HIMALAYAN LUXURY BEANS

himalayan logo

Data Protection Policy for Himalayan Beans trading as himalayanbeans.com

Table of Contents

  • Introduction, Purpose and Scope
  • Our Obligations
  • Legal Definition of Processing
  • Legal Definition of Personal Information
  • How and Why We Use Your Information
  • Whom We Share Your Data With
  • Data Subject Rights

Introduction, Purpose and Scope:

This policy explains how Himalayan Beans and all trading names (“we, “us” and “our”) handles and uses information we collect about visitors to our websites, prospective customers, existing customers and staff. When you interact with us for a specific purpose (e.g. as a prospective or existing customer), other Data Protection Statements may apply to you, and explain our collection and management of your personal information in that setting.

Website” refers, www.himalayanbeans.com, without prejudice to any other websites owned by Himalayan Beans, or any websites we may create in future. Our Data Protection Statements for specific categories of data subjects are published on our Websites accordingly.

Staff” refers to anyone working for us in any context at any level (whether permanent, fixed term or temporary) and including employees, retired but active staff, workers, contractors, trainees, interns, seconded staff, agency staff, agents and volunteers; except when any of the aforementioned are acting in a private or external capacity. Equally, the term “Customer” refers to visitors to our websites, existing customers, prospective customers, enquirers, our agents, brokers, resellers, and consumers and traders as defined by the Consumer Rights Act 2015.

Under data protection law, we are identified as a data controller and are therefore subject to a range of legal obligations. The data controller for your personal information is Himalayan Luxury Beans.
The person responsible for data protection at the time of issue, and the person who is responsible for monitoring compliance with relevant legislation in relation to the protection of personal information, is Himalayan Beans’ Data Protection Officer (DPO). All correspondence relating to this Data Protection Policy, or any Data Protection Statements must be addressed to the Data Protection Officer, Himalayan Luxury Beans.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access. Remember to close your browser when you have finished your user session. This will help to ensure that others do not access your personal information if you share your computer or use a computer in a public places such as a library or internet café. Please see our Website Terms & Conditions for more information.

This policy should be read in conjunction with our policies, Terms & Conditions and, where relevant, similar documents with regard to: information security, website use, acceptable use of IT facilities, records management and retention, or any other contractual obligations on our Company or the individual which impose confidentiality or information management obligations (which may at times exceed those of our standard policies with respect to storage or security requirements).

This policy will be reviewed and updated from time to time, in line with best practice procedures in order to achieve compliance with data protection law in line with an appropriate overall risk profile.

In general terms, we use your data in order to be able to process and deliver orders, provide high quality servicing & repairs, deliver barista training, gather vital feedback, offer café marketing support, and to ensure the safety and security of all customers and staff on our physical premises. To comply with data protection law, information must be collected and used fairly, stored safely and not disclosed to any other entities unlawfully.

Unless otherwise stated, the lawful basis for processing your personal data is that it is necessary for the purposes of our legitimate interests (where we have concluded that our interests do not impact inappropriately on your rights and freedoms) in providing effective services to you, and for the purposes of ensuring the safety of staff, and protecting property in our physical shop (e.g. usage of CCTV for security). You may ask us to explain our rationale at any time. Please note that should you choose to withhold necessary data, this may result in your receiving an insufficient service from us.

Our Obligations:

When you enter your personal information into an online form for any specified purpose, or have your information registered by our staff whether in person or through other means of communications, you will be told about the use we will make of that information (e.g. to confirm orders and send deliveries to your home address or business premises).

The lawful and correct treatment of personal information is vital to successful operations, and to maintaining the confidence that customers place in us as an organization. Therefore, we commit to uphold data protection law as part of everyday working practices by:

  • ensuring all personal information is managed appropriately through this policy;
  • fully observing conditions regarding the fair collection and use of information;
  • meeting our legal obligations to specify the purposes for which information is used;
  • collecting and processing appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  • ensuring the integrity of information used;
  • applying strict checks to determine the length of time information is held;
  • taking appropriate security measures to safeguard personal information;
  • ensuring that personal information is not transferred abroad without suitable safeguards;
  • publishing and making publicly available data protection statements outlining the details of our personal data processing in a clear and transparent manner.

We have appointed a statutory Data Protection Officer, who is responsible for:

  • monitoring and auditing compliance with our obligations under data protection law, especially our overall risk profile and delivering reports on the same;
  • advising on all aspects of compliance with data protection law
  • acting as our standard point of contact with the Information Commissioner’s Office with regard to data protection law, including cases of personal data breaches; and
  • acting as an available point of contact for enquiry and complaints from data subjects.

We will ensure that all of our staff are aware of this policy and any associated procedures and notes of guidance relating to data protection compliance, provide training as appropriate, and regularly review our procedures and processes to ensure that they are fully compliant. We will also maintain records of our information assets. Individual members of staff are responsible for ensuring that:

  • any personal data that we hold is kept securely;
  • relevant data protection training is completed, as advised by us;
  • following relevant company policies, procedures and notes of guidance;
  • only accessing and using personal information as necessary for their contractual duties and/or other roles;
  • personal information is not disclosed either orally or in writing or otherwise to any unauthorized third party, and that every reasonable effort will be made to see that data is not disclosed to unauthorized parties accidentally;
  • where identified, reporting personal data breaches and cooperating with the DPO to address them; and
  • only deleting, copying or removing personal information as agreed with the DPO and as appropriate.

Unauthorized disclosure is a disciplinary matter and may be considered gross misconduct.  If in any doubt, consult our Data Protection Officer. Personal data must be:

  • kept in a locked filing cabinet, drawer or room; or
  • if the data is computerized, be password protected or kept only on disk which is itself kept securely; or
  • subject to any other appropriate security measures in addition to those above.

In addition to the requirements of data protection legislation, the confidentiality of information about individuals must be respected.

The obligations and responsibilities above do not waive any personal liability for individual criminal offences for the willful misuse of personal information under data protection legislation.


Processing:

“Processing”, in relation to personal information, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organization, adaptation or alteration of the information or data;
  • retrieval, consultation or use of the information or data;
  • disclosure of the information or data by transmission, dissemination or otherwise making available; or
  • alignment, combination, blocking, erasure or destruction of the information or data.


Personal information:

Personal information is defined as data or other information about a living person who may be identified from it or combined with other data or information held. Some “special category data” (formerly sensitive personal data) are defined as information regarding an individual’s racial or ethnic origin; political opinion; religious or other beliefs; trade union membership; physical or mental health or condition; sexual life; or criminal proceedings or convictions, as well as their genetic or biometric information.

How and why we use your Personal Data:

We are required to collect and process various types of data from different parties, in order to ensure that we can provide an effective service, which are as follows:

A: Data provided by customers for processing of orders:

Please note that this section includes prospective customers and former customers in addition to our existing customers. Data collected and processed for this purpose includes:

  • Your full name and address:
    • to facilitate effective storage and delivery of goods;
    • to ensure that our staff can locate your premises to perform servicing and repairs;
    • to ensure that any rented machinery is kept safe from risk by ensuring that it is kept at identifiable premises;
    • we will request business information and the address for your place of work if you are making purchases or enquiries on behalf of your company;
    • to recover rented machinery in the event of unpaid rental fees or insolvency;
    • we may on occasion use your address to send you urgent written correspondence if, after trying other methods of communication, no response have been received from you.
  • Your telephone contact details:
    • We use this in conjunction with the points above to contact you in relation to any enquiries you have made to us, or any orders you have placed with us;
    • to contact you in case of emergencies;
    • to contact you in case of order cancellations, stock depletion, or other information that is important and relevant to your order (e.g. if our driver cannot find where to deliver goods);
    • to gain information about which goods, services or machines are best suited to your needs, to return calls after enquiries you may make, or to address any issues or concerns that are pertinent to any orders placed with us;
    • to provide you with technical support should you have issues using our websites;
    • to ask you for your feedback on our services, or to see if we can make any improvements to our services.
  • Your email address:
    • We use this in order to contact you to discuss your orders, or any enquiries made to us about our goods or services;
    • to send you confirmations of orders, invoices and information pertinent to your order (e.g. estimated delivery dates);
    • in conjunction with all points listed above, to notify you of order cancellations, emergencies, stock depletion, product recall or other important issues pertaining to your order;
    • to send you information about upcoming changes to our terms or services;
    • if you are not an existing customer, to send you promotional information about our products and services that may be of interest to you, with your express consent to receive promotional emails;
    • if you are an existing customer, to send you promotional information about other products and services that may be of interest to you, unless you should decide to opt out of promotional communications;
    • if you choose to unsubscribe from our emails, we may keep your email address details on our “unsubscribed” list for a reasonable period of time, to ensure that you do not receive any further unwanted correspondence; and
    • to ask you for your feedback on our services, or to see if we can make any improvements to our services.

B: Identifiable imagery captured on our surveillance systems:

Please be aware that we also operate Close Circuit Television (CCTV) systems on our properties, which will capture and record footage from which it may be possible to identify you should you approach or enter our premises.

  • We record images of anyone entering or approaching our premises in order to:
    • Protect the Vital Interests of our staff and customers;
    • protect our property from damage and/or theft;
    • deterring criminal activity by the use of signs displaying that a CCTV installation is in use on our properties;
    • assist in the prevention and detection of crime;
    • enabling identification of any actions or events which may result in disciplinary proceedings being taken against staff and;
    • managing access to our shop, classroom and showroom areas.

You may request copies of any recognizable images, subject to exemptions outlined in national data protection legislation and we will only hold footage for a reasonable period, save for cases in which they are required for a specific business need or justification, or in cases of investigation.

C: Computer, IP and location information:

We may collect and process your personal information for operating and improving our webpages, analyzing their use and ensuring the security of our website.

We may collect the request made by your browser to the server hosting our website which includes the IP address, the date and time of connection and the page you ask for. We use this information to ensure the security of our website and maintain its quality. Detailed logs may be held for up to 4-5 weeks and are automatically refreshed, with personal data beyond the retention period deleted. Abstract and analytic logs are kept for reporting purposes for as long as required. We may use and/or disclose this in the event of a security concern or incident. More technical details, including information about our use of “cookies”, are published on our websites.

If you have any concerns or queries about any of the above, please contact our Data Protection Lead at the address given at the top of this policy.

Whom we share your data with:

At Himalayan Beans, we select our partners very carefully and one of our main criteria for doing so is their handling and securing of our customers’ data. We will never knowingly use any service, choose any partner, or share your data with anyone that we believe may misuse or sell your data. Below is a list of all of the partners that we may share your data with from time to time:

We use Google’s third party web traffic analytic tools, Google Analytics and other Google products, to collect standard internet log information and details of your visitor behaviour patterns. We do this to find out, for example, the number of visitors to each page of our website. This is governed by Google’s updated privacy policy, which can be found here: https://policies.google.com/privacy/update.

Please note that while we may interact with you using various social media platforms, we will not ask for, and do not recommend submitting any sensitive personal data across social media by way of “Commenting”, “Tweeting”, “Instant Messaging” or any other available formats of social media communication, as we cannot guarantee the safety and security of any data sent and received. All personal information that you store on social media is regulated and processed in accordance with their own privacy and data protection policies.

We reserve the right to retain your personal data longer than the periods stated elsewhere in this policy, where it becomes apparent that there is a need to do so – For example, in the event of a major health or personal injury incident, records may need to be kept for up to forty years.

Any photographic images of customers or staff collected by us (not including CCTV) for business purposes will be done so only with express consent by way of a signed release form, in which we will detail how we may plan to use them (E.g. On our website or for social media posts).

We also use other third-party service providers as plugins using our website’s CMS. These will be described in our privacy policies and/or data protection policy for the website in question. To clarify, all services used are in our utmost effort to maintain and improve as a business and provide a smooth and easy experience to our customers. No third-party service providers are used for any intention of selling, leasing or any form of compromising your data. A comprehensive list of service providers that collect data will be listed in our privacy policy and/or data protection policy.

Data subject rights:

You have the following rights, all of which are qualified in different ways and are listed without prejudice to any other rights you may have with regards to your personal data:

  • The right to be informed in clear, transparent ways, of how your personal information is being used and with whom it is being shared. This right is usually fulfilled by the provision of ‘privacy notices’ (also known as ‘data protection statements’ or, especially in the context of websites, ‘privacy policies’) which set out how an organization plans to use your personal information, who it will be shared with, ways to raise objections, and so on;
  • to ask us for, and receive access to your personal information and to ask for rectification of inaccurate data, or erasure of your data (right to be forgotten);
  • to restrict the processing of your personal information pending its verification, correction or deletion;
  • to ask for the transfer of your personal information in machine-readable and commonly used formats and/or for said information to be transferred electronically to a nominated third party (data portability);
  • to object to: processing (including profiling) of your data that proceeds under particular legal bases; to direct marketing; and to processing of your data for research purposes where that research is not in the public interest; and
  • the right not to be subject to a decision based solely on automated decision-making using your personal information.

Some of these rights are not automatic and we reserve the right to discuss with you why we might not be able, or be willing to comply with a request from you to exercise them.