This document provides you with information about how we are handling or intending to handle your personal information when you use our Cow’s Milk Allergy Companion Facebook App (‘the App’) and is provided to satisfy our obligations under Regulation (EU) 2016/679 of the European Parliament (the General Data Protection Regulation (‘GDPR’)) which obliges us to provide you with information about how and why we use your data.
Introduction and Scope
Nutricia is committed to protecting and respecting your privacy and complying with the principles of the GDPR. This policy sets out the basis on which any personal data we collect from you, or that you provide to us through your use of the App will be processed by us.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. The data controller is the Nutricia Ltd of White Horse Business Park, Newmarket Avenue, Trowbridge, Wiltshire, UK, BA14 0XQ. This means that Nutricia alone determines how your personal data will be used in relation to the App.
We have appointed a data protection officer (DPO) who is responsible for helping us to comply with our legal obligations set out in the GDPR. The DPO monitors our data protection compliance and provides advice and guidance as to how we can improve our data handling practices. The contact details of our DPO are available on our website and may change from time to time. At the time of writing our DPO is:
Data Protection Officer
Address as above.
We are committed to processing information about you fairly and in a transparent manner and the aim of this document is to provide you with sufficient information for you to be able to understand what we are doing with your data. If you are unsure how we are handling information about you or you think we could improve our privacy information please let us know.
Information we may be holding about you and its use(s)
We may collect and/or create or otherwise obtain and process the following data about you:
- Information that you provide by working through the App including the name and age bracket of your child (used exclusively for personalising the App user interface); the medical symptoms of your child (used exclusively for preparing the Symptom Summary for you to take to your doctor or other medical professional);
- Limited information from your Facebook account including your Facebook Messenger ID, name, gender and time zone when you launch the App which is used for statistical purposes to help us gauge the success of the App.
You are responsible for informing and obtaining the consent of any third parties whose data you enter into the App.
If we would like to process your personal data for any other purpose incompatible with the purposes listed above we will provide you with appropriate additional privacy information at the point where you come across those additional purposes. Our commitment to you is that we will not process your data for any purpose other than those listed or are similar to those listed in this document. If you interact with Nutricia Ltd or another part of the Danone Group we will provide you with additional privacy information relating to those other uses.
Legal basis of processing
All of the data that you provide to us via the App is processed by us on the basis of your explicit consent (this being the legal basis for our processing information about you and your child). You have the right at any time to withdraw your consent for us to use your personal data. To withdraw consent please email us at email@example.com The information collected from your Facebook account, cookies and via our system logs is processed on the basis of our legitimate interests to gather information about how our services and websites are used to continue to enhance them.
Disclosing, sharing and transferring your personal data
We will share information about you with some of our suppliers who process data on our behalf to help us to provide services to you. We undertake this data sharing on the basis of your explicit consent.
|Categories of Organisation Purpose Location||Purpose||Location|
|Digital marketing agencies (such as Atchai Ltd), data cleansing companies, and other related services.||To develop the App||UK|
|Database Hosting Companies (such as Amazon Web Services)||To host our App and the underlying database including data storage||UK|
|Facebook Inc.||To verify your identify when you register on the App||United States|
We may disclose your personal information to third parties:
a) if we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
b) to fulfil any service that you request from us (e.g. follow‐up contact via the App etc.);
d) to protect the rights, property, or safety of Nutricia Ltd, our customers, or others including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Other than the circumstances set out above information about you will not be passed to a third party for any other purposes.
International Transfer of Personal Data
We do not envisage transferring any information about or relating to you to anyone who is located outside of the European Economic Area other than as indicated above and we have a commitment from our business partners and data processors that they too will honour this commitment. Because our App is hosted on the Facebook Messenger platform the information that you enter into it is retained by Facebook Inc. who will store such information in the United States. The EU has not endorsed the privacy laws of the United States but has approved a framework for the transfer of personal data called the EU:US Privacy Shield under which Facebook has a valid certificate enabling us to lawfully transfer your personal data to Facebook. You may review Facebook’s Privacy Shield certificate here (www.privacyshield.gov).
We will hold information about you in our App database for no more than three years from the date of the last interaction you have with the App. At the end of the retention period either all of the information collected by the App will be deleted or all personal data will be purged from the App leaving only non‐personal information that we will use for reviewing the performance of the App and for statistical purposes.
The GDPR grants you certain rights (‘information rights’) which we summarise below:
|Right of access||You have the right of access to information we hold about or concerning you. If you would like to exercise this right you should contact our Data Protection Officer.|
|Right of rectification or erasure.||If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it. You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data.|
Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will shall take all reasonable steps to inform those with whom we have shared your data about your request for erasure.
|Right to restriction of processing.||You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we don’t need to hold your data anymore but you need us to in order to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.|
|Right to Portability.||You have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller where the processing is based on consent and is carried out by automated means called a data portability request.|
|Right to Object.||You have a right to object to our processing of your personal data where the basis of the processing is our legitimate interests including but not limited to direct marketing and profiling.|
|Right to Withdraw Consent.||You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent.|
|Right of Complaint.||You also have a right to lodge a complaint about any aspect of how we are handling your data with the UK’s Information Commissioner’s Office who can be contacted at www.ico.org.uk.|
If you would like to find out more about your rights please contact our Data Protection Officer.
Privacy Information Notices under GDPR
Articles 12, 13, and 14 of the General Data Protection Regulation set out the information that must be provided to individuals in order to make the processing of information relating to them lawful. There is a marked difference between the amount, detail, and nature of the information that must be provided under the Data Protection Act 1998 and the GDPR. The table below illustrates the differences between the two regimes.
Article 13 obliges data controllers to provide this information to data subjects at the point of capturing their data. This privacy information does not have to be provided where the data subject already has it.
Article 14 obliges data controllers to provide this information where the personal information is captured via a third party along with the source of the data. Article 14 requires this privacy information to be provided as soon as possible to data subjects and at the latest within a month, or where the personal data are to be used for communication with the data subject, at the latest the time of the first communication with the data subject, or if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed. This privacy information does not have to be provided where the data subject already has it or where the provision of such information proves impossible or would involve disproportionate effort and in such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.
Producing privacy notices in this detail requires a thorough understanding of the data processing operations of the controller. They also need to be a controlled document in that changes must be passed through an approvals process because a controller must be able to demonstrate exactly what privacy notices each data subject has seen.