance with their own privacy and data protection policies.

Should we knowingly send any personally identifiable information to any entity residing in, or storing data, outside of the European Union, we will endeavour to take all reasonable steps in ensuring that appropriate safeguards are put in place to protect your data (E.g. Signing Data Protection Agreements and making sure they are fully compliant with UK and EU law).

We reserve the right to retain your personal data longer than the periods stated elsewhere in this policy, where it becomes apparent that there is a need to do so – For example, in the event of a major health or personal injury incident, records may need to be kept for up to forty years.

Any photographic images of customers or staff collected by us (not including CCTV) for business purposes will be done so only with express consent by way of a signed release form, in which we will detail how we may plan to use them (E.g. On our website or for social media posts).

We also use other third-party service providers as plugins using our website’s CMS. These will be described in our privacy policies and/or data protection policy for the website in question. To clarify, all services used are in our utmost effort to maintain and improve as a business and provide a smooth and easy experience to our customers. No third-party service providers are used for any intention of selling, leasing or any form of compromising your data. A comprehensive list of service providers that collect data will be listed in our privacy policy and/or data protection policy.

Data subject rights:

You have the following rights, all of which are qualified in different ways and are listed without prejudice to any other rights you may have with regards to your personal data:

  • The right to be informed in clear, transparent ways, of how your personal information is being used and with whom it is being shared. This right is usually fulfilled by the provision of ‘privacy notices’ (also known as ‘data protection statements’ or, especially in the context of websites, ‘privacy policies’) which set out how an organisation plans to use your personal information, who it will be shared with, ways to raise objections, and so on;
  • to ask us for, and receive access to your personal information and to ask for rectification of inaccurate data, or erasure of your data (right to be forgotten);
  • to restrict the processing of your personal information pending its verification, correction or deletion;
  • to ask for the transfer of your personal information in machine-readable and commonly used formats and/or for said information to be transferred electronically to a nominated third party (data portability);
  • to object to: processing (including profiling) of your data that proceeds under particular legal bases; to direct marketing; and to processing of your data for research purposes where that research is not in the public interest; and
  • the right not to be subject to a decision based solely on automated decision-making using your personal information.

Some of these rights are not automatic and we reserve the right to discuss with you why we might not be able, or be willing to comply with a request from you to exercise them.

You retain the right at all times to lodge a complaint about our management of your personal information with the Information Commissioner’s Office[11].


Accountability:

We are required under law to:

  • comply with data protection law and hold records demonstrating this;
  • implement policies, procedures, processes and training to promote “data protection by design and by default”;
  • have appropriate contracts in place when outsourcing functions that involve the processing of personal data;
  • maintain records of the data processing that is carried out across the company;
  • record and report personal data breaches;
  • carry out, where relevant, data protection impact assessment on high risk processing activities;
  • cooperate with the Information Commissioner’s Office (ICO) as the UK regulator of data protection law;
  • respond to regulatory/court action and pay administrative levies and fines issued by the ICO.

 

 

ICO Registration Statement:

Coffee World fully complies with the Data Protection Act 1998, Regulation (EU) 2016/679 (GDPR), and per our obligation as a Data Controller, we are registered with the Information Commissioners Office in the UK (ICO) under registration number ZA394500[12]. Coffee World does not rent, lease or sell any personal information to third parties, for any reason whatsoever.

 

Date:                                   May 2018
Author:                                Nasar Aboukshem, Managing Director
As approved by:                 Board of Directors & Data Protection Officer (Coffee World (UK) LTD)

 

 

[1] In the rest of this document, “we”, “our” and “us” refer to Coffee World (UK) LTD; and “you” and “yours” refer to website visitors, general enquirers, customers and students.

[2] https://www.coffeeworld.co.uk/page/data-protection-policy/

[3] https://www.shopcoffee.co.uk/data-protection-policy/

[4] https://www.coffeeworld.co.uk/terms/

[5] https://www.shopcoffee.co.uk/terms-conditions/

[6] https://www.coffeeworld.co.uk/privacy/

[7] https://www.shopcoffee.co.uk/privacy-policy/

[8] https://www.zendesk.com/company/policies-procedures/

[9] https://www.shopcoffee.co.uk/wp-content/uploads/2018/05/Hotjar-Data-Processing-Agreement-signed.pdf

[10] http://www.icallsuite.com/uploads/1/1/0/0/11004260/ofcom_guidance.pdf

[11] https://ico.org.uk/concerns/
The Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (Local rate) or 01625 545 745 (National rate)

[12] You can check our registered details here: https://ico.org.uk/ESDWebPages/Search?EC=3&fieldregistration=ZA394500