This privacy notice has been adopted as part of the Wonderbag UK Ltd’s (“Wonderbag” / “we” / “us”) Personal Information Protection Compliance Framework, in terms of the General Data Protection Regulation (“GDPR”).
During your interactions with us, it may happen that we need to process some information about you which may constitute personal information for purposes of the GDPR, which may include accessing it, storing it, merging it with other information, deleting or destroying it, and possibly sharing it with third parties.
We are required to bring to your attention certain matters relating your personal information, which we set out in this notice document. By interacting with us and providing your personal information to us, you acknowledge that you have read and understood this notice and have agreed to the contents hereof. You furthermore authorize us to take any of the actions described herein insofar as your personal information is concerned.
TERMS USED IN THIS NOTICE
Below is a list explaining some of the commonly used terms in this privacy notice:
The person whose personal information is being processed by or on behalf of Wonderbag.
Data Protection Officer
The person internally tasked with ensuring compliance by the Controller, provided that not all organisations are required to appoint a Data Protection Officer.
Information Commissioner’s Office
The office established in the UK to oversee the implementation of, and compliance with the GDPR and applicable data protection laws.
Any information that pertains to an identifiable individual. This include things like contact information, information about a person’s identity, health, religion, education, employment, biometric data, etc.
The actions taken in respect of Personal Information by the Controller or on their behalf. This includes most forms of interaction with the records containing such information, such as creating new records, transmitting information, storing it, updating it and deleting or destroying it.
Third party service providers who process personal information on behalf of Wonderbag.
The person who decides the reason and means by which personal info will be processed. In the context of this privacy notice, Wonderbag is the Controller.
PROCESSING OF PERSONAL INFORMATION AT WONDERBAG
Information that we process
We process various types of information relating to various Data Subjects, which will differ depending on your relationship with Wonderbag. Please refer to Schedule 1 of this notice for a breakdown of the Personal Information commonly processed by Wonderbag.
How we process it
We process personal information by way of digital and physical means. Certain information is processed only by digital means – especially if it was provided to us only in digital format or using one of our digital platforms. Other information is captured manually by way of standard application forms. These records are kept in physical format and secured physically. Such information may also be captured digitally and stored on our digital infrastructure.
Reasons for processing personal information and consequences of not doing so
The proper functioning of Wonderbag’s business operations requires us to process certain personal information if we engage with you. This could be for any of the following reasons:
· To fulfill orders for manufacturing or sale of Wonderbags.
· To verify carbon emission reduction information for audit and verification purposes in relation to carbon offset projects.
· To provide employment to our employees and to interact with them in the context of the employment relationship.
· To engage with investors, donors and other interested parties.
· To market and sell Wonderbag’s products and projects.
· To procure services and manage relationships with service providers.
If requested Personal Information is not provided to us, we may not be able to properly fulfil the above-mentioned functions, which may result in the relevant interaction being interrupted, or Wonderbag not engaging in such interaction at all, in the sole discretion of Wonderbag. We accept no responsibility for any such interruptions if Personal Information was requested by us but not provided.
Where we may obtain your personal information from
In most cases, we will request your personal information directly from you. However, in some cases we may need to obtain it from third parties. This will be the case if you have authorized us to do so, or where the nature of our interaction with you reasonably requires us to do so. If we process your personal information on behalf of a third party – for example where your spouse has provided us with such information – then we do so on their express authorisation and on the understanding that they have obtained your consent, or that they have the legal authority to provide us with your Personal Information.
We may also be legally required to independently verify some of the information provided to us in terms of applicable anti-terrorism and anti-money laundering legislation, which may include our accessing government or public directories in order to obtain certain personal information about you.
In some cases, especially if you are an organisation, we may need to obtain personal information relating to third parties (such as your office bearers or employees) from you. You hereby warrant that you have the express and informed consent of such third parties to provide us with any such information and indemnify us against any liability to such third parties, or any other party, as a result of a lack of such authorization.
If you are a parent or legal guardian of a minor, you hereby consent to our processing the Personal Information of your child for the reasons set out above. If you are a person whose parents previously consented to our processing of your Personal Information and you have subsequently reached the age of majority, you hereby confirm that your parents’ previous consent remains valid, unless you specifically withdraw your consent.
Where we need to process information classified as “special” personal information for any of the reasons specified above, you hereby consent to our processing of such special personal information.
Sharing of your personal information with third parties
We may need to share your Personal Information with third parties. In general, this is limited to transmitting or storing such information through, or on, electronic communication and storage infrastructure administered by third party service providers, which is subject to reasonable security safeguards. However, depending on the nature of our interaction with you, we may need to share some of your Personal Information with other third parties. For example, in order for carbon credits to be generated from the use of Wonderbags, personal information about the users and their cooking habits need to be shared with carbon consultants, auditors and the relevant carbon credit issuing authority.
Information leaving the country
We may need to transmit your Personal Information to a location outside of the country, where it may be processed by third parties. This may, for example, happen when we are communicating with you while you are not in the country. It may also happen where our backup infrastructure is located in, or administered from another country or where we share personal information with third parties located in another country (mostly relating to carbon credit verification). In such cases, the transmission and processing of such information is subject to the requirement that the third party to which we may transmit your information will either be subject to laws, or a contract with us, or corporate binding rules, which requires them to employ the same reasonable safeguards in respect of your Personal Information that we are required to comply with in terms of the GDPR.
Retention of your personal information
In general, we only retain your personal information for the duration of our interactions with you and for a reasonable period thereafter, in order to facilitate further similar interactions. Please refer to Schedule 2 of this policy for instances where specific retention periods apply.
Information that we retain for marketing or statistical purposes may be retained indefinitely, provided that you have authorised us to use the information for marketing purposes or, in the case of use for statistical purposes, that the information has been anonymized.
The confidentiality and integrity of any Personal Information processed by us is subject to reasonable technical and organisational safeguards to prevent loss, damage, destruction or unauthorised access, having due regard to generally accepted information security practices and procedures. We will notify you, and the relevant authorities, should we suspect that a data breach has occurred.
We are not liable to you, or any other person, for any harm, loss, damage, destruction or unauthorized access that may occur despite our implementation of such reasonable safeguards.
Right to withdraw consent
Where you have given us permission to process your Personal Information, you may withdraw your consent at any time.
Right to erasure
You have the right to request that we delete applicable Personal Information we process about you. We must comply with this request, unless processing is necessary:
· for exercising the right of freedom of expression and information;
· for compliance with a legal obligation which requires processing by UK law;
· for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes as authorised by UK law; or
· for the establishment, exercise or defense of legal claims.
Right to rectification
You have the right to request rectification of incorrect or incomplete Personal Information concerning you. We make reasonable efforts to keep your personal information accurate, complete, current and relevant, based on the most recent information available to us.
Right to restriction
In some circumstances, you may obtain from us restriction of processing of your Personal Information.
Right to portability
You have the right to request that we transmit your Personal Information (that you have provided to us) to another organisation (data portability), if:
· we process your Personal Information by automated means;
· we base the processing of your Personal Information on your consent, or our processing of your Personal Information are necessary for the execution or performance of a contract to which you are a party;
· your Personal Information are provided to us by you; and
· your right to portability does not adversely affect the rights and the freedoms of other persons.
Right to object
You may object to the processing of your Personal Information, when it is based on our legitimate interests or those of a third party. In this event we will no longer process your Personal Information, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing or for the establishment, exercise or defense of legal claims.
Right to access your personal information
We will provide you with a copy of your Personal Information upon request, once we have sufficiently verified your identity.
Right to lodge a complaint
You have the right lodge a complaint with the Information Commissioner’s Office, whose contact details are listed below.
Please direct any enquires relating to your Personal Information to:
- Email: alice -@- wonderbagworld.com
The UK Information Commissioner’s Office contact details
The Information Commissioner’s Office contact details can be found on their website at https://ico.org.uk/
SCHEDULE 1 – TYPES OF PERSONAL INFORMATION PROCESSED BY WONDERBAG
Information type and why we process it:
Identifying and age information, e.g. name, surname, ID number
To identify the data subjects that we interact with or, in some cases, to contact persons related to them (such as next of kin) in the case of an emergency.
Contact information, e.g. telephone numbers, email addresses, etc.
To contact the data subject (or in some cases their next of kin), if necessary;
Behavioral information and information relating to families
To perform carbon verifications;
Information relating to gender, nationality and ethnicity of employees
To report legally required employment statistics;
Financial information relating to our employees, customers or service providers
To provide employment-related benefits or remuneration to our employees; or to screen potential employees; or to invoice customers for products; or to pay service providers;
Criminal history of potential employees
To screen potential employees before hiring them;
Images, video footage and audio clips
To secure our premises; to provide content-rich marketing material of our products and projects;
Location and preferences
To customize marketing content offerings or user experience based on website and app users’ browsing and use preferences.
SCHEDULE 2 – SPECIFIC RETENTION PERIODS IN RESPECT OF CERTAIN INFORMATION
Information type and retention periods:
Information relating to prospective employees
From application date, to the date that a decision is made to hire or not and up to 1 year thereafter. Unsolicited CV’s may be deleted or destroyed immediately upon delivery.
For duration of employment and up to a maximum of 5 years thereafter.
Carbon project participant records
For a period of 9 years.
Service provider information
For the duration of our contract and up to a maximum of 5 years thereafter.
As long as required in terms of relevant tax laws, as advised by our accountants.