GDPR: DATA PRIVACY NOTICE FOR CLIENTS AND SUPPLIERS
INTRODUCTION
Richmond Centre ("We") are committed to protecting and respecting your privacy.
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
DEFINITIONS
Data controller - A controller determines the purposes and means of processing personal data.
Data processor - A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data - The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data - The GDPR refers to sensitive personal data as ‘special categories of personal data (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, and religious or philosophical beliefs.
Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
WHO ARE WE?
Richmond Centre is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: info@richmondcentre.co.uk. For all data matters contact The Centre Manager on 02871 260525 or at info@richmondcentre.co.uk.
THE PURPOSE(S) OF PROCESSING YOUR PERSONAL DATA
We use your personal data for the following purposes:
Sending you a newsletter by email.
Maintaining our Richmond VIP database
THE CATEGORIES OF PERSONAL DATA CONCERNED
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
Personal data:
First Name
Last Name
Postcode
Mobile Number
Email
Prize Draw Answers
We have obtained your personal data from digital & written prize draw forms.
WHAT IS OUR LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA?
Personal data (article 6 of GDPR)
Our lawful basis for processing your general personal data:
Consent of the data subject;
More information on lawful processing can be found on the ICO website.
SHARING YOUR PERSONAL DATA
Your personal data will be treated as strictly confidential, and will be shared only with our marketing team for the purposes of contacting you for upcoming events, newsletters and prize draws.
HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We keep your personal data for no longer than reasonably necessary for a period of three years in order to keep you updated with upcoming events, newsletters and prize draws and in case of any legal claims/complaints; for safeguarding purposes etc.
PROVIDING US WITH YOUR PERSONAL DATA
You do not have to provide us with your personal dates but we do need it if you would like to receive information relating to upcoming events, newsletters and prize draws.
YOUR RIGHTS AND YOUR PERSONAL DATA
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
The right to request a copy of the personal data which we hold about you;
The right to request that we correct any personal data if it is found to be inaccurate or out of date;
The right to request your personal data is erased where it is no longer necessary to retain such data;
The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).
TRANSFER OF DATA ABROAD
We do not transfer personal data outside the EEA.
AUTOMATED DECISION MAKING
WE DO NOT USE ANY FORM OF AUTOMATED DECISION MAKING IN OUR BUSINESS.
FURTHER PROCESSING
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
CHANGES TO OUR PRIVACY POLICY
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.
HOW TO MAKE A COMPLAINT
To exercise all relevant rights, queries or complaints please in the first instance contact The Centre Manager on 02871 260525 or at info@richmondcentre.co.uk.
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.
DATA PROTECTION
Important information about Data Protection. This information forms part of our privacy policy available at www.richmondcentre.co.uk
This Policy applies to personal data collected by CCTV and or Electronic Access Control Systems (EACS) at Richmond Shopping Centre, Ferryquay Street, Derry/Londonderry, N. Ireland.
Where the CCTV system is able to process Data which by itself or with other Data available to us can be used to identify you, this is known as Personal Data.
This data protection policy sets out how we use that personal data, you can contact us at www.richmondcentre.co.uk
If you have any questions Including site specific details of whether or not the site you are or are about to visit has a CCTV and or Access Control System installed, which does or could process your personal data and where and if data processors are operating for and on behalf of us.
We take the security of your personal data very seriously and take a stringent approach to data protection including its secure storage and taking the appropriate technical, physical and organisational steps to protect it.
We regularly evaluate, whether it is necessary and proportionate to use CCTV systems at each of the sites for which we are responsible as Data Controllers. Richmond Shopping Centre has had a CCTV privacy impact assessment conducted and annual audits are undertaken to ensure that correct legal procedures are followed.
Prior to disclosing any CCTV footage, we seek the advice of a specialist data protection advisory service to protect your personal data from inappropriate or wrongful disclosure, unless required by law.
Your data will not be processed or stored outside of the European Economic Area (EEA)
THE TYPES OF PERSONAL DATA WE COLLECT AND USE
CCTV, the lawful basis for processing personal data by the use of CCTV is: For the legitimate interest of Richmond Shopping Centre (the Data Controller).
We will use the data obtained from CCTV images for the purposes set out below
For the purposes of,
Good property management,
Maintaining the security of the premises and the prevention and investigation of crime.
To monitor goods and services.
For health and safety.
For Protecting the rights, property and for the personal safety of the tenants of the buildings including, staff, visitors to the Shopping Centre including members of the public and those of Richmond Shopping Centre and its employees.
When you exercise your rights under data protection law and make requests
Based on your consent. When you request us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf, or otherwise agreed to disclosures:
For the security and wellbeing of equipment and vehicles
RETENTION PERIOD
CCTV recorded images
Recorded images will be kept for a limited period only usually a maximum of 30 days and are then erased.
The exception being where images are required for evidential purposes or another legally valid reason including responses to your legal rights (subject rights).
The Data will be collected directly during any visits you make to Richmond Shopping Centre.
Electronic Access Control the Lawful Basis for Processing Personal Data via the use of an Access Control System is:
For the legitimate interest of the data controller or that of other persons or organisations.
We will use your data for the purposes set out below:
The data will be collected directly and may include a combination of the following Personal Data dependant on the system itself and its objectives.
Your name
Your photographic image
The company you work for
Your position within that company
Your vehicle registration number
Your address and contact details
The Access Control System may record the days / times that you enter and leave the premises.
This information will not be given to any third parties including your employer without first obtaining your permission and will not be used to make any automated decisions concerning your employment.
Prior to any of your data being entered or processed by or into an access control system you will be advised of the exact content of the required data and the purposes for which your data will be used.
You will have the right to question why the data is required and to object to anything that you do not want to be processed.
Where you give your consent to your personal data being processed you will have the right to withdraw that consent at any time.
RETENTION PERIODS
Your data will only be kept within the access control system for the duration of time during which you asked to use the system to gain entry and to leave the premises where it is installed.
Following which your Data will be deleted from the system, for example when and if you are no longer employed in the building or are not intending to re-visit the building again.
WE WILL PROCESS YOUR PERSONAL DATA:
As necessary to comply with a legal obligation, e.g.:
When you exercise your rights under data protection law and make requests:
For compliance with legal and regulatory requirements and related disclosures:
For establishment and defence of legal rights:
For activities relating to the prevention, detection and investigation of crime:
To verify your identity.
For the security of the premises
For Health and Safety
For the safety and security of tenants, their employees and members of the public
For Good property/estate management
SHARING OF MY PERSONAL DATA
Subject to applicable data protection law we may share your personal data with:
Companies and other persons providing services to us:
Courts and Law enforcement agencies to comply with legal requirements, and for the administration of justice:
In an emergency or to otherwise protect our vital interests:
To protect the security or integrity of our business operations and those of our tenants
The tenants of the building
For Health and Safety
AUTOMATED DECISION MAKING AND PROCESSING
Your data will not be used in order to make any automated decisions which may or could significantly affect you
YOUR RIGHTS UNDER APPLICABLE DATA PROTECTION LAW
Your rights are as follows:
The right to be informed about the processing of your personal data:
The right to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed.
The right to object to processing of your personal data:
The right to have your personal data erased (the “right to be forgotten”)
The right to request access to your personal data and information about how we process it (Subject Access requests)
The right to move, copy, or transfer your personal data (data portability) and rights in relation to automated decision-making including profiling
You also have the right to complain to the Information Commissioner’s office. It has enforcement powers and can investigate compliance with data protection law:
The contact details are as follows
Website www.ico.org.uk
Northern Ireland
Information Commissioners Office
3rd floor, 14 Cromac Place,
Belfast BT7 2JB
Telephone 02890278757
Email: ni@ico.org.uk