CAMELLIA PLC PRIVACY POLICY

Camellia Plc is committed to protecting the privacy of those with whom we interact and we recognise the need to respect and protect the personal information that is collected or disclosed to us.

Information at a glance

This Privacy Policy is intended to tell you how we use your personal information, and we’ve tried to explain what we do in enough detail to give you the information you need at a glance, with the option of following a link if you want to find out more. If you still can’t find the information you need, you can email us at dpo@camellia.co.uk.

We only collect data that you enter into the Camellia plc website www.camellia.plc.uk (“Website”), for example to submit an enquiry, send an email or where you sign up to our mailing list. If you subscribe to any of our mailing lists, we will use your information to send you the information you have requested.

We use cookies which collect information about the usage and performance of our Website. The information that the cookies collect is anonymous other than your IP address. We use this information to analyse usage of our Website by visitors to improve its performance and to inform decisions about content, layout and operation of the Website and our services or products, where applicable.

This Privacy Policy explains what data we process, why we process such data, how it is legal and your rights. It is provided in a layered format so that you can click through to the specific areas set out below:

1. Who we are and important information

2. What personal information do we collect about you?

3. How is your personal data collected?

4. How do we use your personal data?

5. To whom do we disclose your personal data?

6. What do we do to keep your information secure?

7. Data Retention – how long will we store/keep or use your personal data?

8. Accessing your personal data and other rights you have

1. Who are we and important information

Camellia Plc is the parent company of the Camellia Group (made up of different legal entities), and more details can be found at www.camellia.plc.uk. This Privacy Policy is issued on behalf of Camellia Plc and gives you information on how we collect and process your personal information through your use of the Website.

When we mention Camellia Plc, "we", "us" or "our" in this Privacy Policy, we are referring to personal information collected or processed on this Website. Each Camellia Group company or third party website is individually responsible for collecting and processing your personal information where you have clicked through to their website.

It is important that you read this Privacy Policy together with any other privacy notice we, a member of the Camellia Group or third party may provide if you click through to their websites. You should make sure that you are fully aware of how and why your personal information is being used.

Please note that this Privacy Policy supplements other notices and privacy policies and is not intended to override them. Camellia Plc is the controller and responsible for this Website.

This Website is not intended for children and we do not knowingly collect data relating to children.

How to contact us

Our data protection officer (“DPO”) is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO at this email address: dpo@camellia.co.uk

You have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK regulator for data protection issues, at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this Privacy Policy and your duty to inform us of changes

It is important that you check back often for updates, as we may change this Privacy Policy from time to time. The date at the end of this Privacy Policy states when it was last updated and any changes will become effective upon our posting of the revised Privacy Policy. We will provide notice to you by email or by posting notice of the changes on our Website or through any relevant services if these changes are material.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

Third party links

We may include links on our Website to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share personal information about you. We do not control these third party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

2. What data do we collect about you?

Personal data, or personal information, means any information about you from which you can be identified, directly or indirectly.

For example, information which identifies you may consist of your name, email address, location data and online identifier (e.g. cookies identifiers and your IP address). When we combine other information (i.e. information that does not, on its own, identify you) with personal data, we treat the combined information as personal information.

We may, where applicable, collect, use, store, process and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data includes first name, last name and title
Contact Data includes address, email address and telephone number
Technical Data includes internet protocol (IP) address (IP addresses are a string of numbers assigned to a device by an internet service provider), your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this Website, e.g. smartphone, tablet or laptop
User Behaviour / Engagement Data includes usage session dates and duration, page views, features and functions used, preferences and settings selected, feedback and responses to surveys
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences

We also collect, use and share aggregated data such as statistical or demographic data for the purposes set out in the table below. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your User Behaviour / Engagement Data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this Privacy Policy.

This personal data will be subject to our retention policy set out in section 7 below.

3. How is your personal data collected?

We use different methods to collect data from and about you including:

a) Personal data you provide directly. You may give us your Identity Data, Contact Data or Marketing and Communications Data by filling in forms or by corresponding with us by email, phone, post or otherwise. This includes personal data you provide when you:

set-up preferences and notifications/alerts on our Website;
participate in surveys or questionnaires;
sign up to our mailing lists; or
otherwise interacting with us.

b) Automated technologies or interactions. As you interact with our Website, we may automatically collect Technical Data and User Behaviour / Engagement Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see section 4 below for further details.

4. How do we use your personal data?

We will only use your personal data when the law allows us to, for the following purposes:

where it is necessary for our legitimate interests, and your interests and fundamental rights do not override those interests; and
where we need to comply with a legal obligation.

Purposes for which we will use your personal data

We have set out in the table below a description of all the ways we may use your personal data, and the legal basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To manage our relationship with you which will include: (a) Notifying you (where applicable) about changes to our terms or Privacy Policy (b) Asking you to leave a review or take a survey	(a) Identity (b) Contact (c) User Behaviour / Engagement (d) Marketing and Communications	(a) Necessary to comply with a legal obligation (b) Necessary for our legitimate interests (to keep our records updated and to study how you use our Website)
To enable you to partake in a prize draw, competition or complete a survey	(a) Identity (b) Contact (c) User Behaviour / Engagement (e) Marketing and Communications	Necessary for our legitimate interests (to study how you use our Website, to analyse our market, products, and other services, and to create sales, marketing and promotional plans and programmes)
To administer and protect our business and this Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Technical (d) User Behaviour / Engagement (e) Marketing and Communications	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant Website content to you and measure or understand its effectiveness	(a) Identity (b) Contact (c) User Behaviour / Engagement (e) Marketing and Communications (f) Technical	Necessary for our legitimate interests to study how our Website is used, to grow our business and to inform our marketing strategy
To use data analytics to improve our Website, marketing, customer relationships and experiences	(a) Technical (b) User Behaviour / Engagement	Necessary for our legitimate interests (to define types of users of our Website, to keep our Website updated and relevant, to develop our business and to inform our marketing strategy)

Legitimate interest

The law allows us to use your personal data as set out in the table above on the basis that we are acting in our “legitimate interests”. i.e. we have good, sensible, practical reasons for processing your personal data which is in the interests of Camellia Plc in conducting and managing our business to enable us to give you the best and most secure experience. To do so, we have considered the impact on your interests and rights before we process your personal data for our legitimate interests.

We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Marketing communications

Camellia Plc may use your personal data to provide you with email notifications and other communications by email, post or telephone in accordance with your preferences, as provided to us by you.

Opting out

You can ask us to stop sending you emails, ask us to stop contacting you in any other way at any time by following the opt-out links on any communication message sent to you or by contacting us at any time.

Cookies

Camellia Plc, as well as certain other third parties that provide content or other functionality on our Website may use cookies and other technologies, including web beacons, action tags, pixel tags, in certain areas of our Website.

For more information about the cookies we use, please see Cookie Policy.

5. To whom do we disclose your personal data?

We may share your personal data with the parties set out below for the purposes set out in the table above. We do not sell any of your personal data to third parties, however, we may disclose your personal information to the following entities:

Service Providers: We use third party service providers that act as our “processors” to help us to administer certain activities and services on our behalf, such as analysing usage of our products and services, email support services, tracking effectiveness of our marketing campaigns and to help us operate our systems such as website hosting and IT support. Here are examples of third-party service providers we use:
- Email Support Services – to assist us in ensuring our email service functions to provide you with our services; and
- Analytics Service Providers – to assist us in understanding the usage of our products and other services and enable us to improve our services.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
Third parties when required by Law or to protect our services: We will disclose your personal data to comply with applicable law or respond to valid legal process, including from our regulators, law enforcement or other government agencies, to protect our users (e.g. to prevent spam or attempts to defraud users of our services); to operate and maintain the security of our services (e.g. to prevent or stop an attack on our systems or networks), or to protect the rights or property of Camellia Plc, including enforcing any terms or agreements governing the use of our services.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. What do we do to keep your information secure?

We have put in place appropriate physical and technical measures to prevent your personal data from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. However, please note that although we take appropriate steps to protect your personal information, no website, device, online application or transmission of data, computer system or wireless connection is completely secure and therefore we cannot guarantee the security of your personal information.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Data Retention – How long we will store/keep or use your personal data?

Camellia Plc retains personal data for as long as necessary to fulfil the purposes we collected it for, as outlined in this Privacy Policy. When your personal information is no longer required for the purpose it was collected or as required by applicable law, it will be deleted and/or returned to you in accordance with applicable law.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory or other requirements. We may keep your personal data for up to 3 months after you no longer wish to receive regulatory updates but may retain personal data for longer periods where necessary, for example, where you have entered a photography competition and we need to retain proof of your entry and your consent for us to use your photos.

8. Accessing your personal data and other rights you have

The Company will collect, store and process your personal data in accordance with your rights under applicable data protection laws. You have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you.
Withdraw consent (including for direct marketing) at any time where you have consented to our processing of your personal data. In the event you wish to withdraw your consent to processing, please contact us using the details provided in the ‘How to contact us’ section above.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use.
Request correction of the personal data that we hold about you. If you think that any information is incorrect or incomplete, please let us know. To the extent required by applicable laws, we will rectify or update any incorrect or inaccurate personal data about you.
Request erasure (‘right to be forgotten’). You have the right to have your personal data deleted ‘erased’ or removed in certain specified situations.
Request restriction of processing of your personal data. You have the right in certain specified situations to require us to stop processing your personal data but to only store your personal data.
Object to processing of your personal data where we rely on a legitimate interest as our legal grounds for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so.

Enforcing Your Rights

If you wish to enforce any of your rights under applicable data protection laws, then please contact us at dpo@camellia.co.uk. We will respond to your request without undue delay and by no later than one month from receipt of any such request, unless the request is particularly complex, in which case it could take us longer than a month, but we will notify you and keep you updated. Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the data protection laws.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

June 2022