and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller – A controller determines the purposes and means of processing personal data.
Data processor – A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
2. Who are we?
Kate Fenton is the data controller. This means we decide how your personal data is processed and for what purposes. My contact details are:Kate Fenton, Editor Eastbourne, Wealden and Lewes Family Grapevine . [email protected]
The purpose(s) of processing your personal data
We may use your personal data, but only if you have provided it to us, for the following purposes:
- Contacting you to add, check or update listings in the Family Grapevine
- Contacting you to ask if you would like to advertise with us
- Invoicing you if you have booked advertising with us
- Sending you a copy of the magazine if you have booked advertising with us
- To enter a competition in our magazine or website
- To bring you copies of the magazine if you have agreed to be a distributor
3. The categories of personal data concerned
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
- Personal data: name, phone number, address, email
- We do not process Special categories of data
- We have obtained your personal data from:
- Your entry into our competitions in the case of readers
- Fliers (public source), websites (public source), social media (public source) and referrals in the case of free listers and advertisers
- Directly from you when checking listings
4. What is our legal basis for processing your personal data?
Our lawful basis for processing your general personal data:
|Consent of the data subject;||Entry into a competition by readers. This information will be deleted from our systems once the competition winner/s has been notified and accepted the prize.We use public data to contact local businesses to ask if they would like a free listing or to advertise in our publication. During this process they may give us personal data to make it easier to contact them eg a direct phone number of personal email. This information will be checked at least annually. This information is held in an Access database on a password secured laptop and not shared with anyone else. It is backed up using cloud-based software Carbonite based in the USA.
Information that is already in the public domain will not be deemed personal data.
Security statements from both Kashflow and Carbonite will be forthcoming
We may use the personal address of a distributor where we cannot leave copies in a public place eg the organisers of toddler groups which take place weekly/fortnightly. This information will be provided by the distributor and will be checked at least annually.
You may have provided us with your personal contact details via
We will check this information at least annually to make sure you are happy that we continue to hold and use it.
|Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract||We need to gather the contact details of advertisers so that we can communicate with them.We send copies of the printed magazine to advertisers who provide their address for this purpose.|
|Processing necessary for compliance with a legal obligation||We retain contact details for paying advertisers in line with Inland Revenue and Accounting purposes in cloud-based software called Kashflow.This information is retained for at least 5 years after a tax return is submitted.|
|Processing necessary to protect the vital interests of a data subject or another person||Not applicable|
|Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller||Not applicable|
|Processing necessary for the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject||Not applicable|
5. Sharing your personal data
Readers: your personal data will be treated as strictly confidential and will be shared only with the providers of prizes if you have won a Family Grapevine competition.
Advertisers: we will share your personal information only if you have given it to us as part of the contractual process eg to editors of other local Family Grapevines who you are advertising with and who require this information to draw up an invoice, send you an invoice and/or the printed magazine.
6. How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary for a period of one month after the closing date of a competition so we can ensure that the winner is able to take the prize and the competition doesn’t need to be redrawn.
We keep your personal data as long as you may be advertising or considering advertising with us and to comply with HMRC requirements.
We only keep personal data that you have shared with us for the purpose of contacting you more easily than via your public contact details. We do not share this information with anyone and we will delete it if requested. Further we will check this information at least once a year.
We will check with you at least once a year to make sure you are still happy for us to hold your personal address on file and to bring you copies of our magazines rather than leaving them in a public place.
7. Providing us with your personal data
We require your personal data so that we can send winners’ details to the company who has offered the prize. We also need this data to ensure that our Terms and Conditions of entry have not been broken; specifically the requirement for no more than one entry per household.
We require your contact details: name, phone number, email and mailing address for invoicing and distribution purposes. We cannot take paid advertising without this information.
8. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of the personal data which we hold about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary to retain such data;
- The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data
- The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).
9. Transfer of Data Abroad
We transfer data abroad for our automated backups via cloud-based software called Carbonite. This is a link to their current statement on GDPR which they fully support. https://www.carbonite.com/globalassets/files/white-papers/carb-gdpr.pdf
Our accounts are processed via Kashflow. This is a link to their privacy notice confirming their compliance with GDPR. https://www.kashflow.com/privacy-policy/
We use Google Analytics at the top level to track how many users we have on our website but we do not look at any data relating to individual users and cannot identify you from these reports. The Google statement on GDPR is shown via this link: https://privacy.google.com/businesses/compliance/#?modal_active=none
10. Automated Decision Making
We do not use automated decision making.
11. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
13. How to make a complaint
To exercise all relevant rights, queries or complaints please in the first instance contact me – Kate Fenton, Editor Eastbourne, Wealden and Lewes Family Grapevine . [email protected]
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.