Stock Spirits Group (hereinafter “Stock” or “We”) is committed to protecting and respecting privacy.
We are the data controller for the purposes of the Data Protection Act 1998 (the “Act”).
a) Personal Data
Means data which relates to a living individual who can be identified:
This would include information about employees, agents, customers and suppliers.
b) Sensitive Personal Data
The Act draws a distinction between Personal Data and Sensitive Personal Data.
Sensitive Personal Data includes information about a person’s:
c) Data Controller
“A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”
This is the person responsible for making decisions as to how personal data is used, processed or stored, in this case SSG.
d) Data Subject
An individual who is the subject of personal data. In SSG’s case, this would include employees, agents, customers and suppliers.
e) Processing
Processing is any operation carried out on the data including obtaining, recording, retrieving, altering, disclosing and erasing data and passing on data to third party data processors.
f) Explicit Consent
For sensitive personal data explicit consent must be given by the data subject. This requires active communication with the data subject and must specify the data, and the purposes for which the data is held. This would include specifying what data is passed on to any third party data processor.
LAWFULNESS OF PROCESSING
The processing of personal data is only permitted if either the data subject has consented to that processing or if it is permissible under applicable law at the place of processing.
Consent should be declared in writing where possible, or by other legally permissible means, and the data subject must be informed in advance about the purpose of the processing of personal data and the possible transfer of personal data to third parties.
DATA QUALITY AND PROPORTIONALITY
Personal data must be accurate and, where necessary, kept up to date.
Personal data should, wherever possible, be anonymised.
Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.
Stock will only collect personal data to the extent that they are necessary for the relevant purpose for which they are collected.
Stock has implemented measures to prevent the unauthorised processing of personal data including, among other things, controls of:
Access to personal data should only be granted to those employees who have a business-related reason to access that data.
Unauthorised review, file alteration or removal, password dissemination, damage to systems, removal of programs or improper use of information contained in any computer or phone system is not to be permitted.
Stock has a responsibility to ensure that it has technical and organisational security measures in place that are appropriate to the risks (such as accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access) presented by its processing of personal data. More details of Stock’s security policies are included in our Group IT Policy.
OUTSOURCING SERVICES TO THIRD PARTIES
Whenever services which involve processing personal data are outsourced to a third party supplier, Stock chooses the supplier carefully, paying special attention to the suitability of the technical and organisational measures applied by the supplier.
A written agreement must be in place with the supplier which contains provisions (in conformity with this Policy) dealing with the following:
TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA
Stock ensures that appropriate measures are in place in relation to any transfers to organisations located outside the EEA and that any such transfer is subject to the conditions set out in applicable law.
INFORMATION WE MAY COLLECT
Stock may collect and process personal data regardless of physical format, including the following data about data subjects:
For the same reason, Stock may obtain information about users’ general internet usage by using a cookie file which is stored on the hard drive of the user’s computer. Cookies contain information that is transferred to the computer's hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:
There are some limitations:
The data that we collect are stored in our HR and Legal departments.
Business data is subject to additional security as well as access controls described above. This means that data is accessible by authorised individuals from relevant business departments only.
All data storage facilities are primarily for the purpose of securely storing business data.
Whilst no barriers are in place to exclude the storage of personal data within the business data storage environments, it is expected that employees treat this facility with due consideration, and explicitly do not use this facility for the storage of any offensive or political data, or data contravening copyright laws (documents, images etc) as defined in the relevant HR Policies document. Any evidence of this practice will be treated in line with formal HR processes, as outlined in the relevant HR policy.
All data storage usage can be monitored by the local IT team (in terms of disc-space used) and remedial actions taken in collaboration with the business if storage space becomes limited.
WEBSITE STORAGE AND TRANSFERS OUTSIDE THE EEA
All information users provide to us is stored on our secure servers. Where we have given users (or where users have chosen) a password which enables users to access certain parts of the Website, users are responsible for keeping this password confidential. We ask users not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect users’ personal data, we cannot guarantee the security of data transmitted to the Website and any transmission is at users’ own risk. Once we have received users’ information, we will use strict procedures and security features to try to prevent unauthorised access.
We use information held about data subjects for the purposes for which it was originally collected, which may include the following:
We may also use customers’ data to provide them with information about goods which may be of interest to them, and we may contact them about these by post.
We will only contact existing customers by electronic means (e-mail or SMS) with information about goods similar to those which were the subject of a previous sale to the customer. We will not pass customer data to third parties.
We will contact new customers by electronic means only if they have consented to this.
If customers do not want us to use their data in this way, we ask them to tick the relevant box situated on the form on which we collect their data (the registration form).
In relation to employees, we use personal data to administer their employment with us, including for performance management and HR related matters.
In relation to suppliers, we use personal data to send orders, to process payments and to make enquiries.
We may disclose personal data to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
We may disclose personal data to third parties:
Data Subjects have the right to ask us not to process their personal data for marketing purposes. We will usually inform customers (before collecting their data) if we intend to use their data for such purposes. Customers can exercise their right to prevent such processing by checking certain boxes on the forms we use to collect their data.
Data Subjects have the right to request access to any personal data held about them by Stock. Such requests must be made in writing to the address set out in the “Contact” section below and addressed to the General Counsel. If any employee receives a subject access request, it should be passed to the General Counsel for processing as soon as possible, as Stock is required to comply within 40 days.
Data Subjects also have the right to request that their personal data is amended or deleted where it is inaccurate or processed in an unauthorised manner. If any employee receives such a request, it should be passed to the General Counsel as soon as possible.