Makura Sport Limited – Data Protection Policy

1. Introduction to this Policy

1.1. Everyone has rights with regard to the way in which their Personal Data (as defined below) is handled. During the course of our activities, we will collect, store and process Personal Data about our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.

1.2. The Personal Data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 1998 (the Act), the General Data Protection Regulation (EU) 2016/679 and other regulations as amended or replaced from time to time. The Act is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
1.3. You should read this data protection policy (“Policy”) carefully as it contains important information about how we will use your Information (as defined below in clause 5.1).
1.4. We may update this Policy from time to time in accordance with clause 18 below. This Policy was last updated on 13 October 2017.

2. About us

2.1. The terms “Makura” or “us” or “we” refer to Makura Sport Limited. We are a company registered in England and Wales under company number 06438687 whose registered office is at Lakeside Fountain Lane, St Mellons, Cardiff, CF3 0FB. The term “you” refers to the individual providing the Information.

2.2. Our Data Protection Officer is Robert Davies, Managing Director.

3. Data Protection

3.1. References in this Policy to:
3.1.1. “Data Protection Law” means the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and/or the EU Regulation 2016/679 (the ‘General Data Protection Regulation’) (as applicable), each as amended and/or replaced from time to time, and all other applicable privacy and data protection laws and regulations, as well as any guidance and/or codes of practice issued from time to time by the Information Commissioner; and
3.1.2. “Personal Data”, “Data Controller” and “Data Processor” and “processing” shall have the meanings given under applicable Data Protection Law.

3.2. For the purposes of the Data Protection Act 1998, we (Makura Sport Limited) are a Data Controller and therefore we are responsible for, and control the processing of, your Personal Data in accordance with Data Protection Law. “Personal Data” has a legal definition but, in brief, it refers to information from which a living person can be identified. Such information must be protected in accordance with Data Protection Law.

4. Data protection principles

4.1 Anyone processing Personal Data must comply with the eight enforceable principles of good practice. These provide that Personal Data must be:
4.1.1 Processed fairly and lawfully.
4.1.2 Processed for limited purposes and in an appropriate way.
4.1.3 Adequate, relevant and not excessive for the purpose.
4.1.4 Accurate.
4.1.5 Not kept longer than necessary for the purpose.
4.1.6 Processed in line with data subjects’ rights.
4.1.7 Secure.
4.1.8 Not transferred to people or organisations situated in countries without adequate protection.

5. Information we may collect about you

5.1. When you deal with us we may collect the following information about you (“Information”):
5.1.1. personal information;
5.1.2. contact information including address, primary email address and/or primary phone number; and
5.1.3. information obtained through our correspondence and monitoring in accordance with clause 13 below.

5.2. Occasionally we may receive information about you from other sources. If so, we will add this information to the Information we already hold about you in order to help us carry out the activities listed below.

6. How long we keep your Information

6.1. Subject to clause 6.2, we will keep your Information only for as long as we need to hold it for the purposes set out in clause 9 below.

6.2. If required, we will be entitled to hold Information for longer periods in order to comply with our legal or regulatory obligations.

7. Legal basis for processing your information

7.1. Under Data Protection Law, we may only process your Information if we have a “legal basis” (i.e. a legally permitted reason) for doing so. We will have a legal basis for processing your Information under this Policy if:
7.1.1. you have given us your consent to process your Information (for which see clause 8 below); or
7.1.2. processing is necessary for the performance of a contract you have entered into (i.e. we need to process your information in order to provide you with goods, services or media); or
7.1.3. processing is necessary for taking any preliminary steps that are required before you can enter into such a contract, provided we only do this at your request; or
7.1.4. processing is necessary to allow us to comply with our legal obligations; or
7.1.5. processing is necessary in order to protect your vital interests (for example your human rights); or
7.1.6. processing is necessary for us to perform tasks that are of public interest or in the exercise of official authority (if applicable); or
7.1.7. processing is necessary for our legitimate interests (e.g. delivery and/or improvement of our services), provided that these legitimate interests are not overridden by your interests (for example your human rights).

7.2. For the purposes of this Policy, our legal basis for processing your Information is:
7.2.1. your consent (for which see clause 8 below); or
7.2.2. subject to your rights set out in clause 16 below, the legitimate interest of providing services to our clients, which requires the processing of your Information to enable us to provide these services to our clients.

8. Your consent to processing

8.1. As noted above, you will be required to give consent to the processing of your Information as set out in this Policy. We will seek this consent when you first submit Information to us. Also, by entering into a contract with us, we may process your Information in our performance of that contract.

8.2. If you do not consent to such processing you should not provide us with any Information.

8.3. If you have previously given consent you may freely withdraw such consent at any time. You can do this by notifying us at any time by contacting the Data Protection Officer indicated in this Policy.

8.4. If you withdraw your consent, and if we do not have another legal basis for processing your information (see clause 7 above), then we will stop processing your Information. If we do have another legal basis for processing your information then we may continue to do so subject to your legal rights (for which see clause 16 below).

8.5. Please note that if we need to process your Information in order to provide our services, and you object or do not consent to us processing your Information, those services may not be available to you.

9. How we use your Information

We may process Information held about you for the following purposes:

9.1. to carry out workforce management and related services and any other obligations arising from any contracts entered into between us and our customers;

9.2. to investigate and address any comments, queries or complaints made by you or our customers regarding our goods and/or services;

9.3. to conduct research, statistical analysis and behavioural analysis (including anonymizing data for these purposes);

9.4. to provide insights based on aggregated, anonymous data collected through the research and analysis referred to at 9.3 above;

9.5. for administration, maintenance and improvements to our services;

9.6. to contact you for marketing purposes (see ‘Marketing and opting out’ in clause 10 below);

9.7. to disclose your information to selected third parties as permitted by this policy (see clause 11 below);

9.8. to notify you about changes to our goods and/or services; and

9.9. to comply with our legal obligations, including obligations relating to the protection of Personal Data.

10. Marketing and opting out

10.1. If you have given permission, we may contact you by telephone and email about our products, services, promotions and special offers that may be of interest to you. We will inform you (before collecting your data) and seek your permission if we intend to use your data for such purposes. If you prefer not to receive any direct marketing communications from us, or you no longer wish to receive them, you can opt out at any time (see below).

10.2. If you have given permission, we may contact you by mail, telephone and email to provide information about products, services, promotions, special offers and other information. We will inform you (before collecting your data) if we intend to use your data for such purposes. If you would rather not receive such third party marketing information from us, or you no longer wish to receive it, you can opt out at any time (see below).

10.3. If you have given permission, we may share your personal data with carefully selected third party organisations and
business partners and they may contact you directly (unless you have asked them not to do so) by mail, telephone and email about products, services, promotions and special offers that may be of interest to you. We will inform you (before collecting your data) and seek your permission if we intend to disclose your data to third parties for such purposes. If you prefer not to receive direct marketing communications from our business partners, or you no longer wish to receive them, you can opt out at any time (see below).

10.4. You have the right at any time to ask us, or any third party, to stop processing your information for direct marketing purposes. If you wish to exercise this right, you should contact us by sending an email to dpo@makurasport.com, or contact the relevant third party using their given contact details, giving us or them enough information to identify you and deal with your request.

11. Disclosure of your information

11.1. We may disclose your Information (including Personal Data):
11.1.1. to other companies within our group of companies (which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006);
11.1.2. to our business partners, service providers or third-party contractors to enable them to undertake services for us and/or on our behalf (and we will ensure they have appropriate measures in place to protect your Information);
11.1.3. to any prospective buyer or seller (and their represenatives) in the event that we sell or buy any business or assets;
11.1.4. if we are under a duty to disclose or share Personal Data in order to comply with any legal obligation, including (but not limited to) any request or order from law enforcement agencies and/or HMRC in connection with any investigation to help prevent unlawful activity; and
11.1.5. to other third parties if you have specifically consented to us doing so.

11.2. If our whole business is sold or integrated with another business your Information may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.

12. Keeping your Information secure

12.1. We will use technical and organisational measures in accordance with good industry practice to safeguard your Information and in some instances including the use of data encryption.

12.2. While we will use all reasonable efforts to safeguard your Information, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any Information that is transferred from you or to you via the internet.

13. Monitoring

We may monitor and record communications with you (such as telephone conversations and emails) for the purposes of provision of services, quality assurance, training, fraud prevention and compliance purposes. Any information that we receive through such monitoring and communication will be added to the information we already hold about you and may also be used for the purposes listed in clause 9 above.

14. Overseas transfers

14.1. From time to time we may need to transfer your Information to countries outside the European Economic Area, which comprises the EU member states plus Norway, Iceland and Liechtenstein (“EEA”). Non-EEA countries that we may need to transfer your Information to include:
14.1.1. Canada, because our service provider is located there.

14.2. Such countries may not have similar protections in place regarding protection and use of your data as those set out in this Policy. Therefore, if we do transfer your Information to countries outside the EEA we will take reasonable steps in accordance with Data Protection Law to ensure adequate protections are in place to ensure the security of your Information, including:
14.2.1. use of approved contractual clauses; or
14.2.2. ensuring that we only transfer your Information to countries outside the EEA that are subject to a European Commission “positive finding of adequacy” in relation to that country’s data protection laws (which includes Canada, Switzerland, Israel and New Zealand); or
14.2.3. ensuring that we only transfer your Information to persons or entities that are appropriately authorised and/or accredited to process Personal Data in compliance with Data Protection Law.

14.3. By submitting your Information to us in accordance with this Policy you consent to these transfers for the purposes
specified in this Policy.

15. Information about other individuals

If you give us information on behalf of a third party, you confirm that the third party has appointed you to act on his/her/their behalf and has agreed that you can: give consent on his/her/their behalf to the processing of his/her/their Information; receive on his/her/their behalf any data protection notices; and give consent to the transfer of his/her/their Information abroad (if applicable).

16. Your rights

If you are an individual, this section sets out your legal rights in respect of any of your Personal Data that we are holding and/or processing. If you wish to exercise any of your legal rights you should put your request in writing to us (using our contact details in clause 20 below) giving us enough information to identify you and respond to your request.

16.1. You have the right (subject to the payment of a small fee) to request information about Personal Data that we may hold and/or process about you, including: whether or not we are holding and/or processing your Personal Data; the extent of the Personal Data we are holding; and the purposes and extent of the processing.

16.2. You have the right to have any inaccurate information we hold about you be corrected and/or updated. If any of the Information that you have provided changes, or if you become aware of any inaccuracies in such Information, please let us know in writing giving us enough information deal with the change or correction.

16.3. You have the right in certain circumstances to request that we delete all Personal Data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example where we need to retain the Personal Data for legal compliance purposes. If this is the case we will let you know.

16.4. You have the right in certain circumstances to request that we restrict the processing of your Personal Data, for example where the Personal Data is inaccurate or where you have objected to the processing (see clause 16.6 below).

16.5. You have the right to request a copy of the Personal Data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example where we are processing your Personal Data under clauses 7.1.1 or 7.1.2 above and the processing is carried out by automated means. If you request the right to data portability and it is not available to you we will let you know.

16.6. Where we are processing your Personal Data under clauses 7.1.6 or 7.1.7, above you have the right, based on your particular situation, to object to such processing. If so, we shall stop processing your Personal Data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests.

16.7. You have the right to object to direct marketing, for which see clause 10.4 above.

17. Complaints

If you have any concerns about how we collect or process your Information then you have the right to lodge a complaint with a supervisory authority, which for the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at https://ico.org.uk/concerns/.

18. Changes to this Policy

18.1. We keep this Policy under regular review and may change it from time to time. If we change this Policy we will notify you of any changes to this Policy as soon as possible, so that you may be aware of the Information we collect and how we use it at all times. You are responsible for ensuring that you are aware of the most recent version this Policy as it will apply each time we provide goods and/or services to you.

18.2. This Policy was last updated on 13 October 2017.

19. Accessibility

This Policy aims to provide you with all relevant details about how we process your Information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If you have any difficulty in reading or understanding this Policy, or if you would like this Policy in another format (for example audio, large print or braille), please get in touch with us.

20. Contact us

We welcome your feedback and questions on this Policy. If you wish to contact us, please email us at info@makurasport.com or contact our Data Protection Officer at dpo@makurasport.com or 0330 333 8940