Data Protection Policy

1.     Scope and Purpose

a.      This policy applies to all personal data processed by Sparsholt Village Shop Association Limited (The Shop) at The Well House, Woodman Lane, Sparsholt, Winchester SO21 2NR including data collected from customers, staff, volunteers, suppliers and CCTV.

b.      The purpose of this policy is to ensure compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

c.      The Shop management committee needs to keep personal data about its customers, staff, volunteers and members in order to carry out the committee’s activities.

d.      To uphold this policy, we will maintain a set of data protection procedures for our committee and volunteers to follow.

 

2.     Data Protection Principles:

Lawfulness, Fairness and Transparency

We will process personal data lawfully, fairly and in a transparent manner.

Purpose limitation

We will collect and process the personal data only for specific, legitimate purposes and not further process it in a manner incompatible with those purposes e.g. in the case of CCTV for the purpose of crime prevention.

Date Minimisation

We will collect only personal data that is necessary for the specific purposes for which it is processed and in the case of CCTV footage, we will delete it when it is no longer needed.

Accuracy

We will ensure that personal data is accurate and kept up to date.

Storage Limitation

We will keep personal data for no longer that necessary for the purposes for which it is processed.

Integrity and confidentiality

We will take appropriate technical and organisational measures to ensure the security and confidentiality of personal data.

Accountability

Overall responsibility for data protection lies with the management committee, who are responsible for overseeing activities and ensuring this policy is upheld.

All volunteers are responsible for observing this policy, and related procedures, in all areas of their work for The Shop.

We will be able to demonstrate compliance with the GDPR principles.

3.     Data Collection and Processing

Types of data

We may collect personal data such as names, contact details (email. Phone number, address) purchase history and payment information and CCTV footage.

Data collection methods

We may collect personal data directly from customers (e.g. through sales transactions, buy now pay later agreements, loyalty programmes or customer feedback forms) or through third party sources (e.g. suppliers, CCTV footage).

Lawful basis for processing

We will ensure that we have a lawful basis for processing personal data, such as consent, contract, legitimate interests, to protect someone’s life or legal obligation.

Privacy notices

We will provide clear and concise privacy notices to individuals about how their personal data is collected, used and shared.

Data retention

We will retain personal data only for as long as necessary to fulfil the purposes for which it was collected and we will delete it securely when it is no longer needed.

4.     Data security

Security measures

We will implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Only authorised persons have access to the CCTV recordings, and they will keep a record of who accessed the CCTV footage, when and for what purpose.

Staff training

We will provide data protection training to our staff and volunteers to ensure they understand their responsibilities in protecting personal data.

Data breach

We will endeavour not to have data breaches. In the event of a data breach, we will endeavour to rectify the breach by getting any lost or shared data back. We will evaluate our processes and understand how to avoid it happening again. Serious data breaches which may risk someone’s personal rights or freedoms will be reported to the Information Commissioner’s Office within 72 hours, and to the individual concerned.

5.     Data Subject Rights

Right of access

Individuals have the right to access their personal data that we hold.

Right of rectification

Individuals have the right to rectify inaccurate personal data.

Right to erasure

Individuals have the right to request that their personal data be erased.

Right to restriction of processing

Individuals have the right to restrict the processing of personal data.

Right to Data portability

Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format.

Right to object

Individuals have the right to object to the processing of their personal data in certain circumstances.

Right to withdraw consent

Individuals have the right to withdraw their consent to the processing of their personal data at any time.

6.     Contact information

For any questions or concerns regarding data protection, individuals can contact The Shop at the address above and by email at sparsholtvs@googlemail.com or telephone 01962 776998.