The Grow Shop – GDPR Compliance Statement
The Grow Shop is committed to full compliance with the UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018. This policy outlines how we collect, use, and protect your personal data, and the rights you have under the GDPR.
1. Lawful Basis for Processing
We process personal data under the following lawful bases, in accordance with the UK GDPR:
Consent: We obtain explicit consent from individuals when required, such as for marketing communications.
Contract: Processing is necessary to fulfill a contract with you, such as processing orders or providing services.
Legal Obligation: We may need to process personal data to comply with legal obligations, such as tax or financial regulations.
Legitimate Interest: Processing is based on our legitimate interests, such as preventing fraud, improving user experience, or conducting business analysis. We ensure that these interests do not override the rights and freedoms of the data subject.
Where we rely on consent as a lawful basis for processing, we will obtain your consent clearly and transparently, and you have the right to withdraw consent at any time.
2. Data Subject Rights
Under the GDPR, you have the following rights with respect to your personal data:
Access your data: You can request a copy of the personal data we hold about you.
Rectify incorrect data: You can request that we correct any inaccurate or incomplete data we hold about you.
Erase your data (Right to be forgotten): You can request that we delete your personal data, subject to certain conditions.
Restrict processing: You can request that we limit how we process your personal data in certain circumstances.
Data portability: You can request that we provide your personal data in a structured, commonly used, and machine-readable format, and transmit it to another organisation.
Object to processing: You can object to the processing of your personal data, including for marketing purposes.
Withdraw consent: You can withdraw your consent at any time, where consent is the lawful basis for processing. This will not affect the lawfulness of processing before the consent withdrawal.
We will respond to your requests within one month. If a request is complex, or if we receive a number of requests, we may extend the response time by an additional two months. Requests can be made free of charge.
3. Data Protection Officer (DPO)
If required, a Data Protection Officer (DPO) will be appointed. For now, any data protection queries can be directed to info@thegrowshop.co.uk.
4. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption, secure data storage, access controls, and regular security audits. We also ensure that any third-party processors we work with comply with the same data protection standards.
5. Data Breach Procedure
In the event of a data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where feasible. Affected individuals will be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Once the data is no longer needed, we will securely delete it or anonymise it.


