Makura Sourcing Limited - Data Protection Policy
1. Introduction to this Policy
1.1. Everyone has rights with regard to the way in which their Personal Data (as defined
below) is handled. During the course of our activities, we will collect, store and process
Personal Data about our customers, suppliers and other third parties, and we recognise that
the correct and lawful treatment of this data will maintain confidence in the organisation
and will provide for successful business operations.
1.2. The Personal Data, which may be held on paper or on a computer or other media, is
subject to certain legal safeguards specified in the Data Protection Act 1998 (the Act), the
General Data Protection Regulation (EU) 2016/679 and other regulations as amended or
replaced from time to time. The Act is not intended to prevent the processing of personal
data, but to ensure that it is done fairly and without adversely affecting the rights of the
data subject.
1.3. You should read this data protection policy (“Policy”) carefully as it contains important
information about how we will use your Information (as defined below in clause 5.1).
1.4. We may update this Policy from time to time in accordance with clause 18 below. This
Policy was last updated on 13 October 2017.
2. About us
2.1. The terms “Makura” or “us” or “we” refer to Makura Sourcing Limited. We are a
company registered in England and Wales under company number 06438687 whose
registered office is at Lakeside Fountain Lane, St Mellons, Cardiff, CF3 0FB. The term “you”
refers to the individual providing the Information.
2.2. Our Data Protection Officer is Robert Davies, Managing Director.
3. Data Protection
3.1. References in this Policy to:
3.1.1. “Data Protection Law” means the Data Protection Act 1998 and the Privacy and
Electronic Communications (EC Directive) Regulations 2003, and/or the EU Regulation
2016/679 (the ‘General Data Protection Regulation’) (as applicable), each as amended
and/or replaced from time to time, and all other applicable privacy and data protection laws
and regulations, as well as any guidance and/or codes of practice issued from time to time
by the Information Commissioner; and
3.1.2. “Personal Data”, “Data Controller” and “Data Processor” and “processing” shall have
the meanings given under applicable Data Protection Law.
3.2. For the purposes of the Data Protection Act 1998, we (Makura Sourcing Limited) are a
Data Controller and therefore we are responsible for, and control the processing of, your
Personal Data in accordance with Data Protection Law. “Personal Data” has a legal
definition but, in brief, it refers to information from which a living person can be identified.
Such information must be protected in accordance with Data Protection Law.
4. Data protection principles
4.1 Anyone processing Personal Data must comply with the eight enforceable principles of
good practice. These provide that Personal Data must be:
4.1.1 Processed fairly and lawfully.
4.1.2 Processed for limited purposes and in an appropriate way.
4.1.3 Adequate, relevant and not excessive for the purpose.
4.1.4 Accurate.
4.1.5 Not kept longer than necessary for the purpose.
4.1.6 Processed in line with data subjects' rights.
4.1.7 Secure.
4.1.8 Not transferred to people or organisations situated in countries without adequate
protection.
5. Information we may collect about you
5.1. When you deal with us we may collect the following information about you
(“Information”):
5.1.1. personal information;
5.1.2. contact information including address, primary email address and/or primary phone
number; and
5.1.3. information obtained through our correspondence and monitoring in accordance with
clause 13 below.
5.2. Occasionally we may receive information about you from other sources. If so, we will
add this information to the Information we already hold about you in order to help us carry
out the activities listed below.
6. How long we keep your Information
6.1. Subject to clause 6.2, we will keep your Information only for as long as we need to hold
it for the purposes set out in clause 9 below.
6.2. If required, we will be entitled to hold Information for longer periods in order to comply
with our legal or regulatory obligations.
7. Legal basis for processing your information
7.1. Under Data Protection Law, we may only process your Information if we have a “legal
basis” (i.e. a legally permitted reason) for doing so. We will have a legal basis for processing
your Information under this Policy if:
7.1.1. you have given us your consent to process your Information (for which see clause 8
below); or
7.1.2. processing is necessary for the performance of a contract you have entered into (i.e.
we need to process your information in order to provide you with goods, services or media);
or
7.1.3. processing is necessary for taking any preliminary steps that are required before you
can enter into such a contract, provided we only do this at your request; or
7.1.4. processing is necessary to allow us to comply with our legal obligations; or
7.1.5. processing is necessary in order to protect your vital interests (for example your
human rights); or
7.1.6. processing is necessary for us to perform tasks that are of public interest or in the
exercise of official authority (if applicable); or
7.1.7. processing is necessary for our legitimate interests (e.g. delivery and/or improvement
of our services), provided that these legitimate interests are not overridden by your
interests (for example your human rights).
7.2. For the purposes of this Policy, our legal basis for processing your Information is:
7.2.1. your consent (for which see clause 8 below); or
7.2.2. subject to your rights set out in clause 16 below, the legitimate interest of providing
services to our clients, which requires the processing of your Information to enable us to
provide these services to our clients.
8. Your consent to processing
8.1. As noted above, you will be required to give consent to the processing of your
Information as set out in this Policy. We will seek this consent when you first submit
Information to us. Also, by entering into a contract with us, we may process your
Information in our performance of that contract.
8.2. If you do not consent to such processing you should not provide us with any
Information.
8.3. If you have previously given consent you may freely withdraw such consent at any time.
You can do this by notifying us at any time by contacting the Data Protection Officer
indicated in this Policy.
8.4. If you withdraw your consent, and if we do not have another legal basis for processing
your information (see clause 7 above), then we will stop processing your Information. If we
do have another legal basis for processing your information then we may continue to do so
subject to your legal rights (for which see clause 16 below).
8.5. Please note that if we need to process your Information in order to provide our
services, and you object or do not consent to us processing your Information, those services
may not be available to you.
9. How we use your Information
We may process Information held about you for the following purposes:
9.1. to carry out workforce management and related services and any other obligations
arising from any contracts entered into between us and our customers;
9.2. to investigate and address any comments, queries or complaints made by you or our
customers regarding our goods and/or services;
9.3. to conduct research, statistical analysis and behavioural analysis (including anonymizing
data for these purposes);
9.4. to provide insights based on aggregated, anonymous data collected through the
research and analysis referred to at 9.3 above;
9.5. for administration, maintenance and improvements to our services;
9.6. to contact you for marketing purposes (see 'Marketing and opting out' in clause 10
below);
9.7. to disclose your information to selected third parties as permitted by this policy (see
clause 11 below);
9.8. to notify you about changes to our goods and/or services; and
9.9. to comply with our legal obligations, including obligations relating to the protection of
Personal Data.
10. Marketing and opting out
10.1. If you have given permission, we may contact you by telephone and email about our
products, services, promotions and special offers that may be of interest to you. We will
inform you (before collecting your data) and seek your permission if we intend to use your
data for such purposes. If you prefer not to receive any direct marketing communications
from us, or you no longer wish to receive them, you can opt out at any time (see below).
10.2. If you have given permission, we may contact you by mail, telephone and email to
provide information about products, services, promotions, special offers and other
information. We will inform you (before collecting your data) if we intend to use your data
for such purposes. If you would rather not receive such third party marketing information
from us, or you no longer wish to receive it, you can opt out at any time (see below).
10.3. If you have given permission, we may share your personal data with carefully selected
third party organisations and
business partners and they may contact you directly (unless you have asked them not to do
so) by mail, telephone and email about products, services, promotions and special offers
that may be of interest to you. We will inform you (before collecting your data) and seek
your permission if we intend to disclose your data to third parties for such purposes. If you
prefer not to receive direct marketing communications from our business partners, or you
no longer wish to receive them, you can opt out at any time (see below).
10.4. You have the right at any time to ask us, or any third party, to stop processing your
information for direct marketing purposes. If you wish to exercise this right, you should
contact us by sending an email to dpo@makurasourcing.com, or contact the relevant third
party using their given contact details, giving us or them enough information to identify you
and deal with your request.
11. Disclosure of your information
11.1. We may disclose your Information (including Personal Data):
11.1.1. to other companies within our group of companies (which means our subsidiaries,
our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK
Companies Act 2006);
11.1.2. to our business partners, service providers or third-party contractors to enable them
to undertake services for us and/or on our behalf (and we will ensure they have appropriate
measures in place to protect your Information);
11.1.3. to any prospective buyer or seller (and their representatives) in the event that we
sell or buy any business or assets;
11.1.4. if we are under a duty to disclose or share Personal Data in order to comply with any
legal obligation, including (but not limited to) any request or order from law enforcement
agencies and/or HMRC in connection with any investigation to help prevent unlawful
activity; and
11.1.5. to other third parties if you have specifically consented to us doing so.
11.2. If our whole business is sold or integrated with another business your Information may
be disclosed to our advisers and any prospective purchasers and their advisers and will be
passed on to the new owners of the business.
12. Keeping your Information secure
12.1. We will use technical and organisational measures in accordance with good industry
practice to safeguard your Information and in some instances including the use of data
encryption.
12.2. While we will use all reasonable efforts to safeguard your Information, you
acknowledge that the use of the internet is not entirely secure and for this reason we
cannot guarantee the security or integrity of any Information that is transferred from you or
to you via the internet.
13. Monitoring
We may monitor and record communications with you (such as telephone conversations
and emails) for the purposes of provision of services, quality assurance, training, fraud
prevention and compliance purposes. Any information that we receive through such
monitoring and communication will be added to the information we already hold about you
and may also be used for the purposes listed in clause 9 above.
14. Overseas transfers
14.1. From time to time we may need to transfer your Information to countries outside the
European Economic Area, which comprises the EU member states plus Norway, Iceland and
Liechtenstein (“EEA”). Non-EEA countries that we may need to transfer your Information to
include:
14.1.1. Canada, because our service provider is located there.
14.2. Such countries may not have similar protections in place regarding protection and use
of your data as those set out in this Policy. Therefore, if we do transfer your Information to
countries outside the EEA we will take reasonable steps in accordance with Data Protection
Law to ensure adequate protections are in place to ensure the security of your Information,
including:
14.2.1. use of approved contractual clauses; or
14.2.2. ensuring that we only transfer your Information to countries outside the EEA that
are subject to a European Commission "positive finding of adequacy" in relation to that
country's data protection laws (which includes Canada, Switzerland, Israel and New
Zealand); or
14.2.3. ensuring that we only transfer your Information to persons or entities that are
appropriately authorised and/or accredited to process Personal Data in compliance with
Data Protection Law.
14.3. By submitting your Information to us in accordance with this Policy you consent to
these transfers for the purposes
specified in this Policy.
15. Information about other individuals
If you give us information on behalf of a third party, you confirm that the third party has
appointed you to act on his/her/their behalf and has agreed that you can: give consent on
his/her/their behalf to the processing of his/her/their Information; receive on his/her/their
behalf any data protection notices; and give consent to the transfer of his/her/their
Information abroad (if applicable).
16. Your rights
If you are an individual, this section sets out your legal rights in respect of any of your
Personal Data that we are holding and/or processing. If you wish to exercise any of your
legal rights you should put your request in writing to us (using our contact details in clause
20 below) giving us enough information to identify you and respond to your request.
16.1. You have the right (subject to the payment of a small fee) to request information
about Personal Data that we may hold and/or process about you, including: whether or not
we are holding and/or processing your Personal Data; the extent of the Personal Data we
are holding; and the purposes and extent of the processing.
16.2. You have the right to have any inaccurate information we hold about you be corrected
and/or updated. If any of the Information that you have provided changes, or if you become
aware of any inaccuracies in such Information, please let us know in writing giving us
enough information deal with the change or correction.
16.3. You have the right in certain circumstances to request that we delete all Personal Data
we hold about you (the ‘right of erasure’). Please note that this right of erasure is not
available in all circumstances, for example where we need to retain the Personal Data for
legal compliance purposes. If this is the case we will let you know.
16.4. You have the right in certain circumstances to request that we restrict the processing
of your Personal Data, for example where the Personal Data is inaccurate or where you have
objected to the processing (see clause 16.6 below).
16.5. You have the right to request a copy of the Personal Data we hold about you and to
have it provided in a structured format suitable for you to be able to transfer it to a
different data controller (the ‘right to data portability’). Please note that the right to data
portability is only available in some circumstances, for example where we are processing
your Personal Data under clauses 7.1.1 or 7.1.2 above and the processing is carried out by
automated means. If you request the right to data portability and it is not available to you
we will let you know.
16.6. Where we are processing your Personal Data under clauses 7.1.6 or 7.1.7, above you
have the right, based on your particular situation, to object to such processing. If so, we
shall stop processing your Personal Data unless we can demonstrate sufficient and
compelling legitimate grounds for continuing the processing which override your own
interests.
16.7. You have the right to object to direct marketing, for which see clause 10.4 above.
17. Complaints
If you have any concerns about how we collect or process your Information then you have
the right to lodge a complaint with a supervisory authority, which for the UK is the UK
Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through
the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to
the ICO is available at https://ico.org.uk/concerns/.
18. Changes to this Policy
18.1. We keep this Policy under regular review and may change it from time to time. If we
change this Policy we will notify you of any changes to this Policy as soon as possible, so that
you may be aware of the Information we collect and how we use it at all times. You are
responsible for ensuring that you are aware of the most recent version this Policy as it will
apply each time we provide goods and/or services to you.
18.2. This Policy was last updated on 13 October 2017.
19. Accessibility
This Policy aims to provide you with all relevant details about how we process your
Information in a concise, transparent, intelligible and easily accessible form, using clear and
plain language. If you have any difficulty in reading or understanding this Policy, or if you
would like this Policy in another format (for example audio, large print or braille), please get
in touch with us.
20. Contact us
We welcome your feedback and questions on this Policy. If you wish to contact us, please
email us at info@makurasourcing.com or contact our Data Protection Officer at
dpo@makurasourcing.com or 0330 333 8940