This Policy sets out the obligations of Natural World Products Ltd ("the Company") regarding data protection and the rights of customers, suppliers and employees ("data subjects") in respect of their personal data under the General Data Protection Regulation ("the Regulation").
The Company are committed to safeguarding your data, whether held on computer or in manual files, whilst providing a valuable service. The primary purpose is to protect individuals against possible misuse of information about them held by others.
The Company is obliged to abide by the data protection principles embodied in the Regulation.
The Data Protection Principles
The Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data shall:
- be processed fairly and lawfully;
- be held only for specified purposes and not used or disclosed in any way incompatible with those purposes;
- be adequate, relevant and not excessive;
- be accurate and kept up-to-date;
- not be kept for longer than necessary for the particular purpose;
- be processed in accordance with data subjects' rights;
- be kept secure;
- not be transferred outside the European Economic Area unless the recipient country ensures an adequate level of protection.
Type of data collected by the Company
Personally identifiable information could include your name, address, telephone number, gender, business role, email address, job title, type of business & driver licence number.
In order to secure certain payments, we may also collect your credit card number and expiration date, billing address etc. In addition, we may collect financial information from you (e.g. your bank account information) as is necessary to facilitate payments and information required for VAT purposes.
Personal information such as name, telephone number and email address is collected via our website, e.g. when you express an interest in our product or service.
We may collect personal information offline at marketing events or during phone calls with sales representatives or when you place an inquiry via the telephone.
Why we need your personal data?
The Company requires personally identifiable information to:
- Consider and respond to your job application;
- Respond to your web inquiry;
- Contact you regarding your purchase;
- Collect payments from you;
- Send you information and updates related to your purchase, e.g. invoices, statements, email notifications or other information that you have specifically requested;
- Where it is in accordance with your marketing preferences or if you are already trading with us as a customer, we may send email marketing communications to you regarding products or services which we think may be of interest. You have an option to unsubscribe or opt out of marketing communications, product or service information;
- In an ongoing effort to understand and serve our customers better, we occasionally conduct customer satisfaction surveys;
The Company will only collect and process personal data where at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data;
- processing is necessary for the performance of a contract to which the data subject is a party, e.g. processing credit card details in order to effect payment, or in order to take steps at the request of the data subject prior to entering into a contract;
- the data is required for legitimate business interests. These include but are not limited to opening a credit account to make a credit purchase and monitoring staff access to systems and downloads;
- processing is necessary for compliance with a legal obligation to which the controller is subject e.g. reporting of statistics to government bodies;
Except as provided in this policy, we will not provide your personal information to third parties.
The Rights of Data Subjects
The Regulation sets out the following rights applicable to data subjects:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure (also known as the 'right to be forgotten');
- The right to restrict processing;
- The right to data portability;
- The right to object;
Accuracy of Data and Freedom of Choice
The Company shall ensure that all personal data collected and processed is kept accurate and up-to-date. The accuracy of data shall be checked when it is collected and periodically thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken to amend or erase that data, as appropriate. If you wish to tell us of changes to your personal details or to correct details we hold about you, you should email the Company with your request to data.protection@nwp-recycle.com
Secure Processing and Data protection
The Company shall ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. The Company shall ensure that all its employees, customers, suppliers or other parties working on its behalf comply with the following when working with personal data:
- All emails containing personal data must be encrypted using GDPR compliant mail servers;
- Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it will be securely deleted and disposed of. Hardcopies will be shredded on site, and electronic copies will be deleted securely;
- Personal data will be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
- Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
- All personal data stored electronically will be backed up daily with backups stored onsite and offsite;
- All electronic copies of personal data will be stored securely using passwords and data encryption;
- All passwords used to protect personal data will be changed regularly and will not use words or phrases that can be easily guessed or otherwise compromised. All passwords will contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;
- Under no circumstances will any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it will be reset using the applicable method. IT staff do not have access to passwords.
In addition to the measures above, when working with sensitive personal data the following added security measures and protections are applied:
- Sensitive personal data contained in the body of an email, whether sent or received, will be copied from the body of that email and stored securely. The email itself will be deleted.
- Where sensitive personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
- All hardcopies of sensitive personal data, along with any electronic copies stored on physical, removable media, will be stored securely in a locked box, drawer, cabinet or similar;
- Sensitive personal data will be handled with care at all times and should not be left unattended or on view to unauthorised employees or other parties at any time;
- If sensitive personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer screen (by pressing Ctrl, Alt & Delete) before leaving the device.
International Transfers of Data
We are committed to the security of your personal data and will not transfer data outside of the EU unless adequate safeguards are in place to ensure that your rights are protected.
Data Erasure and the Right "to be forgotten"
The Company shall not keep personal data for any longer than is necessary considering the purposes for which that data was originally collected and processed. Notwithstanding this, we are required under UK tax law to keep your basic personal data (e.g. name, address, contact details) for a minimum of 6 years, after which time it may be destroyed. Furthermore, where the expected life of a product exceeds 6 years, customer sales invoices and related vendor invoices are retained for longer periods to accommodate customers requiring access to their historical data after the 6-year statutory period has ended. When the data is no longer required, all reasonable steps will be taken to erase it.
The information we use for marketing purposes will be retained until you notify us that you no longer wish to receive this information. Please note that if you opt out of promotional and marketing messages, you may continue to receive certain communications from us, such as notifications about your account.
Data subjects may under certain circumstances request that the Company erases the personal data it holds about them. Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject's request (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).
Privacy Impact Assessments
The Company shall carry out Privacy Impact Assessments when and as required under the Regulation.
If you have any questions or concerns about this policy or wish to exercise any of your rights as a data subject, you can contact us by email directed to the Data Protection Officer on data.protection@nwp-recycle.com or by mail addressed to the Data Protection Officer at Natural World Products Ltd, 32 Glenside Road, Dunmurry, BT17 OLH
Implementation of Policy
This policy shall be deemed effective as of 20th June 2018 and is compliant with the GDPR which came into force on 25 May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date. This Policy has been approved and authorised by:
Name: Colm Warren
Position: Commercial Director