Shopping Behaviour Xplained data protection Policy

1. Overview

Shopping Behaviour Xplained (“SBXL””) have a legal obligation to appropriately use and safeguard the personal data that it has in its possession, or under its control in accordance with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, together with all other applicable data protection laws (“Data Protection Legislation”).

SBXL adopt a number of methodologies and processes to help brands and retailers engage with shoppers both in stores and on-line by undertaking various forms of market research (“Services”). In the course of providing the Services, SBXL will have access to and may store or process personal data. This policy sets out how SBXL aim to comply with GDPR and it is imperative that all employees and, where applicable, contractors and other third parties are aware of the data protection requirements associated with the provision of the Services and SBXL’s business activities and business model generally.

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Purpose and Scope

The procedures and measures set out in this document must be followed at all times by SBXL, its employees, agents, contractors or other parties working for or on behalf of SBXL.

  • Data Protection Legislation is designed to protect the privacy and integrity of personal data held by SBXL, other businesses and organisations.
  • In the context of the data held by SBXL includes (and its status is in brackets):
  • Data that relates to employees. The processing and management of this data is covered separately in our employee policies and procedures (Data Controller). In addition, personal data is processed by David Evans & Co (accountants) and HELP (HR services) and is processed and stored subject to those parties terms and conditions;
  • Data that relates to our clients for whom we provide the Services (Data Controller or Processor);
  • Data that relates to the shoppers we engage with in the course of the provisions of the Services (Data Processor and in some circumstances joint Data Controller); and
  • Data from prospective clients who may be interested in the provision of Services or other third parties who may have queries (Data Processor and Controller).

3. Policy

Under GDPR there are six principles that are set out as the main responsibilities for organisations. These are:

  • 1st: Personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals;
  • 2nd: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or
  • 3rd: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • 4th: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
  • 5th: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public t, scientific or historical research purposes or statistical purposes subject
  • 6th: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

4. Lawful, Fair, and Transparent Data Processing

The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. Processing is necessary to protect the vital interests of the data subject or of another natural person;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data.

5. Types of Personal Data and Processing for Specified, Explicit and Legitimate Purposes

SBXL collects, processes and may hold the following personal data: names, addresses, telephone numbers and e mails, next of kin/ emergency contact details (employees only), national insurance numbers and tax codes (employees only), visual images of shopper- data subjects, together with cookie data on its website (see below), to the extent necessary for its specific purpose. This may include personal data received directly from data subjects (for example, contact details used when a data subject communicates with us) and data received from third parties (for example, names, addresses and telephone numbers of clients, suppliers and shoppers including data captured as a result of surveys carried out for market research purposes).

SBXL only processes and stores personal data for the following specific purposes:

  • To perform contracts with third parties, including clients;
  • For carry out shopper tracking studies on behalf of clients, at the client’s request;
  • For employment law purposes, including processing pay and to fulfil and discharge health and safety obligations;
  • To prevent or detect crime (in the case of CCTV footage – see below);
  • For its own marketing purposes, subject to receiving consent from the relevant data subject;
  • To comply with other statutory obligations or the requirements of SBXL’s insurers or HMRC.

The purposes for which we process personal data will be informed to data subjects at the time that their personal data is collected, where it is collected directly from them, or as soon as possible (not more than one calendar month) after collection where it is obtained from a third party.

6. Accuracy of Data and Keeping Data Up to Date

SBXL shall ensure that all personal data collected and processed is kept accurate and up-to-date. The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. Data will be destroyed either 90 days after it was generated or at the end of a client project (whichever is the later). Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

7. Timely and Secure Processing

SBXL shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay. It shall ensure that all personal data collected and processed is kept secure. Further details of the measures in place are set out below at section 15.

8. Accountability and Privacy Impact Assessments

SBXL have persons specifically appointed to deal with data protection matters: For more information please email SBXL shall keep written internal records of all personal data collected, held and processed, which will include but will not be limited to the following: the purposes for which SBXL processes personal data, the categories held, details of how long personal data will be retained by SBXL and the technical, organisational and security measures in place to ensure the security of personal data.

SBXL shall carry out Privacy Impact Assessments when and as required under the GDPR. Privacy Impact Assessments shall be overseen by SBXL data protection officers.

9. The Rights of Data Subjects

The GDPR introduces specific rights for individuals whose data may be processed, this includes:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

10. Keeping Data Subjects Informed

10.1 SBXL shall ensure that the following information is provided to every data subject when personal data is collected:

  1. Details of SBXL including, but not limited to, the identity of its data protection contact;
    The purpose(s) for which the personal data is being collected and will be processed and the legal basis justifying that collection and processing;
  2. Where applicable, the legitimate interests upon which SBXL is justifying its collection and processing of the personal data;
  3. Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
  4. Where the personal data is to be transferred to one or more third parties, details of those parties;
  5. Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place;
  6. Details of the length of time the personal data will be held by SBXL (or, where there is no predetermined period, details of how that length of time will be determined);
  7. Details of the data subject’s rights under the GDPR;
  8. Details of the data subject’s right to withdraw their consent to SBXL’s processing of their personal data at any time;
  9. Details of the data subject’s right to complain to the Information Commissioner’s Office (the ‘supervisory authority’ under the Regulation);
  10. Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it;
  11. Details of any automated decision-making that will take place using the personal data (including but not limited to profiling), including information on how decisions will be made, the significance of those decisions and any consequences.

10.2 The information set out above in section 10.1 shall be provided to the data subject at the following applicable time:

  1. Where the personal data is obtained from the data subject directly, at the time of collection;
  2. where the personal data is not obtained from the data subject directly (i.e. from another party):
  3. If the personal data is used to communicate with the data subject, at the time of the first communication; or
  4. If the personal data is to be disclosed to another party, before the personal data is disclosed; or
  5. In any event, not more than one month after the time at which SBXL obtains the personal data.

11. Data subject access policy

11.1 A data subject may make a subject access request (“SAR”) at any time to find out more about the personal data which SBXL holds about them. SBXL is normally required to respond to SARs within one month of receipt (this can be extended by up to two months in the case of complex and/or numerous requests, and in such cases the data subject shall be informed of the need for the extension).

11.2 All subject access requests received must be forwarded to If dataprotectionofficer@sbxl.comreceives a request under the GDPR it will log it on its GDPR Data Subject Access Request register. It will acknowledge the request by emailing the Data Subject back within 48 hours.

11.3 SBXL does not charge a fee for the handling of normal SARs. SBXL reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

11.4 In SBXL’s case a Data Controller, the data subject will typically be a client, employee or supplier to us. As Data Processor, the data subject will be either a client or a person included in the data that we will process on behalf of one of our clients which is sent to a third party for the performance of a contract.

Rectification and Erasure of Personal Data

12.1 If a data subject informs SBXL that personal data held by SBXL is inaccurate or incomplete, requesting that it be rectified, the personal data in question shall be rectified, and the data subject informed of that rectification, within one month of receipt the data subject’s notice (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).

12.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data.

12.3 Data subjects may request that SBXL erases the personal data it holds about them in the following circumstances:

  1. It is no longer necessary for SBXL to hold that personal data with respect to the purpose for which it was originally collected or processed;
  2. The data subject wishes to withdraw their consent to SBXL holding and processing their personal data;
  3. The data subject objects to SBXL holding and processing their personal data (and there is no overriding legitimate interest to allow SBXL to continue doing so);
  4. The personal data has been processed unlawfully;
  5. The personal data needs to be erased in order for SBXL to comply with a particular legal obligation.
  6. Unless SBXL have reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).
  7. In the event that any personal data that is to be erased in response to a data subject request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

Restrictions on Personal Data Processing

13.1 Data subjects may request that SBXL ceases processing the personal data it holds about them. If a data subject makes such a request, SBXL shall retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place.

13.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

Data Portability and Objections to Processing

14.1 SBXL may from time to time process personal data using automated means for distributing marketing information, making payments to suppliers and receiving receipts from clients in the normal course of its business.

14.2 Where data subjects have given their consent to SBXL to process their personal data in such a manner or the processing is otherwise required for the performance of a contract between SBXL and the data subject, data subjects have the legal right under the GDPR to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organisations).

14.3 Data subjects have the right to object to SBXL processing their personal data based on legitimate interests (including profiling), direct marketing. In addition, when a data subject objects to SBXL processing their personal data based on its legitimate interests, SBXL shall cease such processing forthwith, unless it can be demonstrated that SBXL’s legitimate grounds for such processing override the data subject’s interests, rights and freedoms or the processing is necessary for the conduct of legal claims.

15. Data Protection Measures

15.1 SBXL shall ensure that all its employees, agents, contractors, or other parties working on its behalf comply with or be made aware of the following when working with personal data:

  1. SBXL’s server is hosted on site. Its IT provider is Total IT. SBXL’s website: is hosted by Lightbox Creative.
  2. SBXL uses Google Mail. The use by SBXL of Google Mail is subject to Google’s data protection policy criteria.
  3. All personal data processed and stored, double encrypted using EndPoint Encryption.
  4. SBXL takes CCTV video footage at various stores across the country and internationally for and on behalf of its clients. Once the
  5. CCTV footage has been taken it is distilled in to a spreadsheet and anonymised. SBXL deletes the CCTV footage once the purpose has been fulfilled and the data has been distilled which is after 90 days or the end of the client project whichever comes last.
  6. Signage is displayed in prominent positions around the various client’s stores;
  7. SBXL therefore processes and stores data for the performance of its contract with its clients. SBXL is obliged to retain personal data for a regulatory, statutory obligation, to comply with its insurers requirements or where it is in SBXL’s legitimate interest to do so;
    Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
  8. Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
  9. Personal data contained in the body of an email will be stored appropriately or deleted once the purpose has been fulfilled. All temporary files associated therewith should also be deleted;
  10. Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient;
  11. Personal data must be handled with care at all times so as to minimise unauthorised disclosure and data security breach. SBXL will have in place suitable arrangements in its offices to protect personal data. In particular:
  12. Access to personal data is restricted to those who need access for the relevant purpose;
  13. Computers are password protected with such passwords being changed at appropriate intervals;
  14. All internal and external hard drives containing personal data are encrypted;
  15. Premises are alarmed and accessed by key pad;
  16. SBXL will at all times have appropriate back up procedures in place, using an encrypted server and Google’s cloud based Apps for Business

15.2 SBXL shall ensure that its employees, agents or contractors and those within SBXL or third parties working on its behalf are made aware and receive appropriate training and guidance as to their obligations under GDPR.

16. Transferring Personal Data to a Country Outside the EEA

16.1 SBXL does not currently transfer any data outside of the EEA

16.2 The transfer of personal data to a country outside of the EEA shall only take place if SBXL have adequate technical, organisation and security measures in place and the data subject has consented to the transfer.

17. Data Breach Notification

17.1 All personal data breaches must be reported immediately to

17.2 If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), an SBXL Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.


The statement below is the privacy statement SBXL will display on its website (as amended or updated from time to time):

18.1 Our Commitment To Privacy

Your privacy is important to us. To better protect your privacy we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used. To make this notice easy to find, we make it available throughout the website and at every point where personally identifiable information may be requested.

18.2 The Information We Collect

This notice applies to all information collected or submitted on this website.

On some pages, you can make requests and register to receive materials. The types of personal information collected at these pages are: Name, Email address.

18.3 The Information We DON’T Collect

Credit/Debit Card Information

18.4 How We Use Information

We use the information you provide about yourself solely to fulfil your request. We do not share this information with outside parties. We use return email addresses to answer the email we receive. Such addresses are not used for any other purpose and are not shared with outside parties other than to keep you updated with new products and services from Shopping Behaviour Xplained Ltd.

You can unsubscribe or decline to receive this information at the time of making a request or at any time thereafter. Your details will then be immediately removed from our database.

Finally, we never use or share the personally identifiable information provided to us online in ways unrelated to the ones described above without also providing you an opportunity to opt-out or otherwise prohibit such unrelated uses.

18.5 Our Commitment To Data Security

To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

18.6 How To Access Or Correct Your Information

You can access all your personally identifiable information that we collect online and maintain by calling us or sending us an email. We use this procedure to better safeguard your information.

You can correct factual errors in your personally identifiable information by sending us a request that credibly shows error.

To protect your privacy and security, we will also take reasonable steps to verify your identity before granting access or making corrections.

18.7 How To Contact Us

Should you have other questions or concerns about these privacy policies, please contact us

18.8 Cookie Policy

A cookie is a small piece of text that is stored on your computer, phone or other mobile device when using a browser to connect to the internet. Cookies have many uses but specifically, they are used to store information about you on your computer. Unless you have specifically set your computer to reject cookies, websites will already have been using cookies to enhance your online experience.

18.9 How we use cookies

Shopping Behaviour Xplained Ltd uses cookies to gain a better understanding of our customers so that we can provide a better online experience. This applies to all visitors to our website, in all jurisdictions.

In order to comply with EU regulations, visitors to our website now have the option of accepting our cookies. We recommend you allow the cookies we set by this website as they help us provide a better service. If you do not want to receive cookies from this website, select cookie settings under the privacy settings in your browser options, then add our domain to the list of websites you do not want to accept cookies from.

The cookies we use on collect basic information about our visitors including what pages have been visited and how they found our website. The information we gather does not identify anyone and we make no attempt to find out who has been to our site.

What we do gain from this information is a better understanding of what our user’s are interested in on our website and how we can improve the experience.

18.10 The cookies we use:

Google Analytics: The Google Analytics cookie contains a randomly generated ID used to recognise your browser when you read a page. The cookie contains no personal information and is used only for web analytics.

Cookie Acceptance: This cookie monitors whether or not you have accepted cookies on our site.

18.11 People who use our online services

We will not give your contact information to any other organisation unless legally obliged to do so.


This policy will be reviewed annually and will also be updated as and when required.