PERSONAL DATA PRIVACY NOTICE

Caldey Island Estate Co. Ltd

Personal Data Privacy Notice

Introduction.

• This Privacy Notice explains what we do with your personal data, whether we are in the process of helping you as a customer or dealing with individuals in our supplier chain.

• It describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

• This Privacy Notice applies to the personal data of our Website Users, Customers, Suppliers and other people whom we may contact to undertake our business.
• It is important to point out that we may amend this Privacy Notice from time to time. Please just visit this page if you want to stay up to date, as we will post any changes here.

Who we are.

• This Privacy Notice refers to Caldey Island Estate Co Ltd, Caldey Island, off Tenby, Pembrokeshire, SA70 7UJ..

• If you have any cause for complaint, if you wish to exercise any of your privacy rights or if you just want to clarify how we use your personal data you should contact us at accounts@caldey-island.co.uk or tel. 01834 845568.

Whose data do we process?

Customers purchasing online or by mail-order:

If you are a customer, we need to collect and use information about you, or individuals at your organisation, in the course of providing you services such as:

•    Online or mail-order sale and delivery of goods.
•   Pricing or product queries.
•    Product and catalogue updates.
•   We limit the data we collect about customers; we need to make sure that our relationship runs smoothly so we will collect the details for individuals or contacts within an organisation, such as names, telephone numbers and email addresses. We DO NOT collect or process “sensitive” data that is subject to GDPR.

• We never pass on your details to our suppliers

• We will pass on your personal data to logistics companies to deliver items to you directly.

• We will also collect bank details, so that we can arrange payment for products and services.

• The principal reason for using your personal data is to ensure that the contractual arrangements between us can properly be implemented so that the relationship can run smoothly, and to comply with legal requirements.

• There are occasions when we will use your name, address and email address for marketing purposes, to send out our catalogue of products. We believe that this is in our legitimate interest. We will always provide an ‘opt out’ option in all our marketing correspondence with you.

• We will use ‘cloud storage’ to assist us with our business operations, this includes data storage as well as web applications. All of our data processed is based in the EU.

• We may use your personal data if we deem this necessary for other legitimate interests, such as recovering any outstanding debts etc.

• We collect data from you on our website if you enter any data into the web forms, such as the Prayer Request facility or Online Shop. This data is printed out for practical reference by the relevant persons (Monastic Community or Post Room staff to arrange delivery).

• Website Visitors: The website records I.P. addresses of those accessing it but we do not currently access, refer to or process any such data from the users of our website. Should this change in the future, this policy document will be amended accordingly.

Suppliers and Professional Services:

We limit the data we collect about Suppliers and our advisors – we need to make sure that our relationship runs smoothly so we will collect the details for our contacts within your organisation, such as names, telephone numbers and email addresses. We will also collect bank details, so that we can pay you. We may also hold extra information that someone in your organisation has chosen to tell us.

• The principal reasons for using your personal data are to ensure that the contractual arrangements between us can properly be implemented so that the relationship can run smoothly, and to comply with legal requirements.

• We may use personal data obtained for the above purposes if we deem this to be necessary for our legitimate interests, such as recovering any outstanding debts etc.

• We will use ‘cloud storage’ to assist us with our business operations, this includes data storage as well as web applications. All of our data processed on the web is based in the EU. Our Cloud providers have confirmed that they are GDPR compliant and that all data is stored securely.

• We collect data to fulfil our contractual obligations with you, such as name, address, delivery address, email address, telephone number.

How long do we keep your personal data for?

• We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

• By law, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

• If we have not had meaningful contact with you (or, where appropriate, the company you are working for or with) for an additional four years, we will review your data and make efforts to determine if it is still relevant to our relationship. If it is not we will delete your personal data from our systems unless we believe in good faith that the law or other regulation requires us to preserve it (for example, because of our obligations to tax authorities or in connection with any anticipated litigation).

• If we learn an individual has left our customer or supplier we will delete that individual’s personal data from our systems unless we believe in good faith that the law or other regulation requires us to preserve it (for example, because of our obligations to tax authorities or in connection with any anticipated litigation).

• To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Website Service Providers

- Our website service providers are based in the UK and we have confirmed that they have signed up to the EU-U.S. Privacy Shield Framework for the transfer of personal data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions.

Exercising your rights.
Even if we hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues, which you raise.
• Right to object : If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days. Generally, we will only disagree with you if certain limited conditions apply.

• Right to rectification : If you have informed us that your personal data is inaccurate you have the right to have your data corrected on our systems. We will respond to your request within 30 days.

• Right to restrict processing : Where we have obtained your consent to process your personal data or you object to any other processing we deem in our legitimate interest, you may ask us to stop this processing. We will assess if our interests prevail and make a decision based upon this assessment. In the event that you are requesting that we stop marketing to you, we will do this unconditionally.

•   Data Subject Access Requests (DSAR) : Just so it is clear, you have the right to ask us to confirm what information we hold about you at any time, and you may ask us to modify, update or delete it. At this point we may comply with your request or, additionally do one of the following:-
- we may ask you to verify your identity, or ask for more information about your request; and
- where we are legally permitted to do so, we may decline your request, but we will explain why if we do so.
•   Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your personal data. We will respond to your request within 30 days and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will retain your name on our register of individuals who would prefer not to be contacted or have been erased. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances.
•   Automatic Decision Making: There are often occasions where organisations make automated decisions based upon personal data held. You have the right to have a person intervene in this decision-making process. Therefore we do not undertake any profiling or automated decision making on your personal data

• Right to lodge a complaint with a supervisory authority : You also have the right to lodge a complaint with your local supervisory authority. If you want to exercise this right you should contact the Information Commissioners Office at www.ico.org.uk.

• If your interests or requirements change, you can unsubscribe from part or all of our marketing content by simply letting us know.