Data Protection Policy

Our Policy outlines Project Merchandise’s (“the Company”) responsibilities under Data Protection Law regarding the personal data of Clients, Suppliers, Contractors, Prospective Clients, and anyone that the Company deals with. Data Protection Law includes UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations 2003, among others.

This Policy governs how the Company and its representatives collect, process, transfer, store, and dispose of personal data. All employees, agents, contractors, and parties working for the Company must adhere to these procedures and principles consistently.

‘consent’
the data subject’s freely given, specific, informed, and unmistakable indication of agreement to the processing of their personal data. This agreement can be expressed through a statement or a clear affirmative action;

‘data controller’
the data controller is the individual, organisation, or entity responsible, either alone or with others, for determining the purposes and methods of processing personal data. In this Policy, Project Merchandise acts as the data controller for all personal data related to clients, business contacts, suppliers, staff, contractors, and any other contacts used for the business’s commercial purposes;

‘data processor’
means a natural or legal person or organisation which processes personal data on behalf of a data controller;

‘data subject’
a living, identified, or identifiable natural person about whom the Company holds personal data;

‘EEA’
the European Economic Area, consisting of all EU Member States, Iceland, Liechtenstein, and Norway;

‘personal data’
any information concerning a data subject who can be identified, directly or indirectly. This identification can be done by referring to an identifier like a name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject;

‘personal data breach’
a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed

‘processing’
any operation or series of operations carried out on personal data, whether automated or not. These operations include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other means of making data available, alignment or combination, restriction, erasure, or destruction;

‘pseudonymisation’
the processing of personal data in a way that makes it impossible to attribute the data to a specific data subject without additional information. This additional information is kept separately and is safeguarded by technical and organisational measures to ensure that the personal data cannot be linked to an identified or identifiable individual; and
‘special category personal data’
means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data.

a) The Company is dedicated not only to complying with the law but also to upholding its principles and values. We prioritise the proper, lawful, and fair treatment of all personal data, respecting the legal rights, privacy, and trust of all individuals we engage with.

b) The Company’s appointed data protection contact (“the DPC”) is Chris Dawson, [email protected] who is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.

c) All managers are responsible for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company comply with this Policy and, where applicable, must implement such practices, processes, controls, and training as are reasonably necessary to ensure such compliance.

d) Questions regarding this Policy or Data Protection Law should be directed to the DPC. The DPC should be consulted in the following cases:

1. if consent is being relied upon in order to collect, hold, and/or process personal data;

2. Uncertainty regarding:
• the lawful basis for collecting, holding, or processing personal;
• security measures (whether technical or organisational) required to protect personal data; or
• retention period for specific types of personal data.

3. assistance with data subject rights, including subject access requests;

4. if a personal data breach (suspected or actual) has occurred;

5. sharing personal data with third parties (as controllers or processors);

6. transferring personal data outside of the UK and any questions relating to the legal basis on which to do so;

7. significant new processing activities or changes requiring a Data Protection Impact Assessment.; and

8. when personal data is to be used for purposes different to those for which it was originally collected.

This Policy ensures compliance with Data Protection Law. The UK GDPR outlines the following principles for handling personal data, which data controllers must adhere to and demonstrate compliance as follows:

a) Processed lawfully, fairly, and transparently in relation to the data subject;

b) Collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes;

c) Adequate, relevant, and limited to what is necessary for purposes for which it is processed;

d) Accurate and kept up to date; inaccurate data must be promptly erased or rectified;

e) Stored in a way that permits identification of data subjects for no longer than necessary; may be stored longer for archival, research, or statistical purposes with appropriate safeguards; and

f) Processed with appropriate security measures to prevent unauthorized processing, loss, destruction, or damage.

The UK GDPR sets out the following key rights applicable to data subjects:

a) The right to be informed;

b) the right of access;

c) the right to rectification;

d) the right to erasure (also known as the ‘right to be forgotten’);

e) the right to restrict processing;

f) the right to data portability;

g) the right to object; and

h) rights with respect to automated decision-making and profiling.

a) Data Protection Law ensures that personal data is processed lawfully, fairly, and transparently, preserving the rights of the data subject. Processing of personal data is lawful if:

1. The data subject has given consent for specific purposes;

2. Processing is necessary for performing a contract with the data subject or taking pre-contractual steps;

3. Processing is necessary to protect vital interests of the data subject or another person;

4. Processing is for a task in the public interest or official authority vested in the data controller; or

5. Processing is for legitimate interests pursued by the data controller or a third party, balancing with the fundamental rights and freedoms of the data subject, particularly if they are a child.

When consent serves as the lawful basis for collecting, holding, and/or processing personal data, the following guidelines apply:

a) Consent must be a clear indication from the data subject, expressed through a statement or positive action. Silence, pre-ticked boxes, or inactivity do not qualify as consent.

b) Consent sections must be distinctly separated from other content in documents.

c) Data subjects have the right to withdraw consent easily at any time, and such requests must be promptly honoured.

d) If personal data is to be processed for a different, undisclosed purpose than originally collected, new consent may be necessary from the data subject.

e) The Company must maintain records of all obtained consents to demonstrate compliance with consent requirements whenever consent is the lawful basis for processing personal data.

a) The Company collects and processes the personal data set out in part 21 of this Policy. This includes:

1. personal data collected directly from data subjects; and

2. personal data obtained from third parties.

b) The Company only collects, processes, and holds personal data for the specific purposes set out in Part 21 of this Policy (or for other purposes expressly permitted by Data Protection Law).

c) Data subjects must be kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 15 for more information on keeping data subjects informed.

a) The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under part 8 above, and as set out in part 21 below.

b) Employees, agents, contractors, or other parties working on behalf of the Company may collect personal data only to the extent required for the performance of their job duties and only in accordance with this Policy. Excessive personal data must not be collected.

c) Employees, agents, contractors, or other parties working on behalf of the Company may process personal data only when the performance of their job duties requires it. Personal data held by the Company cannot be processed for any unrelated reasons.

a) The Company must maintain accurate and current personal data collected, processed, and held by it. This involves rectifying personal data upon a data subject’s request, as detailed in Part 17 below.

b) Personal data accuracy is ensured at collection and regularly thereafter. Inaccurate or outdated personal data will be promptly amended or erased upon identification.

a) The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.

b) When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

c) For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please contact the DPC.

a) The Company guarantees the security and protection of all collected, held, and processed personal data against unauthorised or unlawful processing, as well as accidental loss, destruction, or damage. Detailed technical and organisational measures are outlined in Parts 22 to 27 of this Policy.
b) Technical and organisational measures for protecting personal data are regularly reviewed and evaluated to ensure their ongoing effectiveness and the continual security of personal data.
c) Data security mandates maintaining the confidentiality, integrity, and availability of all personal data by:
1. Limiting access to only authorised individuals with a genuine need;
2. Ensuring personal data is accurate and suitable for its intended purpose; and
3. Providing authorised users with access to personal data as needed for the authorised purpose(s).

a) The DPC is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.

b) The Company adopts a privacy by design approach in all stages of collecting, holding, and processing personal data. Data Protection Impact Assessments will be conducted if any processing poses a significant risk to the rights and freedoms of data subjects (refer to Part 14 for details).

c) All Company employees, agents, contractors, or representatives shall undergo suitable training in data protection and privacy, covering pertinent aspects of Data Protection Law, this Policy, and all other relevant Company policies.

d) The Company’s data protection compliance shall be regularly reviewed and evaluated by means of Data Protection Audits.

e) The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

1. the name and details of the Company, its Data Protection Officer, and any applicable third-party data transfers (including data processors and other data controllers with whom personal data is shared);

2. the purposes for which the Company collects, holds, and processes personal data;

3. the Company’s legal basis or bases (including, but not limited to, consent, the mechanism(s) for obtaining such consent, and records of such consent) for collecting, holding, and processing personal data;

4. details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;

5. details of any transfers of personal data to non-UK countries including all mechanisms and security safeguards;

6. details of how long personal data will be retained by the Company;

7. details of personal data storage, including location(s);

8. detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.

a) Following privacy by design principles, the Company will conduct Data Protection Impact Assessments for new projects and/or uses of personal data involving new technologies. This applies when the processing is likely to pose a high risk to the rights and freedoms of data subjects.

b) The principles of privacy by design should be followed at all times when collecting, holding, and processing personal data. The following factors should be taken into consideration:

1. the nature, scope, context, and purpose or purposes of the collection, holding, and processing;

2. the state of the art of all relevant technical and organisational measures to be taken;

3. the cost of implementing such measures; and

4. the risks posed to data subjects and to the Company, including their likelihood and severity.

c) Data Protection Impact Assessments shall be overseen by the DPC and shall address the following:

1. the type(s) of personal data that will be collected, held, and processed;

2. the purpose(s) for which personal data is to be used;

3. the Company’s objectives;

4. how personal data is to be used;

5. the parties (internal and/or external) who are to be consulted;

6. the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

7. risks posed to data subjects;

8. risks posed both within and to the Company; and

9. proposed measures to minimise and handle identified risks.

a) The Company shall provide the information set out in Part 15.2 to every data subject:

1. where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and

2. where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:

i) if the personal data is used to communicate with the data subject, when the first communication is made; or

ii) if the personal data is to be transferred to another party, before that transfer is made; or

iii) as soon as reasonably possible and in any event not more than one month after the personal data is obtained.

b) Any other information shall be provided in the Company’s Privacy Policy which is available here: https://www.projectmerchandise.com/privacy-policy/ and includes, but is not limited to, details of the purpose for which personal data is being used, the lawful basis, categories of personal data, retention periods, rights of the data subject and where the data is being stored.

a) Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.

b) Employees wishing to make a SAR should do using a Subject Access Request Form, sending the form to the Company’s DPC at [email protected]

c) The DPC shall handle any SARs requests that a data subject makes to the Company. Responses to SARs must normally be made within one month of receipt, however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

d) The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

a) Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.

b) The Company will correct the relevant personal data and notify the data subject of the correction within one month of being informed of the issue. For complex requests, this period may extend by up to two months. If an extension is necessary, the data subject will be notified.

c) In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

a) Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:

1. it is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;

2. the data subject wishes to withdraw their consent to the Company holding and processing their personal data;

3. the data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 21 of this Policy for further details concerning the right to object);

4. the personal data has been processed unlawfully; or

5. the personal data needs to be erased in order for the Company to comply with a particular legal obligation.

b) Unless there are reasonable grounds to refuse erasure, the Company will fulfil all requests for erasure and notify the data subject of the action within one month of receiving the request. For complex requests, this period may extend by up to two months, with notification provided to the data subject if an extension is necessary.

c) In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

a) Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.

b) In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

a) Data subjects can object to the Company processing their personal data for legitimate interests or direct marketing. If objected, the Company will halt processing unless its legitimate reasons override the data subject’s rights or the processing is vital for legal claims.

b) Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing promptly.

The following personal data is collected, held, and processed by the Company:

Employee: Contact details, next of kin, address, proof of ability to work in the UK, national insurance number, date of birth, bank details

Customer: Contact details, personal data for delivery purposes, bank details

Supplier: Contact details, bank details

Business Contacts: Contact details

Prospective Clients: Contact details

a) The Company ensures secure communication and transfer of personal data by:

• Not using emails to transfer personal data.

• Encrypting, where possible, any emails that have to contain personal data.

• Marking such emails as “confidential.”

• Storing email content securely.

• Implementing additional security measures as necessary.

The Company ensures secure storage of personal data by:

a) Encrypting electronic copies with passwords;

b) All personal data stored electronically should be backed up regularly;

c) All mobile devices where personal data is stored has 2FA, Face ID and password protection enabled at a minimum; and

d) Restricting personal data transfer to Company-approved devices and ensuring compliance with policy and Data Protection Law by recipient.

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.

The Company shall ensure that the following measures are taken with respect to the use of personal data:

a) No personal data may be shared informally and if an employee, agent, contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the DPC;

b) Large transfer (10,000 entries of personal data or more in any one transfer) of personal data necessitates authorisation from the DPC;

c) Personal data must be handled carefully and kept from unauthorised access; and

d) When leaving a computer unattended, users must lock the screen.

The Company shall ensure that the following measures are taken with respect to IT and information security:

a) All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;

b) Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;

c) All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates after the updates are made available by the publisher or manufacturer unless there are valid technical reasons not to do so; and

d) No software may be installed on any Company-owned computer or device without the prior approval of the DPC.

The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

a) All personnel are aware of their responsibilities under Data Protection Law and this Policy;

b) Only relevant personnel have access to personal data necessary for their duties;

c) Sharing of personal data complies with provided information and, if necessary, with data subjects’ consent;

d) Personnel handling personal data receive appropriate training;

e) Supervision is provided for personnel handling personal data;

f) Personnel exercise discretion when discussing work-related matters involving personal data;

g) Regular evaluation of methods for collecting, holding, and processing personal data;

h) Periodic review of all personal data per the Company’s data retention periods;

i) Regular evaluation of personnel handling personal data;

j) Contractual obligations for personnel to adhere to Data Protection Law and this Policy;

k) External parties handling personal data must ensure their employees follow the same standards; and

l) External parties failing in their obligations indemnify and hold the Company harmless.

a) The Company may, from time to time, transfer (‘transfer’ includes making available remotely) personal data to countries outside of the UK. The UK GDPR restricts such transfers in order to ensure that the level of protection given to data subjects is not compromised.

b) Personal data may only be transferred to a country outside the UK if one of the following applies:

1. The UK has issued adequacy regulations confirming that the personal data will receive an adequate level of protection (referred to as ‘adequacy decisions’, ‘adequacy regulations’, or ‘partial findings of adequacy’). Such regulations may apply to a country as a whole, organisation(s), framework(s) or mechanism(s), or to data covered by specific legislation. Since 1 January 2021, transfers of personal data from the UK to EEA countries have continued to be permitted. Pre-existing EU Commission adequacy decisions in effect as at 31 December 2020 are also recognised, subject to ongoing review by the UK Government.

2. Appropriate safeguards are in place including binding corporate rules, standard contractual clauses approved for use in the UK, an approved code of conduct, or an approved certification mechanism. Standard contractual clauses include the International Data Transfer Agreement issued by the Information Commissioner’s Office and the International Data Transfer Addendum to the current EU Commission Standard Contractual Clauses (set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021), issued by the Information Commissioner’s Office. (Contracts entered into on the basis of the old EU Commission Standard Contractual Clauses prior to 21 September 2022 will continue to provide appropriate safeguards until 21 March 2024.)

3. The transfer is made with the informed and explicit consent of the relevant data subject(s).

4. The transfer is necessary for one of the other reasons set out in the UK GDPR including the performance of a contract between the data subject and the Company; public interest reasons; for the establishment, exercise, or defence of legal claims; to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent; or, in limited circumstances, for the Company’s legitimate interests.

a) All personal data breaches must be reported immediately to the Company’s Data Protection Officer.

b) Upon suspecting or becoming aware of a personal data breach, employees, agents, contractors, or other parties must refrain from self-investigation and retain all related evidence.

c) If a breach poses a risk to data subjects’ rights and freedoms (e.g., financial loss, confidentiality breach), the DPC must promptly notify the Information Commissioner’s Office within 72 hours.

d) For breaches with a higher risk to data subjects’ rights, the DPC must directly inform all affected data subjects without undue delay.

e) Data breach notifications shall include the following information:

1. The categories and approximate number of data subjects concerned;

2. The categories and approximate number of personal data records concerned;

3. The name and contact details of the Company’s DPC (or other contact point where more information can be obtained);

4. The likely consequences of the breach;

5. Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

This Policy shall be deemed effective as of 10th June 2024. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.