Data Protection Policy
1. Introduction
This Data Protection Policy outlines how Nemiah Limited ("we," "our," "the company") collects, processes, stores, and protects personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. The policy applies to all personal data handled by the organisation, including that of customers, employees, suppliers, and other third parties.
2. Purpose
The purpose of this policy is to ensure that Nemiah Limited:
- Complies with the legal obligations under GDPR.
- Respects the rights and freedoms of data subjects.
- Safeguards personal data against security threats, unauthorised access, and misuse.
3. Scope
This policy applies to all employees, contractors, partners, and third parties working for or on behalf of Nemiah Limited. It covers all personal data collected, processed, stored, and transmitted by the organisation.
4. Definition of Personal Data
"Personal data" refers to any information that can identify an individual, either directly or indirectly, including but not limited to:
- Name, email address, phone number
- Identification numbers (e.g., national ID, social security number)
- Location data and IP address
- Financial information
- Health records
- Any other information that can be linked to an identifiable person
5. Legal Basis for Processing
We ensure that personal data is processed lawfully, fairly, and transparently. Processing will only be carried out where there is a legal basis, including but not limited to:
- The data subject has given consent.
- Processing is necessary for the performance of a contract.
- Processing is required to comply with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject or another person.
- Processing is required for the performance of a task carried out in the public interest or in the exercise of official authority.
- Processing is necessary for the legitimate interests pursued by the organisation, except where such interests are overridden by the rights and freedoms of the data subject.
6. Principles of Data Processing
Nemiah Limited adheres to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: Data will be processed lawfully, fairly, and transparently.
- Purpose Limitation: Personal data will be collected for specified, legitimate purposes and not processed in a manner incompatible with those purposes.
- Data Minimisation: Personal data collected will be adequate, relevant, and limited to what is necessary for the intended purpose.
- Accuracy: Personal data will be kept accurate and up to date, with every reasonable step taken to ensure that inaccurate data is corrected or deleted.
- Storage Limitation: Data will be stored in a form that allows identification for no longer than necessary for the purposes for which the personal data is processed.
- Integrity and Confidentiality: Personal data will be processed in a manner that ensures its security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
7. Rights of Data Subjects
Data subjects have the following rights under GDPR:
- Right to Access: Individuals can request access to their personal data held by the organisation.
- Right to Rectification: Individuals have the right to have incorrect or incomplete data corrected.
- Right to Erasure: Data subjects can request the deletion of their personal data where it is no longer necessary or if they withdraw consent.
- Right to Restriction of Processing: Individuals can request the limitation of data processing under certain conditions.
- Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to Object: Individuals can object to the processing of their data on grounds relating to their situation or for direct marketing purposes.
- Right to Withdraw Consent: Where consent is the legal basis for processing, individuals can withdraw consent at any time.
- Right to Lodge a Complaint: Individuals can lodge a complaint with a supervisory authority if they believe their rights have been infringed.
8. Data Security
Nemiah Limited implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data where necessary.
- Regular security assessments and penetration testing.
- Strict access controls, ensuring personal data is accessible only to authorised personnel.
- Regular training for employees on data protection and security best practices.
- Data breach detection, investigation, and notification mechanisms.
9. Data Breaches
In the event of a data breach that poses a risk to the rights and freedoms of individuals, Nemiah Limited will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Affected individuals will also be informed if the breach is likely to result in a high risk to their rights and freedoms.
10. Data Retention
Nemiah Limited retains personal data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, or contractual obligations. A retention schedule will be followed to ensure timely deletion or anonymisation of personal data that is no longer required.
11. Data Transfers
Nemiah Limited ensures that personal data transferred outside the European Economic Area (EEA) is adequately protected and that data transfers are made in compliance with GDPR, using mechanisms such as:
- Binding corporate rules.
- Standard contractual clauses approved by the European Commission.
- Adequacy decisions from the European Commission.
12. Data Protection Officer (DPO)
Nemiah Limited has appointed a Data Protection Officer (DPO) who is responsible for overseeing the organisation's compliance with GDPR. The DPO can be contacted at:
FAO: Data Protection Officer
Email: dpo@nemiah.uk
Address: 116a Bradshawgate, Leigh, WN7 4NP
13. Policy Review
This Data Protection Policy will be reviewed annually or whenever necessary to comply with legal or organisational changes. Employees are required to comply with this policy, and any breach may lead to disciplinary action.
14. Contact Information
For any inquiries about this policy or to exercise your rights, please contact Nemiah Limited at:
Email: dpo@nemiah.uk
Phone: 01942 914422
Address: 116a Bradshawgate, Leigh, WN7 4NP