Welcome to the ChangeGroup privacy statement.
ChangeGroup respects your privacy and is committed to protecting your personal data. This privacy statement will inform you about how we take care of your personal data when you visit our website (wherever you connect from), your privacy rights and how the law protects you.
Please also refer to the Glossary to understand the meaning of certain terms used in this privacy statement.
1. IMPORTANT INFORMATION AND WHO WE ARE
2. INFORMATION WE COLLECT ABOUT YOU
3. HOW YOUR PERSONAL DATA IS COLLECTED
4. HOW WE USE YOUR PERSONAL DATA
5. DISCLOSURE OF YOUR PERSONAL DATA
6. INTERNATIONAL TRANSFERS
7. DATA SECURITY
8. DATA RETENTION
9. YOUR LEGAL RIGHTS
1. important information / who we are
Purpose of this privacy statement
The purpose of this privacy statement is to provide you with information about how ChangeGroup collects and processes your personal data when you use the website, including any data you may provide via the website when you purchase a product or service.
This website is not intended for children and we do not knowingly collect any data from children.
It is important that you read this privacy statement and any other privacy or fair processing statements we may provide in particular circumstances when we collect or process personal data about you, so that you are fully aware of how and why we use your data. This privacy statement supplements the other statements and is not intended to replace them.
ChangeGroup is part of a group of companies registered in the geographical regions in which The Change Group International PLC operates. These ChangeGroup group companies are referred to below as "ChangeGroup", "we", "us" or "our".
Within the European Union
In order to comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) as well as applicable data protection laws, ChangeGroup (the "Company") assumes the role of Data Controller, takes responsibility for your personal data and complies with data protection and privacy laws within the European Union.
Outside the European Union
If you are based outside the European Union and have any questions or concerns about our use of your personal data, you can contact your local ChangeGroup Company or The Change Group International PLC whose contact details are set out below.
The Change Group International PLC operates a number of websites to which this Privacy Statement applies and on which this Privacy Statement will be published.
We have appointed a Data Protection Officer who is responsible for dealing with matters relating to this Privacy Statement. If you have any questions about this statement, including requests to exercise your legal rights, please contact the Data Protection Officer using the details below.
Our full contact details are as follows The Change Group International PLC
Full name of legal entity: The Change Group France s.a.s
Name or title of the Data Protection Officer: Tracie Cook - International HR Director
E-mail address: GDPR@changegroup.com
Postal address: ChangeGroup, 353 Oxford Street, London, WIC 2JG
You have the right to lodge a complaint with the appropriate data protection supervisory authority at any time (in the UK this is the Information Commissioner's Office (ICO), in France it is the Commission Informatique et Liberté). However, we would like to have the opportunity 3 to deal with your concerns before you contact the relevant authority, so please contact us first.
Changes to the privacy statement or your personal data
This version was last updated on 09/09/2020. It is important that the personal data we hold about you is accurate and up-to-date. Please keep us informed if your personal data changes during your relationship with us.
This website may contain links to third-party websites, plug-ins and applications. Clicking on these links or allowing these connections may allow third parties to collect or share data about you. We have no control over these third-party sites and are not responsible for the processing of personal data on these third-party sites. When you leave our website, we encourage you to read the privacy statements of each and every website you visit.
Information we collect about you
The notion of personal data, or personal information, covers information relating to an individual from which that person can be identified. It does not include anonymized data.
We may collect, use, store and transfer various types of personal data about you, which we have grouped together as follows:
Identity Data includes first name, last name, user name, marital status and date of birth.
- Contact Data includes billing address, postal delivery address, e-mail address and telephone numbers.
- Financial Data includes payment card details.
- Transaction Data includes details of payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes Internet Protocol (IP) addresses.
- Profile Data includes your user name and password, your purchases or orders and your preferences.
- Usage Data includes information on how you use our website, products and services (cookies).
- Marketing and Communication Data includes your preferences regarding receipt of our marketing offers and offers from our partners, as well as your communication preferences.
We also collect, use and share Aggregate Data, such as statistical or demographic data, for any purpose. Aggregate Data may be derived from your personal data, but is not considered personal data if it does not directly or indirectly allow you to be identified. We may, for example, aggregate your Usage Data in order to calculate the percentage of users accessing a specific function of the website. Nevertheless, if we associate or connect Aggregated Data with your personal data in such a way that it can directly or indirectly identify you, we treat the associated data as personal data which will be used in accordance with this privacy statement.
We do not collect any personal data about you (this includes details of your racial or ethnic origin, your religious or philosophical beliefs, your sex life, your sexual orientation, your political opinions, your potential trade union membership, information about your health as well as genetic and biometric data). We also do not collect any information concerning your criminal convictions or offences.
If you do not provide us with personal data:
If we need to collect personal data under the law for the performance of a contract to which you are a party, or for the performance of pre-contractual measures taken at your request. In this case, we may have to terminate your sales or service contract with us, but we will inform you of this in good time.
3. How is your personal data collected?
We use a variety of methods to collect data from and about you, including through: - Direct interactions. You can send us your Identity, Contact and Financial Data by filling in forms or by communicating with us via our website, by post, by telephone, by e-mail or otherwise. This includes the personal data you provide when : - you request our products or services; - you create an account on our website; - you order a service; - you request that we send you commercial offers; - you take part in a competition, lottery or survey or - you send us your comments. - Automated technologies or interactions. When you interact with our website, we may automatically collect Technical Data about your equipment, actions and browsing history. We collect this personal data using cookies, trackers and similar technologies. We may also receive Technical Data about you if you visit other websites that use our cookies or trackers. Please see our COOKIES POLICY for further details. - Third-party or publicly available sources (indirect collection). We may receive personal data about you from various third parties as set out below: - Technical Data from our partners who operate services such as VAT refunds and search engines. - Contact Data, Financial Data and Transaction Data from suppliers of technical services, payment services and delivery services. - Identity and Contact Data from data brokers or aggregators.
4. How do we use your personal data?
We will only use your personal data where we are permitted to do so by law. More generally, we will use your personal data in the following circumstances:
- If we need to perform pre-contractual measures or the contract we have entered into with you.
- If this is necessary for our legitimate interests (or those of a third party) and if your interests and fundamental rights do not override said legitimate interests.
- If we need to comply with a legal or regulatory obligation.
In general, we do not rely on consent as a legal basis for processing your personal data, except in the case of commercial prospecting by SMS or e-mail by partners. You have the right to withdraw your consent to marketing messages at any time by contacting us. Withdrawal of your consent in no way affects the lawfulness of the processing.
Purposes for which we will use your personal data We have set out below, in table form, a description of all the ways in which we intend to use your personal data and the legal bases on which we do so. We have also identified our legitimate interests, where applicable.
Please note that we may process your personal data for more than one legal basis, depending on the specific purpose for which we use your data. Please contact us if you require details of the specific legal basis on which we rely to process your personal data if more than one legal basis has been indicated in the table below.
We strive to give you choice regarding certain uses of personal data, particularly around marketing and advertising. We have established the following control mechanisms regarding personal data:
Promotional offers from us
We may use your Identity Data, Contact Data, Technical Data, Usage Data and Profile Data to assess what we think you might want, need or be interested in. This is how we decide which products, services and offers may be appropriate for you (this is what we call marketing).
You will receive marketing messages from us if you have requested information from us, if you have purchased goods from us or if you have provided us with your details by entering a lottery or competition. In all cases, it is in our legitimate interest to use your personal data in this way.
You can ask us or third parties to stop sending you marketing messages by following the unsubscribe links contained in each marketing message sent to you or by contacting us at any time.
If you opt-out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transaction.
You can set your browser to refuse all or some browser cookies, or to alert you when websites install or access cookies. For more information about the cookies we use, please see our COOKIES POLICY.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably believe that we need to use it for another reason and that reason is compatible with the original purpose. If you would like an explanation of how processing for the new purpose is compatible with the original purpose, please contact us.
Disclosure of your personal data
We may need to share your personal data with the parties set out below for the purposes listed in the table in paragraph 4 above.
- Internal third parties. These include other The Change Group International PLC companies and organizations that act as data controllers or joint processors and are based in Europe.
- External third parties. They include :
o IMX Software (UK) Ltd, which provides us with Point of Sale and in-store collection systems.
o Zen Managed Services, which maintains our IT-managed services.
o Pritesh Patel, who provide us with website development services.
o Professional advisors including lawyers, bankers, auditors and insurers, who provide us with various professional services.
We are committed to ensuring that all third parties respect the security of your personal data and treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only authorize them to process your personal data for specified purposes and in accordance with our instructions.
We do not transfer your personal data outside the European Economic Area (EEA). However, it is possible that if we change our service providers or engage a new service provider, they may be based outside the EEA. In this case, we will ensure that they are obliged to provide your personal data with a similar level of protection by guaranteeing that, as a minimum, one of the following protections is implemented:
We will only transfer your personal data to countries deemed by the European Commission to provide an adequate level of protection for personal data. For further details, see European Commission: Adequacy of personal data protection in countries outside the EU.
- If we use certain service providers, we may use specific contracts approved by the European Commission that give personal data the same protection as in Europe. For further details, see European Commission: Standard contracts for the transfer of personal data to third countries.
- If we use service providers based in the USA, we may transfer data to them if they adhere to the EU-US Privacy Shield, which requires them to provide similar protection for personal data shared between Europe and the USA. For further details, see European Commission: EU-US Privacy Shield.
6. Data security
We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized manner, modified or disclosed. In addition, we restrict access to your personal data to employees, agents, co-contractors and other third parties who 9 need to consult it for professional reasons. They will process your personal data only on our instructions and will be subject to an obligation of confidentiality.
We have procedures in place to deal with any suspected breaches of personal data and will report any breaches to you and to the applicable regulatory body if we are required by law to do so.
7.. Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.
In some circumstances you can ask us to delete your data: see Request erasure below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
8. Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
If you wish to exercise any of the rights set out above, please contact us.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
10. Your legal rights
You have the right to: Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. To make a subject access request please contact firstname.lastname@example.org
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to the processing carried out by automated means which is based on your prior consent provided to us or on a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing based on your consent carried out before its withdrawal. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.