Issue Date:    13 January 2020

 

• BACKGROUND

1. 1. 1. This Privacy Notice tells you how the companies from time to time within the QFM Group (“QFM”, “we” or “us”) process personal data other than personal data relating to employees and job applicants and your data protection rights. It, therefore, applies to third parties such as customers, members of the public and contractors. It is important for you to know how we collect, store and use the personal information that you give to us. More information about your rights, and how to exercise them, is set out in the Your Choices and Rights section.
      2. We also may provide you with additional information when we collect personal data, where we feel it would be helpful to provide relevant and timely information.
      3. This Privacy Notice does not apply to QFM employees or job applicants.
      4. We hope that in this Policy you will find answers to any questions that you might have regarding your personal data and how we deal with it. If you have any other questions about our Privacy Policy or the use of your personal information, please contact our Data Compliance Officer at Princess Works, 10 Brightside Lane, Atlas, Sheffield S9 3YE or at DCO@qfm-group.com
      5. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

• WHAT PERSONAL DATA WE COLLECT

1. 1. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
   2. We process the following types of personal data:

• • • Identity Data includes first name, maiden name, last name, username, marital status, title, date of birth and gender.
    • Contact Data includes billing address, delivery address, email address and telephone numbers.
    • Financial Data includes bank account and payment card details.
    • Transaction Data includes details about payments to and from you and other details of products and services we have purchased from you.
    • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
    • Usage Data includes information about how you use our website, products and services.
    • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
• We will never ask you to provide us with any sensitive personal data (e.g. information relating to your physical or mental health, race or ethnicity, sexual orientation, political opinions, religious or philosophical beliefs and/or criminal allegations or convictions).
• We do not use automated processing to process your personal data.
• If you fail to provide personal data where it is required by law, or under the terms of the contract we have with you, we may not be able to perform the contract with you.

• WHY WE COLLECT, USE AND STORE THIS PERSONAL DATA

We collect, use and store your personal data for the reasons set out below.

1. 1. 1. Where necessary to comply with a legal obligation.
      2. Where necessary to perform a contract with you.
      3. Where necessary for QFM’s legitimate interests and where our interests are not overridden by your data protection rights.

3.4     The table below sets out a description of the ways we plan to use your personal data, and which of the legal bases we rely                   on to do so.

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
Fulfilment of a contract or in anticipation of a contract	Contact Identity Financial Transaction	Performance of a contract with you
Payment of invoices, tax etc.	Financial Contact Identity Transaction	Performance of a contract with you
Legal claims, compliance and regulatory requirements	Identity Contact Profile Marketing and Communications	Legitimate interest (business interests and legal rights) Legal obligation Performance of a contract with you
Maintaining security	Identity Contact Technical	Legitimate interest (protecting business interests) (protecting the health, safety and security of staff, facilities and customers) Legal obligation
Managing our relationship with you	Identity Contact Financial Transaction	Performance of a contract with you Legal obligation Legitimate interest (to correspond with you and keep records up to date)
Marketing	Identity Contact Usage Marketing and CommunicationData	Legitimate interests (to study how customers use our products and to develop our business)

 

These are just examples and this list may be updated from time to time as business needs and legal requirements dictate. We will update this policy if we decide or need to use your personal information in a considerably different way to those set out above.

• HOW WE SHARE YOUR PERSONAL DATA

1. 1. • We may share your information with carefully chosen third parties. These may include:
        1. other QFM companies
        2. QFM franchisors
        3. companies providing services under contract to QFM, such as service providers, legal advisers and insurance companies
        4. government authorities and/or law enforcement officials if required by law or if required for the protection of our legitimate interests in compliance with applicable laws
        5. in the event that any part of QFM is sold or integrated with another business (in part or whole), personal data may be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business / business unit
      • In all cases, we will take appropriate steps to put in place safeguards to protect your personal information. We will only provide these third-party companies with the information that they need to carry out the services that we have asked them to – they are not allowed to use your information for their own purposes. We will never pass on your details to third parties for them to send you unwanted marketing, unless you have positively agreed to receive this marketing.

• CCTV

1. 1. 1. To protect our facilities, assets and personnel, and to deter, detect, record and investigate any type of incident, including theft or vandalism, accidents and emergency situations and to promote the efficiency of the business, QFM has installed CCTV cameras throughout its premises. We recognise the need to balance these purposes with an individual’s right to privacy and, as a general principle, we will not employ CCTV equipment in private areas, such as toilets nor will we only capture images of public streets and buildings where permitted by law.
      2. QFM takes the privacy of its customers and employees seriously. This Policy has been created to set out the accepted use and management of CCTV systems and images. It aims to ensure that QFM complies with all relevant privacy and data protection legislation.
      3. Only authorised personnel have permission to operate the CCTV systems and view the images. We anticipate that other access will generally only be by the police and other regulatory bodies, insurance companies and our legal advisers. In limited circumstances, the images may also be disclosed to third parties such as solicitors acting for third parties but only where it is necessary and proportionate to do so.
      4. We will take reasonable and practicable steps to ensure that the CCTV systems and images are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
      5. QFM has also contracted with external suppliers for the installation of automatic number plate recognition cameras at various locations for the purposes of the efficient management of car parking and to deter unauthorised parking.  These cameras record only vehicle number plates and are not normally made available to QFM.  We ensure that any third-party data processors are compliant with all relevant data protection legislation.

• DATA RETENTION

As a general rule we will not keep CCTV footage and images for longer than 35 days from the date of recording. At the end of this period the footage and images will be permanently overwritten.

• • Where there is legitimate cause, CCTV footage and images relating to a specific incident or series of incidents may be copied and retained for so long as reasonably required for compliance with a legitimate purpose.
  • Where an extended retention is no longer justified, all affected footage and images will be permanently erased and/or securely destroyed.

 

• YOUR RIGHTS

1. 1. • These rights apply equally to CCTV footage and images.
      • You have the right:
        1. to ask QFM for a copy of your personal data in a structured, machine readable format
        2. to correct, delete or restrict processing of your personal data
        3. to object to the processing of your personal data in some circumstances
      • These rights may be limited, for example, if fulfilling your request would reveal personal data about another person or if you ask us to delete information which we are required by law or compelling legitimate interests to keep. Complaints must be addressed to our Data Compliance Officer. If you have unresolved concerns, you have the right to complain to the Information Commissioner’s Office. Further details are available on their website https://ico.org.uk/about-the-ico/.

• UPDATES TO THIS POLICY

This Policy may be updated periodically. We will update the date at the head of the first page accordingly and encourage you to check for changes that we have made, which will be made available to you. On some occasions, we may also actively advise you of specific data handling activities or significant changes to this Notice, as required by applicable law.

 

• INTERNATIONAL TRANSFERS 

Your personal data may be processed in or accessed from jurisdictions outside the European Economic Area and/or the United Kingdom by us and by some of the third parties to whom we share your personal data. We currently rely on the EU-U.S. Privacy Shield Framework to transfer your personal data to Yum! Brands, Inc. and other parties we contract with in the United States. When we transfer your data to organisations outside the QFM Group we use approved standard contractual clauses to safeguard the transfer. Where we transfer personal data to a third party that has implemented Binding Corporate Rules (internal rules for data transfers within multinational companies), we may rely on them to safeguard the transfer. For further information, including to obtain a copy of the documents used to protect your information, please contact us in writing at the address set out in clause 1.4 of this Policy.