At Citrus Green CBD, we deliver high-quality CBD products from carefully chosen suppliers.
Citrus Green CBD is a company registered in Scotland with registered number SC631574 and having its registered office address at 14 Caerlaverock Avenue, Prestwick, KA9 1HS.
We are a data controller for the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and related data protection legislation.
How to contact us
If you have any questions about our Privacy Notice or our data protection policies generally, please contact us:
- Initial enquiries should be directed to our Scottish office as follows:
- By post: 14 Caerlaverock Avenue, Prestwick, KA9 1HS
- By phone: 0141 218 4465
- By email: firstname.lastname@example.org
Our Data Protection Officer is: Chris Rooney
We are fully committed to handling personal information in accordance with the General Data Protection Regulation (GDPR) which comes into force on the 25 May 2018.
This means your personal information will be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Only collected as required for our lawful purposes.
- Reviewed regularly.
- Retained only for as long as necessary and in accordance with our retention policy.
- Processed securely and with integrity.
It is important that you are aware of our procedures and practices and understand your rights in relation to your personal data. This Privacy Notice is designed to be part of that information.
Why Do We Need to Process Personal Data?
We need to process your personal data throughout our relationship with you for updating you on our services, server issues, website updates and regulatory requirements.
What Personal Data Do We Collect?
“Personal data” or “personal information” is any information relating to or about an individual from which that person can be directly or indirectly identified. It does not include data where the identity has been removed (anonymous data).
How Do We Collect the Information?
We may collect this information directly from you (e.g. when you submit a form to us or buy a product on our website).
What is Our Lawful Basis for Processing Your Personal Data?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- where we have obtained your prior consent;
- where we need to perform a contract we have entered into with you;
- where we need to comply with a legal obligation; or
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your personal information where we need to protect your interests (or someone else’s interest) or where it is needed in the public interest.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Do We Share with Third-Parties?
We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
We will take all reasonable steps to ensure all information sharing is carried out in a secure way and will ask our third-party associates to assure us they will handle your personal data securely by using contracts to make our requirements clear and within the legal requirements as set out in the GDPR.
Retention of Personal Data
The retention periods for personal data depend on the purpose for which the information was obtained and will differ for different uses.
We may retain information in our CRM system to highlight possible connections and touch points to better advise of contact with you; however, we do regularly clean our databases to keep the information current, and this information is securely deleted.
Where do we store Personal Data?
Your data is stored on secured premises in a secure client relationship management (CRM) database enforced by password protocols.
We do collect statistics on visits to our website and social media sites and whilst these are anonymous statistics, your IP address may be considered personal data under the legislation. Therefore, we may collect information about the computer or device which is used to access our website. We use this information to collect anonymous statistics to view traffic to the site and how the site is used. This collection does not identify individual users.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
In the event of a “high risk” personal data breach, the individual(s) will be notified immediately within 72 hours, as will the Information Commissioner's Office (ICO). Our company and staff shall follow our security protocols in line with our “Data Breach” company policy as well as the ICO guidelines and take all necessary precautions in order to minimise the severity of the breach for the individual. All personal data breaches shall be recorded in our data breach register.
Right to be informed.
You have the right to be informed about the processing of your personal data, and this Privacy Notice provides you with the information you need to reassure you that we handle your personal data securely and lawfully.
Right of access.
You have the right to request access to your personal data and to request further information relating to your personal data such as the purposes of processing, the categories of organisations with whom we share your personal data, the retention period for such personal data and the existence of any automated decision-making relating to your personal data.
Right to rectification.
You have the right to have any inaccuracies or factual errors corrected or incomplete data amended.
If this information has been disclosed to a third party, we will inform that party and request that they amend their records.
We want your information to be accurate, complete and up to date so you can ask us to make any rectifications necessary as your details or circumstances change.
Right to erasure (the right to be forgotten).
You can request to have your personal data deleted or removed if there is no compelling reason to keep it, as follows:
- if your personal data is no longer required for the purposes for which we obtained it;
- where the processing of your personal data is based on your consent and you withdraw such consent;
- where the processing of your personal data is based on our legitimate interests and you successfully object to such processing;
- where the personal data is processed unlawfully; or
- where the personal data has to be erased for compliance with a legal obligation.
If the personal data is held for statutory or regulatory requirements, it cannot be erased.
Any request made will be discussed with you, unless deletion is an obvious step.
Following erasure, we will not retain your information, and therefore it is possible that your personal information may be re-obtained from the public domain or social media, which may result in contact from our organisation.
Right to restrict processing.
This relates to personal data where the accuracy is contested, where you have objected to our processing based on our legitimate interests, or where we no longer require the personal data but you request us to keep it. It is a complex area and, whilst a decision is being made in consultation with you, we will store the data but not process it.
Right to data portability.
You have the right to take and use your data for other services or purposes. Where the personal data provided by you is processed on the basis of your consent or a contract between us and you, we are required to make this information available to you in a readable, easily transferred format.
Right to object.
Where the processing of your personal data is based on our legitimate interests, you have the right to object (based on your particular circumstances) to the way we handle, use or store your personal data. If you object to our processing of your personal data, we will restrict any further processing until we determine whether or not there are any compelling reasons why we should continue the processing.
We do not sell your personal data.
Exercise of your rights.
If you wish to exercise any of your rights in respect of your personal data, please contact us using the details above. Our Data Protection Officer will provide you with further information if required.
We will respond to any exercise of your rights within one month of such request, unless the request is complex, in which case we will seek an extension and respond within a further two months thereafter.
We will respond to your requests to exercise your rights at no charge, although repeated or manifestly unfounded or excessive requests may be refused or may incur an administrative charge covering the time and other costs associated with this.
During the registration process we may ask how you wish to be contacted:
- By telephone
- By email
- By post
- By text/SMS
You are free to consent to all or one or more of these; however, the law requires that if you permit us to use only one method, that is the only method we can use. Given your requirements and opportunities that can come up at short notice, you may wish to consider more than one contact method.
In the first instance we would request that you discuss any complaints with us.
The ICO website has a template letter to assist you, but we are happy to discuss in person if you contact your personal consultant at 0141 xxxx.
If you are not satisfied after we address your complaint, you can complain to the:
Information Commissioner's Office
The website has a live chat facility, or you can call 0303 123 1113 (local rate).