- About Us
We are the Academy of Chocolate (hereinafter referred to collectively as ‘we’ or ‘us’). We can be contacted by email at ‘firstname.lastname@example.org’; or by telephone on 0208 673 6300.
As Britain’s leading chocolate professionals the Academy of Chocolate (‘AoC’), believes that eating fine chocolate is one of life’s great pleasures, uniting members to taste, discuss, demonstrate and debate issues regarding sourcing, transparency and the journey from bean to bar. This is achieved by connecting and utilising its extensive network of contacts and members in the provision of education and training programmes, including events, awards; and in the provision of a broad range of networking initiatives.
Members of AoC have, agreed to participate in programmes run by the Academy of Chocolate (‘AoC’).
When carrying out our activities, we process personal data about our Members; Friends; Sponsors; Winners and Entrants of the Academy of Chocolate Awards; and Employees, the Board and Volunteers (all referred to collectively as ‘members of AoC’). We also process the personal data of
Events, Press and Other Contacts.
We understand that privacy is important to you, whatever your relationship with us. We respect and value your privacy and will only collect and use your personal data in ways that are described here, and in a way that is consistent with our objectives and obligations, and your rights under the law.
For clarity, one of the specific purposes of AoC is to promote and encourage networking and contact between our members. To achieve this and fulfil our obligations of membership we will organise competitions and education and networking events and notify members of AoC about them in order that they have opportunity to participate and thereby fulfil their commitments as members.
- What Does This Policy Cover?
- Data Protection Officer
We have a dedicated Data Protection Officer (“DPO”), whom you can contact using the details in Part 1 above, marking your communication ‘For the attention of the DPO’.
- What Are My Rights?
Under the General Data Protection Regulation (EU Regulation 2016/679) (the ‘GDPR’), you have the following rights in respect of any personal data from which you can be identified, which we will always work to uphold:
- The right to access the personal data we hold about you. Part 10 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Parts 1 and 3 to find out more.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Parts 1 and 3 to find out more.
- The right to restrict (i.e. prevent) the processing of your personal data.
- The right to object to us using your personal data for a particular purpose or purposes.
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
- Rights relating to automated decision-making and profiling, save that we do not use your personal data in this way.
Further information about your rights can also be obtained from the Information Commissioner’s Office (‘https://ico.org.uk’) and/ or your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
- Information We Collect
We may collect some or all of the following personal data from you, which varies according to your relationship with us:
- Full name;
- Date of birth;
- Home address, telephone number and email address;
- Business name, address, telephone number and email address;
- Twitter and Instagram accounts;
- Job title and/or profession;
- Award results;
- Why We Process Your Personal Data
Under the GDPR, we must always have a lawful basis for collecting and using personal data. We process your personal data on the basis that it is necessary for our performance of the membership agreement or other contract with you; because you have consented to our use of your personal data (relevant for direct marketing by email or other electronic means); because it is in our legitimate business interests to do so; or it is necessary in compliance with a legal obligation.
When we use your personal data, we will always consider if it is fair, does not adversely affect your rights and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal data in ways that are not unduly intrusive or unfair.
Depending on your relationship with us, we may process your personal data for one or a number of the following reasons:
- Providing, managing and administering our relationship with you as members of AoC, including informing you about the services we are required to provide to you, keeping a record of your membership and facilitating payment of your membership fees;
- Making arrangements for and conducting and keeping records of all entrants and winners of the Academy of Chocolate Awards and other competitions and awards;
- Communicating with you, which may include responding to emails or calls from you and notifying you about news events, promotions, programmes, competitions and networking events for members of AoC;
- Where applicable, supplying you with information by email or other electronic means that you have opted-in to receive (noting that you may unsubscribe or opt-out at any time by notifying the DPO as detailed with Parts 1 and 3;
- Fundraising and campaigning if applicable about current issues, including administering such campaigns and making arrangements to receive donations; and
- For statutory, financial reporting, other regulatory compliance, employment, and recruitment purposes.
With your permission and/or where permitted by law, we may also use your personal data for direct marketing purposes, which may involve providing you with information by email, telephone, post or other electronic means.
You will not be sent any unlawful marketing or spam and we will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.
- How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Unless we explain to you otherwise, we will hold your personal information:
- For as long as we have a reasonable business need, such as managing and administering our relationship with you, managing our operations and answering questions and addressing issues raised by past members of AoC;
- For as long as you remain a member of AoC or are otherwise involved with them;
- As long as we consider reasonable and necessary in terms of historic records for past Award winners and entrants, subject to appropriately reducing the detail of the personal data held over time; and
- Otherwise in line with legal and regulatory requirements and best practice guidance concerning recommended retention periods.
- Security, Storing and Transfer Of Personal Data
We use appropriate technical and organisational measures and precautions to protect your personal data and to prevent the loss, misuse or alteration of your personal data
Whilst, unfortunately, the transmission of information via the internet is not completely secure, we will do our best to protect your personal data transmitted in this way and will put in place appropriate encryption and, where relevant, password protection of documents. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access
We use Microsoft Office 365, [Mailchimp] [and/or DropBox] [Eventbrite] [EKM] products, which are multi-tenant cloud services, for our internal office use. This means that internal documents and information generated by us are stored in cloud services hosted within the European Economic Area (EEA).
- Do You Share My Personal Data?
Save as set out below, we will not share any of your personal data with any third parties for any purposes. We will never share or sell your personal data to a third-party organisation for marketing, fundraising, or campaigning purposes
We might transfer your personal data to a secure data processor for them to carry out data processing operations on our behalf. This might, for example, include payment processing and/or payroll and tax matters and other operations where considered beneficial. Where this occurs we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights and our obligations.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
On some occasions we might consider it necessary to approach you to seek consent before releasing your personal data to a third party.
- How Can I Access My Personal Data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 1, marked for the attention of the ‘Data Protection Officer’, as detailed in Part 3.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will normally respond to your subject access request within 3 weeks and, in any event, not more than one month of receiving it and aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.