Last updated October 2020
Braehead (“We”) is committed to protecting and respecting your personal data and your privacy. This Data Protection policy outlines how we process and store the personal data that you provide to us.
The General Data Protection Regulation (GDPR) regulates the processing of personal data relating to an individual. This includes the collecting, storage and processing of such data on our digital database.
At Braehead, we hold the minimum personal data necessary to enable us to provide you the service which subscribers have signed up to receive. All personal data is confidential and is treated with care in order to comply with the law.
We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining customers' confidence and satisfaction with Braehead.
All personal data that we collect, store and process is held on a secure online database with appropriate safeguards in place to ensure that an individual’s personal data is safe and secure and that we are compliant with the GDPR and the law.
This policy will cover the rules and also the implementation of best practice around data capturing, storage, processing and protection.
- DATA PROTECTION PRINCIPLES
The Company is fully committed to adhering to the principles of Data Protection, as set out in the GDPR. In summary, the principles state that personal data shall:
- Be collected and processed fairly and lawfully and shall not be processed unless prior notice has been given to the data subject.
- Be obtained for a specified and lawful purpose; only to be collected, stored and processed in order to provide the service that the data subject has subscribed to receive.
- Be adequate, relevant and not excessive for that lawful purpose.
- Be accurate and kept up to date annually.
- Not be kept for longer than is necessary for that purpose.
- Be processed in accordance with the data subject’s rights.
- Be kept safe from unauthorised access, accidental loss or accidental destruction.
- Not be transferred to a country outside the European Economic Area (EEA), unless that country has equivalent levels of protection for personal data.
- Not be shared or disclosed to any other person or organisation unlawfully.
To comply with the GDPR, the law and to abide by these principles, personal data shall be collected, stored and processed fairly, safely and lawfully and will not be shared or disclosed to any other individual or organisation without prior consent from the data subject.
Any changes we may make to this Data Protection Policy will be communicated by email to our data subjects when appropriate.
- COMPLIANCE AND ACCOUNTABILITY
It is the responsibility of Braehead to:
- Assess the understanding of the obligations of Braehead under the GDPR.
- Identify and monitor problem areas and risks and recommend solutions.
- Promote clear and effective procedures and offer guidance to staff on Data Protection issues.
- Review current databases and determine whether resubscription under the GDPR is required.
- Ensure that the rights of individuals are met in all instances.
- COLLECTING DATA
When an individual subscribes to our database, the personal data they provide is as follows:
- Their email address
- Their first name
- Their last name
- Their date of birth
- Their preferences or interests
When an individual visits the Braehead website or opens or clicks a Braehead email, we may automatically collect the following information:
- Technical information: including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
- Information about your visit: Uniform Resource Locators (URL) you have clicked on, website pages you have visited, duration of your page visits, page response times, download errors, page interaction information (such as scrolling and clicking), email interaction information (such as opening and clicking) and how or when you end your visit.
- Social media activity: if you have a social media profile and access the website through a social media network, we may collect, store or propose the details of that social media profile and any information that is lawfully available.
- DATA CLASSIFICATION
Braehead staff who regularly deal with the collection, storage and processing of personal data are responsible for assessing the importance and sensitivity of the data and classifying it accordingly. This ensures that any recipients are aware of the precautions that they need to take when they are handling it.
- Low: A dataset that does not contain any information which is directly personally-identifiable. It has either been completely anonymised or pseudonymised, or does not contain any personal information such as contact details, email addresses, addresses etc or any vital client information. An example would be a self-generated testing dataset used to create an analytical model, as this is something that is worthless to anyone outside the organisation. That said, care should still be taken around its storage, use and transference.
- High: Any dataset which contains confidential information, either personal data such as email lists, CRM outputs, address targets and so on, or information which is vital to a client, such as transaction details. If you are unsure of the classification, err on the side of caution and assume it should be classified as High. This data should be stored for no longer than is needed, should be password protected and encrypted and would ideally only be transferred by secure means.
- STORING DATA
The personal data individuals provide and the information we collect is stored on a secure database. This database is protected by password and only accessible to the Braehead team and a contracted agency to provide the service that individuals subscribed to.
For the purpose of internal reports and reviews, collected information and information on the activity of data subjects is depersonalised.
We intend to store the information of data contacts for up to 7 years.
- PROCESSING DATA
We may process or use your data in the following ways:
- Personalisation: we may segment our database in order for us to provide individuals with tailored communications that are relevant to the activity and information on the data subject.
- Service updates: we may notify you about changes to our service, updates on www.braehead.co.uk or parent company Braehead Glasgow Ltd, questions or updates regarding your personal data or changes to this Data Protection Policy.
- Troubleshooting and User Experience (UX) reviewing: we may need to use your data to check that the website and emails are presented in an effective manner for individuals and their computers in order to successfully provide the service that individuals have subscribed to. This may include administering data or information for internal operations, data analysis, testing, research, statistical and surveying purposes.
- Transferring data: we may occasionally be required to transfer personal data to an external agency to carry out or improve the services which individuals have subscribed to. We will only transfer data to a recipient who is authorised to receive it and who must not share the data further. We will ensure that all reasonable steps to ensure the safe transfer of data have been taken. Data will not be transferred outside the European Union unless absolutely necessary; if this case were to occur, sign-off from a Company director must be obtained. Data will be depersonalised if possible. The sender should ask recipients outside the Company to acknowledge receipt of the data and then log the time that receipt was acknowledged.
- BREACH PROCEDURE
In the event of a data breach (an incident where data is lost, either through the loss or theft of the laptop/memory stick/hard drive it is stored on, a breach in the security of the platform it is stored in, or the hard copies being lost or stolen), Braehead staff will inform the nominated team members who will then assess the severity of the breach and work to ascertain the correct response.
In all instances, if an individual has had their personal data compromised, either through actions or a breach on the employee’s part or on the part of a third party, individuals shall be alerted to the fact as soon as possible. This should take the form of a telephone call, but if this is not possible, an email. Follow-up calls with the individuals responsible for data storage and security may be arranged.
If it is found that the breach has occurred through negligence (loss of device/documentation with data stored on it, poor password practices, storing data in a way which contravenes the Data Protection Policy), disciplinary or criminal action may be taken. If a complaint is raised against Braehead due to breach of procedure, this will be dealt with in accordance with the company’s complaints procedure.
- YOUR RIGHTS
You have the right to ask us not to process your personal data for marketing purposes.
At any time you can exercise your right to remove your details from our marketing database by contacting us in writing at Braehead Shopping Centre, Management Suite, Kings Inch Road, Renfrew G51 4BN or firstname.lastname@example.org or by using the unsubscribe link with the Braehead email you have given consent to receive.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.