Personal information we collect
When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”.
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.
Additionally when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers, email address, and phone number. We refer to this information as “Order Information”.
How do we use your personal information?
We use the Order Information that we collect generally to fulfill any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:
- Communicate with you;
- Screen our orders for potential risk or fraud; and
- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).
Sharing you personal Information
We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Shopify to power our online store--you can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy. We also use Google Analytics to help us understand how our customers use the Site -- you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
- Facebook: https://www.facebook.com/settings/?tab=ads
- Google: https://www.google.com/settings/ads/anonymous
- Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Do not track
Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.
If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.
Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States.
When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e‑mail at email@example.com or by mail using the details provided below:
Chester Boutique, 26 Bridge Street, Chester, CH1 1NQ, United Kingdom
IN STORE CCTV POLICY
Our store operates a CCTV system for the safety and security of all staff and all members of the public who enter the business premises; and the security of its property and premises.
CCTV Policy Document type: Chester Boutique Ltd
Policy Date of issue: October 2021
Latest update: October 2021
Author/Originator: Dawn Robinson, DPO
Review date: October 2022
Status: For internal circulation and website publication
Distribution: All staff, all member of the public on the business premises, website audience
Version history: Created October 2021, V1
1.1. This policy seeks to ensure that the Closed Circuit Television (CCTV) system used at the Chester Boutique Ltd is operated in compliance with the law relating to data protection, i.e. the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It takes into account best practice as set out in codes of practice issued by the Information Commissioner (ICO) and by the Home Office.
1.2. Chester Boutique Ltd seeks to ensure, as far as reasonably practicable, the safety and security of all staff and all members of the public who enter the business premises; and the security of its property and premises. Chester Boutique Ltd therefore deploys CCTV to:
- promote a safe office environment and to monitor the safety and security of its premises
- assist in the prevention, investigation and detection of crime
- assist in the apprehension and prosecution of offenders, including use of images as evidence in criminal proceedings;
- assist in the investigation and breaches of its policies by staff and members of the public, where relevant and appropriate, investigating complaints;
- assist in the investigation of accidents
- assist in the efficient running of the business.
1.3. This policy will be reviewed annually by the Data Protection Officer (DPO) to assure compliance with clauses 1.1 and 1.2 and to determine whether the use of the CCTV remains justified.
1.4. Chester Boutique Ltd has carried out a data protection impact assessment (DPIA) for operating CCTV on the business premises. This can be found at the end of this document.
2.1. This policy applies to the CCTV systems at Chester Boutique, 26 Bridge Street, Chester, CH1 1NQ.
2.2. This policy does not apply to other parts of the building, including the exterior and the main entrance area, or private areas including the fitting rooms, bathroom and kitchen area.
2.3. This policy applies to all Chester Boutique staff and members of the public.
3. Roles and responsibilities
3.1. The DPO is responsible for ensuring that the CCTV system, including camera specifications for new installations, complies with the law and best practice referred to in 1.1 of this policy. S/he is responsible for the safety and security of the equipment and software utilised for the capture, recording and playback of live and historical CCTV images.
3.2. The DPO is responsible for the evaluation of locations where live and historical CCTV images are available for viewing via the appropriate software. The locations and the people authorised to view CCTV images is maintained by the DPO.
3.3. Changes in the use of Chester Boutique’s CCTV system can be implemented only in consultation with Chester Boutique’s Data Protection Officer.
4. System description
4.1. Chester Boutique operates a camera overlooking the counter towards the back of the shop floor, and upstairs overlooking the stock room. They continuously record activities in these areas.
4.2. CCTV cameras are not installed in areas in which individuals would have an expectation of privacy, such as toilets and fitting rooms. Cameras are only located so that they capture images relevant to the purpose the system was set up for. No covert recording is undertaken. No audio is recorded.
4.3. CCTV cameras are installed in such a way that they are not hidden from view. Signs are prominently displayed near the cameras and the entrance to the premises, so that staff, visitors and members of the public are made aware that they are entering an area covered by CCTV. The signs include contact details of the Data Protection Officer, as well as a statement of purposes for the use of CCTV.
5. Operating standards Equipment and access
5.1. The recordings can be accessed by the DPO through the Hik-Connect mobile application.
5.2. Images and videos are password protected and only accessible by the DPO.
Processing of recorded images
5.4. CCTV images are available only to persons authorised to view them (see above) or to persons who otherwise have a right to view them, such as police officers or any other person with statutory powers of entry. If such visitors are given access to view footage, their identity and authorisation must be checked, and a log retained – see 7 below.
5.5. Where authorised persons access or monitor CCTV images on the mobile app, they must ensure that images are not visible to unauthorised persons, for example by locking screens when not in use or when unauthorised persons are present. Screens must always be locked when unattended.
Quality of recorded images
5.6. Images produced by the recording equipment must be as clear as possible, so they are effective for the purpose for which they are intended to be used. The standards to be met (in line with the codes of practice referred to in 1.1) are set out below:
- recording features such as the location of the camera, date and time reference must be accurate and maintained
- consideration must be given to the physical conditions in which the cameras are located, ie additional lighting or infrared equipment may be needed in poorly lit areas, and
- cameras must be properly maintained and serviced to ensure that clear images are recorded, and a log of all maintenance activities kept.
Retention and disposal
5.7. CCTV images are not to be retained for longer than necessary, taking into account the purposes for which they are being processed.
5.8. If there is a legitimate reason for retaining the CCTV images (such as for use in an accident investigation, disciplinary investigation and/or legal proceedings), the footage or still frames can be isolated and saved outside of the application to a separate encrypted zip file. Any saved images or footage will be deleted once they are no longer needed for the purpose for which they were saved.
5.9. All retained CCTV images will be stored securely.
6. Data subjects rights
6.1. Recorded images, if sufficiently clear, are considered to be the personal data of the individuals whose images have been recorded by the CCTV system.
6.2. Data subjects have a right to access to their personal data under the data protection legislation. They also have other rights, in certain circumstances, including the right to have their data erased, rectified, and to restrict processing and object to processing. They can ask to exercise these rights by emailing the DPO at firstname.lastname@example.org.
6.3. On receipt of a request – which needs to include the date and approximate time of the recording – the DPO will communicate the decision to the data subject. This should be done without undue delay and at the latest within one month of receiving the request unless an extension of the period is justified.
6.4. If a request is to view footage, and the footage only contains the individual concerned, then the individual may view the footage. The authorised person accessing the footage must ensure that the footage available for viewing is restricted to the footage containing only the individual concerned.
6.5. If the footage requested contains images of other people, the DPO must consider:
- whether the images of the other people can be distorted so as not to identify them
- seeking consent from the third parties to their images being disclosed to the requester, or
- if these options are not possible, whether it is reasonable in the circumstances to disclose the images to the individual making the request in any case.
6.6. The DPO will keep a record of all disclosures which sets out:
- when the request was made and by whom
- what factors were considered in deciding whether to allow access to any third party images
- whether the requester was permitted to view the footage, or if a copy of the images was provided, and in what format. Requesters are entitled to a copy in permanent form. If a permanent copy is requested, this should be provided unless it is not possible to do so, or it would involve disproportionate effort. (For example, it may be acceptable to allow a requester to view footage which contains third party images, but not to provide a permanent copy.)
7. Third party access
7.1. Third party requests for access will usually only be considered, in line with the data protection legislation, in the following categories:
- from a legal representative of the data subject (letter of authorisation signed by the data subject would be required)
- from law enforcement agencies including the police
- disclosure required by law or made in connection with legal proceedings
- Staff responsible for disciplinary and complaints investigations and related proceedings.
7.2. Where images are sought by other bodies/agencies, including the police, with a statutory right to obtain information, evidence of that statutory authority will be required before CCTV images are disclosed.
7.3. The DPO will consider disclosing recorded images to law enforcement agencies once a form certifying that the images are required for one of the following reasons has been received:
- an investigation concerning national security
- the prevention or detection of crime, or CCTV Policy V1 October 2021
- the apprehension or prosecution of offenders,
and that the investigation would be prejudiced by failure to disclose the information. The DPO will also need to take into account the guidance in BSB’s “Requests for Information from the Police” (Ref: ROD09), as necessary.
7.4. Where third parties are included in images as well as the person who is the focus of the request, the same considerations need to be made as in the case of subject access requests.
7.5. Every disclosure of CCTV images (including where authorised persons are given access to view footage in Chester Boutique) is recorded in the CCTV Operating Log Book and contains:
- the name of the police officer/other relevant person receiving the images
- brief details of the images captured by the CCTV including the date, time and location of the footage/images
- the purpose for which they will be used
- the crime reference number where relevant, and
- date and time the images are handed over to the recipient.
8. Complaints procedure
8.1. Any complaints relating to the CCTV system should be directed in writing to the DPO promptly and in any event within seven days of the date of the incident giving rise to the complaint. A complaint will be responded to within a month of the date of its receipt. Records of all complaints and any followup action will be maintained by the relevant office.
8.2. Complaints in relation to the release of images should be addressed to the DPO. These will be responded to promptly and, in any event, within 30 days of receipt. They will be dealt with in accordance with the provisions of the UK GDPR and the Data Protection Act 2018 (or any successor legislation).
DPO: Mrs Dawn Robinson