Ranna General Data Protection Regulation (GDPR)
The General Data Protection Regulation or “GDPR” is very important for small cafes/takeaway to large corporate enterprises. The law comes into effect on 25 May 2018, so to help you understand, please take a look at what this new regulation means for you and us.
What is the GDPR?
The General Data Protection Regulation will replace the existing Data Protection Directive (in place since October 1995) with the aim to provide structure and consistency around data privacy laws within the European Union. In doing so, the GDPR will empower consumers and give them more control over their personal data.
What are the important changes you should be aware of?
Unlike the previous directive, the boundaries of the GDPR will be defined by the consumer’s (you) and not by the companies. GDPR applies to all resident residing in EU countries and not the company’s location.
Our GDPR Policy
The purpose for which your data is collected
We collect customer’s information for three reasons:
- Firstly we want to make sure our EPOS system correlates efficiently when an existing customer places an order with us via phone or online. For example when a customer phones our restaurant instead of a telephone number, the customers name will come up. Once clicked we can see the customers delivery address, phone number and previous orders placed with Ranna. This makes customer relations much more proficient.
- Any new customers placing orders through third party applications such as apps or websites will also have their basic information stored on our EPOS system for future ordering purposes. This data is solely used by us and no external party can or will not have access to your information. This information does not automatically consent us to use your information for marketing purposes. For marketing or promotional activities we will ask for additional permission.
- Customer contact details are given to our delivery staff; address and telephone number. Drivers will return all contact information including delivery receipts at the end of the shift which is subsequently destroyed. Any orders placed via a third party will not fall under our GDPR policy, and is the sole responsibility of the external party.
- We send regular promotional text messages to our customers every now and then. After the 25th of May 2018, we will only be sending text messages to those who have opted in for the service. Customers who wish to receive promotional messages must go to our website ranna.co.uk and select ‘yes’ on promotion page.
Your privacy rights
You can at any point send an email to email@example.com and ask to remove your details from our database.
However request a delivery after data removal from our database, your personal information will be collated once again to deliver the food as prescribed above. Customers will be required to explicitly state that the order be printed manually to avoid collecting personal information.
Customers who do not request the manual print out will be required to email once again for a further data collection opt out.
The way in which your data will be used, stored and retained.
- Your data is stored in our EPOS system database which is managed by PurpleI (our maintenance company). Every sixth months your data will be transferred to an external hard drive for backup and kept in one of our sites. No additional copies will be made.
- Your data will not be passed onto any external organisations. It will be exclusively used by & for Ranna.
- We use TextGoTo.co.uk company (who is also compliant with GDPR) to send promotional text messages to you. TextGoTo has an agreement in place with us that they will not use any of our customer data nor share it with any third party.
- The data we retain is your name, your address and your telephone number. Sometime we may also request your date of birth. Please also remember we also keep record all food items that you place with us for up to six years for legal and accounting reason.
- Your data will be retained so long as we remain as a functional business entity. Every six years we undergo a data cull, where we will contact every customer to validate their information is correct and whether they would like to remain on our database. Customers who opt out or do not respond will automatically be removed from the database.
Your privacy rights
Right to access
GDPR gives individuals the right to access and understand how their personal data is being used. If you request to see what information we hold, we will respond without undue delay. We will give full visibility on the personal data we hold about you and provide you with an electronic copy. There are no fees for responding to a request, unless the request is clearly excessive or unfounded. Any data requests in paper format will carry an admin fee to cover our basic costs.
Right to be “forgotten”
Should you no longer want us to process your data, please contact us via email requesting data removal. You can email us at the following address: firstname.lastname@example.org
In certain circumstances, you have the right to have your personal data “erased”. This right can be exercised when the data is no longer necessary for the purpose for which it was collected. It can also be used where consent has been withdrawn and there is no other legal basis for using the data. This right is not absolute due to some legal or regulatory requirement to retain data for specified time periods.
Data portability allows you to access your personal data and share them with another company or “data controller”, which we do not recommend.
Now you understand GDPR in more detail, here’s a checklist that will help you understand us much clearer:
- Consent – We only rely on consent for any activities (such as marketing) to send out any promotional materials to you. This is clear when you sign up to it, specific and explicitly.
- Know your data – We have shown a clear understanding of the types of personal and sensitive data we hold, as well as where we are collecting them and how were using them.
- Create Fair Processing Notices –As mentioned above, we have described to you what we do with your personal data, how long we will be holding it for and the privacy rights.
- Data security – We update our security processes on regular basis. You can be assured that your personal data is protected from accidental loss, destruction or damages. We use encryption or other methods that can help avoid unknown person to access your data.
- Staff – All employees are trained on GDPR and the process for reporting a suspected, or actual, data breach. In the case of a serious breach, a report will be made to the ICO within 72 hours.
All staff understands what constitutes a personal data breach and builds processes to pick up any red flags.
- Respond to requests quickly – As mentioned above, we respond to data requests in a timely fashion, typically within a month.
- Due-diligence on our supply chain – We make sure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties.
- Data protection officer – will be responsible to ensure all aspects of GDPR are maintained to the highest standards, along with staff training and customer liaisons.