Privacy policy

At AL Batavon we are committed to maintaining your privacy and respecting the privacy of any data we hold on file for you or your company. As such, personal data is processed in accordance with the EU Regulation 2016/679 or the ‘General Data Protection Regulations’ (GDPR).

Our full privacy policy statement is contained below and applies to the processing of personal data in manual and electronic records kept by us in connection with functions as described below. It also covers our responses to any data breach, individuals’ rights under the new legislation, and other responsibilities under GDPR.

This privacy policy applies to all personal data we process as a data controller. To the extent the company decides why and how personal data is processed, the company is a data controller of such personal data. It also covers our responsibilities in the case of any data breach and other individual rights contained within the GDPR.

Definitions – for the purposes of this policy:

Data Protection Principles

Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. We will ensure that:

Complaints

If you are unhappy with our data protection policies or how your data has been processed you are entitled to lodge a complaint with a supervisory authority.

Categories of Data Processed:

Employees, workers and subcontractors:

We keep several categories of personal data on our employees and related groups in order to carry out effective and efficient processes, business and working relationships. We keep this data in a secure personnel file relating to each employee and we also hold some data within our computer systems, for example, our holiday booking system.

Specifically, we process the following types of data (as appropriate to your status):

Moreover, we also process information relating to your employment with us, including:

The company will process special categories of personal data in accordance with the new GDPR guidelines and this data will only be processed where a suitable lawful basis applies. The lawful bases for processing of employee data are contained within the privacy notice for employees, which is available on request from management.

Customers and Suppliers

AL Batavon Ltd collects and processes personal data in relation to individuals who are, or are working with, our suppliers and customers. This processing includes:

Lawful bases for processing

AL Batavon understands processing may only be carried out where a lawful basis exists under GDPR. We have assigned a lawful basis against each processing activity. For guidance on the lawful bases below please see the ICO (regulator) website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/).

Where our use of customer data relates to delivery purposes or customer queries, we rely on legitimate interests as our lawful basis. Processing in this way is necessary and proportionate to allow for effective delivery of goods and practical customer service and this usage is likely to be expected by prospective customers. We’ve concluded the benefits from this kind of processing outweigh potential impact on the rights and freedoms of the customer; unjustified harm is also unlikely to result from breaches relating to this data. We will also continue marketing to existing, recent customers under the justification of legitimate interests, as they would reasonably expect to continue hearing from us. We will also rely on legitimate interests to cover telesales marketing to existing customers and prospective merchant branches of existing customer organisations. We offer an opt-out procedure and do not contact TPS/CTPS registered individuals or organisations in compliance with GDPR. On ‘legitimate interests assessment’, we have concluded that similar corporations would expect contact in this way; the potential nuisance factor to merchant stockists is also low and these businesses do not generally involve vulnerable individuals who may experience serious detriment from this communication. If you do not wish to be contacted in this way, please contact ann@albat.co.uk with an objection.

Where we carry out direct marketing to individuals with no previous purchase history and no contractual basis, we may rely on consent as our lawful basis. We recognise the high standard attached to consent under GDPR and understand valid consent must be freely given, specific, informed and unambiguous. Where consent is sought, we do so on a specific and individual basis and obtain separate consents for separate processing activities. Consenters will be given clear explanations of processing, informed of the consequences of their consent and informed of their right to withdraw consent or opt out of such marketing. Where no other lawful basis applies, we may also seek consent.

This consent may be withdrawn retroactively at any time (without detriment). Please e-mail ann@albat.co.uk with details of the relevant consent in place and your desire to be withdrawn from our consent registry document.

Where processing is necessary either to fulfil obligations of an existing contract or to carry out a request prior to entry to a contract (e.g. a quote) we may rely on a contractual or pre-contractual lawful basis. This will only be done where processing is a necessary, targeted and proportionate way of achieving the service in relation to the contract (not maintaining our general business model). If processing is not necessary for the contract we will consider either legitimate interests or direct consent as listed above.

We rely on contractual obligations as our lawful basis for weekly logistical e-mail updates to account customers. These e-mails are compiled to include pertinent, useful information for site managers and we have updated this correspondence to include an opt-out and this updated privacy notice. Where this information is sent to personal e-mail addresses contractual obligations does not apply, so we have

Finally, in a limited range of circumstances we may rely on a legal obligation as our lawful basis for processing, such as in relation to salary details for HMRC. This basis will only be relied upon where processing is absolutely necessary to fulfil such legal obligation.

Individual rights under data protection law

Right to be informed (A.12-14 GDPR)

We inform individuals of our policies and compliance with data protection law through our privacy statement. Where data is collected from the subject they will be informed upon collection. Alternatively, where data is collected from a third party, privacy information will be provided within one calendar month at the latest when communicating with the data subject.

Right to access personal data (A.15 GDPR)

You can make a ‘subject access request’ for a summary and copy of all personal data held on file or processed. These requests can be made verbally or in writing and will be returned in a commonly used electronic format within one calendar month. AL Batavon reserves the right to extend this response time to two months where the request is particularly complex or your organisation has made multiple requests in short succession.

Right to rectification (A.16 GDPR)

You can request we complete or rectify incomplete or incorrect data held on file. These requests can be made verbally or in writing and we will respond within one calendar month. These requests will not be refused unless they are deemed to be ‘manifestly unfounded or excessive’.

Right to erasure (A.17 GDPR)

You can request we wipe your personal data from our systems or third-party processor systems we may have shared your data with. Requests will only be refused where the request is ‘manifestly unfounded or excessive’ and must be completed within one month. This right will not apply where a legal obligation has been relied upon as our lawful basis for processing, or where information may need to be retained for the defence or establishment of legal claims.

Right to restriction (A.18 GDPR)

You can request to restrict our processing of your personal data either verbally or in writing. Upon restriction we will continue to store, but not process, your data and subsequently we will only process restricted data with consent or for the establishment, exercise or defence of legal claims.

Data Portability (A.20 GDPR)

Where processing is based on an active consent you have the right to request a copy of all data held on file to be transferred to a new data controller. This will be delivered in a structured, commonly used and machine-readable form within one month.

Right to Object (A.21 GDPR)

Where processing is based on legitimate interests as a lawful basis you have the right to object to the use of your information. Where you are an individual you have an absolute right to stop your information being used for direct marketing. Following an objection, processing will not continue unless an extremely compelling reason exists to do so, of which you would be informed. Processing will be halted on objection within a month and without undue delay.

Automated Individual Decision Making

We do not currently use automated processing or profiling to make decisions using customer, employee or supplier data. Where this may be performed in future this would only be carried out in compliance with GDPR, ensuring that this is necessary for a contractual or pre-contractual basis or is based on explicit consent. (A.22 GDPR)

Third Party Processing

Where we engage third parties to process data on our behalf, such as courier firms for delivery, we will ensure via a data processing agreement with the third party that the third party takes suitable measures to maintain our commitment to protecting data in compliance with GDPR.

The company may also disclose information where under a legal obligation. This includes exchanging information with other companies and organisations to prevent fraud.

International Data Transfers

The Company does not transfer personal data to any recipients outside of the EEA.

Data Breach Notification Procedure

All data breaches will be recorded on our Data Breach Register. Where legally required, we will report a breach to the Information Commissioner within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach. More information on breach notification is available in our Breach Notification policy.

Records and retention

AL Batavon keeps records of its processing activities including the purpose for the processing and retention periods in its Data Record, in accordance with the GDPR requirements for companies with under 250 employees. These records will be kept up to date so that they reflect current processing activities.

The company keeps personal data only for as long as retention is deemed necessary for the specific purposes for which that personal data is processed. Data is retained in accordance with relevant laws and internal company guidelines.

Compliance

Our appointed compliance officer is Ann Chidzey. You can contact our compliance officer with related queries at ann@albat.co.uk.