Scottish Midland Co-Operative Society Limited is a registered society under the Co-operative and Community Benefit Act 2014, with Society number SP2059RS and with its principal office at Hillwood House, 2 Harvest Drive, Newbridge, EH28 9QJ which trades as Scotmid, Morning,Noon and Night and Lakes and Dales, (together “Scotmid”, “we”, “us”, “our”) strive to protect the privacy of all personally identifiable information collected during the course of our activities and it is important for you to know how we process your data. We will process your personal information under the terms of this notice and in accordance with any agreement with you.
We are a “data controller” in terms under data protection laws (including from 25 May 2018, the EU General Data Protection Regulation 2016 and the Data Protection Act 2018) (“Data Protection Laws”).
We need to process personal data relating to our suppliers and customers in order to function effectively as a business, ensure good governance, for audit purposes, to perform our business and to enable us to meet our legal obligations.
Personal data is processed for commercial, administrative and statutory purposes. All such personal data is collected and held in accordance with all applicable Data Protection Laws.
We take privacy seriously and will endeavour to handle any personal data we may process with due care and attention.
What is the legal basis for holding your data and what do we use it for?
This list includes all the ways we may use your personal information, and which of the reasons we rely on to do so. This is where we tell you what our legitimate interests are.
|Personal Information We May Process:||Our Reasons for Processing||Our Legitimate Interests|
As a customer of our retail stores (Scotmid Food,Morning,Noon and Night, Lakes and Dales) we do not collect personal data as a matter of course but in some circumstances you may be asked to provide some information, for example, to give feedback, for refund verification, guest wifi log in, following an accident/incident in store or if you make a complaint about our services.
We also rely on consent for our guest wifi log in and for the provision of customer feedback via our tell scotmid website.
Where do we obtain your information?
In most cases we will obtain this information from you directly.
We process the personal data referred to above for the purposes of any contract or potential contract with our suppliers and customers; or for our legitimate interests in order to function effectively as a business, to ensure good governance, for audit purposes, to perform our business activities; and to enable us to meet our legal obligations that we may be subject to.
Who do we share your information with?
The information you provide to us may be accessed by our staff, our auditors, our professional advisors and carefully selected third parties in the course of providing services to us under suitable obligations of confidentiality, such as our feedback service (see below), our insurers, solicitors and professional advisers, and in some cases credit reference agencies, debt collection and tracing agencies.
CCTV images may be shared with law enforcement agents, our insurers or our solicitors if necessary.
We use a customer feedback service which you may choose to log in to and will be asked for limited information. Please refer to their privacy statement for more information. See link below.
We may share accident or store incident information with our insurers or law enforcement agencies.
How long do we keep your data?
We will retain personal data securely and only in line with how long it is necessary to keep for the purposes or for a legitimate and lawful reason.
Our typical retention periods are as follows:
- With regard to CCTV images, we usually retain these for one month however if an incident occurs in a store we may retain footage for up to 6 years in order to potentially defend any claims against us.
- Refund confirmation is retained for a 12 week period.
- If your details were provided in order for us to reply to you following a complaint, we will hold this information until 6 years after the date your complaint is resolved. We may retain limited information indefinitely for archiving purposes.
- Wifi log in details are retained for a month.
- Customer feedback records are retained for 3 years.
- Supplier contact details are archived after 2 years following the expiry or termination of our business relationship. We will retain in archive for at least four additional years.
Some personal data may be retained for longer where it is in our legitimate interest to do so, such as to protect and defend our legal rights; or for research, archiving or statistical purposes. Individuals can request that other information relating to them be erased and we will deal with such requests in accordance with the law.
We operate CCTV in our offices and in all of our retail stores. This is done on the basis of our legitimate interests in relation to health and safety, security and crime prevention; and to establish, protect and defend legal claims. The images will be processed in accordance with applicable data protection legislation.
In common with many other website operators, we do employ cookies (download of files to your device to record your visits to the site) to measure site information. Most browsers automatically accept cookies, but you can usually change your browser to prevent cookies being stored. Please note, if you do turn cookies off this will limit the service that we are able to provide to you and may affect your visitor experience. For further information on cookies and how to switch them off see www.allaboutcookies.org
We do not typically send your data outside the European Economic Area (‘EEA’). However, if we do so we will put protections in place to ensure the recipient protects the data to the same standard as the EEA. The protections include:
•transferring to a non-EEA country with privacy laws that give the same protection as the EEA;
•putting in place a contract with the recipient that means they must protect personal data to the same standards as in the EEA;
•transfer personal data to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for personal data sent between the US and EU countries which makes sure standards are similar to what is used within the EEA.
In particular, our customer feedback service , Inmomnet is located outside the EEA and we have in place a contract with the recipient that means they must protect personal data to the same standards as in the EEA Please see their website https://inmoment.wpengine.com/privacy_policy/english/ for more details.
If you have a complaint regarding Scotmid’s use of your data or the way we have handled any request from you to exercise any of the rights requested above then we ask that you contact our Data Privacy Manager, firstname.lastname@example.org or by telephone on 0131 335 4400 in the first instance so we can take remedial action, however you also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues at www.ico.org.uk or call 0303 123 1113.
We have put in place appropriate technical and organisational security measure to protect the security and confidentiality of your personal data. In addition we have procedures to deal with any data security breach and will notify any affected data subjects and/or the Information Commissioner in compliance with the law if a breach occurs.
Your data rights and obligations
Please inform us of any changes to your contact details. Details of your data rights and obligations are below. If you have a concern regarding the accuracy of your personal data held by Scotmid, please contact the Customer Service Team to request an amendment to the data. Customer Services contact details CustomerService@scotmid.co.uk, 0131 335 4400.
If you wish to exercise any of your rights or have any other questions regarding our use of your data, please contact our Data Privacy Manager.
Under certain circumstances, you have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to make a request on any of the above grounds you may contact our Data Privacy Manager, on the contact details below. Please note that depending on the nature of the request, Scotmid may have good grounds for refusing to comply. If that is the case, we will provide an explanation to you. Generally no fee will be payable, however, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive (particularly if it is repetitive). We may also charge a reasonable fee to comply with further copies of the same information. Alternatively, we may refuse to comply with your request in these circumstances.
Changes to this Privacy & Fair Processing Notice
We keep our Privacy & Fair Processing Notice under regular review and reserve the right to update and amend it. This notice was last updated on 25 May 2018.
Scottish Midland Co-Operative Society Limited – ICO registration number Z5336218