The protection of personal information is important to us
This policy provides detailed information concerning the personal information we collect, how we collect it and how we use it, who it is shared with and rights customers have in relation to their data as it relates to our loyalty card service called Reward Card.
Throughout this document we/us refers to:
Alleyn Park Garden Centre Ltd
77 (R/O) Park Hall Road,
London SE21 8ES
Data Controller and Data Processor
We are the Data Controller for the Reward Card loyalty card service operated at above address
A Data Controller is a company that collects personal data from the public and decides what
to do with it.
The Data Controller is legally responsible for what happens to the personal data they hold and to ensure this complies with data protection law and to ensure customer rights are maintained.
A data controller may appoint a Data Processor to process, hold and otherwise manage personal data and a related service such as the provision of a loyalty card service.
The data processor for Reward Card is Real Rewards Ltd Company Number 05607372 Address
9 Cromwell Place, East Grinstead, West Sussex, RH19 4SD, www.realrewards.co.uk
A Data Controller must be registered with the ICO (Information Commissioners Office) and our registration is effective came into effect 25th May 2018.
Data Protection Officer
A Data Protection Officer (DPO) is appointed by a Data Controller to ensure compliance with Data protection law and regulation throughout an organisation and to provide a first point of contact. We have voluntarily appointed a DPO who can be contacted in writing at Data Protection Officer at our address above.
GDPR (The General Data Protection Regulation)
GDPR is Europe’s new framework for data protection laws that effective 25th May 2018 which affects both business and consumers alike, more detailed information can obtained at the ICO (Information Commissioners Office) https://ico.org.uk.
Lawful Basis for Processing
GDPR requires that a company must have a lawful basis for processing personal data, there are several; Consent, Contract, Legal obligation, Vital Interests, Public Task, Legitimate Interests, Special Category and Criminal offence data.
The ICO state clearly states that “no lawful basis for processing is better than another” each company must select the most appropriate according to circumstances as they relate to processing of personal data that they carry out
We operate Reward Card under Legitimate Interest as our lawful basis for processing personal data.
Legitimate Interest requires
a) That a company must have a valid reason for processing personal data.
We believe that the provision and operation of a loyalty card service such as our Reward Card service constitutes a valid reason to process personal data.
b) The processing must be necessary.
We believe that the processing of personal data that we carry out is necessary to provide our loyalty card service and furthermore that it would be impossible to provide a personalised transaction-based loyalty card service without at least some processing of personal data.
c) Must satisfy reasonable expectation.
Reasonable expectation is that it would be reasonable to assume that Reward Card customers would expect us to hold and process their personal data in the way that do in order to provide the Reward Card service.
We believe that we satisfy this condition in that transaction-based loyalty schemes that reward customers according to how much they spend are very well understood by members of the public and they would of course expect a company providing such a service to need to hold and process personal data.
d) Must be balanced.
Balance requires that a company balances its valid reason for processing personal data against the possible impact of carrying out the processing in so far as it may affect individuals’ interests, rights and freedoms
We believe that as the data we collect is minimal, not considered overly sensitive, used minimally and only for the purposes of providing our Reward Card service, that protentional for negative impact is negligible and as such that we satisfy the balance test.
We conclude that as we can demonstrate a valid reason for processing personal data, that the processing is necessary to provide the Reward Card service, that we satisfy the tests of expectation and balance, that Legitimate Interest has been demonstrated and hence Legitimate Interest is our Lawful basis for processing personal data.
We voluntarily conducted a far more detailed LIA (Legitimate Interest Assessment) to support our conclusions and this forms part of our company records.
The Personal Data we collect
We collect the following personal data in connection with Reward Card.
Title, First Name, Surname, Postal Address, email address and a telephone number
We have in the past collected Dates of Birth, but this is no longer the case.
This information is collected via a paper-based Reward Card application form directly from the customer whilst they are physically at our premises.
Non-Personal Data Associated with Reward Card.
The Card Number(s) assigned to a customer, the transactions created at the till(s) using these cards and the vouchers issued to customers forms the non-personal data associated with Reward Card.
The combination of personal data and non-personal data forms a Reward Card account which is assigned to an individual or couple.
Both the non-personal data and the account remain the property of the company and not the customer.
How we use personal information
We collect personal information from customers for the sole purpose of communication and contact in so far as it enables us to provide our Reward Card service to them.
We do not actually process personal data at all in the sense that the Reward Card service that we provide does not alter or change in anyway based the personal data we collect from our customers.
A customer’s Title, Name Address, Post Code, email address and telephone does not affect the Reward Card service in anyway.
We do use personal information for the following purposes.
- To associate non-personal data such as card numbers, transactions and vouchers with an individual or couple in a Reward Card account.
- To address Reward Card Vouchers being sent via Royal Mail.
- To address Reward Card Voucher notifications being sent via email.
- To report found lost cards via email and telephone.
- To answer any queries customers may have.
- To facilitate changes to the personal data requested by customers.
- To carry out requests to be un-subscribed from Reward Card.
- To generally conduct correspondence with customers in relation to the operation of the Reward Card service.
Location of personal data
We do not store Reward Card personal data at our site as this function is carried out by our Data Processor Real Rewards Ltd
Real Reward Limited operates the Reward Card server located at their premises in East Grinstead
West Sussex in the UK.
Real Rewards Ltd does not alter, process or otherwise interact the personal data associated with Reward Card except as required by us to provide the Reward Card service.
Security of Personal data
We collect personal information in relation to Reward Card via paper-based application forms.
Application forms are collected from customers by authorised members of staff
They are stored in a secure location, accessible only by authorised staff.
On a regular basis the Application form are sent to our Data Processor using a Recorded or Tracked delivery service in very secure packaging.
The data from the application forms will be entered on the Reward Card server by authorised employees of our Data processor.
The application forms are held at our Data Processor’s site only as long as required to complete data entry and are then shredded securely.
In essence that can be summarised as follows
- Only authorised staff have access to the Reward Card Server.
- Access is always under secure password and passwords are regularly changed.
- Changes to personal data relating to Reward Card are only carried out our request.
- Real Rewards Ltd will not make Reward Card personal data available to any third party
accept where that third party is directly involved with providing the Reward Service such as a printer for over printing paper vouchers on our stationary or stationary that they provide.
- Real Rewards will report any data breaches to us upon discovery.
The only marketing material we provide in relation to Reward Card will be included with the Reward Vouchers or part of the Reward Card Vouchers itself.
This material is designed to keep customers updated with the latest news, events, products and services we offer in order maximise the value of the Reward Vouchers enclosed.
No separate marketing will be carried out unless a separate opt out is provided.
Disclosing personal data
We will never disclose personal data belonging to our customers to anyone outside of our company, our data processor or company contracted by them to provide part of the Reward card service.
We will never engage in the selling of personal data.
We will only ever release personal data if the law or public authority requires us to do so.
How customers can access their personal information
We will retain personal information only as long is required to provide the Reward Card service
- The right to correct and update personal data.
Customers have the right to correct and update personal data that relates to their Reward
Card account. This can be carried out by contacting us directly
- The right to unsubscribe
Customers have the right to un-subscribe from Reward Card, this can be carried out by contacting us directly.
- The right to be forgotten.
Customers can request that we remove any personal data that we hold, again this can be carried by contacting us directly,
We are not obliged to support or provide a transfer service to enable customers to transfer their Reward card account to another provider.
We would however consider requests to export data in a format the would permit this but reserve the right to either refuse to carry out the request or to change a small fee.
In all cases we reserve the right to insist that requests are made to us in writing or that customers provide some form of ID before we act on any requests.
Changes to our policy
This Policy replaces all previous versions We may update this privacy statement to reflect changes to our information practices. If we make any material changes we will notify you by means of a prominent notice on our Website prior to the change becoming effective. We encourage you to periodically review our Website for the latest information on our privacy practices.
If you have any queries, please contact us at:
Alleyn Park Garden Centre Ltd
77 (R/O) Park Hall Road,
London SE21 8ES
020 8670 7788