1. Introduction
Allkin Brewing Company (hereinafter referred to as “the Company”) is committed to protecting the privacy and security of personal data. This Data Policy outlines the principles and practices that the Company follows to ensure compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) in the UK.
2. Data Controller and Data Protection Officer
• Data Controller: Allkin Brewing Company, Oakridge Farm, Sandhill Lane, Eridge, TN3 9LP, [email protected]
• Data Protection Officer (DPO): Christopher Drummond, [email protected].
3. Principles of Data Processing:
The Company adheres to the following principles when processing personal data:
• Lawfulness, Fairness, and Transparency: Data will be processed lawfully, fairly, and in a transparent manner.
• Purpose Limitation: Data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data Minimisation: Data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy: Data will be accurate and, where necessary, kept up to date.
• Storage Limitation: Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and Confidentiality: Data will be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
• Accountability: The Company shall be responsible for and be able to demonstrate compliance with these principles.
4. Legal Basis for Processing:
The Company processes personal data based on the following legal grounds:
• Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contract: Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
• Legal Obligation: Processing is necessary for compliance with a legal obligation to which the Company is subject.
• Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
5. Data Subject Rights
Data subjects have the following rights under GDPR and DPA 2018:
• Right to be Informed: Data subjects have the right to be informed about the collection and use of their personal data.
• Right of Access: Data subjects have the right to access their personal data and supplementary information.
• Right to Rectification: Data subjects have the right to have inaccurate personal data rectified or completed if it is incomplete.
• Right to Erasure: Data subjects have the right to have personal data erased, also known as the ‘right to be forgotten’.
• Right to Restrict Processing: Data subjects have the right to request the restriction or suppression of their personal data.
• Right to Data Portability: Data subjects have the right to obtain and reuse their personal data for their own purposes across different services.
• Right to Object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
• Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
6. Data Security
The Company implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
• Encryption of Personal Data: Ensuring that personal data is encrypted during transmission and storage.
• Access Controls: Implementing access control measures to restrict access to personal data to authorised personnel only.
• Regular Security Assessments: Conducting regular assessments of data processing practices and security measures.
• Data Breach Procedures: Establishing procedures to detect, report, and investigate data breaches in accordance with GDPR requirements.
7. Data Retention
The Company retains personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The specific retention periods are defined in the Company’s Data Retention Policy.
8. Data Transfers
The Company ensures that any transfer of personal data to a third country or international organisation complies with GDPR requirements, including the use of Standard Contractual Clauses or other appropriate safeguards.
9. Data Breach Notification
In the event of a data breach, the Company will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the Company will also inform the affected individuals without undue delay.
10. Changes to the Data Policy
The Company reserves the right to update this Data Policy at any time. Any changes will be communicated to data subjects through appropriate channels.
11. Contact Information
For any questions or concerns regarding this Data Policy or the Company’s data processing practices, please contact:
• Data Protection Officer (DPO): Christopher Drummond, [email protected].
• Address: Oakridge Farm, Sandhill Lane, Eridge, TN3 9LP
This Data Policy is effective as of 29-05-2024.