Petersham Nurseries Data Protection Policy

What information does the GDPR apply to?

Everyone who works for or with Petersham Nurseries has some responsibility for ensuring data is collected, stored and handled appropriately. The following is a working document, guide and training tool applicable across the entire Petersham Nurseries brand: Petersham Nurseries Ltd, Petersham UK Ltd and Petersham Cellar Ltd. It comprehensively outlines the activities of key departments and how we as a company upheld the privacy, protection and data security of personal details of customers and employees alike in our day to day operations.

General guidelines:

  • Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
  • When access to confidential information is required, employees can request it from their line managers.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Employees should request help from their line manager or the company data protection officer if they are unsure about any aspect of data protection.
  • In the event of a suspected data breach inform a manager immediately. In the cases of severe data breaches, the company has an obligation to notify the ICO without undue delay and by no later than 72 hours; and notify the individual whose personal data is affected by the breach.

Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”.

The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

GDPR requires that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

Why we need your personal data

For administrative purposes, the Company keeps and processes records of its employees’ personal data, including address, date of birth and next of kin. The Company also processes records containing certain “sensitive” data, including information about gender and race, which it uses to monitor and promote its equal opportunities policy, and medical records, which the Company keeps for health and safety reasons as well as for the for the purposes of the administration and management. By signing this Agreement, you agree that the Company may:

  • process your personal data (including “sensitive” data); and
  • disclose and transfer your personal data (including “sensitive” data), to such third parties as are reasonably necessary for the effective running of its business, or to whom the Company is legally required to disclose or transfer it.

We currently share your share your data with the following third parties

  • Fourth Hospitality – our online HR, Payroll, Pension and rota portal
  • FLOW – online training platform
  • WMT- external tronc master
  • NEST – pension provider
  • Vitality Health – private health care provider (where applicable)

Your details will not be given to any other third party, nor signed up to our customer database. All mentioned providers demonstrated compliance and we are satisfied with their processes.