Privacy Notice

Date of Issue: May 2021
Issue: 01

This Privacy Notice sets out what personal data Mzuri Holdings Ltd holds regarding data processing activities and explains why and how we collect, store and process Personal Data under the General Data Protection Regulations (the Regulation) together with our terms and conditions. This notice applies to customers, suppliers, visitors and third parties (together referred to as “you”). Mzuri Holdings Ltd is committed to ensuring that we process this information in a correct, fair and lawful manner, respecting the legal rights, privacy and trust of all individuals with who it deals. We may update this Privacy Notice at any time.

Who is the controller?

Mzuri Holdings Ltd Ltd is the controller for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you. We have appointed the Head of Human Resources as Data Protection Lead, who will act as your first point of contact if you have any questions or concerns about data protection. In the absence of the Data Protection Lead, the point of contact is the Group Financial Controller or Head of IT.

What type of personal data do we hold about you?

Personal data means any information relating to a living individual wo can be identified (directly or indirectly) by reference to an identifier (e.g. name, telephone number, email address). It can be factual e.g. contact details such as customer number, business address or information that may otherwise impact that individual in a personal or business capacity.

We hold and use various types of personal data about you, including for example but not limited to, biographical details e.g. name, address (business or personal depending on the details provided to us), job title, business bank details. We may also hold other personal data such as CCTV images if you are visiting our premises.

We are also often provided with contact details belonging to end consumers e.g. the customer of our customer. Generally, this is for online customers and the data collected is normally name, home address, telephone number and email address. In this instance, Mzuri Holdings Ltd is then the Data Processor. We ensure we meet our obligations as a Data Processor in accordance with GDPR by outlining this in a specific Data Processor Agreement.

Data protection law divides personal data into two categories, ordinary personal data and special category. Special category data relates to ethnic origin, physical or health conditions, biometric data for example. Mzuri Holdings Ltd will comply with applicable laws in respect of such processing. You are not obliged to provide us with your personal information, however, if you do not, we might not be able to carry out the services you have requested of us. This also applies to personal data belonging to others that is provided to us by you.

Why do we hold your personal data and on what legal grounds?

We hold your ordinary personal data for the purpose of the business relationship and contract, as per our terms and conditions which is in our legitimate interest. Data Protection law specifies the legal grounds on which we can hold and use personal data. Most commonly we rely on one or more of the following legal grounds when we process your personal data: consent, legitimate interests or contract. Where we process your data solely on the basis of consent, you are entitled to withdraw your consent at any time. This will not affect the lawfulness before the withdrawal.

How do we use your data?

We use your personal data to for the legitimate purpose of the business relationship to enable us to provide goods and services to our customers. Other examples include, but are not limited to:

• Tracking website usage using Google Analytics to improve our website performance
• Respond to email enquiries
• Send business information and marketing promotions and publications
• Provide you with information about other services we offer that are like those you have already requested or enquired about
• Notify you of upcoming events
• Notify changes to terms and conditions

Who do we share your personal data with?

We will only share your personal data with third parties where we have an appropriate legal ground under data protection law which permits us to do so or so that they can provide services such as financial or administrative services about the operation or our business, for example courier partners, and to any person (where necessary) in connection with their services, such as but not limited to legal representatives, debt recovery or regulatory authorities. We will not share your personal data with businesses that are owned, either wholly, or in part by Mzuri Holdings Ltd without your consent. We will take reasonable steps to ensure those third parties comply with their obligations under GDPR when they handle your personal information and ensure they are only authorised to use personal information for the limited purposes specified to them.

Data Security

We take our data security responsibilities seriously, ensuring we have the most appropriate organisational and technical measures to protect data. To ensure this, we have developed a Data Protection Policy which outlines our obligations under data protection and details how we will comply with these requirements. We may store your information in different places, for example internal systems stored on our secure servers and in the cloud, on email or paper filing systems.

Data Retention

We will not keep your personal data for longer than we need it for our legitimate purposes, however we take into account the following criteria when determining the appropriate retention period for data: the amount, nature and sensitivity of the personal data, the risk of harm from unauthorised use or disclosure, the purpose for which we process your personal data, how long it might be relevant for possible future legal claims or any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept. More specifically, we will ensure we retain personal data in connection with any warranty periods for our goods and services. Retention periods may differ and therefore we will retain personal data for the longest period.

Some of our external third party suppliers are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Your rights

• You have the right to make a subject access request. This enables you to receive certain information about how we use your personal data as well as to receive a copy of it and to check we are processing it lawfully.
• Request that we correct incomplete or inaccurate personal data we hold about you.
• Right to request that we delete or remove personal data about you
• Right to restrict our processing of your data.
• Right to request that we transfer your personal data to you in a structured format.

If you would like to exercise any of these rights, please contact the Data Protection Lead in writing. Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.

Marketing

If you have given us your contact details, we may use these (in accordance with any preferences you have expressed) to send you marketing communications by email, post, phone, SMS and social media. Mzuri Holdings Ltd has a legitimate interest to promote our products to you, unless you have asked us not to. Our terms and conditions now give you the opportunity to opt-in to marketing material by simply ticking the box. You can also unsubscribe at any time using the link at the bottom of our marketing emails. If you are currently opted-out of our marketing communications, you can choose to opt-in by contacting us directly. Any consent granted for marketing communications will not be shared between Mzuri Holdings Ltd (Group) companies.

If you have any questions, you can contact the Data Protection Lead through the Human Resources Department. You have the right to make a complaint any time. This should be made to the appropriate governing body of the country the business is located in. In the UK, this is the Information Commissioner’s Office (ICO). Further information can be found at www.gdpr.eu.