Butlers Chocolates Data Protection Policy
Purpose of this Policy:
Butlers Chocolates UC (The Irish Chocolate Company UC T/A Butlers Chocolates) and its subsidiaries (“we/us”) are committed to protecting and respecting your data protection rights and freedoms as specified under the General Data Protection Regulation (GDPR) and related Irish and EU data protection and privacy legislation. This data protection policy is a statement of that commitment.
Scope of this Policy:
This data protection policy should be read in conjunction with any terms and conditions that apply to your interactions with us to fully understand your data protection rights and freedoms. This data protection policy sets out your data protection rights as a data subject, what personal data we collect, how we use your personal data, whom we may disclose it to, and how long we retain and then delete it. Please read the following carefully to understand our practices regarding your personal data and how we will process it.
Important Definitions:
Personal data: information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
Data Protection Principles:
As a controller of your personal data under the GDPR, we are responsible for the following data protection principles:
- Personal data processed must be lawful, and fair and transparent to the data subject. This means that processing will only be done under an allowable legal basis and we will provide you with certain information when collecting your personal data and when you exercise your data subject rights (see next section). We expect the legal basis for processing your personal data will be one of the following:
  - Your unambiguous, informed, freely given and specific consent, which you can withdraw at any time;
  - A contract between us, formed for example when you purchase a product from our website or enter employment with us;
  - A legal obligation we are under based upon Irish or EU law, such as calculating and reporting of tax liabilities;
  - Our legitimate interests in running our business such as ensuring the quality of our products and services, providing training to our employees, for marketing activities, and keeping our customers, visitors, and employees safe and satisfied. We will attempt to balance our interests against your rights and freedoms before processing under this basis.
- Personal data must be collected for a specific, explicit, and legitimate purpose and not be further processed for an incompatible purpose. This purpose limitation principle means we will tell you the specific purpose of the processing of your data and it will comply with all applicable laws. We will also not process your personal data for a reason that is not compatible with the purpose it was collected for.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This data minimisation principle means we will only collect the personal data we need for processing.
- Personal data must be accurate and kept up to date. This accuracy principle means we will endeavour to keep your personal data current and accurate. You may request we update your personal data if it becomes inaccurate or out of date.
- Personal data must not be kept in an identifiable form any longer than necessary. This storage limitation principle means we will delete or anonymise your personal data when it is no longer needed for processing.
- Personal data must be secured against loss or unauthorised alteration or disclosure. This integrity and confidentiality principle means that we will deploy sufficient technical and organisational safeguards to protect your personal data.
Data Subject Rights:
Data subjects have certain rights under the GDPR, which you may exercise at your discretion. We will reply without undue delay and usually within 30 days. If we are unable to fully respond within that timeframe, we will notify you within 30 days.
Your data protection rights are as follows:
- Right to be informed: At the time of collection of personal data from you, we will inform you of the following information: the purposes and legal basis of the processing, if applicable our legitimate interest, any external recipients, the retention period of your personal data, and other information about your rights including your right to complain to the Data Protection Commission(er) (www.dataprotection.ie).
- Right of access: You may request confirmation that we are processing your personal data. Further, you may access your personal data, meaning you may receive a copy of what we have.
- Right of rectification: You may request that we update any personal data which is inaccurate or incomplete.
- Right of erasure: You may request the erasure of the personal data we control. Please be aware that this right is limited by any legal obligations which we may have to retain the data.
- Right to restrict processing: If your personal data is inaccurate, you may request that the processing of that personal data (except for its storage) be restricted until it is made accurate or if you object to certain processing (see below).
- Right to port: You may request that we provide you or a successor controller in machine-readable form any personal data that you provided to us electronically.
- Right to object: You may object to processing if your personal data is being used for direct marketing purposes or to processing based on our legitimate interest.
- Right to not be subject to solely automated decisions: You have the right to not be subject to decisions that are solely automated (made without human involvement), including profiling, and that have a legal or other significant impact on you.
If you wish to exercise any of your data protection rights, please send an email to the following address: email@example.com with the subject line subject rights. We will respond promptly and confidentially. If you have any other queries regarding your rights as a data subject, please send an email to the following address: firstname.lastname@example.org with the subject line data protection. Our data protection specialist will contact you promptly and confidentially to clarify your query.
Security:
We deploy sufficient organisational and technical safeguards to protect the confidentiality, integrity, availability, and resiliency of your personal data hosted on our processing systems. For example, we utilise independent external assessors to determine that our security practices are in compliance with international standards such as PCI DSS for your card payment data, we closely restrict physical access to computing equipment where personal data resides, we securely delete personal data that is no longer necessary for processing, we encrypt your personal data stored with us and your communications with our website using strong algorithms, and we deploy rigorous access controls to prevent unauthorised access to your personal data and have these controls independently tested.
Collection of personal data:
We collect personal data from you when you order products from our website, via our pre-order app, or in our Butlers Chocolate Cafés, join our Butlers Platinum Loyalty Card or Happiness Card programme, tour the Butlers Chocolate Factory, decide to receive our Butlers Chocolates newsletter, or apply to enter employment with us. The information we collect will be different for each type of transaction or situation but should be the minimum personal data required to complete the transaction, including details to identify and contact you such as your name, address, phone number, and email address. We do not collect personal data about customers from sources besides yourself.
Uses of personal data:
We use (process) your personal data only for the purpose stated when the data was collected. For example, personal data collected when you order on the Butlers Chocolates website, through our pre-order app, or in a Butlers Chocolate Café would be used only for the purposes of completing the transaction you have initiated, including for payment and delivery of the ordered product to you. We share your personal information with third parties who help us to deliver targeted marketing campaigns and to personalise your experience online. These providers include Segmentify, MailChimp and Google. Personal data collected when you join the Butlers Platinum or Loyalty Card program or request to be added to the newsletter distribution will be used only to email you information related to your membership, promotions, and news. We may also send offers and promotions to our existing customers. You may choose to opt-out at any time by simply clicking the “Unsubscribe” link included in the message.
Disclosures of personal data:
We disclose your personal data only to certain processors who help us run our business. These processors are required contractually to act only under our instructions and adhere to the same levels of data protection as we deploy. For example, we use processors to process card payments and deliver the products you ordered on the website and in our pre-order app and to deliver tickets to visitors on the Butlers Chocolate Experience tours. We disclose to them only the minimum amount of personal data needed for the purposes of the processing required by the transaction, such as your name and address for shipping and your card details for payments. We do not retain your card details. We may also be required to disclose your personal data by law or to ensure the safety and security of our customers, visitors, or employees. We will never sell or license your personal data.
Storage, Retention and Deletion of personal data:
We store your personal data entirely within the European Economic Area (EEA) and primarily within Ireland. The only exceptions to this may be for credit card payment verification and marketing programs you have consented to participate in. If personal data leaves the EEA for processing, it must be under a contract requiring similar protections as would be required here and utilising one of the transfer mechanisms allowed under the GDPR, including adequacy decisions, standard contractual clauses, or EU-U.S. arrangements. Personal data is retained only until the purposes of the processing have been completed unless there is a requirement to retain it longer based on legal obligations we are subject to. When the retention period for processing has expired, we will delete your personal data using secure disposal techniques.
Processing of sensitive data and personal data of children:
We do not collect or process any special categories (sensitive) data from our customers or visitors. We do not knowingly collect, on the website or via our pre-order app, and process any personal data of children under the digital age of consent (currently defined in Ireland as those under the age of 16). The personal data of children collected for the Butlers Chocolate Factory Tour is not further processed except to ensure their safety and is securely deleted within a defined period after the completion of each tour.
Revisions to this policy may be made at any time. Please check this policy often to be notified of any changes to this policy. Data subjects will be notified at their last known email address for any material changes to this policy, as reasonable and appropriate. This policy was last revised on 20 May 2021.