Data Protection Policy

retailCURe recognises the need to comply with the Data Protection Act 1998 and understands that it ensures that processing is carried out fairly and lawfully. This policy describes the principles through which retailCURe intends to ensure compliance.

Terms and Abbreviations




Data means information which:

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

(Source: Information Commissioner’s Office)

Data Subject

Data subject means an individual who is the subject of personal data.

Personal Data

Personal data means data which relate to a living individual who can be identified:

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

(Source: Information Commissioner’s Office)


Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data.

Sensitive Data

Sensitive data means personal data consisting of information as to -

(a) the racial or ethnic origin of the data subject,

(b) political opinions,

(c ) religious beliefs or other beliefs of a similar nature,

(d) whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) physical or mental health or condition,

(f) sexual life,

(g) the commission or alleged commission by them of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

(Source: Information Commissioner’s Office)

The purpose of this policy is to ensure retailCURe compliance with its obligations under the Data Protection Act.

This policy applies to the collection and processing of all personal data held by retailCURe, falling within the scope of the Act, in all formats including paper, electronic, audio and visual. It applies to all employees and contractors.

retailCURe will comply with the eight data protection principles by putting in place processes to ensure that personal information is:

  1. Processed (which includes holding and using) fairly and lawfully and, in particular, in accordance with the specific processing conditions set out in Schedules 2 and 3 of the Act (see Sensitive and Non-sensitive Data below).
  2. Processed for particular purposes, and not processed in any manner incompatible with those purposes.
  3. Adequate, relevant and not excessive.
  4. Accurate, and where necessary, kept up to date.
  5. Not kept longer than is necessary.
  6. Processed in accordance with the legal rights of the data subjects.
  7. Held securely with appropriate technical and organisational measures taken to guard against unauthorised or unlawful processing of personal data and against accidental loss, damage or destruction.
  8. Not transferred to a country or territory outside the European Economic Area (defined as 15 EU Member States, plus Norway, Iceland and Liechtenstein) unless that country or territory ensures an adequate level of protection in relation to the processing of personal data.

Sensitive and Non-sensitive Data

retailCURe will process non-sensitive personal data in a way that fulfils the conditions outlined in schedule 2 of the Data Protection Act.

Where sensitive personal data is held (this includes information about racial or ethnic origin, political affiliations, religious beliefs, trade union membership, physical or mental health, criminal convictions or legal proceedings), retailCURe will ensure that one of the additional conditions listed in Schedule 3 of the Act is also met.

Individual Rights

retailCURe recognises that access to personal data held about an individual is a fundamental right provided in the Act. It will ensure that all requests from individuals to access their personal data are dealt with as quickly as possible and within the 40 calendar days allowed in the legislation, as long as the data subject meets the requirements set out in this policy.

Data security

In order to ensure the security of personal data, retailCURe has appropriate physical, technical and organisational measures in place.

Monitoring and Review

retailCURe will maintain a record of all Subject Access Requests.


retailCURe may be required to disclose personal data by a court order, or to comply with other legal requirements including prevention or detection of crime, apprehension of an offender or gathering of taxation.