Growing in Wellness, LLC (the owner and data processor) is committed to ensuring that all personal data handled will be processed according to legally compliant standards of data protection and data security.
The purpose of this policy is to help achieve data protection and data security aims by notifying you of the types of personal information that may be held about customers, suppliers and other third parties and what is done with that information; setting out the rules on data protection and the legal conditions that must be satisfied when collecting, receiving, handling, processing, transferring and storing personal data and ensuring understanding of rules and the legal standards; and clarifying the responsibilities and duties in respect of data protection and data security.
For the purposes of this policy: Data protection laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the General Data Protection Regulation (Regulation (EU) 2016/679). Data subject means the individual to whom the personal data relates. Personal data means any information that relates to an individual who can be identified from that information. Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it. Special categories of personal data mean information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, orientation and biometric data.
Data protection principles
Contractors and freelancers whose work involves using personal data must comply with this policy and with the following data protection principles which require that personal information is:
Processed lawfully, fairly and in a transparent manner. The data processor must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information, the purpose(s) for which the information is being processed and to whom it may be disclosed.
Collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If the data processor wants to change the way personal data is used, they must first tell the data subject.
Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. Personal data will only be collected to the extent required for the specific purpose notified to the data subject.
Accurate, and the owner and data processor takes all reasonable steps to ensure that inaccurate information is rectified or deleted without delay. Checks on personal data will be made when it is collected and regular checks must be made afterward. Reasonable efforts to rectify or erase inaccurate information will be made.
Kept only for the period necessary for processing. Information will not be kept longer than it is needed, and all reasonable steps to delete information when it is no longer needed will be made. For guidance on how long particular information should be kept, contact email@example.com, or request a copy of the Data Retention Policy.
Secure, and appropriate measures are adopted by the owner and data processor to ensure this.
Who is responsible for data protection and data security?
Maintaining appropriate standards of data protection and data security is a collective task shared between the data processor and you. This policy and the rules contained in it apply to the owner and data processor, irrespective of seniority, tenure and working hours, including all contractors and freelancers, directors, consultants, casual or agency workers, trainees, homeworkers and fixed-term contractors.
Questions about this policy, or requests for further information, should be directed to firstname.lastname@example.org.
The data processor has the personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. The Data Protection Officer must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing data.
What personal data and activities are covered by this policy?
This policy covers personal data:
which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information possessed;
which is stored electronically or on paper in a filing system;
in the form of statements of opinion as well as facts;
which relates to (present, past or future) or to any other individual whose personal data is handled or controlled;
which is obtained, provided, held or stored, organized, disclosed or transferred, amended, retrieved, used, handled, processed, transported or destroyed.
This personal data is subject to the legal safeguards set out in the data protection laws.
Sensitive personal data
The data processor may from time to time need to process sensitive personal information (sometimes referred to as 'special categories of personal data').
Sensitive personal information will only be processed if:
one of the following special conditions for processing personal information applies:
the data subject has given explicit consent.
the processing is necessary to protect the data subject's vital interests, and the data subject is physically incapable of giving consent.
processing relates to personal data which are manifestly made public by the data subject.
the processing is necessary for the establishment, exercise or defense of legal claims; or
the processing is necessary for reasons of substantial public interest.
Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
The privacy notice sets out the type of sensitive personal information that is processed, what it is used for and the lawful basis for the processing.
Accuracy and relevance
The data processor will:
ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
not process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.
If you consider that any information held about you is inaccurate or out of date, then you should tell the data processor. If there is agreement that the information is inaccurate or out of date, then it will be corrected promptly. If you do not agree with the correction, then your comments will be noted.
Storage and retention
Personal data (and sensitive personal information) will be kept securely in accordance with the Data Retention Policy.
The periods for which personal data is held are contained in the privacy notices.
You have the following rights in relation to your personal data.
Subject access requests:
You have the right to make a subject access request. If you make a subject access request, the data processor will tell you:
whether or not your personal data is processed and, if so, why, the categories of personal data concerned and the source of the data if it was not collected from you;
to whom your personal data is or may be disclosed;
for how long your personal data is stored (or how that period is decided);
your rights of rectification or erasure of data, or to restrict or object to processing;
your right to complain to the Information Commissioner if you think the data processor has failed to comply with your data protection rights; and
whether or not automated decision-making is carried out and the logic involved in any such decision making.
You will be provided with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically unless you agree otherwise.
To make a subject access request, contact email@example.com.
You may be asked for proof of identification before your request can be processed. You will be notified if there is a need to verify your identity and the documents required.
The data processor will normally respond to your request within 28 days from the date your request is received. In some cases, where there is a large amount of personal data being processed, a response within 3 months of the date your request is received may be likely. You will be contacted within 28 days of receiving your original request if this is the case.
If your request is manifestly unfounded or excessive, the data processor is not obliged to comply with it.
You have a number of other rights in relation to your personal data. You can require the data processor to:
rectify inaccurate data;
stop processing or erase data that is no longer necessary for the purposes of processing;
stop processing or erase data if your interests override our legitimate grounds for processing the data (where legitimate interests are relied upon as a reason for processing data);
stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the owner and data processor's legitimate grounds for processing the data.
To request that any of these steps be taken, please send the request to firstname.lastname@example.org.
Appropriate technical and organizational measures will be used to keep personal data secure, and in particular to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Maintaining data security means making sure that:
only people who are authorized to use the information can access it;
where possible, personal data is pseudonymized or encrypted;
information is accurate and suitable for the purpose for which it is processed; and
authorized persons can access information if they need it for authorized purposes.
By law, procedures and technology must be used to secure personal information throughout the period that the data processor holds or controls it, from obtaining to destroying the information.
Personal information must not be transferred to any person to process (for example, while performing services for the data processor or on behalf of the data processor) unless that person has agreed to comply with data security procedures or the owner and data processor is satisfied that other adequate measures exist.
Security procedures include:
Any desk or cupboard containing confidential information must be kept locked.
Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
Any cloud service used to store data is noted as GDPR compliant.
Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
All servers containing sensitive personal data must be approved and protected by security software.
Servers containing personal data must be kept in a secure location, away from general office space.
Data should be regularly backed up in line with the owner and data processor's backup procedure.
Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.
Data impact assessments
Some of the processing that the owner and data processor carries out may result in risks to privacy.
Where processing would result in a high risk to your rights and freedoms, the owner and data processor will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
If it is discovered that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of discovery.
The data processor will record all data breaches regardless of their effect in accordance with the Breach Response Policy.
If the breach is likely to result in a high risk to your rights and freedoms, the data processor will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures it has taken.
The data processor will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.
The data processor will only retain your personal data for as long as necessary to fulfill the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The correct period for which to keep the data is decided by considering its amount, nature and sensitivity, the potential risk of harm from unauthorized use or disclosure, whether the processing purposes can be achieved by other means, and legal requirements.
For tax purposes, the law requires keeping basic information about customers (including Contact, Identity, Financial and Transaction Data) for up to six years after they stop being customers.
In some circumstances, the data processor may anonymize your personal data for research or statistical purposes in which case this information may be used indefinitely without further notice to you.
YOUR LEGAL RIGHTS
Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to the portability of data and (where the lawful ground of processing is consent) to withdraw consent.
This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. The data processor does not control these third-party websites and is not responsible for their privacy statements. When you leave the website, you are encouraged to read the privacy notice of every website you visit.
What's a cookie?
A "cookie" is a piece of information that is stored on your computer's hard drive and which records how you move your way around a website so that, when you revisit that website, it can present tailored options based on the information stored about your last visit. Cookies can also be used to analyze traffic and for advertising and marketing purposes.
Cookies are used by nearly all websites and do not harm your system.
If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings. You can block cookies at any time by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of the site.
How are cookies used?
Cookies are used to track your use of the website. This enables understanding of how you use the site and tracking of any patterns in how you are using the website. This helps to develop and improve the website as well as products and/or services in response to what you might need or want.
Cookies are either:
- Session cookies: these are only stored on your computer during your web session and are automatically deleted when you close your browser – they usually store an anonymous session ID allowing you to browse a website without having to log in to each page but they do not collect any personal data from your computer; or
- Persistent cookies: a persistent cookie is stored as a file on your computer and it remains there when you close your web browser. The cookie can be read by the website that created it when you visit that website again. Persistent cookies are used for Google Analytics.
Cookies can also be categorized as follows:
- Strictly necessary cookies: These cookies are essential to enable you to use the website effectively, such as when buying a product and/or service, and therefore cannot be turned off. Without these cookies, the services available to you on the website cannot be provided. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the internet.
- Performance cookies: These cookies enable the ability to monitor and improve the performance of the website. For example, they allow the ability to count visits, identify traffic sources and see which parts of the site are most popular.
- Functionality cookies: These cookies allow the website to remember choices you make and provide enhanced features. For instance, the data processor may be able to provide you with news or updates relevant to the services you use. They may also be used to provide services you have requested such as viewing a video or commenting on a blog. The information these cookies collect is usually anonymized.