INTRODUCTION
This policy is the binding framework for the compliant handling and processing of personal data for Mr Pretzels Retail (UK) Limited. The implementation of this policy aims to protect the fundamental rights and freedoms of data subjects and to ensure an appropriate level of data protection against the risks of processing personal data. The main objective of the policy is to bring all data processing activities in line with the applicable data protection legislation (in particular, the General Data Protection Regulation). This policy applies to the entire organisation including all affiliated entities that are economically controlled by Mr Pretzels Retail (UK) Limited.

The provisions of this policy apply to all employees and managers. The policy is made available to every employee at the start of their employment and can be accessed at any time through the organisation’s internal system. This policy applies to all operations and activities in which the personal data of individuals is processed. It is irrelevant whether the processing of personal data is carried out electronically or in paper form. The provisions of this policy supplement, but do not replace, the applicable data protection legislation. In the event of a conflict or divergence between the applicable data protection legislation and the provisions of this policy, the applicable data protection legislation shall prevail. This policy may only be amended with the approval of the Data Protection Officer. The organisation, or any affiliated entity, may not implement any diverging policies. Management is responsible for determining when this policy comes into force.

DEFINITIONS
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data means any information concerning racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, genetic or biometric data, health or sexual orientation or life of a natural person.

Criminal offence data is data which relates to an individual’s criminal convictions and offences.

Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subjects means any identified or identifiable natural person whose personal data is processed.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by UK or local law, the controller or the specific criteria for its registration may be provided for by UK or local law.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with UK or local law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action, in agreement to the processing of their personal data.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Health data means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status.

Organisation means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

Group of undertakings means a controlling undertaking and its controlled undertakings.

DATA PROTECTION OFFICER
The Data Protection Officer shall monitor compliance with the applicable data protection legislation and this policy. The Data Protection Officer advises and informs the management of their obligations under data protection law. In addition, the Data Protection Officer acts as a contact point for data subjects and supervisory authorities on issues relating to the processing of personal data. The Data Protection Officer shall not receive any instructions regarding the exercise of these tasks and reports directly to the highest level of management. Mr Pretzels Retail (UK) Limited has appointed the following Data Protection Officer:

DataCo International UK Limited
25 Luke St
London
EC2A 4DS
+44 2035146557
[email protected]
www.dataguard.co.uk

Employees may contact the Data Protection Officer at any time. In particular, the Data Protection Officer should be involved as early as possible in the following issues:

  • Data subject requests or enquiries
  • Enquiries from the supervisory authorities
  • Data breaches (incidents affecting personal data)
  • Enquiries on data protection documentation
  • Corporate strategies related to data protection
  • Data protection compliance of offered products and services as well as the use of tools and software (privacy by design/privacy by default).

DATA PROTECTION PRINCIPLES
The following principles must be observed when processing personal data:

  • Lawfulness of processing: personal data must be processed in a lawful manner.
  • Purpose limitation: personal data may only be collected for specified, explicit and legitimate purposes. Personal data may not be further processed in a way that is incompatible with these purposes. A change of purpose requires a separate justification. In particular, the following must be taken into account:
    • the link between the original and the intended purpose of processing;
    • the context in which personal data was collected;
    • the nature of the personal data being processed;
    • the possible consequences of the data processing; and
    • the existence of appropriate safeguards.
  • Transparency: personal data should be handled in a way that is easily understood by the data subject. The information obligations that the controller must fulfil play an important role here. When these are properly observed, data subjects are informed about the purpose of the data processing, the contact details of the data controller and the third parties to which personal data will be transferred. In certain cases, the data subject must be informed if their personal data originates from other sources (i.e. not collected directly from the data subject). The data subject must also be informed if the purposes of processing change. Transparency also plays an important role for data controllers, system operators and supervisory authorities. It allows these parties to understand which personal data is processed for which purposes by which bodies and through which means. This helps to ensure that data processing risks and gaps are quickly identified and remedied.
  • Data minimisation: the core aspect of data minimisation is the principle of necessity. According to this principle, all processing activities must be designed so that personal data is processed only when necessary to achieve the specific purpose. This principle plays a decisive role, for example, when defining internal retention periods. Before processing personal data, you must assess whether and to what extent the purpose of processing is achieved through the intended processing. If this purpose can also be achieved without using personal data, for example by processing anonymised or pseudonymised data, that type of data processing is preferred.
  • Storage limitation: storing personal data on a “just in case” basis is not allowed. Personal data should only be stored for as long as it is necessary for the respective processing purpose.
  • Accuracy: personal data shall be accurate, complete and kept up to date. Incorrect, incomplete or no longer up-to-date data must be corrected, supplemented, updated or deleted without delay.
  • Integrity: personal data must be treated confidentially. Appropriate technical and organisational measures must be implemented to ensure adequate protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
  • Deletion: as soon as the purposes of processing cease to apply and the legal retention periods have expired, personal data must be deleted.
  • Availability: the core element of availability is the ability to access personal data without delay. This includes, in particular, accessing and transmitting personal data in a structured way and in a format that is appropriate for users. In addition, technical measures must be implemented to ensure that:
    • personal data can be quickly recovered in the event of a physical or technical incident;
    • the data processing systems remain functional during high-load incidents; and
    • measures are in place that can remedy or mitigate the consequences of a potential data breach.
  • Data Integrity: integrity requires that personal data remains complete, authentic and accurate during processing.
  • Accountability: the data controller is responsible for compliance with these principles and must be able to demonstrate this compliance.

LEGAL BASES FOR DATA PROCESSING
All processing of personal data requires a legal basis. The following principles must be observed:

  • If personal data is processed based on the data subject’s consent, this consent must be documented. The data subject has the right to revoke their consent at any time.
  • In the case of processing activities that serve the performance of a contract with the data subject, it must be ensured that the data processing is necessary for the performance of the contract.
  • Processing activities which serve the fulfilment of legal obligations must be documented, including the legal obligation concerned. It must be verified that the processing activity is necessary to fulfil the respective legal obligation.
  • If processing is necessary to protect the vital interests of the data subject or another natural person, the relevant circumstances must be documented.
  • If personal data is processed to perform a task that is in the public interest or in the exercise of official authority, the legal provision in question must be documented.
  • If processing is necessary for the purposes of the legitimate interests of the data controller or a third party, it must be documented which interests are pursued by the processing activity. In addition, the controller must determine whether these interests are overridden by the data subject’s interests or fundamental rights and freedoms. This balancing test must be documented.

DATA SUBJECTS’ RIGHTS
The data subject has the following rights, provided that the respective requirements are met:

  • Right of access: the data subject may request information on whether their personal data is being processed. If personal data is being processed, the data subject has the right to access this personal data.
  • Right to rectification: the data subject has the right to obtain rectification of inaccurate or incomplete personal data without undue delay.
  • Right to erasure: the data subject has the right to obtain erasure of their personal data without undue delay.
  • Right to restriction of processing: the data subject has the right to obtain restriction of processing.
  • Right to data portability: the data subject has the right to obtain the personal data which they have provided to the controller in a structured, commonly used and machine-readable format. They have the right to transmit this data to another controller without hindrance, provided that the respective requirements are met.
  • Right to object: the data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of their personal data. The right to object applies in particular if personal data is processed for direct marketing purposes.
  • Right to lodge a complaint: the data subject has the right to lodge a complaint with a supervisory authority.

THIRD COUNTRY TRANSFERS
Personal data may only be transferred to countries outside the European Economic Area (EEA) if appropriate safeguards are in place to ensure an adequate level of data protection. The Data Protection Officer must be involved before transferring personal data to third countries.

DATA PROTECTION BREACHES
All employees must immediately report any data protection breaches to the Data Protection Officer. This includes any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The Data Protection Officer will assess whether the breach is likely to result in a risk to the rights and freedoms of natural persons. If so, the Data Protection Officer will report the breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Protection Officer will inform the data subject without undue delay. The notification to the data subject must describe in clear and plain language the nature of the breach and contain at least the following information:

  • The name and contact details of the Data Protection Officer or another contact point where more information can be obtained;
  • The likely consequences of the breach;
  • The measures taken or proposed to be taken by the controller to address the breach and to mitigate its possible adverse effects.

DATA PROTECTION IMPACT ASSESSMENTS
When a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the Data Protection Officer must be consulted to carry out a data protection impact assessment. The assessment must contain at least:

  • A systematic description of the envisaged processing operations and the purposes of the processing;
  • An assessment of the necessity and proportionality of the processing in relation to the purposes;
  • An assessment of the risks to the rights and freedoms of data subjects;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this policy.

RECORDS OF PROCESSING ACTIVITIES
Each department must keep records of their processing activities. These records must contain at least the following information:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • The purposes of the processing;
  • A description of the categories of data subjects and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • Where applicable, transfers of personal data to a third country, including the identification of that third country and the documentation of suitable safeguards;
  • Where possible, the envisaged time limits for erasure of the different categories of data;
  • Where possible, a general description of the technical and organisational security measures.

DATA PROTECTION BY DESIGN AND BY DEFAULT
The principle of data protection by design requires that, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures are implemented to ensure data protection principles are effectively integrated into processing activities. The principle of data protection by default requires that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

RESPONSIBILITIES OF EMPLOYEES
All employees must comply with this policy and the applicable data protection legislation. Employees must only process personal data where it is necessary for the performance of their duties. Employees must ensure that personal data is kept secure and confidential at all times. In particular, employees must:

  • Ensure that personal data is only shared with authorised personnel;
  • Report any data protection breaches to the Data Protection Officer without undue delay;
  • Complete data protection training as required;
  • Cooperate with the Data Protection Officer in relation to data protection impact assessments and audits;
  • Follow the principles of data protection by design and by default.

SANCTIONS
Any breach of this policy or the applicable data protection legislation may result in disciplinary action. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.


Privacy Notice

In accordance with the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA), we have implemented this privacy notice to inform you, as a customer of our Company, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.

A) Data Protection Principles

Under GDPR and the DPA, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

  • Processing is fair, lawful, and transparent.
  • Data is collected for specific, explicit, and legitimate purposes.
  • Data collected is adequate, relevant, and limited to what is necessary for the purposes of processing.
  • Data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay.
  • Data is not kept for longer than is necessary for its given purpose.
  • Data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, by using appropriate technical or organisational measures.
  • We comply with the relevant GDPR procedures for international transferring of personal data.

B) Types of Data Held

We keep several categories of personal data on our customers in order to carry out effective and efficient processes. We keep this data within our computer systems, for example, customer logs. Specifically, we hold the following types of data:

  • First Name
  • Last Name
  • Postal Address
  • Phone Number
  • Email Address
  • Bank Details.

C) Collecting Your Data

You provide several pieces of data to us directly during customer service interactions. We have obtained your personal data from you directly.

D) Lawful Basis for Processing

The law on data protection allows us to process your data for certain reasons only. The information below categorizes the types of data processing we undertake and the lawful basis we rely on:

  • Consent of data subject
  • Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing necessary for compliance with a legal obligation

E) Special Categories of Data

Special categories of data are data relating to your:

  • Health
  • Sex life
  • Sexual orientation
  • Race
  • Ethnic origin
  • Political opinion
  • Religion
  • Trade union membership
  • Genetic and biometric data.

Most commonly, we will process special categories of data when the following applies:

  • You have given explicit consent to the processing
  • We must process the data in order to carry out our legal obligations
  • We must process data for reasons of substantial public interest
  • You have already made the data public.

We do not envisage that we will process special category data relating to our customers, but we would comply with the obligations for processing in the GDPR and DPA if we were to do so.

F) Failure to Provide Data

Your failure to provide us with data may mean that we are unable to fulfill our requirements for entering into a contract with you. This could include being unable to offer you compensation or other benefits.

G) Who We Share Your Data With

Employees within our company who have responsibility for customer service and finance will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processed in line with GDPR and the DPA. We don’t share your information with any third parties. We do not share your data with bodies outside of the European Economic Area. If we are required to transfer your personal data outside of the UK, we make sure that your data is given the same level of protection, either because that country has a comparable data protection standard (Adequacy), or by using another safeguard such as an enhanced contractual agreement (IDTA).

H) Protecting Your Data

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction, and abuse. We have implemented processes to guard against such.

I) Retention Periods

We only keep your data for as long as we need it. We keep your personal data for no longer than reasonably necessary; please contact the Data Protection Officer for further information on our set retention periods. Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data and there will be no consequences of withdrawing consent.

J) Automated Decision Making

Automated decision-making means making a decision about you using no human involvement e.g. using computerized filtering equipment. No decision will be made about you solely on the basis of automated decision-making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

K) Your Rights

You have the following rights in relation to the personal data we hold on you:

  • The right to be informed about the data we hold on you and what we do with it;
  • The right of access to the data we hold on you. We operate a separate Subject Access Request policy and all such requests will be dealt with accordingly;
  • The right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
  • The right to have data deleted in certain circumstances. This is also known as ‘erasure’;
  • The right to restrict the processing of the data;
  • The right to transfer the data we hold on you to another party. This is also known as ‘portability’;
  • The right to object to the inclusion of any information;
  • The right to regulate any automated decision-making and profiling of personal data.

In addition to the above rights, you also have the unrestricted right to withdraw consent, that you have previously provided, to our processing of your data at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact the Data Protection Officer appointed by Mr Pretzels Retail (UK) Limited:

DataCo International UK Limited
25 Luke St
London
EC2A 4DS
+44 2035146557
[email protected]
www.dataguard.co.uk

L) Making a Complaint

If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

M) Data Protection Compliance

Mr Pretzels Retail (UK) Limited has appointed the following Data Protection Officer:

DataCo International UK Limited

25 Luke St
London
EC2A 4DS
+44 203514