Last Updated: 1st November 2021
1. Who we are?
The Sustainable Food Trust (“SFT”) are a limited company registered in England and Wales under registration number 7577102 with a registered office at 38 Richmond Street, Totterdown, Bristol, BS3 4TQ. The Sustainable Food Trust are the ‘Data Controller’ of any personal information we collect about you.
The Sustainable Food Trust is a charity (registration number 1148645) and what we do can be found here.
SFT must process personal data (this may at times also include sensitive personal data) so that it can provide our services, in doing so, the Sustainable Food Trust acts as a data controller.
The Sustainable Food Trust will process your personal information in accordance with all applicable laws, including the UK and EU General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA 2018).
2. What is Personal Data?
The term “Personal Data” means any information relating to you that identifies you, or through which you can be identified, directly or indirectly. In particular, by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
3. The purpose of this Privacy Notice
The purpose of this Privacy Notice is to let you know how we process your Personal Data when you visit our website or share information with us as a participant in one of our projects. This Privacy Notice therefore explains what Personal Data we collect from you and how we collect, use, store and disclose it when you use our website. This Privacy Notice also contains information about your rights under applicable data protection legislation.
We are committed to compliance with data protection laws. We believe that ensuring data protection compliance is the foundation of trustworthy business relationships.
It is important that you read this Privacy Notice together with any other Privacy Notice we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.
4. How do we use your personal data?
We collect your Personal Data for the purpose of providing you with The Sustainable Food Trust’s Services: This data includes (but is not limited to)
Identity Data includes first name, last name, username or similar identifier, and date of birth.
Contact Data includes email address and telephone numbers, and mailing address.
Technical Data includes internet protocol (IP) address, unique Cookie ID, Device ID, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Service.
Usage Data includes information about how you use our site.
We collect no Sensitive personal data from external data subjects, also referred to as Special Category Personal Data, which is defined as data that needs more protection due to its sensitive nature.
We will only use your Personal Data for the purpose we collected it and in accordance with the law. We will not use your Personal Data for any other purpose without your prior consent. The only exception to this is if it is required or permitted by law, such as where it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the enforcement of civil law matters.
5. We may share your personal data as follows:
We may share your personal data with third parties where you have provided your consent for us to do so.
We may share your personal data with our third-party service providers who provide services such as payment processing, information technology, data analytics and related infrastructure provision.
These third parties are:
- 123 reg (who provide our email hosting service)
- Fastnet (who provide our web hosting service)
- Mailchimp (where our subscriber lists, and email templates are stored)
- Marketcircle Inc. trading as Daylite (CRM system we use for storing business contacts and tracking the history of our relationships)
- Paypal (for receiving individual donations)
- Quickbooks (where all our financial activity and processing takes place).
They are only permitted to use your personal data to the extent necessary to enable them to provide their services to us and are required to follow our express instructions and to comply with appropriate security measures to protect your personal data.
When we are required to share your data with third parties on the basis that we are jointly undertaking the provision of a service to you.
If and when we sell or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
We may share personal data as we believe necessary or appropriate to comply with applicable laws; to comply with lawful requests and legal process, including to respond to requests from public and government authorities to meet national security or law enforcement requirements; to enforce our Policy; and to protect our rights, privacy, safety or property, and/or that of you or others.
6. How do we collect your Personal Data?
We will collect your Personal Data directly from you in the following ways detailed below.
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- Where we need to perform the contract we are about to enter into or have entered into with you. Such as the provision of services or applying for a job.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes using your details to send you a monthly newsletter about our work and farming issues or you are contracting for the provisions of good and services.
- Where we need to comply with a legal or regulatory obligation. Such as our obligations to collect personal data in relation to HMRC in employment circumstances.
- Where you have provided your consent to such use. An example of this would be where you join the Global Farm Metrics project.
On our website
If you do not consent to your data being processed in this way, we may be unable to provide the information requested. Users have the right to update their details and change their permissions at any point and the SFT wants this to be as easy as possible.
To do this please follow the link at the end of the newsletter which says ‘Update subscription preferences’. If you wish to unsubscribe from a mailing list or newsletter you can click the unsubscribe button at the bottom of the email.
Information you give us
This includes personal data:
- You provide when you register to receive emails, through our Site.
- You provide when you correspond with us by phone, email or otherwise.
- You provide when signing up to an event, such as your name, contact details, and organisation;
- Any data that may be contained in a video, photograph, comment, a job, or volunteering opportunity, news article, or other content or submission you post to our website, send via email or social media; and
- Any data that may be contained in a video, photograph, or other media, taken by an SFT member of staff, for example at one of our events (this will only ever be shared with your consent).
Information from social networking sites
Our Site includes interfaces that allow you to connect with social networking sites (“SNS”).
We post content on Twitter, LinkedIn, YouTube, Instagram, Facebook and Vimeo, and advise you check their privacy policies (which can be found using the above links). If you connect to an SNS through our Site or other Services, you authorise us to access, use and store the information that you agreed the SNS could provide to us based on your settings on that SNS. We will access, use and store that information in accordance with this Policy. You can revoke our access to the information you provide in this way at any time by amending the appropriate settings from within your account settings on the applicable SNS.
We monitor our SNS activity through the SNS, for example Facebook Insights and Twitter Analytics. By interacting with us on the SNS listed above you are agreeing to your social media account details being logged by these programs. They allow us to monitor individuals interacting with us and we use this information to improve our services.
Information we get from others
Information automatically collected
Using Google Analytics, some information is automatically logged when you access our site. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, pages you viewed on our site, how long you spent on a page, access times and information about your use of and actions on our Site. No personal data – which could identify you from another person – is stored via this method.
7. Our Legal Bases for processing your Personal Data
The UK and EU GDPR, (Our Global standard of compliance) requires that a Controller must have a legal basis for processing Personal Data.
(a) Your consent. We will obtain you consent by completing a consent form and you are able to withdraw your consent at any time. You can do this by contacting firstname.lastname@example.org
(b) We have a contractual obligation.
(c) We have a legal obligation.
(d) We have a vital interest.
(e) We need it to perform a public task.
(f) We have a legitimate interest.
With your consent we may contact you via email and/or phone to promote or inform you about our services. If you have provided consent, we may also contact you to promote services provided by third parties. Where we are legally required to obtain your consent to provide you with marketing materials, we will only provide you with such marketing materials if you have provided consent for us to do so.
Where we contact you for direct marketing purposes, we will comply with the requirements set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
To start or stop receiving marketing information from us, simply contact us by email: email@example.com
9. How long we will keep your Personal Data
We will only keep your Personal Data for as long as is necessary to fulfil the purposes we collected it for, which may include satisfying any legal, accounting, or reporting requirements. The retention period depends on the type of Personal Data and the reason we are processing it. Further details of retention periods are set out in the Schedule of Processing which can be found at the end of this document.
When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using these criteria, we regularly review the Personal Data which we hold and the purposes for which it is held and processed.
When we determine that Personal Data can no longer be retained (or where we must comply you request us to delete your data in accordance with your right to do so) we ensure that this data is securely deleted or destroyed.
10. Security of your Personal Data
In order to protect your Personal Data, we put in place appropriate organisational and technical security measures. These measures include ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.
In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any applicable authority of such a breach.
Although we use appropriate security measures once we have received your Personal Data, you will appreciate that the transmission of data over the internet (including by email) is never completely secure. We endeavour to protect Personal Data, but we cannot guarantee the security of data transmitted to or by us.
11. Location of your data
Information is stored on our secure servers in the UK and we have implemented the appropriate measures to protect it from improper access, destruction, tampering and loss. Data held by the SFT is accessible to all our staff members and contractors so that we can provide thorough and personalised support. The SFT has an internal data protection policy which requires staff and contractors to not share information (other than on the third-party sites listed above) unless required to do so by law.
12. Your Rights
You have rights under the data protection legislation and, subject to certain legal exemptions, we must comply when you inform us that you wish to exercise these rights. There is no charge, unless your requests are manifestly unfounded or excessive. In such circumstances, we may make a reasonable charge or decline to act on your request. Before we action your request, we may ask you for proof of your identity. Once in receipt of this, we will process the request without undue delay and within one calendar month. In order to exercise your rights please contact the Data Protection Manager at firstname.lastname@example.org.
You can contact us if you wish to complain about how we collect, store and use your Personal Data. It is our goal to provide the best possible remedy with regard to your complaints.
However, if you are not satisfied with our answer, you can also contact the relevant competent supervisory authority. In the UK, the relevant supervisory authority is the ICO, contact details of which can be found below.
Your rights in connection with personal information are set out below:
Subject Access Request – You have a right to receive a copy of all the Personal Data we hold about you.
Rectification – If any of the Personal Data we hold about you is incomplete or inaccurate, you have a right to have it corrected.
Erasure – This is also known as the “right to be forgotten”. You have a right to ask us to delete your Personal Data where there is no good reason for us continuing to process it. However, certain criteria apply and if we have a legitimate reason to continue processing your personal data, we will not be legally required to delete it.
Objection – You have a right to object where we are relying on legitimate interests as our legal basis for processing your Personal Data but, in certain circumstances we may be able to continue with the processing. For example, if we have compelling legitimate grounds which override your interests, rights and freedoms or your personal information is needed for the establishment, exercise or defence of legal claims. However, you have an absolute right to object to us processing your Personal Data for direct marketing purposes.
Restriction – You have a right to ask us to restrict the processing of your Personal Data in certain circumstances. For example, you may require us to suspend processing information about you whilst checks are made to ensure it is accurate.
Portability – You have the right to ask us to transfer any Personal Data you have provided to us to another party, subject to certain criteria being satisfied. We will provide this Personal Data in a structured, commonly used and machine-readable format.
Right to withdraw consent – If you have given us your consent for the processing of your Personal Data, you can withdraw this at any time. Please note, the withdrawal has no effect on the legality of the data processing carried out in the past on the basis of your consent. To exercise your right to withdraw consent contact us at email@example.com
Right to complain – If you are unhappy with the way in which your personal information has been or is being processed, you have the right to make a complaint about it to the Information Commissioner’s Office (ICO). They can be contacted at:
Information Commissioner’s Office
13. Your obligations
If any of your Personal Data changes whilst you are a user of our services, it is important that you update the information within your account to ensure that the data we hold about you is accurate and up to date.
If you wish to contact us regarding your personal data or any information in this policy, there are a number of ways to get in touch
Sustainable Food Trust
38 Richmond Street
Telephone: +44 (0) 117 987 1467
14. The Data Protection Principles
We will comply with the EU GDPR, UK GDPR and the DPA 2018. Article 5 of the UK and EU GDPR contains the data protection principles, which require that Personal Data shall be:
- Processed lawfully, fairly and in a transparent way.
- Collected for specified, explicit and legitimate purposes and not used in any way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept for no longer than is necessary for the purposes we have told you about.
- Kept securely.
We operate according to the principles of the UK and/or EU GDPR, and PECR, regardless of the location of the data subject.
15. Changes to this Privacy Notice
We reserve the right to update this Privacy Notice from time to time. Updates to this Privacy Notice will be published on our website. To ensure you are aware of when we make changes to this Privacy Notice, we will amend the revision date at the top of this page. Changes apply as soon as they are published on our website. We therefore recommend that you visit this page regularly to find out about any updates that may have been made.
16. Schedule of Processing
|Ref||Purpose of Processing||Type of Personal Data||Who has Access||Legal Basis||Retention Period|
|1||Personal data is collected to facilitate the collection of farm data in order to take part in the pilot scheme.
|Electronic – Name, Address and email address.||SFT employees||Consent||For the duration of the data collection process and whilst consent remains.|
17. Version Control
|Version No.||Author||Effective Date||Status/Comments|
|V1.0||Nigel Gooding||02.09.2021||First Draft|
|V2.0||Charlotte Bolt||02.09.2021||Second Draft|
|V3.0||Nigel Gooding||15.09.21||Third Draft|
|V4.0||Morwenna Lewis||06.10.21||Fourth Draft|
18. Review & Approval
This policy will be reviewed regularly and may be altered from time to time in light of legislative changes or other prevailing circumstances.
|Reviewer||Job Title||Signed Off Date||Status/Comments|
|DPO||Finance and Operations Manager||06.10.2021||Finalisation of version produced by DPAS|
Next Review Date
All policies should be reviewed at least annually or when significant change occurs to the policy subject matter.
The next review date for this policy is January 2022.