Awareness

I am a sole trader, so there is no one else in an organisation to make aware.

​

The information I hold:

• Email addresses of people who have emailed me and to whom I have replied – automatically saved in gmail.

• Email addresses, names and self-identified descriptors (eg “parent”, “shop owner”) of people who have signed up to our mailing list via the opt-in link on my website– held in Mailchimp

• Email addresses, postal addresses (for physical items) and names of people who have obtained something from this website. Orders are saved by default in the background of the website, which is securely password-protected.

I do not share this information with anyone. Ever.

If someone randomly asks for another person’s email address, unless both are known closely to me, I always check with the other person first.

 

Communicating privacy information

I am taking the following steps:

1. I have put this document on this website.

2. I have added a link to the newsletter sign-up boxes.

 

Individuals’ rights

On request, I will delete data.

If someone asked to see their data, I would take a screenshot of their entry/entries.

If they unsubscribe themselves from the Mailchimp list, their data is automatically deleted.

 

Subject access requests

I aim to respond to all requests within 24 hours.

 

Lawful basis for processing data

• If people have emailed me, they have given us their email address. I do not actively add it to a list but gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives explicit and detailed permission.

• If people have opted into the newsletter Mailchimp list, they have actively opted in, in the knowledge that their details will be held for the sole purpose of receiving updates about my activities and products until such time they choose to unsubscribe.

• If people have won or obtained something from this website, I do not use their data for anything other than contacting them to arrange delivery, request permission to display their entry (e.g. a drawing or photo) or about a problem with the order. I will delete any email and postal addresses after one year.
   

Consent 
I regard this information as consent for a year, or until the person asks us to remove the data. I have never harvested email addresses, nor would I. Anyone on my lists has contacted me in the first instance.

Consent is not indefinite, so I will make sure that I remind subscribers that they can unsubscribe or ask for their data to be removed.

 

Children

Young people may sometimes email me but I wouldn’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but gmail and iCloud would save it in my accounts.) Since I am not ‘processing’ their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.

 

Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computers, Mailchimp, Google and iCloud accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.

 

Data Protection by Design and Data Protection Impact Assessments

I have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.

 

Data Protection Officers

I have appointed myself as the Data protection Officer.

 

International

My lead data protection supervisory authority is the UK’s ICO.