Privacy Policy

 

 

What this Policy covers

 

The Data controller is McCurrach Group Limited (referred to in this policy as “we” or “us”).

 

We are committed to doing the right thing when it comes to how we collect, receive, use and protect your personal data. That’s why we’ve developed this privacy and cookies policy (“Policy”), which:

This Policy applies to you if you use our services (referred to in this Policy as “Services”). Using our Services means disclosing personal information with us either verbally, over the phone, online or otherwise using any of our websites or mobile applications. This Policy also applies if you contact us or we contact you about our Services.

 

Data Disclosure

 

Legal Authorities

We may share personal data with other organisations in the following circumstances:

We will not sell, distribute or lease your personal information to third parties unless we have your permission, or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

 

Other Organisations

 

McCurrach shares personal data with organisations including Service Providers, Government Agencies and Financial Regulators. The disclosure sections below apply where the processing of personal data is necessary and where we have a legal right to do so.

 

McCurrach Group

Some other parts of our business and other McCurrach Group companies may need to collect and use personal data to provide you with their products and services and for certain other purposes. Where this is the case, each part of the business has their own privacy policy that explains how they use your personal data.

 

Service Providers

We work with selected Service Providers that carry out certain functions on our behalf. These include, for example, companies that help us with storing and analysing data, processing payments and delivering orders. We only share personal data that enable our Service Providers to provide their services. When we share personal data with these companies, we require them to keep it safe, and they must not use your personal data for their own marketing purposes.

 

PayPoint

PayPoint is a partner of McCurrach, supporting growth and development of the MyStore+ App. McCurrach will disclose data to PayPoint Network Limited as part of running the App and administration of the services offered by it. To the extent information is provided by you to identify your PayPoint store, site or location, such information is not personal and is specific to PayPoint. It is not transferrable to other services.

 

Fraud Prevention

To protect our customers and us from fraud and theft, we may look at the information that we get from making identity checks and other information in our customer records, including how you conduct your account, and may pass this to other group companies, other retailers and to financial and other organisations (including law enforcement agencies) involved in fraud prevention and detection, to use in the same way.

 

International Transfers

From time to time we may transfer your personal information to our group companies, suppliers or service providers based outside of the EEA for the purposes described in this privacy policy. If we do this your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators (like the US ‘Privacy Shield’ scheme).

 

Policy Change

 

McCurrach Group Ltd may change this policy from time to time by updating this document/webpage. Where the Policy is provided in document format, we may either email you an updated Policy, or post an updated Policy to you, depending on contact preference etc. Should this occur, please review the updated Policy to ensure that you are happy with any changes.

 

Data Processed

The table below contains the details of your personal data that we process.

Ref

Data Processed

Purpose

Category

Legal Right

1

Business Owners Name

 

To enable use of the Application and to more fully understand regional variances on offers

Personal

Legitimate Interest

2

Business address

 

To enable the company to communicate more effectively with the customer base/users of the application

Personal

Legitimate Interest

3

Contact detail e.g. Mobile/Email Address

As Above

Personal

Legitimate Interest

4

Bank account information

To facilitate prompt and secure payments to our customers

Personal

Legitimate Interest

 

Retention of your Personal Data

 

Personal Data that we collect and use for purposes named above shall not be retained for longer than is necessary. We will retain a record of your personal information. This is done to provide you with a high quality and consistent service across our group. We will always retain your personal information in accordance with law and regulation and never retain your information for longer than is necessary.

 

Data Controller

 

Data Controller:            McCurrach Group Ltd

Registration Number:    Z3518106
Address:                      74 Waterloo Street, Glasgow, G2 7DJ

 

Controlling your Personal Information

 

The rights of Data Subjects are outlined in the section below. Should you need to contact our Data Protection Officer to exercise any of these rights, please use either of the following contacts:

 

Email:                    DPO@McCurrach.co.uk

 

Letter:                   Data Protection Officer

                             74 Waterloo Street,

                             Glasgow, G2 7DJ.

 

There are a few circumstances where we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

 

Right to be Informed (applicable to all ‘Legal Rights’)

This Privacy Policy provides awareness to Data Subjects, in relation to what personal data we process and why. The Policy also informs Data Subjects of their Individual Rights and our Complaints Process.

 

Right of Access (applicable to all ‘Legal Rights’)

Under the General Data Protection Regulation 2016 you have the right to access the personal information that we hold about you in many circumstances. This is sometimes called a ‘Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

 

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

 

McCurrach have the right to refuse the request should it be manifestly unfounded or excessive.

 

Before providing personal information to you or another person on your behalf, we will ask for proof of identity and sufficient information about your interactions with us, in order to locate your personal information.

If you would like a copy of the information held on you, please send your request to our DPO using the contact details provided above.

 

Right to Rectification (applicable to all ‘Legal Rights’)

 

If you believe that any information, we are holding on you is incorrect or incomplete, please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’ and either post it to us, or email it to us as soon as possible, at the postal or email address below. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

We will promptly correct any information found to be incorrect. To allow us to deal with your request promptly, please provide information on where you believe the incorrect data is being held, for example an employee file and any details of the data you believe to be incorrect including the data you would like it to be replaced with. Send your request to our DPO using the contact details provided above.

 

Right to Data Portability (applicable to Consent and Contract ‘Legal Rights’ only)

The right to data portability allows Data Subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

 

The right to data portability only applies:

 

McCurrach will, should the request meet the criteria above and be deemed reasonable, provide you with your data free of charge, in a structured and commonly used, machine readable format. Once validated your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the incorrect data is held in an employee or other file system and the date range that you require to the data to be provided for.

 

If you would like to request some, or all your data to be provided in a format as outlined above, please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

Rights Related to Automated Decision Making - including profiling (applicable to all ‘Legal Rights’ apart from Vital Interest)

McCurrach will only process personal data for Automated Decision Making with your explicit consent. Should you wish to challenge any decision made using automated processing or request human intervention, please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the incorrect data is held in an employee or other file. Please also describe the automated decision process and clarify whether you would like to challenge the decision and why, or whether you would like to request human intervention.

 

Right to Restrict Processing (applicable to all ‘Legal Rights’ apart from Vital Interest)

You may choose to restrict the collection or use of your personal information. If you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes.

 

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the data is held in an employee or other file system. Please also describe the processing that you would like to restrict.

 

Right to Erasure (applicable to Consent and Legitimate Interest ‘Legal Rights’ only)

If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time. Once validated your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the data is held in an employee or other file system. Please also describe what data that you would like us to stop processing.

 

Right to Object (applicable to Consent and Legitimate Interest ‘Legal Rights’ only)

If you have previously agreed to us using your personal information, you may change your mind at any time. Once validated your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the data is held in an employee or other file system. Please also describe what data that you would like us to stop processing.

 

Complaints

 

We aim to acknowledge receipt of all complaints within five business days and to resolve all complaints within 30 business days (although this may not be possible in all circumstances and is dependent on the complexity of the issue).

 

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your complaint to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

 

Where we cannot resolve a complaint within 30 business days, we will notify you of the reason for the delay as well as an indication of when we expect to resolve the complaint.

 

You also have the right to lodge a complaint with the UK regulator, the Information Commissioner. Go to ico.org.uk/concerns to find out more.

 

Cookies

 

What is a cookie?

A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone browser from a website's computer and is stored on your device's hard drive. Each website can send its own cookie to your browser if your browser's preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. Many websites do this whenever a user visits their website to track online traffic flows.

During any visit to a website, the pages you see, along with a cookie, are downloaded to your device. Many websites do this, because cookies enable website publishers to do things like find out whether the device has visited the website before. This is done on a repeat visit by checking to see, and finding, the cookie left there on the last visit.

How do McCurrach UK Ltd use cookies?

McCurrach UK Ltd may use an independent measurement and research company to collect information about your visit to the website. They will gather information regarding the visitors to the website on our behalf using cookies. McCurrach UK Ltd uses this type of information to help improve the services it provides to its users. All third parties are strictly required not to use any information for their own business or other purposes.

How do I control and delete cookies?

McCurrach UK Ltd will not use cookies to collect personally identifiable information about you. However, if you wish to restrict or block the cookies, you can do this through your browser settings. The ‘Help’ function within your browser should tell you how.

 

Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.

 

Please be aware that restricting cookies may impact some functionality on some websites.

 

Security

 

The company takes all reasonable steps to ensure that the Personal Data we collect, use or disclose is accurate, complete, up-to-date, relevant and stored securely.

 

We also take all reasonable steps to ensure that the Personal Data we hold is protected from misuse, interference, loss, unauthorised access, modification or disclosure using various methods including access limitation, and industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the contact us process. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to building and files.

 

We are committed to ensuring that your information is secure. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

 

Social Media

 

When using one of our websites or mobile applications, you may be able to share information through social networks like Facebook and Twitter. For example, when you ‘like’, ‘share’ or review our Services. When doing this your personal information may be visible to the providers of those social networks, their other users and/or McCurrach Group Companies. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts, so you are comfortable with how your information is used and shared on them.

 

Data collected from this website is stored and processed within the EEA. Your data will not be transferred out of this region.

 

Websites

 

Website improvement

To help us design our website and improve your experience, we may collect information about the way you use and access our website. Our web system collects information about each visitor, including IP address, the length of time spent on the website and the order in which pages are visited. We may employ third party experts to help us look at this information. However, we make sure that anyone we employ treats all information with the same sensitivity and security that we treat it with. This is explained in more detail in the cookies section above.

 

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

 

Our Websites may contain links to other websites operated by other organisations that have their own privacy policies. Please make sure you read the terms and conditions and privacy policy carefully before providing any personal data on a website as we do not accept any responsibility or liability for websites of other organisations.

 

 

Useful resources

The Information Commissioner’s Office (ICO) is the UK’s independent body to uphold information rights. The ICO’s website has useful information on data privacy and your rights.

 

  

  

 

APPENDIX A – PROOF OF IDENTITY FORM

 

Proof of identity:  

We require proof of your identity before we can disclose personal data. Proof of your identity should include a copy of two documents such as your birth certificate, passport, driving licence, official letter addressed to you at your address e.g. bank statement, recent utilities bill or council tax bill.  The documents should include your name, date of birth and current address. If you have changed your name, please supply relevant documents evidencing the change. 

 

If you are NOT the Data Subject, but an agent appointed on their behalf, you will need to provide evidence of your identity as well as that of the Data Subject and proof of your right to act on their behalf.  

 

Administration fee:  

Fees will be determined following a review of the request and communicated in advance of processing to the Data Subject or Data Requestor.

 

Data Subject & Data Requestor Information

A Data Requestor is a person who is acting on behalf of the Data Subject.

 

Data Subject Information 

Please fill in the details of the Data Subject in the form below.  

 

Proof of Identity Form:

 

Title:    

Surname/ Family Name:        

First Name(s)/Forenames:        

Date of Birth:        

Address:                                        

  

  

    

 

     

 

 

Post Code:  

 

Day Time Telephone Number(s):

 

Main:                         ­­­­­­­­­­­­­­­­­­__________________________________

 

 

Alternative:               __________________________________

 

 

 

Previous Address 1:  

       

    

 

    

  

  

Previous Post Code 1:   

    

 

Previous Address 2:  

 

 

 

 

 

 

Previous Post Code 2:  

 

 

Proof of Identity

Please tick the relevant box below for the type of proof of identity you are providing: 

 

Birth certificate                    

 

Driving Licence           

 

Passport                                

 

An official letter to my home address                  

 

If none of these are available, please contact McCurrach for advice at:    DPO@McCurrach.co.uk

 

Data Subject Declaration:  

  

I certify that the information provided on this form is correct to the best of my knowledge and that I am the person to whom it relates. I understand that McCurrach is obliged to confirm proof of identity/authority and it may be necessary to obtain further information to comply with this subject access request. 

 

Name:        

 

Signature:  

 

Date:

 

 

OR

 

Data Requestor Information 

Please fill in the details of the Data Requestor below.  

 

Relationship to Data Subject (e.g. parent, carer, legal representative):

 

 

Title:

Surname/ Family Name:        

 

First Name(s)/Forenames:        

  

Date of Birth:        

  

Address:                                        

       

  

 

  

 

  

 

Post Code:        

 

Day Time Telephone Number(s)   

 

Main:                         ­­­­­­­­­­­­­­­­­­__________________________________

 

Alternative:               __________________________________

 

 

Proof of Identity

Please tick the relevant box below for the type of proof of identity you are providing: 

 

Birth certificate                    

 

Driving Licence           

 

Passport                                

 

An official letter to my home address                  

 

If none of these are available, please contact McCurrach for advice at:   DPO@McCurrach.co.uk

 

Authorisation

 

I am enclosing the following copy as proof of legal authorisation to act on behalf of the data subject:

 

Letter of Authority                                                         

 

Lasting or Enduring Power of Attorney           

 

Evidence of Parental responsibility                           

 

Other     (provide details:)     ____________________________________________

 

 

Authorised Person Declaration (if applicable):  

  

I confirm that I am legally authorised to act on behalf of the data subject.  I understand that McCurrach is obliged to confirm proof of identity/authority and it may be necessary to obtain further information to comply with this subject access request. 

 

Name:        

 

Signature:  

 

Date:        

Warning:

A person who unlawfully obtains or attempts to obtain data is guilty of a criminal offence and is liable to prosecution.

I wish to: 

 

Receive the information in electronic format                   

(some files may be too large to transmit electronically, and we may have to supply in CD format)

  

Receive the information by post *                       Collect the information in person        

 

View a copy of the information only       Go through the information with a member of staff       

 

* Please be aware that if you wish us to post the information to you, we will take every care to ensure that it is addressed correctly. However, we cannot be held liable if the information is lost in the post or incorrectly delivered, or opened by someone else in your household. Loss or incorrect delivery may cause you embarrassment or harm if the information is 'sensitive'. 

 

Please email this completed form and the required proof of identity to:

 

DPO@McCurrach.co.uk

 

Or

 

Write to our Data Protection Officer:

 

        Data Protection Officer,

74 Waterloo Street,

Glasgow, G2 7DJ.

                 

McCurrach will retain the information provided and only share the information with those it is legally entitled to. The information will only be kept for as long as necessary and in accordance with our retention policy, will be disposed of in a safe and secure manner.