Butlers Chocolates Data Protection Policy
Purpose of this Policy:
Butlers Chocolates UC and its subsidiaries (“we/us”) are committed to protecting and respecting your data protection rights and freedoms as specified under the General Data Protection Regulation (GDPR) and related Irish and EU data protection and privacy legislation. This data protection policy is a statement of that commitment.
Scope of this Policy:
This data protection policy should be read in conjunction with any terms and conditions that apply to your interactions with us to fully understand your data protection rights and freedoms. This data protection policy sets out your data protection rights as a data subject, what personal data we collect, how we use your personal data, whom we may disclose it to, and how long we retain and then delete it. Please read the following carefully to understand our practices regarding your personal data and how we will process it.
Important Definitions:
Personal data: information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
Data Protection Principles:
As a controller of your personal data under the GDPR, we are responsible for the following data protection principles:
- Personal data processed must be lawful, and fair and transparent to the data subject. This means that processing will only be done under an allowable legal basis and we will provide you with certain information when collecting your personal data and when you exercise your data subject rights (see next section). We expect the legal basis for processing your personal data will be one of the following:
  - Your unambiguous, informed, freely given and specific consent, which you can withdraw at any time;
  - A contract between us, formed for example when you purchase a product from our website or enter employment with us;
  - A legal obligation we are under based upon Irish or EU law, such as calculating and reporting of tax liabilities;
  - Our legitimate interests in running our business such as ensuring the quality of our products and services, providing training to our employees, for marketing activities, and keeping our customers, visitors, and employees safe and satisfied. We will attempt to balance our interests against your rights and freedoms before processing under this basis.
- Personal data must be collected for a specific, explicit, and legitimate purpose and not be further processed for an incompatible purpose. This purpose limitation principle means we will tell you the specific purpose of the processing of your data and it will comply with all applicable laws. We will also not process your personal data for a reason that is not compatible with the purpose it was collected for.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This data minimisation principle means we will only collect the personal data we need for processing.
- Personal data must be accurate and kept up to date. This accuracy principle means we will endeavour to keep your personal data current and accurate. You may request we update your personal data if it becomes inaccurate or out of date.
- Personal data must not be kept in an identifiable form any longer than necessary. This storage limitation principle means we will delete or anonymise your personal data when it is no longer needed for processing.
- Personal data must be secured against loss or unauthorised alteration or disclosure. This integrity and confidentiality principle means that we will deploy sufficient technical and organisational safeguards to protect your personal data.
Data Subject Rights:
Data subjects have certain rights under the GDPR, which you may exercise at your discretion. We will reply without undue delay and usually within 30 days. If we are unable to fully respond within that timeframe, we will notify you within 30 days.
Your data protection rights are as follows:
- Right to be informed: At the time of collection of personal data from you, we will inform you of the following information: the purposes and legal basis of the processing, if applicable our legitimate interest, any external recipients, the retention period of your personal data, and other information about your rights including your right to complain to the Data Protection Commission(er) (www.dataprotection.ie).
- Right of access: You may request confirmation that we are processing your personal data. Further, you may access your personal data, meaning you may receive a copy of what we have.
- Right of rectification: You may request that we update any personal data which is inaccurate or incomplete.
- Right of erasure: You may request the erasure of the personal data we control. Please be aware that this right is limited by any legal obligations which we may have to retain the data.
- Right to restrict processing: If your personal data is inaccurate, you may request that the processing of that personal data (except for its storage) be restricted until it is made accurate or if you object to certain processing (see below).
- Right to port: You may request that we provide you or a successor controller in machine-readable form any personal data that you provided to us electronically.
- Right to object: You may object to processing if your personal data is being used for direct marketing purposes or to processing based on our legitimate interest.
- Right to not be subject to solely automated decisions: You have the right to not be subject to decisions that are solely automated (made without human involvement) including profiling and have a legal or other significant impact on you.
If you wish to exercise any of your data protection rights, please send an email to the following address: email@example.com with subject line subject rights. We will respond promptly and confidentially. If you have any other queries regarding your rights as a data subject, please send an email to the following address: firstname.lastname@example.org with the subject line data protection. Our data protection specialist will contact you promptly and confidentially to clarify your query.
Security: We deploy sufficient organisational and technical safeguards to protect the confidentiality, integrity, availability, and resiliency of your personal data hosted on our processing systems. For example, we utilise independent external assessors to determine that our security practices are in compliance with international standards such as PCI DSS for your card payment data, we closely restrict physical access to computing equipment where personal data resides, we securely delete personal data that is no longer necessary for processing, we encrypt your personal data stored with us and your communications with our website using strong algorithms, and we deploy rigorous access controls to prevent unauthorised access to your personal data and have these controls independently tested.
Collection of personal data: We collect personal data from you when you order products from our website, via our pre-order app, or in our Butlers Chocolate Cafés, join our Butlers Platinum Loyalty Card or Happiness Card programme, tour the Butlers Chocolate Factory, decide to receive our Butlers Chocolates newsletter, or apply to enter employment with us. The information we collect will be different for each type of transaction or situation but should be the minimum personal data required to complete the transaction, including details to identify and contact you such as your name, address, phone number, and email address. We do not collect personal data about customers from sources besides yourself.
When you use the website to order products, we would need to collect certain information from your device such as the IP address and browser types for authentication purposes. During website viewing or for transactions you initiate, we will utilise cookies (small files saved on your device) to make the session flow more smoothly, but these will be deleted at the completion of the transaction (session cookies). We will ask for your consent before utilising a cookie. Certain cookies may request to remain beyond the viewing or transaction (persistent cookies) for reasons such as being able to identify you more easily upon your next visit to our website, allowing you to continue where you left off. You can refuse to accept such cookies through the use of the privacy settings of your web browser.
Uses of personal data:
We disclose your personal data only to certain processors who help us run our business. These processors are required contractually to act only under our instructions and adhere to the same levels of data protection as we deploy. For example, we use processors to process card payments and deliver the products you ordered on the website and in our pre-order app and to deliver tickets to visitors on the Butlers Chocolate Experience tours. We disclose to them only the minimum amount of personal data needed for the purposes of the processing required by the transaction, such as your name and address for shipping and your card details for payments. We do not retain your card details. We may also be required to disclose your personal data by law or to ensure the safety and security of our customers, visitors, or employees. We will never sell or license your personal data.
Storage, Retention and Deletion of personal data: We store your personal data entirely within the European Economic Area (EEA) and primarily within Ireland. The only exceptions to this may be for credit card payment verification and marketing programs you have consented to participate in. If personal data leaves the EEA for processing, it must be under contract requiring similar protections as would be required here and utilising one of the transfer mechanisms allowed under the GDPR, including adequacy decisions, standard contractual clauses, or EU-U.S. arrangements. Personal data is retained only until the purposes of the processing have been completed unless there is a requirement to retain it longer based on legal obligations we are subject to. When the retention period for processing has expired, we will delete your personal data using secure disposal techniques.
Processing of sensitive data and personal data of children:
We do not collect or process any special categories (sensitive) data from our customers or visitors. We do not knowingly collect, on the website or via our pre-order app, and process any personal data of children under the digital age of consent (currently defined in Ireland as those under the age of 16). The personal data of children collected for the Butlers Chocolate Factory Tour is not further processed except to ensure their safety and is securely deleted within a defined period after the completion of each tour.
Changes to this Policy: Revisions to this policy may be made at any time. Please check this policy often to be notified of any changes to this policy. Data subjects will be notified at their last known email address for any material changes to this policy, as reasonable and appropriate. This policy was last revised 10 February 2021.