We understand that privacy and the security of your personal information are extremely important. This policy sets out what we do with your information, where and how we collect it, as well as your rights over any personal information we hold about you.
Who are we
When we say ‘we’ or ‘us’ in this policy, we’re generally referring to Sainsbury’s Supermarkets Ltd (registered office: 33 Holborn, London, EC1N 2HT).
What sort of information do we hold?
- Information that you provide to us when you register with us;
- Your account login details, including your user name and chosen password;
- Information about the services that we provide to you and the products you purchase;
- Your contact details; and
- Information from other sources such as from specialist companies that provide customer information and information that is publicly available.
Our legal basis for processing your personal information
Whenever we process your personal information we have to have something called a “legal basis” for what we do. The different legal bases we rely on are:
- Consent: You have told us you are happy for us to process your personal information for a specific purpose;
- Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights;
- Performance of a contract: We must process your personal information in order to be able to provide you with one of our products or services;
- Prevention of fraud: Where we are required to process your data in order to protect us and our customers from fraud or money laundering;
- Vital interests: The processing of your personal information is necessary to protect your or someone else’s life;
- Public information: Where we process personal information which you have already made public;
- Legal claims: The processing of your personal information is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; and
- Legal obligation: We are required to process your personal information by law.
How do we use your information?
There are a number of ways in which we use your personal information, depending on how you interact with us. We may use your information in the following ways:
To provide our products and services – we need to use your personal information to make our products and services available to you. After that, we need to provide them to you and process your payment. And we need to use your details to do all this.
To personalise your shopping experience – we try to understand our customers so we can provide you with a great shopping experience, relevant marketing, personalised offers, shopping ideas and online advertising.
For security – we use your personal information for your protection and the protection of our businesses. This may involve validating the information you provide to us against third party databases. In performing these checks, personal data may be disclosed to a Credit Reference Agency, which may keep a record of that information. If false or inaccurate information is provided and fraud is suspected, details will be retained by the Credit Reference Agency and may be passed to Fraud Prevention Agencies.
Analytics and profiling – we use your personal information for statistical analysis and to help us understand more about our customers.
Contacting you – we use your personal information to contact you: either to conduct market research or to contact you about products and services from us and other companies. We may also contact you in relation to any questions you have raised with us or to discuss the status of your account with us.
Cookies and similar technologies
Who we might share your information with
Our service providers
We work with partners and suppliers so that they can help us deliver our services to you. These third parties process your personal information on our behalf and are required to meet our standards of security before doing so. We only share information that allows them to provide their services to us or to facilitate them providing their services to you.
Other organisations and individuals
We may share your personal information in certain scenarios. For example:
- If we’re discussing selling or transferring part or all of a Sainsbury’s Group business, we may share information about you with prospective purchasers and their advisers – but only so they can evaluate the relevant business;
- If we are reorganised or sold to another organisation, we may transfer information we hold about you to them so they can continue to provide the Services to you;
- If we are required to by law, under any code of practice by which we are bound or where we are asked to do so by a public or regulatory authority such as the police or the Department for Work and Pensions;
- If we need to do so in order to exercise or protect our legal rights, users, systems and services; or
- In response to requests from individuals (or their representatives) seeking to protect their rights or the rights of others. We will only share your personal information in response to requests which do not override your privacy interests. For example, we will not share your personal information with individuals who are merely curious about you, but we will share it with parties such as insurers, solicitors and employers which have a legitimate interest in your personal information.
International transfers of your data
Keeping you informed about our products and services
We would like to stay in contact with you about Sainsbury’s Business Direct, and we may do this through the post, by email, text message or by any other electronic means.
We won’t contact you if you tell us not to, but if you receive a service from us we will still need to send you occasional service-related messages. If you wish to amend your preferences, you can do so by emailing email@example.com.
Please note that it can take a little while for all marketing to stop once you either withdraw your consent or tell us you’d like to opt out of marketing. This is because some marketing may already be in transit.
You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you.
- the right to access a copy of the personal information we hold about you;
- the right to correction of inaccurate personal information we hold about you;
- the right to restrict our use of your personal information;
- the right to be forgotten;
- the right of data portability; and
- the right to object to our use of your personal information.
Where we rely on consent as the legal basis on which we process your personal information, you may also withdraw that consent at any time.
If you are seeking to exercise any of these rights, please contact us using the details in the “Contact Us” section below. Please note that we will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect the personal information belonging to our customers against fraudulent requests.
Automated decision making and profiling
We use automated decision making, including profiling, in certain circumstances, such as when it is in our legitimate interests to do so, or where we have a right to do so because it is necessary for us to enter into, and perform, a contract with you.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or affects you in any other significant way.
If you are seeking to exercise this right, please contact us using the details in the “Contact Us” section below.
How long do we keep your personal information for?
We take protecting your personal information seriously and are continuously developing our security systems and processes. Some of the controls we have in place are:
- We limit physical access to our buildings and user access to our systems to only those that we believe are entitled to be there;
- We use technology controls for our information systems, such as firewalls, user verification, strong data encryption, and separation of roles, systems & data;
- Systems are proactively monitored through a “detect and respond” information security function;
- We utilize industry “good practice” standards to support the maintenance of a robust information security management system; and
- We enforce a “need to know” policy, for access to any data or systems.
If you have a question or a complaint about this policy, or the way your personal information is processed, please email firstname.lastname@example.org