Who we are
For the purposes of privacy law*, the data controller is Cheviot Brewery Limited, Slainsfield, Cornhill on Tweed, Northumberland, TD12 4TP. Registered company number: 11068422.
Changes to Our Privacy Notice
We review this notice regularly as part of our internal processes or as our services, activities, or regulatory requirements change. It’s subject to change at any time, but the most up to date version is published on our website: https://cheviotbrewery.co.uk
This notice is dated October 2018.
Your Privacy Rights
We take the protection of your personal data very seriously and respect your privacy in accordance with data protection legislation and best practice. You have rights relating to your personal information. You can find more information about your privacy rights on the Information Commissioner’s Office website http://www.ico.org.uk. You have the right to be informed about how and why we process your personal information and any time you give us personal information you have the right to be informed about why we need it and how we’ll use it.
You can find most of the information you need in this Privacy Notice.
If you have any questions, please contact us through the below contact details.
You have the right to access your personal information
You can request a copy of information we may hold about you at any time.
You may choose to exercise your right of access through any of our contact details, but we’ll ask you to provide documented evidence of your identity before we process your request. We may also contact you to clarify your request or to ensure we have all the information we need to fully meet your request.
We aim to respond to your request within 30 calendar days of verifying your identity (or within 3 months for more complex cases) however you’ll receive a full response as soon as we can reasonably provide one. In more complex cases where we cannot provide a full substantive response within that time frame, we’ll write to you within 30 calendar days to explain why an extension is needed.
We don’t charge for subject access requests.
You have the right to ask us to correct inaccurate personal information
If you believe information we hold about you to be inaccurate or incomplete, you can ask us to correct it or complete it at any time, through any of our contact channels. Wherever possible, we’ll correct inaccurate or incomplete information immediately. Whilst we investigate the accuracy of the information, we’ll restrict the processing of the information in question.
We’ll let you know the outcome of our investigation as soon as we can. Any information we verify as inaccurate will be corrected within one month of receiving your request.
You have the right to ask us to delete your personal information
In some circumstances you have the right to ask us to delete information we hold about you. For example, if we have asked for your consent to process the information, and you withdraw that consent.
We’ll respond to your request as soon as we can, and we’ll act on any requests granted within one month of your request.
We can’t delete any information where we have a legal or regulatory obligation to keep it. For example, this applies to all outstanding debts and some HMRC information that we are required to keep by law. We may also refuse your request if we believe it to be excessive. If your request for deletion is refused, we’ll explain the reasons for refusal.
You have the right to ask us to restrict the use of your personal information
In some instances, you have the right to ask us to restrict the use of your personal information (for example, if you’ve challenged the accuracy of the information we hold or have objected to our processing). We’ll restrict our use of your information whilst we investigate your objection or request to correct your information.
We’ll respond to your request as soon as we can. If your objection is unsuccessful, we’ll only continue processing once we’ve let you know the outcome of the investigation.
Information related to these requests will not be automatically deleted unless you expressly ask us to.
You have the right to data portability
If we process your personal information with your consent and our processing is automated, you have the right to move, transfer or copy that data to another system for your own purposes.
However, we don’t currently have any services that processes information in this way. If we do in future, you can make a request and this data can be exported from our systems for you.
You have the right to ask us not to process your personal information
We process most of the information we collect about you under the lawful basis of ‘legitimate interest’ or by ‘consent’. You have the right to object to our processing of your personal information under these lawful bases or for marketing purposes.
We will respond to your objection as soon as we can, detailing any actions we can reasonably make. If we believe there is an overriding compelling reason to continue the processing, we will explain why we think this is. Where appropriate we’ll action any requests to stop direct marketing as soon as practicable after receiving your request.
You can object to us using your data at any time through any of our contact details above.
Lawful basis for processing
Privacy Law states we must have a lawful basis for processing your information; the legal basis will vary depending on the circumstances of how and why we have your information. Usually we’ll do this in the following instances:
- our business activities within our legitimate interests. Our “legitimate interests” include our legitimate business purposes and commercial interests in operating our business as Cheviot Brewery Limited in a customer-focused, efficient and sustainable manner, in accordance with all applicable legal and regulatory requirements;
- you’ve given consent for us to process the information e.g. if in relation to certain marketing activities;
- the processing is necessary for compliance with a legal obligation to which we are subject, for example some financial, credit or HMRC regulations;
- to fulfil our contractual obligations to you; or because you have asked us to do something before entering into a contract (e.g. provide a quote).
We do not routinely process any special category information i.e. information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, processing of genetic or biometric data for the purpose of uniquely identifying individuals, health data, or data concerning your sex life or sexual orientation. Where we need to do so we must have a further lawful basis for the processing.
These instances may include:
- you are giving us your explicit consent to do so
- the processing is necessary for the establishment, exercise or defence of legal claims e.g. because you’ve failed to pay your bill
- the processing being necessary for reasons of substantial public interest e.g. where we suspect fraud on the part of a customer
Information we collect from you and what we do with it
To provide our services to you, we need to collect, process and store information about you that may be personal or sensitive in nature. We use your information to administer, support, improve and develop our business generally, to provide statistical information to meet our regulatory requirements and to enforce our legal rights. If we intend to use your information for a different purpose, we’ll do so in ways consistent with Privacy Law or, wherever possible, by notifying you in advance.
We only use your information for the specific purpose(s) for which it has been provided to us or collected.
We collect and process a variety of information from you and about you. In most cases, the information we collect about you is provided by you directly. This is one of the ways we can ensure the information we collect is as accurate and up to date as possible. We’ll usually do this when you first contact us, and we may ask you to confirm your details on subsequent contacts from time to time.
The type of information collected from you and obtained about you will vary depending on your relationship with us, the products or services you are requesting and your chosen method of contacting us. However, in almost all cases we are likely to ask you to provide or to process:
- name, address and date of birth – to verify your identity and help us prevent fraud;
- contact details (including phone number, e-mail address or social media identifiers) – to contact you about your account, update you about the products or services you’ve requested or received from us, or contact you with other information related to our business
- financial information (including method of payment and bank account details) – to bill you for the products or services you receive from us and manage your payment arrangements (we may ask you for documented evidence of the above and will keep digital copies for validation and audit purposes)
- If you contact us by telephone, post or e-mail we may keep a record of the contact
- If you use our website, we’ll keep a record of the contact and we may collect additional information about you to provide a better digital service and website functionality. This may include technical information, including the Internet protocol (IP) address you have used to connect to the Internet, your browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
We may store and use your personal information as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests for the purposes of:
(a) administering your orders and queries;
(b) carrying out anti-fraud and anti-money laundering checks and verifying your identity;
(c) where appropriate assessing financial and insurance risks, including by carrying out credit reference checks and credit scoring assessments, and calculating your payments;
(d) using your payment details to process payments relating to your orders;
(e) handling any complaints;
(f) communicating with you about your orders, including responding to your enquiries;
(g) administering debt recoveries, where you lawfully owe us money under a contract or otherwise;
(h) undertaking market research and statistical analysis, including analysing your use of our website;
(i) fulfilling our obligations owed to a relevant regulator, tax authority, or revenue service.
Information we collect or obtain from others about you
We prefer to collect information directly from you, so we can ensure it’s as up to date and as accurate as possible. However, we occasionally we may also need to collect information about you from other sources to assist us supplying your products or services or to improve our quality of service to you e.g. verifying your address or postcode details from open source information such as the Electoral Register.
Profiling and automated decision making
We do not carry out any profiling and automated decision making using your personal data.
What to expect when you contact us
If you contact us by phone or in writing (including e-mail, social media or via our website) we may record, monitor or keep copies of the contact. We keep this information for several reasons (including fraud prevention and crime recording/investigation) but the main reasons are to:
- assist our response to any account queries you may have;
- ensure we continue to offer you the best possible service;
iii. maintain standards and help train our customer relationship staff;
- demonstrate our compliance with regulatory obligations; and
- keep our records up to date so that we comply with data protection legislation.
Contacting us by telephone
When you contact us by telephone, your telephone number may be added to your account so that we can contact you in future to service your account. We use a telephone number listed on your account to contact you to discuss your account for example reminders to pay unpaid bills.
We may also use a telephone number listed on your account to call or text you regarding the status of the order of your service or product.
Contacting us by post
Where the post relates to an identifiable account, we may store the letter and attachments on that account. Post is stored and processed in a secure area of the building. The retention of hard-copy documents and electronic images of post received complies with our data retention rules.
If you email us, we’ll respond to you using the email address you gave us. We may add your email address to your account and it may be used for future communications.
Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Emails are stored, archived and deleted in line with our information security and data retention policies.
Contacting us via social media
We strongly advise not to post your personal contact or other sensitive information on a public social media site. If you contact us using social media to report an issue, we’ll ask you to private message us to gather suitable information. We may suggest an alternative contact method if we think this is more appropriate.
Making a complaint
If you make a complaint to us, we’ll follow our complaints process. We may need to share details about your complaint internally to fully investigate.
If the complaint relates to a service provided by a third party, we’ll share information with them to try resolve your complaint. If a complainant doesn’t want information identifying him or her to be disclosed, we’ll try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We’ll only use the personal information we collect to process the complaint and to check on the level of service we provide. We may occasionally compile and publish statistics internally, for example information like the number of complaints we receive, but not in a form which identifies any individuals.
We’ll keep complaints in line with our data retention policy. This means that information relating to a complaint will be retained for two years from closure.
Visiting our website or using our mobile application
Cookies are small pieces of data, stored in text files, that are stored on your computer or other device when websites are loaded in a browser. They are widely used to ‘remember’ you and your preferences, either for a single visit (through a ‘session cookie’) or for multiple repeat visits (using a ‘persistent cookie’). They ensure a consistent and efficient experience for visitors, and perform essential functions such as allowing users to register and remain logged in. Cookies may be set by the site that you are visiting (known as ‘first party cookies’), or by third parties, such as those who serve content or provide advertising or analytics services on the website (‘third party cookies’).
Certain cookies are only set for logged in visitors, whereas others are set for any visitors, and these are marked below accordingly. Where a cookie only applies to specific subdomains, they are included under the relevant header.
Strictly Necessary: These are the cookies that are essential for Cheviot Brewery website to perform basic functions. These include those required to allow registered users to authenticate and perform account related functions.
Functionality: These cookies are used to store preferences set by users such as account name, language, and location.
Third Party/Embedded Content: We may make use of different third party applications and services to enhance the experience of website visitors. These include social media platforms such as Facebook and Twitter (through the use of sharing buttons), or embedded content from YouTube and Vimeo. As a result, cookies may be set by these third parties, and used by them to track your online activity. We have no direct control over the information that is collected by these cookies.
Using your information to provide our services
Most of the information we collect from you or about you is to help us manage your account with us and to make account management decisions according to your needs or the products and services we provide you. We’ll use this information to bill you for the products or services or to update you on your order.
Falling into arrears or failure to pay your bill
If you fail to pay your bill in full, or fall into arrears, the information that we hold about you may be used to recover arrears in line with our business requirements. In doing so, we may use third party debt collection / management companies and credit reference agencies to assist us. This will involve sharing your information with them.
Information we share with others
We do not routinely share your information with any other organisations except where detailed in this privacy notice. However, there are circumstances where we need to share some of your information to meet our legal obligations or where we are permitted to under Privacy or other legislation.
If we are contacted by HMRC, the Department for Work and Pensions (DWP) the police, fraud or similar agencies we are obliged to share this data with them without your consent and you will not be notified that this has been done. This is in the support of the prevention and detection of crime.
How long we’ll keep your information
We only keep your information for as long as we need it. We’ll retain certain information (e.g. contact information and bank details) for as long as you have a relationship with us. The length of time depends on the purpose of the processing. Generally, we keep:
- customer account details; billing, correspondence, products supplied, order histories etc. for up to six years after our last contact with you;
- All HMRC business records must be retained for a period of (broadly) six years;
iii. enquiries about our services for up to one year;
- data subject requests and enquiries about your privacy rights (e.g. subject access requests and objections) for up to two years;
- social media posts (in third party systems) for up to six months, unless related to a complaint;
- information relating to a complaint will be retained for two years from closure;
After which time your personal information will be either deleted or anonymised.
These retention periods may be extended in certain limited cases as prescribed or permitted by law – e.g. because of an accident or to bring or defend a legal claim.
* Privacy Law means the General Data Protection Regulation, the Data Protection Act 2018, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes of practice issued by the UK Information Commissioner or such other relevant data protection authority.