
Lavish Alice Retail Limited Data Protection Policy

...

This policy applies to Lavish Alice Retail Limited whose registered office is at Unit 33 Irlam Business Centre, Soapstone Way, Manchester, M44 6RA, referred to in this policy as the Company. This policy reflects the Company’s obligations and duties under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (Legislation).

The policy is effective from 01/01/2024 and applies to all of the Company’s directors, employees, consultants, volunteers, and those working on a temporary basis or through an agency.

This policy must be read, and applies, in conjunction with the Company’s policy for employees in the HR Data Protection Policy, the Rights of Third Parties Policy, the IT Policy, the Breach Policy and the CCTV Policy (Policies).

The Company’s Data Compliance Manager is Matthew Newton. The Deputy Data Compliance Manager is Lee Bloor. The Company is registered with the Information Commissioner’s Office.

The Policies together document the Company’s obligations under the Legislation and how the Company complies with these obligations. The Company will document so far as is reasonably practicable decisions made in relation to the processing of any data.

Personal Data is defined by the Legislation as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, whether directly or indirectly, by reference to the person’s name, an identification number, location data, an online identifier (such as an email address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Any reference in this policy to data means both Personal Data and Special Category Data. The Company only processes Special Category Data relating to its employees. This is set out in further detail in the HR Data Protection policy.

The processing of data means any operation or set of operations which is performed (whether or not by automated means), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. As such, wherever the Company holds data in any format this amounts to processing.

The Company will comply with its obligations under Article 5 of the UK GDPR to ensure that any data:

  • is processed lawfully, fairly and in a transparent manner
  • is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • is adequate, relevant and limited to what is necessary in relation to the purpose for which the Company holds the data
  • is accurate and kept up to date, and is erased or rectified without delay
  • is kept in a form which permits identification of the individual for no longer than is necessary for the purposes for which the data is obtained and processed
  • is processed in a manner which ensures the security of the personal data (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage)

The Company is a data controller under the Legislation. This means that the Company is responsible for the personal data it holds and processes and must comply with the Legislation in doing so. The Company complies with Article 6 of the UK GDPR which confirms the grounds upon which the data can be lawfully processed.

The Company has conducted an audit into the data it processes. The data held is divided into different categories dependent upon what the Company holds it for.

The Company’s business is in the sale and retail of clothing via the Company’s website and also to resellers.

The Company’s website is www.lavishalice.com

...

Data Related To Website Customers

The Company holds data about those who have ordered goods from it via the Company’s Website. The data the Company holds comprises the customer’s name, email address, home address, order details (including sizes of goods), telephone contact number/s, and bank card or credit card details.

The purpose for which the Company holds the data in paragraph 12 is to process the customer’s order and to supply and deliver the goods. The lawful basis upon which the Company processes this data is that it is necessary for the purpose of a contract between the Company and the individual.

Except for bank or credit card / payment details, the data is retained electronically on the Company’s Shopify, ZenDesk & Microsoft 365 servers. The data is also provided to Shopify for retention on the Company’s behalf (see paragraph 15).

The Company does not retain the bank card or credit card details. These are processed by Shopify. The Company has written terms in place with Shopify detailing their respective obligations in relation to this data. The data that the Company holds for the purpose of the contract is deleted by the Company on request.

The Company does retain customers’ data for future marketing purposes. This is obtained by specific consent from the customer at the time they place an order. The consent is granular and is broken down as to what information the customer would like to receive and in what format. This data comprises the customer’s name, email address, and gender and is held by Klaviyo for these marketing purposes. It is not retained by the Company.

The lawful basis upon which this data is held by Klaviyo on the Company’s behalf is the consent of the individual. Once they have provided their data and opted in, customers receive an email in which they are told how they may withdraw that consent; they are also told this at the time they provide it, and each time they receive a marketing email.

When a customer opts out of the marketing, their data is deleted by Klaviyo under the terms of the written agreement with the Company.

Otherwise, this customer data is retained for marketing purposes indefinitely unless a customer either withdraws their consent

...

Data Relating To Employees

Please see the HR Data Protection policy.

...

Internet

The Company obtains and retains data of those who visit its website even if they do not place an order for goods. The cookies on the Company’s website retain information about the identifier of the website user and such other computer data. This is retained as it is necessary in the legitimate interests of the Company and also of the visitor, as it enhances a visitor’s experience when visiting the website.

Details of the use of cookies on the Company’s website can be found in the Cookie policy.

...

CCTV

Please see the CCTV policy.

...

Suppliers

The Company holds and processes data about its suppliers. It is necessary for the Company to process the data obtained for the purpose of a contract (or in anticipation of a contract being entered into) with the supplier.

The data the Company processes includes the company or organisation name, contact names, email addresses, postal addresses, telephone numbers, bank details, and details of quotations received and orders placed and settled.

Once a contract has been fulfilled with a supplier the Company will retain the data as the Company considers it necessary to do so in the legitimate interests of the Company and also in the legitimate interests of the supplier in order to assist in future business relationships with them and facilitate those relationships.

This data is retained indefinitely by the Company for this reason.

...

General

The Company holds data of other companies, businesses, organisations or associations with whom the Company has a professional relationship or potentially common interest. The Company does so as it considers it necessary in its legitimate interests to enhance and preserve such relationships.

For these third parties, the Company processes business / organisation names, contact names, addresses, email addresses, and telephone numbers.

The Company does not consider that the data in paragraph 29 amounts to personal data as it is data relating to businesses rather than individuals themselves but includes the same in this policy as a matter of good practice.

...

Retention Of Data

The Company retains data for a defined period of time before it is destroyed, as set out in the specific paragraphs above. The destruction is by way of permanent deletion from the computer systems where the data is held and destruction of paper files.

The person responsible for arranging and organising the destruction of data is Matthew Newton or Lee Bloor.

...

Right Of Information

The Company’s Website contains a privacy notice which sets out the information which must be provided under the Legislation.

A copy of the privacy notice is also available for those who request one.

The privacy notice sets out in particular on what basis the Company holds data, what the Company will do with the data obtained, how long the data will be retained for and individuals’ rights.

...

Right Of Individuals

Please see the Rights of Individuals policy for details of these rights and how they will be addressed by the Company.

...

Automated Processing & Profiling

The Company does not process data it holds by automated means nor by profiling.

...

Data Security

A breach of the Legislation occurs if there is a breach of security of data which leads to:

  • (i) accidental or unlawful destruction of;
  • (ii) loss of;
  • (iii) alteration of;
  • (iv) unauthorised disclosure of or access to;

any data.

Please refer to the Data Breach Policy.

...

Data Protection By Default

The Company will ensure that compliance with the Legislation is built into its working systems and the fabric of the business, so that data protection is considered and taken into account at all times.

The Company will undertake a Data Protection Impact Assessment (DPIA) whenever the Company should:

  • elect or consider electing to use any new technology or technological process
  • consider changing the lawful basis for the processing of any data
  • consider any extension to the retention periods for the storage of data
  • consider any change to the type of data that it may hold
  • elect or consider the use of cloud storage (over and above any existing cloud storage used)
  • intend to use a new data processor

The extent of the DPIA will depend upon the change involved. A decision will be made by the Data Compliance Manager over who should be involved in the DPIA and who should be responsible for the same. The DPIA will be led by the individual responsible who shall determine the extent of the DPIA and what shall be required to be considered and documented.

Following the DPIA, the decision of the DPIA will be reviewed and approved by the Company’s Board before implementation.

...

Information Technology

Please see the Company’s IT Policy.

...

Data Processors

Where the Company passes data to any third party for the purposes of processing the data upon its behalf, the Company will ensure before doing so that it has entered into a written agreement with the Data Processor to regulate the use of the data. This shall include:

(i) specifically confirming the use of the data by the Data Processors;

(ii) how long the data may be retained for;

(iii) at the end of the period, whether the data should be destroyed or returned to the Company;

(iv) the lawful basis upon which the Company holds the data and that the data subject/s are aware that the data may be transferred to the data processor for processing;

(v) that the data may not be processed outside the EEA;

(vi) the appropriate security arrangements that the data processor must have in place and the obligation for the data processor to report any security breaches to the Company immediately;

(vii) that the data processor will promptly assist the Company in dealing with any data subject’s rights;

(viii) recognition that the Company is responsible for any actions of the data processor in relation to the use of the data and indemnity provisions.

The Company maintains a central record of all Data Processors and the agreements in place with them. The responsibility for and the upkeep of the central record lies with the Data Compliance Manager.

In the event that any data should be transferred to a third party without a written agreement in place, the Company will take all appropriate steps to obtain such a written agreement. If it is not obtained within a reasonable period of time, and in any event within 28 days, the Company shall request the immediate return of the data and, should the request not be complied with, take appropriate action, whether by way of a report to the Information Commissioner and / or an application to the court for its return.

...

Employees' Duties In Relation to Confidentiality Of Data

Article 5 of the UK GDPR requires the Company to have appropriate security to prevent data from being accidentally or deliberately compromised.

All papers, computers, files and documents (generally referred to as Company property in this policy and which includes any computer, mobile device, physical copies or copies held on a computer, mobile device or memory stick) relating to the Company and all data, are, and remain at all times, the Company’s property. Company property must not be removed from the Company’s premises except with the permission of Matthew Newton or Lee Bloor.

Should an employee remove Company property from the Company’s premises without permission, he / she may be held personally liable if it is stolen, lost or destroyed.

At all times, the safeguarding of Company property and the information contained within it is the responsibility of all employees. Any loss of Company property or dissemination of the information within it is highly likely to amount to a breach of confidentiality and of the Legislation. If Company property ever goes missing, or is destroyed or lost, this must be reported to a director as soon as possible and the Data Compliance Manager informed. If Company property is stolen, or, being missing, may have been stolen, employees must also inform the Police immediately.

Employees must never leave any Company property unattended or in a vehicle. If Company property is taken home or to any other place, whether for the purpose of working on it or for any other purpose, it is the employee’s responsibility to ensure that it is secure, that its contents or details are not released to any third party, and that papers are not left such that customer details, identities, or information can be seen by any third party.

All and any data is strictly confidential. It is all employees’ responsibility and duty to maintain confidentiality of this data at all times. This duty to maintain confidentiality continues after termination of employment.

The following are specific rules with which employees must comply. However, employees must at all times ensure generally that they act in such a way as not to breach confidentiality or compromise themselves or the Company, and pay heed to their obligations under this policy and the Legislation itself:

  • Ensure, when sending an email, that the correct recipient address/es are given.
  • When sending any email, ensure that it does not contain, either in the message itself or further down in the email chain, any information relating to any other party which may be confidential.
  • Avoid using, replying to or forwarding on emails which have other emails in the email chain or attachments.
  • Always check that a fax number is the correct one.
  • When working on a computer, laptop or mobile device away from the Company’s premises, ensure that it cannot be read or overseen by any third party.
  • When leaving the Company’s premises at the end of the day, employees should shut down their computers.
  • Do not save anything containing confidential information to a laptop or computer.
  • Never leave any papers unattended, including on printers.
  • Do not lend office keys or security fobs to any third party at any time.
  • Do not give details of any alarm codes to anyone else.
  • Do not allow unauthorised access to the Company’s premises to anyone.
  • Do not leave computers, laptops or mobile devices unattended when outside the Company’s premises.
  • Never leave computers, laptops or mobile devices in a parked vehicle or at anyone else’s premises.
  • If taking customer data away from the Company’s premises, ensure that the papers are kept secure at all times, are not left for others to see, copy or take, and are never left unattended.

...

Data Storage & Transfer Outside The EEA

The Company will not store data outside the EEA. There are restrictions on international transfers of Data. No Data shall be transferred outside the EEA (which includes the European Union, Iceland, Liechtenstein, and Norway) without first consulting with the Data Compliance Manager to ensure that adequate safeguards are in place.

...

Conclusion & Review

All employees’ and the Company’s obligations under the Legislation are extremely important. If data or Company property is destroyed, lost or stolen or data finds its way to any third party as a result of mishandling, negligence or neglect, this will lead to disciplinary proceedings and the Company reserves the right to claim any losses incurred. Employees should note that in some circumstances it could amount to a criminal offence and / or a fine and / or sanction from the Information Commissioner’s Office, and / or the court. If there is any breach of the Policies then this may lead to disciplinary proceedings.

The Data Compliance Manager and the Deputy Data Compliance Manager will review this policy at least once every 12 months.

...

Last Policy Update: 25/10/2024 by Matthew Newton.