DATA PROTECTION POLICY STATEMENT
The Shampoo Shop is committed to conducting its business in accordance with all applicable data protection laws and regulations and in line with the highest standards of ethical conduct.
This policy sets forth the expected behaviours of the company and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data.
Personal data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process personal data. An organisation that handles personal data and makes decisions about its use is known as a Data Controller. Our company is responsible for ensuring compliance with the data protection requirements outlined in this policy. Non-compliance may expose us to complaints, regulatory action, fines and/or reputational damage.
We are fully committed to ensuring continued and effective implementation of this policy and expects all third parties to share in this commitment. Any breach of this policy will be taken seriously and may result in business sanction.
Data Protection Principles
We has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of personal data:
Principle 1: Lawfulness, Fairness and Transparency. Personal data shall be processed lawfully, fairly and in a transparent manner.
Principle 2: Purpose Limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means we must specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means we must not store any personal data beyond what is strictly required.
Principle 4: Accuracy. Personal data shall be accurate and, kept up to date. This means we must have in place processes for identifying and addressing out-of-date, incorrect and redundant personal data.
Principle 5: Storage Limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means we must, wherever possible, store personal data in a way that limits or prevents identification of the data subject.
Principle 6: Integrity & Confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
Principle 7: Accountability. The company shall be responsible for, and be able to demonstrate compliance. This means we must demonstrate that the six data protection principles (outlined above) are met for all personal data for which it is responsible.
1.1. Data Use
1.1.1. Data processing
The shampoo Shop uses the personal data of its contacts for the following broad purposes:
- The ongoing administration and management of customer services.
The use of a contact’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object.
1.1.2. Profiling & Automated Decision Making
The shampoo shop will only engage in profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the data subject or where it is authorised by law. Where a service utilises profiling and automated decision-making, this will be disclosed to the relevant data subjects. In such cases the data subject will be given the opportunity to:
- Express their point of view.
- Obtain an explanation for the automated decision.
- Review the logic used by the automated system.
- Supplement the automated system with additional data.
- Have a human carry out a review of the automated decision.
- Contest the automated decision.
Object to the automated decision-making being carried out. Each service must also ensure that all profiling and automated decision-making relating to a data subject is based on accurate data.
1.1.3. Digital Marketing
Promotional or direct marketing material will not be sent through digital channels such as mobile phones, email and the Internet, without first obtaining their consent. It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to carry out digital marketing to individuals provided that they are given the opportunity to opt-out.
1.2. Data Retention
To ensure fair processing, personal data will not be retained by us for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. The length of time for which personal data needs to be retained will be set out in ‘Data Retention Policy’. This takes into account the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
1.3. Data Protection
Each service will adopt physical and technical measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of the personal data related security measures is provided below:
- Prevent unauthorised persons from gaining access to data processing systems in which personal data are processed.
- Prevent persons entitled to use a data processing system from accessing personal data beyond their needs and authorisations.
- Ensure that personal data in the course of electronic transmission during transport cannot be read, copied, modified or removed without authorisation.
- Ensure that access logs are in place to establish whether, and by whom, the personal data was entered into, modified on or removed from a data processing system.
- Ensure that in the case where processing is carried out by a Data Processor, the data can be processed only in accordance with the instructions of the Data Controller.
- Ensure that personal data is protected against undesired destruction or loss.
- Ensure that personal data collected for different purposes can and is processed separately.
- Ensure that personal data is not kept longer than necessary
1.4. Data subject Requests
The Data Protection Officer will establish a system to enable and facilitate the exercise of data subject rights related to:
- Information access.
- Objection to processing.
- Objection to automated decision-making and profiling.
- Restriction of processing.
- Data portability.
- Data rectification.
- Data erasure. If an individual makes a request relating to any of the rights listed above