Privacy Notice

Effective from: 15th September 2022

We understand that your privacy is important to you and that you care about how your personal data is used and shared. We respect and value the privacy of everyone who uses our services and will only process information in ways that are consistent with your rights, and our obligations under the law.

Our privacy notice exists to provide you with key information about:

  • The data we process and why
  • What happens to your data
  • Sharing and transfers of data
  • How your data is kept secure
  • Your data protection rights
  • How to contact us
  • How to make a complaint

Your acceptance of this notice occurs when you use the OPRL website. If you do not understand or accept the privacy notice, you must stop using our services immediately. Please contact us if you need assistance.

About Us

OPRL is a not-for-profit company limited by guarantee registered in England and Wales under company number 06853461.The OPRL scheme aims to deliver a simple, consistent and UK-wide recycling message on retailer and brand packaging. All surpluses are reinvested into the Company’s activities to promote recycling of packaging.

Our Data Protection Lead is responsible for handling compliance with data protection law, and for effectively handling all queries from data subjects about their personal data. Our ICO Registration Number is ZA821258.

OPRL Ltd
Beaumont House
Beaumont Road
Banbury
OX16 1RH

Data Protection Lead: Rebecca Wormleighton
Email: dataprivacy@oprl.org.uk

Our processing

The table below lists our processing activity, the data we collect and our lawful basis for doing so.

Processing activityData processedLawful basis
Handling enquiriesName, telephone number or email addressArticle 6 (f) Legitimate interest
Delivering products and services, and providing customer supportName, email addressArticle 6 (f) Legitimate interest
Detecting and monitoring security risks, and protecting our online servicesIP address, device(s) usedArticle 6 (f) Legitimate interest
Enhancing our products and services by soliciting feedback and undertaking market researchName, contact detailsArticle 6 (f) Legitimate interest
Publishing a testimonial or case study from a named contactNameArticle 6 (b) Consent
Sending direct marketing via emailName, email address, job title, organisationArticle 6 (f) Legitimate interest
Maintaining a marketing unsubscribe or Do Not Contact ListName, email addressArticle 6 (c) Legal obligation
Managing data subject’s rights, requests and complaintsName, contact details, communications historyArticle 6 (c) Legal obligation

Managing enquiries

When you submit an enquiry to us, your information is added to our customer relationship management system (CRM), and we use it to respond to your enquiry and manage our communications.

If you do not take up any of our products and services, we will delete your details from our CRM 3 years after we deem the enquiry closed. If you would like your data deleted before then, please let us know.

Delivering products and services

We must process a limited amount of personal data to provide our services to you including setting up website user accounts, keeping a record of our communications and issuing invoices for payment.

We will process your personal data in this way for as long as you are a named contact for our business customer. When requested, user website accounts will be closed and deleted after 2 years We will retain a history of our communications and transactions for at least 5 years for taxation and legal purposes.

Protecting our online services

We use certain tools and systems to protect and secure our online services. From time to time we may also need to use your personal data to investigate, detect and prevent fraudulent or malicious behaviour. We may also monitor users to make sure our system is being used in accordance with our terms.

In these instances, we will process your personal data for as long as you use our services, or there is an open investigation. We may need to retain the data for legal purposes.

Soliciting feedback and undertaking market research

We solicit feedback from our customers to enhance and improve our services. We view this as a legitimate business interest. If you do not wish to be contacted for such purposes you can opt-out or unsubscribe at any time by clicking the unsubscribe link in any email we have sent, or by contacting us directly.

We will retain this information for as long as you remain a customer, or until you opt-out.

Publishing testimonials

If we want to publish your named testimonial or feedback, we will ask for your consent to do so in writing. You can revoke your consent at any time by contacting us. We will seek to remove the published information as soon as possible.

We will retain this information for as long as you remain a customer or until you revoke consent and ask for it to be deleted.

Sending direct marketing via email to our subscribers

We operate an email marketing list to keep our members up to date with company news, send out promotional offers, and market new products and services. We do this using the soft opt-in mechanism under the Privacy and Electronic Communications Regulations, and using the lawful basis of legitimate interests. You can opt-out by clicking the unsubscribe link in any email we have sent, or by contacting us directly.

Your personal data will be retained until you unsubscribe, or we cease to operate the email marketing list.

Maintaining a marketing unsubscribe list

We must keep a record of all requests to unsubscribe from our marketing email list. This helps us to uphold the request now and, in the future, ensuring the contact is not re-added to the list in error further down the line.

Your personal data will be retained until we cease to operate the email marketing list.

Managing data subject’s rights, requests and complaints

We have a duty to uphold your data protection rights and to respond to your requests in a timely fashion. To do this, we will need to process and store a limited amount of information about you.

For example, if you submit a subject access request, we will need to keep a log of your request, and the steps we’ve taken to respond to you. We will retain records of this nature for a period of at least 3 years and maybe longer if the request is complex, a complaint is submitted or has resulted in an investigation by the ICO.

Cookies

We use a range of cookies on our website which is detailed further in our Cookie Policy.

Sharing and transfers of data

Our current list of data processors includes:

  • Office365
  • HubSpot
  • Tinker Tailor Design
  • GoCardless
  • Dext
  • Stripe
  • Xero
  • PREP
  • The Accounts Place
  • Wise

We require all data processors to respect the security of your personal data and to treat it in accordance with the law. Data processors are not allowed to use your personal data for their own purposes; we only permit them to process your personal data for specified purposes and in accordance with our instructions.

Some of our data processors will store some of your personal data in the UK. This means that it will be fully protected under UK data protection laws.

Some of our data processors will store your personal data within the European Economic Area (the “EEA”). Transfers of personal data to the EEA from the UK are permitted without additional safeguards.

Some of our data processors will store and process your personal data in countries outside of the UK and EEA. These are known as “third countries”. In these instances we take additional steps to ensure that your personal data is protected and secured as it would be within the UK including:

  • Processing personal data in or to countries that are deemed to provide an adequate level of protection for personal data.
  • Using standard contractual clauses or specifically approved contracts, or other measures approved from time to time by the Information Commissioner’s Officer, which ensure the same levels of personal data protection.

Please contact us for further information about the particular data protection safeguards used by us when transferring your personal data to a third country.

How your data is kept secure

We have implemented a range of measures to protect your data including:

  • Putting appropriate security measures in place, to prevent your personal data from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way.
  • Limiting access to your personal data on a ‘need to know’ only basis.
  • Ensuring our staff are trusted and trained in data protection compliance and confidentiality.
  • Carrying out compliance checks on our data processors, making sure they are honouring their data protection obligations
  • Following due process to deal with any suspected personal data breach.
  • Only transferring your data outside of the European Economic Area (EEA) with the required safeguards and guarantees in place
  • Only retaining your personal data for as long as necessary to fulfil the purpose we collected it for.

Your data protection rights

At any point you can exercise your:

  • Right to be informed – we publish this Privacy Notice to supply all the information you need. If you have any questions, please contact us.
  • Right of access – please contact us for a copy of the data we hold about you.
  • Right to rectification – please let us know if the data we hold about you is out of date or inaccurate and we’ll update it.
  • Right to erasure – if you no longer want to use our services, please contact us and we’ll delete the data we’re able to. We may need to retain certain information for legal or taxation purposes.
  • Right to restrict processing – upon request, we will always restrict processing to only what is necessary.
  • Right to object – if you want us to stop processing, and the processing isn’t necessary, a legal obligation or part of an existing contractual agreement; we’ll oblige.
  • Right of portability – we will happily support reasonable requests to transfer your data to another organisation should you require it.
  • Right to object to automated decision making and profiling – we don’t carry out any form of automated decision making or profiling at present.

If you’re unhappy with the way we’re processing your data, please contact us. If we ever refuse to uphold your rights, we will provide you with a reason why. You then have the right to complain to your data protection authority as detailed below.

How to contact us

To exercise all rights, queries or complaints in relation to this Privacy Notice please contact our Data Protection Lead, Rebecca Wormleighton, by email to dataprivacy@oprl.org.uk.

How to make a complaint

If this does not resolve your issue to your satisfaction, you have the right to lodge a complaint with the UK’s Supervisory Authority, the Information Commissioner’s Office.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113

Web: https://ico.org.uk/make-a-complaint/

Last Updated August 2024