Data Protection Policy

Introduction

Varieteas.co.uk (a trading name of Brew Roulette Ltd) is required to maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Company recognises the importance of the correct and lawful treatment of personal data; such treatment maintains confidence in the organisation and provides for a successful operation.

Our Data Protection Policy should be read in conjunction with our Fair Processing Notice, Privacy Policy, Marketing Opt Out Procedure and our Communication Policy.

The types of personal data that the Company may require include information about:

  • Consumers, current, past and prospective customers;
  • Current, past and prospective employees;
  • Company members;
  • Suppliers;
  • Others with whom it communicates.

This personal data, whether it is held on paper, on computer or other media, will be subject to the appropriate legal safeguards as specified in the General Data Protection Regulation.

The Company fully endorses and adheres to the principles of data protection. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Employees and any others who obtain, handle, process, transport and store personal data for the Company must adhere to these principles.

The Data Protection Principles

The principles require that personal data shall:

  1. Be processed fairly and lawfully and shall not be processed unless certain conditions are met;
  2. Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
  3. Be adequate, relevant and not excessive for those purposes;
  4. Be accurate and, where necessary, kept up to date;
  5. Not be kept for longer than is necessary for that purpose;
  6. Be processed in accordance with the data subject’s rights;
  7. Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures;
  8. And not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data Security

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.

All staff are responsible for ensuring that:

  • Any personal data which they hold is kept securely.
  • Personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party.
  • All phone operators are required to hand their phones in at the start of each shift, and end of breaks.
  • All staff are required to lock their computers whilst they’re away from their desks.
  • Ensuring that customer records are updated correctly.
  • Informing the Company of any changes to information which they have provided, e.g. changes of address.
  • Ensuring that security is passed before disclosing personal information.

Rights to Access Information – Subject Access Request (SAR)

Consumers, customers, employees and other subjects of personal data held by the Company have the right to access any personal data that is being kept about them. Any person who wishes to exercise this right should make the request in writing to the Company’s Data Protection Officer.

If personal details are inaccurate, they can be amended upon request. The Company aims to comply with requests for access to personal information as quickly as possible.

Retention of Data

Varieteas.co.uk keeps all consumer and customer records. This data is stored securely within a secure and encrypted database, which is also backed up offsite, through a secure third party, periodically throughout the day.

Electronic Communications

Communication with clients via electronic methods must still pass data protection, by confirming at least two pieces of personal information via a registered contact method, e.g. the email address recorded on the client policy.

All electronic documentation is to be accessed by clients via an online portal called to which they will have been supplied a username and password during application or throughout their policy.