The Scotch Pie Company Limited is committed to protecting the privacy and security of your personal information.

This privacy policy describes how we collect and use personal information about you before, during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR). This policy also outlines what rights individuals have over data held by us and sets out how we comply with GDPR.

It applies to all staff and customers of The Scotch Pie Company. It must also be complied with by the proprietors and visitors and others with access to your personal information whilst at or working on our behalf.

Who we are

We are The Scotch Pie Company Limited, located at 1-3 High Street, Tain, Ross-Shire, IV19 1AB. In this policy, Pollo Management Limited is also referred to as “The Scotch Pie Company”, “we”, “us” or “Bakery”.

Our Contact Details

To discuss this policy or any matters relating to the data we hold and how we use it, please contact Mr Ian Laslett, the Proprietor, who is the GDPR Compliance Lead. He can be contacted on 01862 892 030 or at 1-3 High Street, Tain, Ross-Shire, IV19 1AB.

What is the Purpose of this Document?

The Scotch Pie Company Limited is a “data controller”. This means that we are responsible for deciding how we hold and use the personal information about you that we collect. We are required under data protection legislation to notify you of the information contained in this privacy notice. Those acting on the data controller’s behalf are the proprietors and the staff employed by The Scotch Pie Company.

We may update this notice at any time but if we do so, we will provide you with an updated copy of this policy as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

Data protection principles

We will comply with data protection law. This says that the personal information we hold must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.

Personal Information

Personal data, or personal information, means any information about an individual from which that
person can be identified. This includes an individual’s name, contact details, and financial information.
It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of
protection, such as information about a person’s religion, ethnic group or health and medical
information.

What Personal Information Does the Scotch Pie Company Collect and Process

We set out below examples of the personal information we collect and where we collect it from:

  • We obtain core data relating to customers via order forms. This data will include names,
    addresses, telephone numbers, e-mail addresses and other contact details.
  • Where appropriate, food allergy information (categorised as medical information).
  • Customers’ names and addresses will be used for the purpose of invoicing. Necessary
    information will also be shared with the bakery’s accountants.
  • In connection with your browsing of our website we may collect, store and use the following
    categories of personal information about you:
    – Technical Data including your internet protocol (IP) address, your login data, browser
    type and version, time zone setting and location, browser plug-in types and versions,
    operating system and platform and other technology on the devices you use to access
    our website
    – Usage data including how you use our website.

Please note, the Scotch Pie Company is compliant with the PECR (Privacy and Electronic Communications
Regulation).

How the Scotch Pie Company Collects Data

Generally, we receive personal data from an individual directly. This may be via a form, or simply in the
ordinary course of interaction and communication such as email or conversations either in person or
over the phone. Some orders from repeat clients may also come via email.

Why we use Personal Data

The primary purpose for which we use personal information is to provide a service to you. We have set
out below different examples of the ways in which we use personal information. These examples are
not exhaustive.

  • To fulfil orders placed.
  • To send you information to keep you up to date with what is happening at the bakery. For
    example, by sending you information about events and offers taking place.
  • We process financial information about you in relation to payment for goods provided.

Who Has Access to Personal Data and Who We Share Personal Data With

  • Essential personal information is confidentially shared with bakery staff and the proprietors.
    Personal information is only shared on a need-to-know basis to ensure confidentiality is
    maintained at all times. The Scotch Pie Company will not share your data with any third parties
    without obtaining your express consent.
  • We store your data on the bakery premises in both electronic and paper format. Please see the
    Data Storage section for further information.
  • The bakery outsources its accountancy. The accountants act as Data Processors for the bakery.
  • Occasionally, we might need to use consultants, experts and other advisers to assist us in fulfilling
    our obligations and to run the bakery properly, for example, the Food Standards Agency. Data
    would only be shared if essential and on the proviso that consent was gained.
  • We may need to share information if there is an emergency, for example, if you are hurt while
    on our premises.

Legal grounds for the Scotch Pie Company using an Individual’s Data

This section contains information regarding the legal basis that the Scotch Pie Company relies upon
when handling individuals’ personal data.

Necessary for a Contract

The Scotch Pie Company will need to use an individual’s or an organisation’s data in order to perform
contractual obligations with you in the instance of fulfilling an order placed or where appropriate,
contractual obligations with staff. We rely on this basis for most of the ways in which we collect, use,
store and handle personal data.

If an individual wishes to object to us using their information where the legal basis of contract has
been relied upon, they should contact the bakery GDPR Compliance Lead immediately.

Legitimate Interest

A legitimate interest means that it is necessary for the bakery to process an individual’s data.
Specifically, The Scotch Pie Company has a legitimate interest in:

  • Safeguarding and promoting the welfare of all staff.
  • Promoting the ethos and interests of the bakery; this also includes ensuring our rights
    can be enforced, for example being able to contact customers if invoices are not paid.
  • Facilitating the effective operation of the business, for example fulfilling orders.
  • Ensuring that all relevant legal obligations of the bakery are complied with.

Legal Obligation

The bakery may need to use an individual’s personal data in order to comply with a legal obligation
such as proving staff have the right to work in the UK. This basis is generally most applicable to staff
as in order to comply with employment regulation we must have and retain certain pieces of personal
information.

Vital Interest

This basis is relied upon to ensure the prevention of harm coming to an individual by way of collecting
data such as allergy information.

Special Category Data

“Special categories” of particularly sensitive personal information require higher levels of protection.
We need to have further justification for collecting, storing and using this type of personal information. The special
categories are: personal information revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, genetic information, biometric information, health
information and information about sexual orientation. The Scotch Pie Company does not hold data on
individuals which falls into each category but has a duty to inform individuals of the categories classified as
‘special’. We may process special categories of personal information in the following circumstances:

Substantial Public Interest

The processing of special category data is necessary for reasons of substantial public interest. For
example, not having such data could endanger an individual or a group of individuals. For
example, we hold information on staff relating to any medical conditions that they may have.

Vital Interest

To protect the vital interest of the individual where that individual is not able to give their consent.
For staff, we hold medical information and information to contact their next of kin should an incident
occur, i.e. if they were seriously hurt.

Legal Claims

This allows us to share personal data with legal advisors and insurers should there be a need to
establish or defend a legal claim.

Medical Purposes

This includes emergency medical treatment or first aid should the need arise, along with allergy
information for customers who place orders with us.

Data Retention

  • Customer Data will be retained for 2 Years from the date of the last order at which point it will
    be securely disposed of.
  • Staff data will be retained for 7 Years from the termination of their employment and then
    reviewed and either kept or securely disposed of.

Detailed information on retention periods is available on request, free of charge, from the bakery office.
Please contact either of the GDPR Compliance Leaders to obtain a copy.

No personal data is retained indefinitely.

Data Storage

The physical data is stored in secure filing cabinets which are locked, in a locked office to ensure their
security when not in use. During working hours, when unattended, the cabinets in the office are locked
and so is the office until the return of a member of staff.

There is a limited amount of information which is held electronically; the data stored on a computer is
password protected and backed up regularly.

Individual Rights

In line with the General Data Protection Regulation (or GDPR 2018), individuals have the following rights;
some rights are new and some rights have been enhanced from the previous Data Protection Act (1998).

The rights an individual has are as follows:

  • If any information relating to an individual is incorrect, that individual has the right to ask us to
    correct the data.
  • In some cases, we may have restricted use of an individual’s data, for example if checks are being
    made to ensure the data accuracy.
  • Individuals have the right to ask what information the bakery holds about them and may ask for
    a copy of it. We are also able to inform individuals on things such as why we have the data, where
    it has come from and what the data is used for.
  • Individuals can request for data to be erased in certain circumstances, for example where we no
    longer need the information. It should be noted that in line with the retention periods the Scotch
    Pie Company has, no data is kept for longer than is necessary.
  • Individuals can request the transfer of their personal information to another party.
  • Individuals can object to processing of their personal information where we are relying on a
    legitimate interest (or those of a third party) and there is something about your particular
    situation which makes you want to object to processing on this ground. You also have the right
    to object where we are processing your personal information for direct marketing purposes.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights).
However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive.
Alternatively, we may refuse to comply with the request in such circumstances.

A copy of our retention periods is available, on request, from the bakery office.

Withdrawing Consent or Requesting Erasure

If an individual wishes to withdraw their consent for the recording, processing and managing of the data
that they have provided us, they must do so in writing to the Data Controller or those acting on its behalf.

Individuals may request data to be erased in some circumstances; erasure requests may be refused in
order for us to remain compliant with UK Law. Requesting erasure of an individual’s data should be
carried out in writing to the Data Controller or those acting on its behalf. The correspondence, once
received, will be acted upon in a timely manner (and within one month to remain GDPR compliant) and
a reply will be sent to the individual confirming the date that all of their data will be removed.

Further information regarding data protection rights can be obtained from the GDPR Compliance
Leaders as named earlier in this policy or from the Information Commissioner’s Office whose contact
details can be found at the end of this policy.

Cookies

Where you are accessing our website, we may use cookies to personalise your experience. In the
instance that cookies are used, you can disable or refuse cookies, but please note that some parts of
this website may become inaccessible or not function properly. For more information about the cookies
we use, please see our cookies policy which can be found on our website.

Data Breaches

If a data breach were to happen, the Data Controller, or those acting on its behalf, will report this where
required to do so to the Information Commissioner’s Office within 72 hours. Contact would be made via
the following means:
Phone: 0303 123 1113
Website: https://ico.org.uk/concerns/

The limited amount of data which is stored electronically is protected by various firewalls and anti-virus
software and is only accessible to the appropriate staff. All staff, regardless of their position, are asked
to sign a confidentiality agreement to ensure the data is securely accessed. No access is permitted to
unauthorised persons. Cyber-attacks are likely to cause minimal impact on the bakery due to the amount
of data that is held electronically; should the bakery change the way it stores its data, this policy will be
updated accordingly.

Individuals are also able to contact the Information Commissioner’s Office if they feel that the Scotch Pie
Company is not treating their data appropriately. Their contact details are:
Phone: 0303 123 1113
Website: https://ico.org.uk/concerns/

Where possible, individuals should approach the bakery in the first instance to see if a solution can be
found; however, individuals may always contact the Information Commissioner’s Office if they wish.

Further information and Guidance on GDPR

For further information, please contact Mr Ian Laslett, who is the GDPR Compliance Lead for the
Scotch Pie Company. He is contactable on 01862 892 030 or at 1-3 High Street, Tain, Ross-Shire,
IV19 1AB.
