Lavish Alice Retail Limited Rights Of
Individuals Policy

...

This Policy is to be read and applies in conjunction with the Company’s Data Protection Policy. References to the Company and to the Legislation are as defined in that Policy.

The Legislation provides individuals who are data subjects with a number of rights in relation to their personal data. This policy sets out those rights and how the Company will deal with the same.

...

Right Of Access

Individuals have the right to request access to / copies of any data that the Company holds in relation to them.

The Data Compliance Manager, and in their absence the Deputy Data Compliance Manger, is responsible for dealing with any access request. All employees must be alert to any access request and immediately notify the Data Compliance Manager or their deputy of any access request. Employees should note that the Company has a defined time limit of 30 days under the Legislation to respond to an access request failing which it will be in breach and as such why the request should be referred as soon as possible. Employees should also note that an access request can be made verbally or in writing and does not have to specify that it is a request made under the Legislation.

The Company will attend to any access request made as soon as possible and in any event within 30 days of the date or receipt of the same by the Company. The Company will request evidence of the data subject’s identity in the first instance.

The Data Compliance Manager will record and keep an electronic record of all access requests received, including the date of receipt, the information / copies provided to the data subject (if any), and the date that the information / copies are provided.

The Data Compliance Manager (or in their absence the Deputy Data Compliance Manager) will ultimately be responsible for determining;

• whether to respond to the access request by supplying the information or copies requested (as applicable);
• if it is determined to supply the information or copies requested, the extent of the same to be disclosed including whether any cannot be provided and the reason why or whether any can be provided but with certain information redacted;
• if it is determined not to supply the information or copies requested, the reason why and will set the reasons out by way of written response to the data subject and explain that if the data subject does not agree that they have a right of recourse to the Information Commissioner and / or the courts;
• if the request is manifestly unfounded or excessive and if so whether to charge an administration fee or to refuse the request. If an administration fee is to be charged this will be reasonable and be determined by them;
• whether additional time over and above 28 days is required to deal with the request. If so determined, the data subject will be informed in writing and given an indication of when the request will be completed. In any event, the request will be attended to and completed within 84 days of the date of receipt.

...

Right Of Rectification

The Company acknowledges that it is obliged under the Legislation to ensure that all data is kept up to date and correct. The Company will use its best endeavours to do so. All employees are required to ensure that this is the case and if an employee becomes aware that any data is incorrect or out of date shall take immediate steps to ensure that the same is rectified and amended.

In the event of a request by a data subject to amend and / or rectify data held, such request shall be referred by an employee immediately to the Data Compliance Manager who shall take such reasonable steps to ensure that the rectification is justified, accurate and appropriate and shall then undertake the amendment as soon as possible (in relation to all data held relating to the said data subject) within 30 days. Evidence will be required of the validity of the information received that requires rectification. The data subject will then be notified in writing of the rectification.

Whilst considering the request, the Data Compliance Manager shall also ensure that the individual’s data is not processed in line with the procedure under the right to restrict processing below.

In the event that they determine not to rectify the data held, they will confirm with the Data Compliance Manager or their deputy and they will then notify the data subject of this fact and the reason why the Company has not amended the data. In doing so the data subject will be advised that they have a right of recourse to the Information Commissioner and / or the courts.

The Data Compliance Manager will keep an electronic record of all requests for rectification made, including details of the request, the action taken and when.

...

Right Of Erasure

The Company will only retain and process data relating to any individual for as long as is necessary and in line with the purpose for which the data was obtained and the provisions of the Company’s Policies.

In the event that the Company should receive any request for erasure by any individual the Data Compliance Manager must be informed as soon as possible. They will decide whether the data of the individual in question can be erased and if necessary seek guidance. In doing so, they will take into account the purpose for which the data was obtained and the Company’s Policies relating to the retention of data. The individual will be notified in writing of the decision and the reason for the same. If the decision is that the data will not be erased, the individual will be informed of their right to complain to the Information Commissioner and / or the court. If it is determined that the data can be erased, the Data Compliance Manager will arrange to do so within 28 days of determination. Any data processor who may hold or be processing the individual’s data will also be informed and the Company will seek confirmation from them also that the same has been deleted.

The Data Compliance Manager will keep an electronic record of all requests for erasure, including details of the request, the action taken and when.

Where data is held with an individuals’ consent, and that consent is withdrawn, this is set out in paragraph 22 below.

...

Right To Restrict Processing

In the event that the Company should receive a request to restrict processing, the Data Compliance Manager must be informed as soon as possible.

The right of restriction only applies in certain circumstances, namely:

• the individual contests the accuracy of their personal data and the Company is verifying the accuracy of the data;
• the individual alleges that their data has been unlawfully processed and the individual opposes erasure and requests restriction instead;
• the Company no longer intends to process the individual’s personal data but the individual asks the Company retain it in order to establish, exercise or defend a legal claim; or
• the individual has objected to the Company processing their data and the Company is considering whether it has legitimate grounds that override those of the individual.

Upon receipt of a request to restrict processing, the Data Compliance Manager will ensure that the individual’s data is made unavailable for processing by either the Company or its data processors. The Data Compliance Manager will determine how long the restriction should remain in place which will be dependent upon the reason the individual has asked that the restriction is put in place.

The Data Compliance Manager will record the restriction electronically and the reason for the same. They will also arrange to inform the individual that their right has been exercised.

Once it is determined that the restriction should end, the individual will be informed in writing, setting out the reason why the restriction has been removed and also that if the individual objects that they have the right to refer the matter to the Information Commissioner and / or the court.

...

Right To Object

Individuals have the right to object to the processing of their data by the Company when it is being used for direct marketing purposes. This is on the basis of the individual’s specific consent. They are given the right to opt out of direct marketing and this is then actioned by the Data Compliance Manager who will make the appropriate arrangements to ensure they do not receive further marketing communications. As this is actioned by Klaviyo & Shopify as the Company’s data processors, they will be notified under the terms of the written agreement in place.

...

Right To Be Informed

Individuals have the right to know what data the Company holds about them even though they do not ask for copies.

The Data Compliance Manager is responsible for dealing with any request for such confirmation. All employees must be alert to any request and immediately notify the Data Compliance Manager. Employees should note that the Company has a defined time limit of 30 days under the Legislation to respond to such request failing which it will be in breach and as such why the request should be referred as soon as possible. Employees should also note that a request can be made verbally or in writing and does not have to specify that it is a request made under the Legislation.

The Data Compliance Manager will attend to any request made as soon as possible and in any event within 30 days of the date or receipt of the same by the Company. The Company will request evidence of the data subject’s identity in the first instance.

The Data Compliance Manager will record and keep a electronic record of all access requests received, including the date of receipt, the information / copies provided to the data subject, and the date of completion.

...

Employee Rights

Please refer to the HR Data Protection policy in relation to employees’ data for access requests, rectification, erasure, and restriction.

...

Last Policy Update: 25/10/2024 by Matthew Newton.