Who are we?
Food Alert Limited is a limited company registered in England and Wales whose registered office is Kings Court, Water Lane, Wilmslow, Cheshire, United Kingdom, SK9 5AR. We take our Data Protection obligations very seriously and this notice gives you information about our approach to Data Protection legislation and provides you with information about how we manage personal data.
Food Alert as a Data Controller
Food Alert is committed to protecting your privacy and maintaining the security of any personal information received from you. We strictly adhere to the requirements of the UK General Data Protection Regulations (UK GDPR). For the purposes of this notice Food Alert is the Data Controller unless it has been specifically noted otherwise.
This notice relates to the collection and processing of personal data at Food Alert. In many instances Food Alert is a Data Processor acting on the instruction of our clients via contract. There are also small elements of our services where we also operate as a Data Controller. As a Data Processor we offer broadly the following food safety and health and safety services to our clients: (1) case management systems (such as Alert 65) to enable statutory compliance for clients, (2) on-site support, (3) audit, inspection and risk assessments (4) complaints relating to alleged food poisoning, allergic reaction or contamination.
Processing activities that are covered
This notice applies to the processing of personal data collected by us when you:
Procure our services, such as audit & inspections, risk assessments, sampling & nutritional analysis,
Call our safety advice telephone line,
Require HACCP development and support,
Require our services for complaints relating to food safety,
Visit our website,
Visit our social media pages,
Visit our office,
Receive communications such as emails and phone calls from us,
Register for and/or attend events where we participate or host,
Are an applicant to join Food Alert as an employee,
Are a client where our services are of a data controller,
For sales and marketing,
For the understanding, development, growth, and administration of our business.
The personal data we collect
We collect personal data directly from you in the following instance:
- You express an interest or procure our products and services over the phone, via email, social media, webforms or webinar attendance. The information we may require is contact information, name, phone number, email address, company name, company address, confirmation of security credentials, and financial information to pay for our services.
- If we are providing training sessions we will collect your name, address, phone number, email address, company name and company address and financial information to pay for our services. We may share attendance information with your employer.
- If you call our safety advice telephone line we will require your name, and contact information including your company name and address.
- When you make a purchase, we will require financial information for payment, billing and access to e-learning materials (which may be provided by third parties) and this may include bank details, credit card information, invoice name, address and point of contact.
- If we are delivering services relating to food complaints on behalf of our client, we are acting as a Data Controller when we investigate the incident. We will require information from our client including the company name and contact details. Our client may supply; the customer’s name and address; details relating to the incident including any health information; contact information such as your email address, phone number etc and any other information relevant to the incident. We may contact the customer as part of the investigation.
- If you attend an event where we are participating, you may have given your consent to be contacted by us following the event. This information may include name, phone number, email address, company name and job title.
- If you connect with us through a social media channel, we will know your social media handle and any other information including photos you make available through our interactions and your profile.
- If you use our website we will have details about your usage of our sites through cookies, beacons, and similar technologies. This information may include IP address and information about your visit. This is also the case when you use our case management systems (such as Alert 65), we may collect information about your usage.
- If you complete surveys or enter competitions we may require contact information such as name, phone number, email address, company name and job title.
- If you complete a registration form on our website when downloading content, we will ask for details such as name, email, company name and phone number.
- When you interact with live chat we will need name and email address for the functionality to work.
- If you are an applicant for a role at Food Alert we will require all relevant HR information such as name, address, phone number and email address along with information relating to your career history with the positions you held along with any qualifications and certificates.
- If you visit one of our offices, we have CCTV in certain locations which may capture your image. You may be asked to provide your name, signature, company name.
Please note this list is not exhaustive but gives an indication of the processing activities we undertake.
Personal data we collect from other sources
We will receive personal information from other sources, this includes third parties we purchase data from to help us identify and grow our business which could include a greater degree of personalisation.
We obtain information from other companies within the Citation Group in order to provide a greater level of service or to better understand clients and industries we operate in or where synergies apply to our business and to yours. We also obtain information from Citation Group services to help us comply with data protection laws.
Typically, the personal information we get from third parties includes name, phone number, email address, company name, job title, contact preferences.
Data from your device, usage of our website and applications
When you access our website or use our case management tools (such as Alert 65) we use tools such as cookies, beacons and similar technologies to automatically collect information which may contain personal data from your device and usage of our site and services. Cookies are small text files that ‘remember’ bits of information from your visit to our website using your IP address The nature of what these tools collect differ between website and our case management systems but still fall into similar categories.
Our website may contain links to other organisations websites for your ease and convenience, however, please note we are not responsible for them, how they operate or their security provision. If you have any questions regarding privacy, you should review their privacy notices which will be available on their websites.
This website uses Mouseflow: a website analytics tool that provides session replay, heatmaps, funnels, form analytics, feedback campaigns, and similar features/functionality. Mouseflow may record your clicks, mouse movements, scrolling, form fills (keystrokes) in non-excluded fields, pages visited and content, time on site, browser, operating system, device type (desktop/tablet/phone), screen resolution, visitor type (first time/returning), referrer, anonymized IP address, location (city/country), language, and similar meta data. Mouseflow does not collect any information on pages where it is not installed, nor does it track or collect information outside your web browser.
If you’d like to opt-out, you can do so at https://mouseflow.com/opt-out. If you’d like to obtain a copy of your data, make a correction, or have it erased, please contact us first or, as a secondary option, contact Mouseflow at email@example.com.
For more information on Mouseflow and GDPR, visit https://mouseflow.com/gdpr/
For more information on Mouseflow and CCPA visit https://mouseflow.com/ccpa/
Our website uses social media icons such as Facebook and Twitter logos and other social sharing widgets. By using these features, you will be connecting to and sharing information from your browsing session with these organisations. If you are logged into your social media account, it is also possible that they will connect your activity on our site to your social media account.
This is also the case if you access our social media pages on a social media platform. The respective social media company may add your interaction to any information they may already have about you or your interests.
In all cases, in that transfer of data, the social media provider is a Data Controller in their own right and responsible for what they do with your personal data. If you want to find out more, please access their privacy notices.
Purpose for processing and the legal bases for processing we rely on
We collect and process personal data for the following purposes and with the appropriate legal basis:
- Where we are dealing with enquires, this data would be processed as a legitimate interest in being able to effectively follow up on your enquiry. We also process data in accordance with contractual obligations, such as client communications.
- Where we manage our clients and suppliers this is in accordance with our performance of our contract. This is also the case when it comes to good administration of matters relating to your contract with Food Alert.
- Where we provide our food safety and health and safety services, such as where we are investigating an allegation or accident, we will do so under the performance of a contract with our client, and also in accordance with our legitimate interest. However, we will seek full permission from the affected individual to proceed with the investigation. Our purpose for processing is to investigate the allegation and provide an outcome to our client and the individual.
- In limited circumstances where we process children’s data relating to complaints, allegations or accidents, we will generally discuss this with the parent or guardian unless the young person has capacity to understand the process.
- Where our website is concerned, we are processing your personal data with your consent if it is required and for other elements of our website, we are processing based on the legitimate interest to operate and administer the site. Where site security is concerned and the activities through our cookies that enable a secure site, this is administered as a legitimate interest.
- To download some content from our site you are required to complete a form, this is done with your consent. We may also get in touch with you either by email and/or phone as a result of the download again with your consent.
- The recording of phone calls by default on all calls is done as a legitimate interest in protecting both your interests and that of ours. Call recording is used for security, monitoring and training purposes.
- Managing event registration, administration of an event or providing training is done as a legitimate interest in ensuring efficient administration. We also rely on legitimate interests for processing client contact data for service surveys – if you choose to complete a survey this is done on the basis of consent.
- Managing your payments relating to the service we provide. This also includes the entirety of the payment process in line with the terms and conditions of our service. We may also from time to time have to escalate this process to a third-party debt collection service. This disclosure of such data would be as a legitimate interest and further processed as part of the contractual terms.
- The identification of opportunities both with prospects and opportunities within our existing client base is done in the furthering the legitimate interests of the business. Any sharing of data internally within Citation Group companies is also a legitimate interest when it is done for similar purposes. This data may also be used to improve user experience and our understanding of both the client journey and appropriateness of products and services at different points of client lifecycle either within Food Alert or across the Citation group.
- Personal advertising on our website is done with the consent of you when you select cookie settings on the cookie consent management tool. Where advertising of our products and service offline is done in the pursuit of our legitimate interest and done so with prior consent that you have provided.
- Registering your information as a visitor to our office is as a legitimate interest to protect our building, business and colleagues.
- If you provided a testimonial of our service, you will be doing so of your own free will and therefore your consent.
- Where you have applied as a candidate for a role at Food Alert we will process your information in part as a legitimate interest, in part with your consent and in part as a legal obligation. We may also use recruitment companies from time to time, where data is shared with these organisations we will both be Data Controllers and we will process your information in the same way. Further Data Protection information regarding their activities can be gained from the recruitment agency.
- We may use personal data relating to usage of our case management systems for reporting and analytical purposes, this is a legitimate interest in improvement and further growth of the business.
- We will send sales and marketing communications such as emails or phone calls related to our services and those services of other companies in the Citation Group in accordance with our legitimate interests.
- Where there are legal obligations that we must comply with, such as tax or dealing with local or national government, authorities, agencies and professional advisors we process under statute.
- Where information is required by law, such as the Police, Courts or Local Authorities we will process under the legal obligation or it may be in our legitimate interest to protect our rights and if necessary, to disclose information for the protection of these rights.
- Running, managing and administration of our business are critical to the successful delivery of our service. It includes but is not limited to aspects such as account management (sales, service and financial), IT (support to clients, use of or migration to platforms, running and improving the business and its security), development of our applications, reporting and improvement. The legal bases for these activities will vary but is likely to be for the performance of contract, our legitimate interests or a legal obligation.
Please note this list is not exhaustive but gives an indication of the processing activities undertaken with our legal basis.
Who we share your data with?
We only share your information where we are strictly able to and only in accordance with Data Protection legislation. We may share your personal data in the following circumstances:
- Where we are using contracted service partners for services such as IT, web conferencing, hosting and system administration, email communications, analytics and research, data enrichment, survey providers and customer support. All these purposes and legal basis for processing are done in accordance with the information provided above.
- If you are a client, we may share your details internally within the Citation Group in order to improve the service offering and range of services we provide, for the good administration and control of the business, marketing, reporting and account management purposes. Citation group companies are Data Controllers in their own right. A list of Group Companies can be found here
- Where we are processing sampling and nutritional analysis we will share client information with our UK UKAS accredited laboratories.
- If you registering for events where we are partnering with another organisation or if a third party is running the event on our behalf, we may be required to share your details for the purpose of registration, security and administration of the event. This will be done in accordance with the legal bases noted above.
- If we provide training we may share attendance information with your employer.
- In order to process credit and debit card transactions, the bank or card processing agency may require us to verify your personal details for authorisation. We do not store credit card information which is passed through directly to our payment service provider. Our payment processes are PCI DSS compliant.
- Where you interact with third party social media companies either through our website or directly through your social media profiles your data will be shared by you with them. This is also the case if you do not switch off third party cookies where advertising, targeting and analysis is concerned. These parties are likely to be Data Controllers in their own right.
- To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- To a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, or to other interested third parties (and their agents and advisors) in the case of any reorganisation or other potential transfer of any part of our business, provided that we inform the buyer (or relevant third party) it must use your personal information only for the purposes disclosed in this notice.
- To enforce or apply our Terms of Service or other agreements or to protect Food Alert and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction)
- To any other person with your consent to the disclosure.
Finally we may share anonymised or aggregated data gathered in the normal course of the administration and good running of our business with third parties or service providers to enable greater analysis, improvements, industry or service related trends to be identified and action taken accordingly.
How long do we keep your data for?
We retain your data for as long as necessary to fulfil the purpose for its collection and processing. In some instances, this may be a short period of time, for instance, as an unsuccessful job applicant we may retain your records for only 6 months once the process has concluded. In other instances, and especially where there is a legal obligation to retain your information for a certain period of time, we will do so in order to comply with the legal requirement; this is typically 6 years.
Once your data is no longer required it shall be deleted or if it is technically not possible to delete, we shall ensure sufficient controls are in place to put it beyond future use.
Our data is typically hosted in the UK and other parts of the EEA, there are however some of our contracted technical service providers that process from the USA, Pakistan and India. Where these transfers and any other transfer than may occur in the future are concerned, we ensure that there is a legal basis for the transfer and a lawful transfer mechanism in place prior to any transfers in place.
Any such transfers currently done are done using either a transfer to a country with an adequacy ruling or using European Commission Standard Contractual Terms.
Under Data Protection legislation, you have rights as an individual which you can exercise in relation to the information, we hold about you. These rights include:
- The Right of Subject Access– this is the right to have details of the information we hold about you and access to that data including an explanation of that data.
- The Right to Rectification– this is the right to have inaccurate or incomplete data rectified.
- The Right to Erasure– this is also known as the ‘right to be forgotten’ and means that in certain circumstances you have the right to ask us to delete data we hold on you.
- The Right to Restrict Processing– this is where you can request that we restrict/block processing of your personal data (but still retain it)
- The Right to Data Portability– in certain circumstances this allows the transfer of personal data from one Data Controller to another in a useable format.
- The Right to Object– this right allows you to object to us processing your personal data in certain circumstances.
- The right not be subject to solely automated processing – this gives you the right not to be subject to a decision based solely on automated processing. It is not envisaged Food Alert will undertake such processing.
Any request to exercise the above rights can be submitted to our Data Protection Officer at firstname.lastname@example.org
Security of personal data
We take every reasonable and commercially viable precaution to protect personal and commercial data. These are organisational, technical, and physical measures to protect against unlawful or accidental access, disclosure, loss or alteration.
Whilst we taken a robust stance to security no method of storage and transmission is 100% secure and, in some instances, out of our control. For that reason, you are entirely responsible for password security, controlling access to your devices, access to your environment in our case management system and signing out and closing down web sessions once completed.
Complaints and queries
Food Alert takes our Data Protection obligations very seriously and we endeavour to meet the highest standards when collecting and using personal information. For this reason, we welcome any feedback and take any complaints we receive very seriously. We would also welcome any suggestions for improving our procedures.
If you no longer wish to be contacted by us or withdraw your consent, please unsubscribe from the newsletter or email communications by contacting us at email@example.com .
This privacy notice provides an indication of the processing undertaken by Food Alert and how seriously we take our Data Protection obligations. However, it may not provide an exhaustive detail of all aspects of Food Alert’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below:
Divisional Data Protection Officer
Or you can email us at firstname.lastname@example.org
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law – www.ico.org.uk
It is worth noting that the ICO expects an individual to address any complaints with the organisation before contacting the regulator.
Changes to this privacy notice