Privacy Policy
1. Purpose and Scope of this Privacy Policy
IBERVEG UK LTD (“the Company”) collects, uses, shares, and retains certain Personal Data about Personal data current, past, and prospective consumers, customers, suppliers, business contacts, employees, and other individuals in the course of its business activities. Personal Data must be Processed in accordance with the UK General Data Protection Regulation (UK GDPR) , and where applicable, the General Data Protection Regulation (Regulation (EU) 2016/679), along with other relevant national and European privacy laws and regulations (collectively referred to as “Data Protection Law”).
The Company recognises the importance of treating Personal Data in a lawful, fair, and transparent mannerand is committed to meeting its obligations under Data Protection Law. This Privacy Policy Privacy Policy explains how the Company handles Personal Data.
This Privacy Policy applies to all individuals who interact with IBERVEG UK LTD in any capacity, including employees, customers, suppliers, and other third parties
The term Personal data is used throughout this Privacy Policy to refer to any information relating to an individual from which that individual can be identified. Other key data protection terms are defined in Schedule 1.
This Privacy Policy explains how the Company collects and uses Personal Data in the course of its business operations, including data obtained through:
- telephone calls, emails, and other communications;
- service providers and third parties;
- the Company’s website (the “Site");
- social media platforms.
In this Privacy Policy, references to the Site and social media platforms are collectively referred to as"Online Tools".
Personal Data may be provided to the Company directly by the individual or by a third party acting on their behalf.
This Privacy Policy may be supplemented by additional privacy notices relating to specific services or relationships.
2. Personal Data the Company Processes
The nature of the Personal Data that the Company holds depends on its relationship with the individual, the form of communication, and the services involved.
In general, the types of Personal Data processed fall under three broad categories:
- Employees;
- Business Contacts;
- Customers.
The Company aims to ensure that all Personal Data it holds is accurate, up-to-date and held only for as long as necessary.Personal Data is stored in as few locations and copies as reasonably possible.Relevant personnel are trained to manage data responsibly and avoid unnecessary duplication.
Further detail on the categories of Personal Data is provided in Schedule 2.
3. How the Company Uses Personal Data
The Company uses Personal Data for a variety of business-related purposes.These purposes will depend on the individual’s relationship with the Company, but may include:
- managing employment records and HR operations;
- ensuring employee welfare and health and safety;
- providing goods and services;
- maintaining communication and responding to enquiries;
- monitoring quality and improving products or services;
- conducting research and analysis to better understand customers;
- delivering marketing content in accordance with preferences;
- customising digital experiences on Online Tools;
- managing internal operations and IT systems;
- handling complaints and legal requests;
- complying with legal and regulatory obligations;
- protecting the legal rights and interests of the Company.
4. Automated Decision-Making
The Company may use automated systems to assist with certain decisions. These are generally used for standardised or routine processes. Where such systems are used in ways that significantly affect individuals, additional information will be provided..
5. Responsibility for Personal Data
IBERVEG UK LTD is responsible for ensuring that Personal data is processed lawfully, securely, and in accordance with this Policy and Data Protection Law..
When engaging third parties to process Personal Data, the Company ensures they are subject to appropriate safeguards and contractual obligations to maintain data protection standards.
6. Sharing of Personal Data
The Company may share Personal Data with trusted third partiesas required for business purposes, including service providers, advisers, and regulatory authorities.. Personal Data may also be received from third parties in the same context.
Details of the types of third parties with whom Personal Data may be shared are outlined in Schedule 4.
In limited circumstances, the Company may be legally required to disclose Personal Data without the individual’s consent, such as to law enforcement authorities or regulators..
7. International Transfers of Personal Data
Where necessary, the Company may transfer Personal Data to countries outside the United Kingdom and the European Economic Area (EEA),including countries that may not offer the same level of data protection..
In such cases, the Company ensures appropriate safeguards are appropriate safeguardssuch as standard contractual clauses approved by the UK Information Commissioner’s Office or the European Commission.
For more information on international transfers, see the Schedule 8.
8. Security of Personal Data
The Company implements appropriate physical, technical, organisational, and legal measures to safeguard Personal Data. These include:
- IT protections such as firewalls, encryption, and antivirus software;;
- Secure storage for physical documents;
- policies and training for staff on data handling and security.
Where third parties process Personal Data on the Company’s behalf, they are required to implement similar security measures.
While the Company strives to protect Personal Data, no system can be completely secure. Any suspected data breach or concern should be reported promptly..
More details can be found in the Company’s security policy, available upon request.
9. Legal Basis for Processing Personal Data
The Company is required to identify a valid legal basis under Data Protection Law for processing Personal Data. These are outlined in Schedule 5 and may include:
- performance of a contract;
- compliance with legal obligations;
- legitimate business interests;
- explicit consent (particularly for special category data);
- protection of vital interests;
- tasks carried out in the public interest.
Where the Company relies on legitimate interests, these may relate to business efficiency, legal compliance, fraud prevention, or improving customer service.
Consent will be obtained consent where required by law, especially for the processing of sensitive Personal Data..
10. Monitoring
The Company may monitor and record communicationssuch as phone calls and emails for the following purposes:
- quality control and training;
- handling complaints or disputes;
- ensuring compliance with Company's policies;
- detecting and preventing fraud or other unlawful activity.
The Company may also use CCTV in its premises. For more information, see the Schedule 6.
11. Retention of Personal Data
Personal Data is retained only as long as necessary to fulfil its purpose or to comply with legal and regulatory requirements. Data retention periods depend on the nature of the data and the reasons for its collection.
In general, data may be retained for the following reasons:
- legal or regulatory compliance;
- responding to legal claims or disputes;
- auditing and business analysis;
- handling post-employment or post-service obligations.
For more specific retention information, see Schedule 8.
12. Personal Data Rights
Under Data Protection Law, individuals have a number of rights regarding their Personal Data. A summary is provided in Schedule 7, and includes:
- the right to access Personal Data;
- the right to correct or update inaccurate data;
- the right to request deletion of data ("right to be forgotten");
- the right to restrict or object to processing;
- the right to data portability;
- rights in relation to automated decision-making and profiling.
To exercise these rights, individuals may contact the Company as outlined below.
13. Who to Contact About Personal Data
If you have any questions, concerns, or requests regarding this Privacy Policy or your Personal Data, please contact:
info@iberveg..com - Schedule 8
14. Review and Updates
This Privacy Policy is reviewed regularly and may be updated to reflect changes in legal obligations, business practices, or data processing activities..
This Privacy Policy was last updated on 09/06/2025.
SCHEDULE 1
Definitions of Key Data Protection Terms
- "Data Breach" refers to any incident involving a failure of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that has been transmitted, stored, or otherwise Processed.
- "Data Controller" means the organisation or individual who determines the purposes for which, and the manner in which, Personal Data is Processed.
- "Data Processor" refers to a third party who Processes Personal Data on behalf of the Data Controller (for instance, a company providing payroll or IT services).
- "European Economic Area" (or "EEA") comprises the member states of the European Union, along with Iceland, Liechtenstein, and Norway. Although the United Kingdom has left the EU, references to the EEA may still be relevant in certain contexts under UK data protection legislation.
- "Personal data" means any information relating to an identified or identifiable living individual. This includes, but is not limited to:
- a person's name or identification number;
- details that relate to a specific geographical location; or
- any data uniquely linked to that person.
- “Processing” encompasses any operation or set of operations performed on Personal Data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, erasure or destruction of Personal Data. Such activities may be carried out manually or through automated systems. The terms “Process” and “Processing” are to be interpreted accordingly.
- "Profiling" refers to the automated Processing of Personal Data for the purpose of evaluating or predicting aspects of an individual’s performance, behaviour, choices or preferences.
- "Sensitive Personal Data" (also referred to as “Special Category Data”) includes Personal Data that reveals information regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes the Processing of genetic and biometric data (such as fingerprints or facial images), health-related information, details concerning an individual’s sex life or sexual orientation, and data relating to criminal convictions and offences.
SCHEDULE 2
Types of Personal Data
| TYPE OF PERSONAL DATA | EXAMPLES |
|---|---|
| CONTACT DETAILS | Full name, home address, e-mail address and telephone number. |
| GENERAL PERSONAL DATA | Gender, marital and family status, date and place of birth, physical characteristics and expression of personal preferences or intentions. |
| EDUCATIONAL AND EMPLOYMENT HISTORY | Academic qualifications, details of current and previous employers, employment history, professional skills and experience, professional licences, memberships and affiliations. |
| OFFICIAL IDENTIFICATION | National Insurance number, passport number, tax identification number, driving licence number or other forms of official identification. |
| FINANCIAL DATA | Payment card details (credit or debit), bank account information, financial account numbers and other financial information. |
| SERVICE-RELATED INFORMATION | Information about an individual’s position as a company officer, director, partner, or their ownership or management role within an organisation. |
| MARKETING AND CUSTOMER ENGAGEMENT | Marketing preferences and responses to customer service or satisfaction surveys. |
| ONLINE USAGE DATA | The Company may collect Personal Data when an individual uses online services or tools. This may include social media account identifiers, IP addresses, and other online identifiers (insofar as they are considered Personal Data), along with any information provided to the Company via its online platforms. |
| ADDITIONAL DATA FROM THIRD-PARTY SOURCES | The Company and its service providers may enhance the Personal Data collected with information from third-party sources (for example, publicly accessible social media profiles, online services, third-party data providers, and business partners). |
SCHEDULE 3
General Staff Guidelines
All individuals working for or with IBERVEG UK LTD who handle Personal Data have a responsibility under this Privacy Policy to ensure that Personal Data is collected, stored, and processed appropriately, securely, and in full compliance with Data Protection Law. Staff must remain vigilant to adhere strictly to this Privacy Policy. Should any uncertainty arise, employees are encouraged to seek guidance using the contact details provided in Schedule 8.
- Access to Personal Data governed by this Privacy Policy is strictly limited to those who require it to perform their work duties.
- Employees must safeguard all Personal Data by adopting sensible security measures, including the use of strong, confidential passwords which must never be shared. Where applicable, IBERVEG UK LTD will ensure that Personal Data is encrypted both in storage and during transmission.
- Personal Data must not be shared informally. Requests for access to Personal Data should be made through the appropriate line manager.
- Disclosure of Personal Data to unauthorised persons, whether inside or outside the company, is strictly prohibited.
- Files containing Personal Data should be regularly reviewed and updated. Any Personal Data no longer necessary for business purposes must be securely and permanently deleted.
- Training is provided to relevant employees to ensure they fully understand their responsibilities when handling Personal Data. Any employee who feels they have not received sufficient training should report this to their manager.
- Paper records containing Personal Data should be securely stored when not in use or securely shredded and disposed of if no longer needed.
- Employees must ensure that printed materials or paper documents containing Personal Data are not left unattended in places where unauthorised persons could view them, such as printers or shared desks.
- Electronic storage of Personal Data must be protected against unauthorised access, accidental deletion, and malicious attacks.
- If Personal Data is stored on removable media, such as USB drives, these must be kept securely when not in use.
- All servers and computers containing Personal Data must be protected in line with IBERVEG UK LTD’s Information Security Policy.
- Downloading Personal Data onto personal devices, including laptops or PCs, is generally prohibited unless explicit permission is granted by a line manager and the download is essential to carry out the employee’s duties.
- Employees should be aware that IBERVEG UK LTD reserves the right to inspect all files stored on its network, including emails. During any investigation concerning employee conduct, appointed investigators will have unrestricted access to relevant records and premises. They are authorised to examine, copy, or remove any files, desks, cabinets, or other storage without prior consent, provided this falls within the scope of their investigation. No data should be deleted or destroyed once an investigation has commenced.
- Employees must maintain the confidentiality of all Confidential Information — including Personal Data and non-public business information — at all times, both during and after their employment with IBERVEG UK LTD.
- Disclosure of any Confidential Information to third parties who are not employed by the IBERVEG UK LTD group is prohibited without prior consent from a direct manager or a company director, except where disclosure is made to professional advisers of the company who are aware of the confidential nature of the information.
SCHEDULE 4
Type of Third Party
| TYPE OF THIRD PARTY | EXAMPLES |
|---|---|
| SERVICE PROVIDERS AND ADVISORS | External third-party service providers, including but not limited to: pension and payroll providers; security personnel; accountants; auditors; expert consultants; solicitors and other professional advisors; travel service providers; call centre operators; IT systems, support and hosting providers; marketing, advertising and data analysis providers; banks and financial institutions managing the Company’s accounts; document and records management companies; and other outsourced service providers assisting IBERVEG UK LTD with its business operations. |
| GOVERNMENT / JUDICIAL AUTHORITIES | IBERVEG UK LTD may also disclose Personal Data to: (a) Government or public authorities (including, but not limited to, courts, regulatory agencies, law enforcement bodies, tax authorities, and agencies conducting criminal investigations); and (b) Third-party participants in legal proceedings, including their accountants, auditors, solicitors, and other advisors and representatives, where deemed necessary or appropriate by the Company. |
| OTHER | A purchaser or prospective purchaser of a business unit of IBERVEG UK LTD. |
SCHEDULE 5
Legal Bases for Processing
| Purpose of Processing | Consent | Contractual Necessity | Legal Requirement | Legitimate Interests |
|---|---|---|---|---|
| To communicate with individuals | ● | ● | ● | |
| For the employment relationship | ● | ● | ● | |
| To provide products and services | ● | ● | ||
| To improve the quality of the Company’s products and services, for training, and to maintain information security | ● | ● | ||
| To manage commercial risks | ● | ● | ||
| To carry out research and analysis | ● | ● | ||
| To provide marketing information | ● | ● | ||
| To manage the Company’s business operations and IT infrastructure | ● | ● | ● | |
| To manage complaints, feedback and queries | ● | ● | ● | |
| To comply with applicable laws and regulations | ● | |||
| To personalise the user experience when using Online Tools | ● | ● |
SCHEDULE 6
CCTV Policy & Procedures
The purpose of the Company’s CCTV system is to ensure the health and safety of employees and customers, safeguard the security of Company personnel and property, and to prevent and detect criminal activity, including theft.
The Company ensures that the use of CCTV is compliant with the requirements of Data Protection Law. Employees are expected to comply with this CCTV policy, and any failure to do so may result in disciplinary action, up to and including dismissal.
Access to the CCTV system and recordings
Access to the CCTV system and any recorded footage is strictly limited to authorised personnel, including security staff and members of the management team.
Cameras
The Company operates CCTV cameras located throughout its warehouses, office buildings, and retail premises. Clear signage is displayed in all monitored areas to inform individuals of CCTV surveillance. These systems operate continuously, 24 hours a day, seven days a week.
Processing of Images
Recorded images and related data, which may include audio, will be retained for no more than 30 days from the date of recording. After this period, the system will automatically overwrite the data. However, the Company reserves the right to retain images for a longer duration where there are legitimate reasons for doing so. Any retained footage will be securely stored and used strictly for the specific purpose for which it was retained. Once that purpose no longer applies, the footage will be securely deleted by a designated individual, ensuring that the data cannot be reconstructed or accessed by third parties.
Employees authorised to process CCTV images must do so in accordance with established procedures and must uphold the security of the data at all times. Any employee found to be using the CCTV system or footage in an unauthorised manner may be subject to disciplinary proceedings, up to and including dismissal. Unauthorised use includes, but is not limited to: sharing images containing personal data with unauthorised individuals, including other employees; copying CCTV footage to external media or publishing it online or in print; and circulating such footage via email, telephone or the internet.
Access to and Disclosure of Images to Third Parties
Access to and disclosure of recorded images is strictly controlled. Disclosure to third parties will only occur under specific and lawful circumstances. These may include: preventing injury or damage to property; compliance with legal obligations; obtaining legal advice or for legal proceedings; or with the consent of the data subject or their authorised representative.
Requests from law enforcement agencies for access to CCTV footage should only be fulfilled upon receipt of a formal written request confirming that a criminal investigation is underway. In urgent cases, the Company may allow footage to be viewed prior to receiving the written request, provided the law enforcement agency agrees to supply it as soon as reasonably practicable.
The Company also reserves the right to share personal data with specific third parties for legitimate business purposes. These may include: insurance providers, medical professionals, pension and medical insurance administrators, and contracted security services.
Access by Data Subjects
In accordance with Data Protection Law, individuals have the right to access images in which they appear. This right applies equally to employees and members of the public. Please refer to Schedule 8 for further details.
Disciplinary Purposes
The Company reserves the right to utilise CCTV footage in disciplinary proceedings. Such footage may be used as part of, or in support of, an investigative process. All relevant parties will be given the opportunity to view and respond to the footage. Examples of disciplinary use include, but are not limited to: establishing facts in cases where other evidence is conflicting; investigating alleged stock losses, theft, or misuse of timekeeping systems; or examining incidents involving health and safety breaches.
SCHEDULE 7
Data Subject Rights
| RIGHT | DESCRIPTION | WHEN DOES THIS APPLY? |
|---|---|---|
| RIGHT OF ACCESS TO PERSONAL DATA | Individuals have the right to obtain a copy of the Personal Data held about them by the Company, along with information on how it is used. | This right applies at all times while the Company holds the individual’s Personal Data, subject to certain exemptions. |
| RIGHT TO RECTIFICATION OF PERSONAL DATA | Individuals may request that inaccurate or incomplete Personal Data be corrected or completed. | This right applies whenever the Company holds inaccurate or incomplete Personal Data, subject to certain exemptions. |
| RIGHT TO ERASURE OF PERSONAL DATA (RIGHT TO BE FORGOTTEN) | Individuals can request that their Personal Data be deleted from the Company’s records. This right is limited to specific circumstances. | Applies, for example, when: The data is no longer required for the purpose it was collected; Consent has been withdrawn and there is no other legal basis for processing; An objection to processing has been raised and no overriding legitimate grounds exist; The data has been unlawfully processed; The data must be erased to comply with legal obligations. |
| RIGHT TO RESTRICT PROCESSING | Individuals may request a temporary halt to the use of their Personal Data, although the Company may continue to store it. | Individuals may obtain their Personal Data in a structured, commonly used and machine-readable format and may ask for it to be transferred directly to another organisation, where technically feasible. |
| RIGHT TO DATA PORTABILITY | Individuals may obtain their Personal Data in a structured, commonly used and machine-readable format and may request that it be transferred directly to another organisation, if technically feasible. | Applies when: The data was provided by the individual; The processing is based on consent or contract; The processing is carried out by automated means. |
| RIGHT TO OBJECT TO PROCESSING | Individuals may object to the use of their Personal Data in certain circumstances. The Company may continue processing if there are overriding legitimate grounds or legal claims involved. | Applies where processing is based on the Company’s legitimate interests or is for direct marketing purposes. |
| RIGHTS REGARDING AUTOMATED DECISION-MAKING AND PROFILING | Individuals have the right not to be subject to decisions based solely on automated processing that significantly affects them. They may request human intervention. | Not applicable where: Processing is necessary for a contract; Authorised by law; Based on explicit consent. |
| RIGHT TO WITHDRAW CONSENT | Where processing is based on consent, individuals may withdraw that consent at any time. | Applies only where the legal basis for processing is the individual’s consent. |
| RIGHT TO LODGE A COMPLAINT | Individuals may lodge a complaint with a relevant data protection authority if they believe their Personal Data has been mishandled. | This right is available at any time. Complaints can be made to the authority in the individual’s country of residence or employment if within the EEA. |
SCHEDULE 8
Contact details
IBERVEG UK LTD
For any queries or concerns relating to the matters outlined in this document, please contact:
Data Protection Team
IBERVEG UK LTD
E-mail: info@iberveg.com
Alternatively, you may reach out to the Company’s appointed Data Protection Representative for further assistance on any data protection matters.