ONLINE PRIVACY STATEMENT

This is the privacy statement for Onolla Group Limited. (Onolla or we) a private company registered in England and Wales with company number 13069124 with its registered office being situated at Studio 14, The Old Power Station, 121 Mortlake High Street, London, United Kingdom, SW14 8SN.

For the purpose of the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR or the Regulation) and any other applicable legislation related to the processing of the personal data from time to time, the data controller is Onolla.

THE UK GENERAL DATA PROTECTION REGULATION

In this statement we have used certain terms which are set out in the UK GDPR:

personal data means any information relating to an identified or identifiable natural person (data subject)

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

PRIVACY STATEMENT

What is the lawful reason we use to process personal data?
The four lawful reasons Onolla uses to process personal data are set out in Article 6 of the Regulation. Processing will only be lawful if and to the extent that at least one of the following applies:

• the data subject has given consent to the processing of their personal data for one or more specific purposes (Consent);

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Contract Performance);
processing is necessary for compliance with a legal obligation which we are subject to (Legal Obligations);
processing is necessary for the purposes of the legitimate interests pursued by Onolla or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Legitimate Interest).

Consent
Where we process personal data as a result of Consent, we ensure that consent is freely given, specific and informed, and established by a clear affirmative act. Where Consent is withdrawn, we have set out below how this may be undertaken by the data subject.

Contract Performance
Where we enter into a contract with the data subject, processing of personal data may, as a matter of course, be necessary in order to execute such contract or take pre-contract preparation steps.

Legal Obligations
Where there are legal obligations which apply to Onolla, processing of personal data may be required by law.

Legitimate Interest
Where we process personal data as it is necessary for the purpose of our legitimate interests, we do so on the basis of a balanced evaluation of our interests and the rights and freedoms of the data subject which require protection.

The legitimate interest we rely on is that the processing is necessary to provide services to our brand and retail customer, to engage with our suppliers, and to properly operate and improve our business.


We have concluded that the way we manage the processing of personal data results in a cumulation of data subject protections which show that the balance is in favour of Onolla being able to rely on Article 6.1(f) of the Regulation as a lawful reason to process personal data.

Your right to withdrawal of your Consent
As required by the Regulation, Consent should be as easy to withdraw, as it is to give. Data subjects may request that Onolla stops processing their personal data at any time. The withdrawal of Consent does not affect the lawfulness any earlier processing of personal data. You may contact us to withdraw your consent using the contact details at the end of this privacy statement, using the following statement:

WITHDRAWAL OF CONSENT
I [STATE YOUR NAME] hereby withdraw my consent for Onolla Group Limited to process my personal data.

Signed by data subject:
[STATE YOUR NAME ]

Why does Onolla need to collect and store personal data?
We collect and store personal data for the following purposes:

to provide our brand and retail clients with the service they require as a party to a contract with us;
to engage with our suppliers in relation to our business relationships;
to maintain appropriate records within our business;
to comply with our legal obligations such as where a court orders disclosure of personal data;
to carry out our marketing activities;
to carry out analytics to help us understand more about how our services are being used and how they could be improved.

The supply of your personal data is a contractual requirement and if you do not provide your personal data, we may be unable to perform the relevant contract.

We may transfer your personal data to a country outside the UK and European Economic Area. Where we do so, we will take steps to ensure your personal data is protected which includes entering into the UK approved Standard Contractual Clauses to ensure the data transfer is lawful.

How long does Onolla store personal data?

We only keep personal data for as long as is necessary We are committed to ensuring that the information we collect and use is appropriate for its purpose and does not constitute an invasion of the data subject’s right to privacy.

Our usual retention period is for the period of any agreement in place between you and Onolla and two years after the termination of that agreement. However, we may sometimes keep personal data for longer (for example where required by law or to resolve complaints or claims).

Will Onolla share my personal data with anyone else?

Onolla may pass your personal data on to third-party service providers contracted to Onolla. In these circumstances, the third party may be another controller, processor or sub-processor.

Where the third party is a processor or a sub-processor, they are obliged amongst other things, to keep your details securely, and to use them only to fulfil their contractual obligations to Onolla under a processing agreement or terms which comply with Article 28 of the Regulation.

When they no longer need your personal data to fulfill this service, they will dispose of the details in line with Onolla’s data retention policy, or as otherwise set out in the relevant processing agreement.

We will share contact information between our brand and retail customers to facilitate the transactions and arrangements entered into and made between them through Onolla.

Can I find out what personal data you hold about me?
At your request, Onolla will provide access to the personal data we hold about you and how it is processed.

As set out in the Regulation you can request the following information:

identity and the contact details of the person or organisation that has determined how and why to process your personal data;
contact details of the data protection officer, where applicable;
the purpose of the processing as well as the legal basis for processing;
if the processing is based on the Legitimate Interests of Onolla or a third party, information about those Legitimate Interests;
the categories of personal data collected, stored and processed;
recipient(s) or categories of recipients that the personal data is/will be disclosed to;
if we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The United Kingdom Information Commissioner’s Office has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information;
how long the data will be stored;
details of your rights to correct, erase, restrict or object to such processing or to request the transfer of your personal data to another organisation;
information about your right to withdraw consent at any time;
how to lodge a complaint with the supervisory authority;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data;
the source of personal data if it wasn’t collected directly from you;
any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing

What forms of ID will I need to provide in order to access this?

Onolla accepts the following forms of ID when information on your personal data is requested: passport, driving licence, birth certificate, utility bill from the previous 3 months.

CONTACT DETAILS
Onolla Group Limited
Contact Name: Suzanne Duckett
Address: Studio 14, The Old Power Station, 121 Mortlake High Street, London, United Kingdom, SW14 8SN
Email: thegreenroom@onolla.com