At Project Merchandise we prioritise the protection and privacy of personal data in compliance with the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Data (Use and Access) Act 2025 and any other applicable legislation (“Data Protection Legislation”). This Privacy Statement outlines our compliance standards and our expectations for our supply chain to uphold similar data protection standards.

Our Commitment to Data Protection

Data Handling

We handle personal data with utmost care, ensuring confidentiality, transparency, integrity, and security. This includes implementing appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss or destruction of data.

Legal Compliance

We adhere to the requirements of the Data Protection Legislation by safeguarding the rights and freedoms of individuals in the processing of their personal data.

Accountability

We take responsibility for our data processing activities and continuously strive to improve our data protection practices. This includes appointing a nominated person within our organisation to oversee compliance with data protection laws and regulations.

Expectations for Our Supply Chain

Compliance Requirement

Supply chain partners must ensure that their data processing activities align with the requirements set forth in the Data Protection Legislation. This involves the need to understand and abide by the principles and obligations outlined in the legislation, including lawful processing, data subject rights, and accountability.

It is essential for our supply chain partners to have a thorough comprehension of the Data Protection Legislation as it applies to their specific operations. This includes familiarity with key concepts such as lawful bases for processing, data subject consent, and data protection principles.

Data Handling Standards

We require our suppliers to handle personal data with the same level of care and diligence as we do, ensuring lawful, fair, and transparent processing. This includes implementing appropriate security measures to protect against unauthorised access, disclosure, alteration, or destruction of personal data.

Contractual Obligations

Our contracts with suppliers include provisions for data protection, outlining expectations and responsibilities regarding the handling of personal data. This includes requirements for data security, confidentiality, and the role they play as a data processor on our behalf.

Implementation of Measures

Our supply partners should implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, disclosure, alteration, and destruction. This involves adopting robust security protocols, encryption mechanisms, access controls, and data breach response procedures when processing personal data under our instructions.

Collaborative Compliance Monitoring

Compliance with data protection laws is an ongoing commitment. Our supply chain partners should regularly review and assess their data processing practices to ensure ongoing compliance with the Data Protection Legislation. This includes awareness of updates to data protection laws and adjusting practices accordingly.

Compliance with data protection laws is a shared responsibility. We encourage open communication and collaboration with our supply chain partners to address any data protection concerns or issues that may arise. Working together ensures that data protection standards are maintained throughout our business ecosystem.

Monitoring and Review

We regularly monitor and review our supply chain’s data protection practices to ensure ongoing compliance and alignment with our standards. This includes conducting audits and assessments of our suppliers’ data protection practices.

Data Breaches

In the event of a personal data breach, we have procedures in place to respond promptly and effectively to mitigate any potential risks to the rights and freedoms of individuals. This includes:

Notifying the relevant supervisory authority, such as the Information Commissioner’s Office (ICO), without undue delay and, in any event, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Informing affected individuals directly and without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Taking appropriate measures to address the breach, including implementing additional security measures and providing support to affected individuals.

Assessing the data breach to ensure that changes are made to minimise any future data breaches.

Our supply partners understand that if they are involved in a data breach when processing personal data that we control, they shall inform us immediately.

How to Contact Us

If you have any questions or concerns about our data protection practices or this Privacy Statement, please contact our Data Protection Contact: Chris Dawson, [email protected].

To find out how we handle your personal data, please see our Privacy Policy.

Updates to This Statement

We reserve the right to update this Privacy Statement to reflect changes in our data handling practices or legal requirements. We encourage you to review this Statement periodically for any updates.