A. Customer Data Collected
1. Customer data acquired by 3rd party software; assurances have been requested and gained from the following third party suppliers that they are, and will remain, GDPR compliant from May 25th 2018.
1.1 – Purple WiFi – (customer WiFi access in F&F sites; customer data collected via Facebook/Twitter or completion of a personal data form)
2. Customer data acquired by company owned web site based software (www.frontierpubs.co.uk), hosted by Wirehive and managed by Glass House Project; assurances have been requested and gained from The Glass House Project, who manage the Frontier Pubs Ltd. website, that they are, and will remain, GDPR compliant from May 25th 2018. This includes ‘Contact Us’, ‘Hops & Dough Club’, ‘Get In Touch’ and any existing or future means of gathering customer data. Data collected and stored by Glass House Project is deleted on a quarterly basis.
2.1 The company owned web site based software (www.frontierpubs.co.uk), managed by Glass House Project, will include a statement from May 25th 2018 informing customers re: customer data collection; what is held, why it is held, its use, the length of time it is held for and how a customer can opt out at any point, see B 1.2.
3. Customer data acquired by email, captured at individual locations, office based PCs.
3.1 Email reservations/bookings – collated on a weekly basis and entered into a folder named CUSTOMERS on Outlook. On a quarterly basis, this is deleted from the office PCs by site Managers and checked by the Operations Manager.
4. Customer data acquired by paper based loyalty cards at individual locations; loyalty cards state clearly that customers can ‘opt in’ to having marketing information sent to them, and the purpose of gathering customer data is to send ‘relevant marketing information, in the form of a newsletter’. Customers can opt out via the email marketing software, Mailchimp. Loyalty cards are disposed of by use of a shredder, within 3 months of receipt, by the Operations Manager.
5. Customer data collected by credit card. Credit cards are only accessible by authorised people, the Management team and kept in a secure location. Data is only retained for 3 years, and only shared with those organisations who have a legitimate interest in it. It is securely disposed of after 3 years, by a professional shredding company.
B. Marketing Communication to Customer
1. Customer data within Mailchimp is controlled by Frontier Pubs Ltd., managed by the Glass House Project, and solely used for the marketing of Frontier Pubs Ltd. businesses, on occasion with a third party but never solely on behalf of a third party. Assurances have been requested and gained from Mailchimp that they are, and will remain, GDPR compliant from May 25th 2018.
1.1 Customer data is never used to solely promote third parties or sold to third parties.
1.2 May 2nd 2018 – any customer data held within Frontier Pubs Ltd. part of the Mailchimp database, that has been ported from third parties; these customers will be requested to ‘opt in’ to continue to receive emails, detailing the nature of newsletters, frequency and the ability to opt out at any time.
1.3 May 25th – new customers joining the Frontier Pubs Ltd. database from the web site will ‘opt in’ and be informed of receiving marketing emails, detailing the nature of future newsletters, frequency and the ability to opt out at any time.
C. Workforce Data Policy
1. We will only process Personal data in accordance with data protection legislation as outlined in our workforce data privacy notice which will be made available to all employees via Fourth. The document will be incorporated into the employee handbook later in the year. Full training to be given to Managers about their data protection responsibilities.
- Security of documents
- All sites to be provided with a lockable filing cabinet, scanner and shredder.
- All paper documents to be stored in locked filing cabinet
- Each person to have their own Fourth login – relevant to their role and access levels
- All electronic documents to be stored in locked files on PC, RIGHT TO WORK CHECKS & EMPLOYEE RELATIONS, and relevant documents uploaded to Selima or deleted on a quarterly basis by Managers and checked by Operations Manager.
- Incidents of non-compliance may result in disciplinary procedures.
- Retention of information
- Right to work checks to be retained for 2 years
- Staff files to be retained for 6 years after termination of employment
- Data removal requests for deletion or rectification of data should be made to the Commercial Director as outlined in the Frontier Pubs Ltd, Privacy Statement and will be carried out unless we have a legitimate interest in retaining it, in which case we will explain the reasons.
- Breach notification
- A personal data breach is the loss, alteration or unauthorised disclosure of or access to personal data. If the breach is likely to result in a risk to the rights and freedoms of individuals you must report the breach and notify those concerned. If it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.
- Errors or reports of witnessing non-compliance with this policy are to be reported to the Operations Manager as soon as possible; they will then investigate and, if necessary, report within the 72 hour timeframe.
1.2 Data Disposal
- Waste electronic data (documents, database entries, multimedia, etc.) that contains personal, sensitive and/or confidential information must be deleted, and deleted from any resulting recycle bins or “temporary” deletion folders.
- All waste paper documentation that contains personal, sensitive and/or confidential information must be shredded. Field based workers to ensure documents are returned to Head Office and shredded.
- Hardware: All unused, old and damaged equipment should be returned to the Head Office, as they are responsible for the secure disposal or reuse of computing equipment.