Last updated: 30 September, 2021
This privacy notice explains how personal data is processed under the GDPR and the UK’s Data Protection Act 2018. For the purposes of this document, when we say GDPR, we will also mean the UK DPA 2018.
We are Holland & Barrett Retail Limited, registered company number 02758955 and registered address at Samuel Ryder House, Barling Way, Eliot Park, Nuneaton CV10 7RH. We refer to ourselves as “H&B” or “we” or “us” in this document.
20-22 Wenlock Road
H&B is conducting a trial of their new health management platform. Your personal data will be collected from you and processed to assist in the development of the system. H&B will process personal data to evaluate a number of potential health indicators and use that information to provide an evaluation of some areas of your health and potentially make recommendations.
We may collect the following categories of personal data, including;
When you communicate with us, we retain that information to ensure we can provide the right services, for training and for customer support purposes.
Under the GDPR we must have a lawful reason for processing personal data. Information about your health is considered a special category of data and requires a higher level of protection.
Our lawful basis for processing personal data is determined based on the type of data and how we are going to use it, and we list those purposes in this Privacy Notice. There are obligations upon us to process your data in accordance with your rights – see the section ‘Your Rights’.
Sometimes we collect data directly from you, and at other times we will ask for your permission to collect data from third parties.
You may withdraw your consent for us to process your data, where the lawful basis is consent. You can do this by writing to us at GDPR@hollandandbarrett.com or by post to Data Protection Officer, Holland & Barrett, Samuel Ryder House, Barling Way, Eliot Park, Nuneaton CV10 7RH.
Note that simply deleting the H&B & Me App from your device will not withdraw any consents you have given.
We collect information directly from you via a mobile phone app. We currently have apps for both iOS and Android. Our app only requires the permissions necessary to securely log you in, and for authentication purposes.
We adhere to the development guidelines of both Apple’s and Google’s application stores with regard to data privacy.
Your information is stored on Amazon’s UK-based AWS cloud service. All data sent to storage is encrypted to, or beyond, best practice requirements.
We want to keep you up to date with existing services, offers, or new products and services from time to time. We may send you the information by email or text message, and if you no longer wish to receive this information, you can withdraw your consent at any time using the instructions that are sent at the bottom of every message.
We have implemented a secure system for collecting and storing your data based on best practices. That system is being regularly tested and improved. When we collect your data, it is sent to our servers encrypted. The database on which your personal data is stored is also encrypted, and we use a secure cloud infrastructure from AWS – an Amazon service based in the UK.
We test the application regularly using external security professionals following best practices.
We will share your personal data with a limited number of trusted third parties to help us process and analyse your Personal Data for us and assist us in providing you with accurate recommendations. This includes external consultants who work independently for Holland & Barrett and are considered experts in a particular field, for example, menopause or sleep. Before we share data with any third party, we ensure they meet our strict security and compliance standards, and we may audit them to ensure the standards are being upheld.
The GDPR and the UK Data Protection Act 2018 give you rights over your personal data. You should be aware of these rights, which are:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Note that the above rights may have certain limitations depending on the circumstances, such as if there was a legal issue outstanding. In the case that we are unable to comply with any one of your rights for a legitimate reason, we would explain that to you.
If you have a complaint about how your information is being managed, please contact our DPO whose contact details are at the top of this privacy notice. However, if you are not satisfied with the outcome, you can complain directly to the Information Commissioner. Their contact details are below.
Tel: 01625 545745
We may update this Privacy Notice from time to time. We will inform you when we make any major changes to this Privacy Notice and allow you the opportunity to review them. If you are unhappy with the changes, you always have the ability to request that we stop processing your personal data at any time – see above regarding removing your consent.
This Privacy Notice was last updated on 30 September, 2021.