The Scotch Pie Company Limited is committed to protecting the privacy and security of your personal information.
This privacy policy describes how we collect and use personal information about you before, during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR). This policy also outlines what rights individuals have over data held by us and sets out how we comply with GDPR.
It applies to all staff and customers of The Scotch Pie Company. It must also be complied with by the proprietors and visitors and others with access to your personal information whilst at or working on our behalf.
Who we are
We are The Scotch Pie Company Limited, located at 1-3 High Street, Tain, Ross-Shire, IV19 1AB. In this policy, Pollo Management Limited is also referred to as “The Scotch Pie Company”, “we”, “us” or “Bakery”.
Our Contact Details
To discuss this policy or any matters relating to the data we hold and how we use it, please contact Mr Ian Laslett, the Proprietor, who is the GDPR Compliance Lead. He can be contacted on 01862 892 030 or at 1-3 High Street, Tain, Ross-Shire, IV19 1AB.
What is the Purpose of this Document?
The Scotch Pie Company Limited is a “data controller”. This means that we are responsible for deciding how we hold and use the personal information about you that we collect. We are required under data protection legislation to notify you of the information contained in this privacy notice. Those acting on the data controller’s behalf are the proprietors and the staff employed by The Scotch Pie Company.
We may update this notice at any time but if we do so, we will provide you with an updated copy of this policy as soon as reasonably practical.
It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.
Data protection principles
We will comply with data protection law. This says that the personal information we hold must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
Personal Information
Personal data, or personal information, means any information about an individual from which that
person can be identified. This includes an individual’s name, contact details, and financial information.
It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of
protection, such as information about a person’s religion, ethnic group or health and medical
information.
What Personal Information Does the Scotch Pie Company Collect and Process
We set out below examples of the personal information we collect and where we collect it from:
Please note, the Scotch Pie Company is compliant with the PECR (Privacy and Electronic Communications
Regulation).
How the Scotch Pie Company Collects Data
Generally, we receive personal data from an individual directly. This may be via a form, or simply in the
ordinary course of interaction and communication such as email or conversations either in person or
over the phone. Some orders from repeat clients may also come via email.
Why we use Personal Data
The primary purpose for which we use personal information is to provide a service to you. We have set
out below different examples of the ways in which we use personal information. These examples are
not exhaustive.
Who Has Access to Personal Data and Who We Share Personal Data With
Legal grounds for the Scotch Pie Company using an Individual’s Data
This section contains information regarding the legal basis that the Scotch Pie Company relies upon
when handling individuals’ personal data.
Necessary for a Contract
The Scotch Pie Company will need to use an individual’s or an organisation’s data in order to perform
contractual obligations with you in the instance of fulfilling an order placed or, where appropriate,
contractual obligations with staff. We rely on this basis for most of the ways in which we collect, use,
store and handle personal data.
If an individual wishes to object to us using their information where the legal basis of contract has
been relied upon, they should contact the bakery GDPR Compliance Lead immediately.
Legitimate Interest
A legitimate interest means that it is necessary for the bakery to process an individual’s data.
Specifically, The Scotch Pie Company has a legitimate interest in:
Legal Obligation
The bakery may need to use an individual’s personal data in order to comply with a legal obligation
such as proving staff have the right to work in the UK. This basis is generally most applicable to staff
as in order to comply with employment regulation we must have and retain certain pieces of personal
information.
Vital Interest
This basis is relied upon to ensure the prevention of harm coming to an individual by way of collecting
data such as allergy information.
Special Category Data
“Special categories” of particularly sensitive personal information require higher levels of protection.
We need to have further justification for collecting, storing and using this type of personal information. The special
categories are: Personal information revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, genetic information, biometric information, health
information and information about sexual orientation. The Scotch Pie Company does not hold data on
individuals which falls into each category but has a duty to inform individuals of the categories classified as
‘special’. We may process special categories of personal information in the following circumstances:
Substantial Public Interest
The processing of special category data is necessary for reasons of substantial public interest. For
example, to not have such data that could endanger an individual or a group of individuals. For
example, we hold information on staff relating to any medical conditions that they may have.
Vital Interest
To protect the vital interest of the individual where that individual is not able to give their consent.
For staff, we hold medical information and information to contact their next of kin should an incident
occur, i.e. if they were seriously hurt.
Legal Claims
This allows us to share personal data with legal advisors and insurers should there be a need to
establish or defend a legal claim.
Medical Purposes
This includes emergency medical treatment or first aid should the need arise, along with allergy
information for customers who place orders with us.
Data Retention
Detailed information on retention periods is available on request, free of charge, from the bakery office.
Please contact either of the GDPR Compliance Leaders to obtain a copy.
No personal data is retained indefinitely.
Data Storage
The physical data is stored in secure filing cabinets which are locked, in a locked office to ensure their
security when not in use. During working hours, when unattended, the cabinets in the office are locked
and so is the office until the return of a member of staff.
There is a limited amount of information which is held electronically; the data stored on a computer is
password protected and backed up regularly.
Individual Rights
In line with the General Data Protection Regulation (or GDPR 2018), individuals have the following rights;
some rights are new and some rights have been enhanced from the previous Data Protection Act (1998).
The rights an individual has are as follows:
You will not have to pay a fee to access your personal information (or to exercise any of the other rights).
However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive.
Alternatively, we may refuse to comply with the request in such circumstances.
A copy of our retention periods is available, on request, from the bakery office.
Withdrawing Consent or Requesting Erasure
If an individual wishes to withdraw their consent for the recording, processing and managing of the data
that they have provided us, they must do so in writing to the Data Controller or those acting on its behalf.
Individuals may request data to be erased in some circumstances; erasure requests may be refused in
order for us to remain compliant with UK Law. Requesting erasure of an individual’s data should be
carried out in writing to the Data Controller or those acting on its behalf. The correspondence, once
received, will be acted upon in a timely manner (and within one month to remain GDPR compliant) and
a reply will be sent to the individual confirming the date that all of their data will be removed.
Further information regarding data protection rights can be obtained from the GDPR Compliance
Leaders as named earlier in this policy or from the Information Commissioner’s Office whose contact
details can be found at the end of this policy.
Cookies
Where you are accessing our website, we may use cookies to personalise your experience. In the
instance that cookies are used, you can disable or refuse cookies, but please note that some parts of
this website may become inaccessible or not function properly. For more information about the cookies
we use, please see our cookies policy which can be found on our website.
Data Breaches
If a data breach were to happen, the Data Controller, or those acting on its behalf, will report this where
required to do so to the Information Commissioner’s Office within 72 hours. Contact would be made via
the following means:
Phone: 0303 123 1113
Website: https://ico.org.uk/concerns/
The limited amount of data which is stored electronically is protected by various firewalls and anti-virus
software and is only accessible to the appropriate staff. All staff, regardless of their position, are asked
to sign a confidentiality agreement to ensure the data is securely accessed. No access is permitted to
unauthorised persons. Cyber-attacks are likely to cause minimal impact on the bakery due to the amount
of data that is held electronically; should the bakery change the way it stores its data, this policy will be
updated accordingly.
Individuals are also able to contact the Information Commissioner’s Office if they feel that the Scotch Pie
Company is not treating their data appropriately. Their contact details are:
Phone: 0303 123 1113
Website: https://ico.org.uk/concerns/
Where possible, individuals should approach the bakery in the first instance to see if a solution can be
found; however, individuals may always contact the Information Commissioner’s Office if they wish.
Further information and Guidance on GDPR
For further information, please contact Mr Ian Laslett, who is the GDPR Compliance Lead for the
Scotch Pie Company. They are contactable on 01862 892 030 or at 1-3 High Street, Tain, Ross-Shire,
IV19 1AB.