Data Protection Policy
1. Introduction
1.1. We keep certain information about our customers and other users to allow us to monitor performance and achievement and to promote sales. It is also necessary to process information so that customers can be offered credit under our insurance policy and to fulfil our legal obligations to investors and Government.
1.2. To comply with the law, information must be collected and used fairly, stored safely and not unlawfully disclosed to any other person. To do this we must comply with the data protection principles set out in the General Data Protection Regulation (GDPR) 2018. In summary, the top-level principles are:
Lawfulness, fairness and transparency
- Lawful: Processing must meet the tests described in GDPR [article 5, clause 1(a)].
- Fair: What is processed must match up with how it has been described.
- Transparency: Tell the subject what data processing will be done.
Purpose limitations
- Personal data can only be obtained for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.
Data minimisation
- Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [article 5, clause 1(c)]. The minimum amount of data should be kept for specific processing.
Accuracy
- Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Baselining ensures good protection and protection against identity theft. Data holders should build rectification processes into data management / archiving activities for subject data.
Storage limitations
- The regulator expects that personal data is “kept in a form which permits identification of data subjects for no longer than necessary” [article 5, clause 1(e)]. In summary, data no longer required should be removed.
Integrity and confidentiality
- Requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage” [article 5, clause 1(f)].
1.3. Nextplat Brands and all employees or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, we have developed an internal Data Protection Procedure to refer to for guidance and training.
1.4. This policy applies to all employees as well as agency and casual employees and any contractors working at Nextplat Brands. It also applies to visitors, such as Auditors, Banking Providers or Government agencies working with us.
2. Data
2.1. Your personal information is exactly what it is: yours. Nextplat Brands only uses data you have provided directly. This may be because you have ordered from us, made an enquiry or met us at the many trade fairs we attend. We use the following data:
- General personal details such as name, contact details and address
- Written phone logs
- Audit of emails sent and received
- Records of sales and buying trends
- Business and trade references
- Financial statements
- Credit checks
- Payment information
3. Security
3.1. When you share your personal data with us, we treat it with care and take our responsibility to protect it seriously.
- Any personal data which we hold is kept securely.
- Personal information is not disclosed either orally, in writing or otherwise to any unauthorised third party.
- Accidental disclosure is avoided by ensuring that all procedures are appropriate and data is stored securely.
4. Notification of data held and processed
4.1. You are entitled to:
- Know what information we hold and process about you and why.
- Know how to gain access to it.
- Know how to keep it up to date.
- Know what Nextplat Brands is doing to comply with its obligations under the General Data Protection Regulation.
5. Rights to access information
5.1. You have the right to access any personal data that is being kept about you either on computer or in certain files.
5.2. In order to gain access, a request should be made in writing and passed to the designated data controller.
5.3. We aim to comply with all requests for access to personal information as quickly as possible, but will ensure that it is provided within one month unless there is good reason for delay. In such cases, the reason(s) for delay will be explained in writing to the data subject making the request. Please contact us should you wish to have access to your data.
5.4. Nextplat Brands will not share data with any third parties, except to comply with legal requirements or where required by Government Departments.
6. Data Controller
6.1. Nextplat Brands as a corporate body is the Data Controller under the General Data Protection Regulation, and the Directors are therefore ultimately responsible for the implementation of this. However, a designated Data Controller will deal with the day-to-day matters.
7. Retention of data
7.1. We are required to keep some forms of information for 6 years. After this period we aim to keep a simple record for all customers and suppliers, identifying their basic details only, such as name, address and contact details.
7.2. Nextplat Brands will aim not to retain data that are held for a particular purpose once that purpose no longer exists.