GDPR: DATA PRIVACY NOTICE FOR CLIENTS AND SUPPLIERS
*Throughout this document you must insert information where you see square brackets.
**Further guidance from the ICO may also affect the content of our Privacy Notice, please check back nearer to May 2018 for updates to this document.
***This document must be read in conjunction with the Guidance notes on completing the Data Privacy Notice.
Queens Square ("We") are committed to protecting and respecting your privacy.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller - A controller determines the purposes and means of processing personal data.
Data processor - A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data - The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data - The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Who are we?
Queens Square is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: email@example.com . For all data matters contact The Centre Manager on 0121 553 4694 or at firstname.lastname@example.org.
The purpose(s) of processing your personal data
We use your personal data for the following purposes:
Sending you a newsletter by email.
The categories of personal data concerned
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
- Personal data:
- First Name
- Last Name
- Mobile Number
- Prize Draw Answers
We have obtained your personal data from digital & written prize draw forms.
What is our legal basis for processing your personal data?
Personal data (article 6 of GDPR)
Our lawful basis for processing your general personal data:
Consent of the data subject;
More information on lawful processing can be found on the ICO website.
Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only with our marketing agency for the purposes of contacting you for upcoming events, newsletters and prize draws.
How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary for a period of three years in order to keep you updated with upcoming events, newsletters and prize draws and in case of any legal claims/complaints; for safeguarding purposes etc.
Providing us with your personal data
You do not have to provide us with your personal dates but we do need it if you would like to receive information relating to upcoming events, newsletters and prize draws.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of the personal data which we hold about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary to retain such data;
- The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).
Transfer of Data Abroad
we do not transfer personal data outside the eea.
Automated Decision Making
WE DO NOT USE ANY FORM OF AUTOMATED DECISION MAKING IN OUR BUSINESS.
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
How to make a complaint
To exercise all relevant rights, queries or complaints please in the first instance contact The Centre Manager on 0121 553 4694 or at email@example.com.
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.
This Policy applies to personal data collected by CCTV and or Electronic Access Control Systems (EACS) at Queens Square Shopping Centre West Bromwich.
Where the CCTV system is able to process Data which by itself or with other Data available to us can be used to identify you, this is known as Personal Data.
This data protection policy sets out how we use that personal data, you can contact us at www.queenssquaresc.co.uk
If you have any questions Including site specific details of whether or not the site you are or are about to visit has a CCTV and or Access Control System installed, which does or could process your personal data and where and if data processors are operating for and on behalf of us.
We take the security of your personal data very seriously and take a stringent approach to data protection including its secure storage and taking the appropriate technical, physical and organisational steps to protect it.
We regularly evaluate, whether it is necessary and proportionate to use CCTV systems at each of the sites for which we are responsible as Data Controllers. Queens square Shopping Centre has had a CCTV privacy impact assessment conducted and annual audits are undertaken to ensure that correct legal procedures are followed.
Prior to disclosing any CCTV footage, we seek the advice of a specialist data protection advisory service to protect your personal data from inappropriate or wrongful disclosure.
Your data will not be processed or stored outside of the European Economic Area (EEA)
The types of personal data we collect and use
CCTV, the lawful basis for processing personal data by the use of CCTV is: For the legitimate interest of Queens square Shopping Centre (the Data Controller).
We will use the data obtained from CCTV images for the purposes set out below
For the purposes of,
- Good property management,
- Maintaining the security of the premises and the prevention and investigation of crime.
- To monitor goods and services.
- For health and safety.
- For Protecting the rights, property and for the personal safety of the tenants of the buildings including, staff, visitors to the Shopping Centre including members of the public and those of Queens Square shopping Centre and its employees.
- When you exercise your rights under data protection law and make requests
- Based on your consent. When you request us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf, or otherwise agreed to disclosures:
- For the security and wellbeing of equipment and vehicles
CCTV recorded images
Recorded images will be kept for a limited period only usually a maximum of 30 days and are then erased.
The exception being where images are required for evidential purposes or another legally valid reason including responses to your legal rights (subject rights).
The Data will be collected directly during any visits you make to Queens square Shopping Centre.
Electronic Access Control the Lawful Basis for Processing Personal Data via the use of an Access Control System is:
For the legitimate interest of the data controller or that of other persons or organisations.
We will use your data for the purposes set out below
The data will be collected directly and may include a combination of the following Personal Data dependant on the system itself and its objectives.
Your photographic image
The company you work for
Your position within that company
Your vehicle registration number
Your address and contact details
The Access Control System may record the days / times that you enter and leave the premises.
This information will not be given to any third parties including your employer without first obtaining your permission and will not be used to make any automated decisions concerning your employment.
Prior to any of your data being entered or processed by or into an access control system you will be advised of the exact content of the required data and the purposes for which your data will be used.
You will have the right to question why the data is required and to object to anything that you do not want to be processed.
Where you give your consent to your personal data being processed you will have the right to withdraw that consent at any time.
Your data will only be kept within the access control system for the duration of time during which you asked to use the system to gain entry and to leave the premises where it is installed.
Following which your Data will be deleted from the system, for example when and if you are no longer employed in the building or are not intending to re-visit the building again.
We will process your personal data:
As necessary to comply with a legal obligation, e.g.:
- When you exercise your rights under data protection law and make requests:
- For compliance with legal and regulatory requirements and related disclosures:
- For establishment and defence of legal rights:
- For activities relating to the prevention, detection and investigation of crime:
- To verify your identity.
- For the security of the premises
- For Health and Safety
- For the safety and security of tenants, their employees and members of the public
- For Good property/estate management
Sharing of my personal data
Subject to applicable data protection law we may share your personal data with:
- Companies and other persons providing services to us:
- Courts and Law enforcement agencies to comply with legal requirements, and for the administration of justice:
- In an emergency or to otherwise protect our vital interests:
- To protect the security or integrity of our business operations and those of our tenants
- The tenants of the building
- For Health and Safety
Automated decision making and processing
- Your data will not be used in order to make any automated decisions which may or could significantly affect you
Your rights under applicable data protection law
Your rights are as follows:
- The right to be informed about the processing of your personal data:
- The right to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed.
- The right to object to processing of your personal data:
- The right to have your personal data erased (the “right to be forgotten”)
- The right to request access to your personal data and information about how we process it (Subject Access requests)
- The right to move, copy, or transfer your personal data (data portability) and
- Rights in relation to automated decision-making including profiling
You also have the right to complain to the Information Commissioner’s office. It has enforcement powers and can investigate compliance with data protection law:
The contact details are as follows
The information Commissioners Office
Wycliffe House, Water Lane,
Wilmslow SK9 5AF
Telephone 0303 123 1113
Information Commissioners Office
45 Melville Street,
Edinburgh EH3 7HL
Telephone 0131 244 9001
Information Commissioners Office
2nd Floor, Churchill House,
Churchill Way, Cardiff, CF10 2HH
Information Commissioners Office
3rd floor, 14 Cromac Place,
Belfast BT7 2JB