Explaining the legal bases of General Data Protection Regulation
How do we collect your personal data?
Why do we need to collect your personal data?
How will we use your personal data?
Your security. How we protect your personal data
Joint use of your personal data
Protecting your data outside the EEA
What to do if you feel that your data has not been handled correctly
Introduction
We appreciate that reading Privacy Policies isn’t top of your list when it comes to your favourite pastimes, but it is important.
Jack Brock has always operated under its core values of openness, honesty and integrity. As such, we want you to be fully informed about your legal rights, along with how Jack Brock collects, handles, uses and securely stores your personal data.
The EU Data Law changes on 25th May 2018. Jack Brock are committed to ensuring that we comply with the new General Data Protection Regulation (GDPR) and that we continue to safeguard the data of our customers, followers, suppliers and employees.
To help you find the information you are looking for quickly and easily, we have broken our Privacy Policy down into sections.
Who is Jack Brock?
Jack Brock was founded in 2018 by Alexandra Stearn. Alexandra Stearn is the legal owner of two brands: Jack Brock and The Garden Box.
Jack Brock ensures that all distributors, suppliers and third-party agencies are GDPR compliant.
For simplicity, throughout the policy ‘we’ and ‘us’ refer to Jack Brock as a whole.
Explaining the legal bases of General Data Protection Regulation:
Jack Brock will only use personal data in a way that is both fair and lawful.
The new data protection law sets out 6 lawful bases on which a company may collect and process your personal data. These are:
Consent:
You can give your direct consent and positively opt-in to receive communication from Jack Brock.
For example; Marketing permissions: You may sign up to receive a newsletter, direct mail or text messages.
We will never assume that you have given your consent, even if we have had this previously. From 25th May 2018, we must receive express consent for you to remain on our database. We will record the date, time and how consent was given by each individual that has given their consent.
Without direct consent:
This reason applies as part of a contract between two or more parties.
For example; Supplier and employment contracts. This could be a contract in the supply of goods and services or an employment contract.
Where personal details of a ‘Next of Kin’ are provided by an employee as part of the recruitment process, Jack Brock will ask for the employee to confirm that the appropriate permission has been granted by the Next of Kin for Jack Brock to hold their personal data. This will be held securely and protected by password by Human Resources.
Contractual obligations:
There are some circumstances where we would need your personal data to comply with our contractual obligations.
For example; Online orders: If you order a home delivery of our products from our online Jack Brock Store, then we would need to take your address to deliver this to you. To complete your order, we would also need to pass this on to our courier partners to fulfil the delivery. We ensure that all suppliers and couriers are GDPR compliant, under our own obligations.
Vital interest:
In the interest of protecting someone’s physical health, mental well-being or in extreme cases, to save someone’s life, it may be necessary to pass on personal data.
For example; If the emergency services require this information, such as medication, Next of Kin.
Legal compliance:
If the law requires us to, we may need to collect and process your data and pass this on to enforcement agencies if requested to do so.
For example; Law enforcement: We may be asked to pass on details of people involved in criminal activity to the Police.
Government legislation compliance:
It may be necessary to pass on personal data if we receive a valid request from a regulatory or public authority function, such as the HMRC.
Legitimate interest:
Legitimate interest is not focused on a particular purpose but it refers to where there is a minimal impact on the individual, or else a compelling justification for the processing.
For example, we may provide those registered with the Jack Brock loyalty scheme with exclusive offers, only available to them. The data privacy law allows this as a ‘legitimate interest’ in understanding our customers and providing the highest levels of service.
Legitimate Interest may also be used when:
- the processing is not required by law, but is of a clear benefit to Jack Brock or others;
- there’s a limited privacy impact on the individual;
- the individual should reasonably expect you to use their data in that way;
- we cannot give the individual full upfront control or send disruptive consent requests when they are unlikely to object to the processing.
How do we collect your personal data?
Jack Brock gathers personal data in a variety of ways during the operation of the business. These are:
- When you visit the Jack Brock website, and use your account to buy products and services, or redeem vouchers or discount codes provided by Jack Brock or third-party voucher code websites
- When you purchase a Jack Brock product online and check out as a customer, whether you hold an account or check out as a guest
- When you create an account with us
- When you engage with us on social media
- If you join our mailing list by positively opting in to marketing preferences or join a loyalty programme administered by Jack Brock
- If you contact us for any reason, to make an enquiry regarding the business or any of our products, apply for an employment post with Jack Brock, or submit a complaint
- When you enter prize draws or competitions, by any means, including electronically and via social media platforms
- When you comment upon or ‘share’ any of Jack Brock social media posts
- When you review our products online, such as Google Reviews, Facebook Reviews and other review platforms. (Any individual may access personal data related to them, including opinions. If your comment or review includes information about the Partner who provided that service, it may be passed on to them if requested)
- When you submit a customer feedback survey we have sent to you
- When you complete any forms, which are then held by Jack Brock. For example, if a photographic permissions form is required
- When you’ve given a third-party permission to share with us the information they hold about you
- If you make a complaint regarding the business, a member of staff or a Jack Brock product; information will be held where a full internal investigation has taken place. If this also involves a third-party, this information may also be shared with them to ensure the investigation can be completed and enable us to seek an appropriate resolution
- When you visit our offices where we have CCTV systems operating for the security of both employees and visitors. These systems may record your image during your visit.
What data is collected?
When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.
For example, we will collect notes from our conversations with you, details of any complaints or comments you make, details of purchases you made, items viewed or added to your basket, gift list and wish list choices, voucher redemptions, how and when you contact us.
- When you set up an account online with us, we will request mandatory information:
- your name, billing/delivery address, email and telephone number. For your security, we’ll also keep an encrypted record of your login password. We do not hold or store any payment information on our e-commerce website.
- Details will be held on the e-commerce system regarding your order history, receipts along with delivery and tracking information
- We will ask you to verify your email address details by sending an activation email – a confirmation email will be sent once your account is activated
- We may also hold details of your interactions and communications with us through our website, emails, online store, social accounts and messaging apps – this includes any comments, product reviews or testimonials left on the Jack Brock website
- Details of your shopping preferences along with details of your visits to our websites and which site you came from to ours, if applicable
- Information gathered by the use of cookies in your web browser
- Technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered; this is tracked and stored on our secure Google Analytics account
- If you receive an email from us, your engagement will be recorded on the mailing software, MailChimp. This includes open rate and click through rates
If you choose to engage and follow us via our social media channels, your username will be used and will be visible to other users of the Jack Brock pages if you post and we respond to your comments, questions or feedback.
It is assumed that those using social media are over the age of consent (13 years old) and that they abide by the terms and conditions of Facebook, Twitter, Instagram and Pinterest.
Why do we need to collect your personal data?
We want to ensure that we deliver our products to you quickly and efficiently; we want to provide the very best customer service.
As part of our commitment to customer service, we want to keep you informed with the latest Jack Brock news, offers, limited discount codes, and competitions which may interest you. In the case of any loyalty scheme, we would offer those members exclusive and relevant rewards.
How will we use your personal data?
It is essential that we collect your personal information to enable us to process any orders that you make by using our websites. We will keep your details for a reasonable period afterwards in order to fulfil any contractual obligations to you and to provide the very best in customer service in your legitimate interest.
Holding this data is necessary to ensure we meet our legal obligations, such as The Consumer Contracts Regulations 2013 (which replaced the Distance Selling Regulations).
It allows us to respond to customer queries, refund requests, guarantees, returns, replacements and complaints. We may also keep a record of these to document how we communicated with you and also to monitor our own internal procedures.
We use your personal data in order to maintain, update and safeguard your account and to protect our business and your account from fraud and other illegal activities. It allows us to monitor browsing activity and to quickly identify and resolve any problems and protect the integrity of our websites. We action this as part of both our and your legitimate interest.
To protect our premises, assets, customers and partners from crime, we operate CCTV systems in our offices which record images for security. We do this due to our legitimate interests. If criminal activity is detected, this data will then be passed on to the relevant law enforcement authorities.
With your consent, we will use your personal data and personal marketing preferences to keep you informed by post, email, web, social media, text, telephone about relevant products including special offers, discounts, promotions, events, competitions and Jack Brock news. You are free to opt out at any time. (It is assumed that if you follow or like Jack Brock on social platforms, that you opt-in to receive messages from Jack Brock).
We will track digital marketing activity, such as email Open and Click-through rates and website traffic on Google Analytics to gain a better understanding of our communications and how we can improve these for the future for our customers.
To send you communications required by law or which are necessary to inform you about our changes to the services we provide you.
For example, updates to this Privacy Notice, product recall notices, and legally required information relating to your orders.
To administer any of our prize draws or competitions which you enter, based on your consent given at the time of entering.
We may use your data to develop, test and improve our systems, services and products we provide to you. We’ll do this on the basis of our legitimate business interests. For example; We may look at your personal data to enable us to make improvements to our website, providing you with an improved platform.
To comply with our contractual or legal obligations to share data with law enforcement. For example; If information is requested by the courts or Law Enforcement agencies.
To send you survey and feedback requests to improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message.
Your security. How we protect your personal data:
We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
We secure access to all transactional areas of our websites using ‘https’ technology.
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. For example; When you set up an online Jack Brock account, you will be asked to activate your account by verifying your email address.
Access to your personal data is password-protected, and sensitive data (such as payment card information) is not stored by the website in any way – there is no option to store card payment information on our e-commerce websites.
Internal policies are in place to ensure that data is not held in multiple places, such as laptops, flash drives, external hard drives or on Cloud storage.
Our email and database provider, MailChimp, has a ‘double opt-in’ function which adds an additional layer of security and verification. In addition, reCAPTCHA is enabled, which prevents spambots.
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, so the data can still be held for business planning and statistical analysis but the individual can no longer be identified.
For example; In the case of website traffic, Google Analytics will automatically delete data after 24 months. When you place an order, our e-commerce system will keep the personal data you give us for five years so we can comply with our legal and contractual obligations.
Joint use of your personal data:
When you provide express consent to Jack Brock, you may also receive messages regarding our other brands, for example The Garden Box.
Third-party suppliers:
We will only share your personal data with our business partners to comply with our contractual obligations to you or for the business. E.g. We will share your delivery address with our couriers to ensure your products are delivered. We do not share your personal data with other parties for their own purposes, for example, their own marketing.
Sometimes it is necessary for us to share your personal data with trusted third parties. E.g. Delivery couriers or to enable us to handle complaints. When this is essential, we ensure that they also keep your data safe and protect your privacy:
- We ensure that all of our suppliers and business partners also comply with GDPR; we hold a copy of their Privacy Policy as part of their contractual agreement with us
- We provide only the information they need to perform their specific services
- They may only use your data for the exact purposes we specify in our contract with them, for example goods delivery
- We work closely with them to ensure that your privacy is respected and protected at all times
- If/when we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Examples of the kind of third-parties we work with are:
- IT companies who support our website, telephone and other business systems
- Operational companies, for example delivery couriers
- Direct marketing companies who help us manage our electronic communications with you. Our customer database is securely stored with MailChimp, who are fully compliant with GDPR. To find out more about MailChimp’s Privacy Policy and their commitment to GDPR, please visit: https://bit.ly/2kkGyih By signing up to the Jack Brock mailing list, you give consent for your data to be sent to and securely stored by MailChimp on their servers.
- Google Display Network and targeted social advertising platforms such as Facebook and Pinterest to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites
- For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies
- We may, from time to time, expand, reduce or sell the business and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.
Children:
Due to the nature of our business and the brand tone of voice, it is unlikely that we will ever broadcast messages which are not suitable for children. However, safeguarding children is of primary importance to Jack Brock. Parental/guardian permissions will be sought if children under 16 engage with Jack Brock, for example, for a school project. Permission forms will need to be returned prior to the children’s involvement in the project, including allergy information. When any photography is taken, photographic permission forms will need to be returned by those with parental consent.
With regards to social media, the age of consent for Facebook, Twitter, Instagram and Pinterest is 13. Whilst we cannot verify the ages of who follows us through social media, we can ensure that content is appropriate for all ages.
Protecting your data outside the EEA:
Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA), such as the USA where our MailChimp account is held. We have ensured that MailChimp are fully compliant with the EU GDPR legislation.
Your rights under GDPR:
The right to request the personal data held by Jack Brock.
As with previous Data Protection Laws, upon request we will provide you with a copy of all personal data we hold about you. If you would like us to do so, please submit a ‘Subject Access Request’. Under the new GDPR legislation, we will respond in full within one month of the request being received. We will acknowledge the request as soon as it is received. There will no longer be any £10 fee payable to us for this information request.
Where the Subject Access Request is more complex, Jack Brock may request an extension in order to fulfil our obligation fully. If we choose not to action your request we will explain to you the reasons for our refusal and inform the Information Commissioner’s Office of this decision.
To make a Subject Access Request, please do so in writing:
Data Protection Officer. info@jackbrock.co.uk
Your right to withdraw consent
Under GDPR, individuals have the ‘right to be forgotten’. You have the right to withdraw consent at any time, even if you have previously given your express consent.
Electronically: You can do so electronically by clicking ‘unsubscribe’ at the base of any email sent to you by Jack Brock. Alternatively, you can write to the Jack Brock Data Protection Officer via email and request for your data to be deleted from the Jack Brock database.
By email: The Data Protection Officer can be contacted at info@jackbrock.co.uk
Please include ‘For the attention of the Data Protection Officer’ in the subject line.
The personal data of any individual who unsubscribes will be automatically moved to an unsubscribed list. This will then be hard deleted from our mailing system, MailChimp.
If you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.
You also have the right to request:
- The correction of your personal data when incorrect, out of date or incomplete
- Removal of personal data when there is no legitimate overriding interest, or once the purpose for which we hold the data has come to an end (such as the end of a warranty)
- That we stop using your personal data for marketing purposes, either on specific channels or completely
- That we stop any consent-based processing of your personal data after you withdraw that consent
- Review by a Partner of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).
To withdraw consent or make any amends to your personal data, please contact info@jackbrock.co.uk
To stop receiving emails from Jack Brock, you can also click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from Jack Brock and The Garden Box, unless you specify that you would still like to hear from either brand.
Please note: You may continue to receive communications for a short period after changing your preferences while our systems are fully updated.
What to do if you feel that your data has not been handled correctly.
If you are ever unhappy in any way, we would like you to contact us:
Email us:
info@jackbrock.co.uk (Please add Data Protection to the subject line)
What to do if you would like to make a formal complaint:
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113.
Alternatively, visit www.ico.org.uk/concerns
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
Policy updates:
It’s likely that we’ll need to update this Privacy Notice from time to time to ensure we comply with legislation and safeguard our customers and business partners.
We will notify you of any significant changes, but you’re welcome to come back and check the policy whenever you wish.
You can also request a copy of this policy, by contacting our Data Protection Officer, by any of the methods listed above.
Contact us:
If you have any queries about your personal data or our Privacy Policy, please contact our Data Protection Officer who will be happy to help:
Email us:
info@jackbrock.co.uk (Please add Data Protection to the subject line)
Privacy Policy – updated 6 July 2020.