Being transparent and providing accessible information to individuals about how we will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR) May 2018.
The first principle of data protection is that personal data must be processed fairly and lawfully. The DPA says that in order for the processing to be fair, the data controller (The beauty room) has to make certain information available to the data subjects (the individuals whom the data relates to), so far as practicable.
The code of best practice uses the term ‘privacy notice’ to describe all the privacy information that we make available or provide to data subjects when collecting information about them.
- What information is being collected.
- Who is collecting it.
- Why it is being collected.
- How it will be used.
- Who it will be shared with.
- Right of access to data.
- Methods for unsubscribing.
These techniques allow us to give data subjects greater choice and control over how their personal data is used and demonstrate that we are using personal data fairly and transparently.
In broader terms, an individual’s data will be collected to administer the products, services or information requested.
The beauty room collects data for the purpose of legitimate interest and this may include (but not be limited to) title, first name, surname, address, telephone numbers, email address and where provided, status of health, age and gender.
Once data has been collected, it will be stored in a secure locked cabinet and will only be used to confirm appointments, to advise of offers/promotions or any other relevant information in administering and fulfilling requests.
Data will be retained for a period of time that is deemed suitable for the purpose of being relevant, which may vary according to the services requested.
Personal data will not be shared, sold or passed to third parties for any marketing purposes.
Data subjects have a right of access to the data we hold and should contact us in writing with any requests for access. Data subjects may also exercise their right to erasure provided they do so in writing, including any evidence or proof of why we should no longer hold their data.
All requests will be considered and a response given within 72 hours. In exceptional cases, we may not agree to full erasure if a legitimate/legal reason for doing so exists.
Who Can I Complain To If I Feel You Are Not Handling My Data Correctly?