Privacy

1. Introduction

Surplush is committed to protecting the privacy and data of its employees, customers, and other stakeholders. This GDPR policy outlines our commitment to comply with the General Data Protection Regulation (GDPR) and to safeguard the personal data we process.

2. Scope

This policy applies to all employees, contractors, and any third parties who process personal data on behalf of Surplush.

3. Definitions

Personal Data: Any information relating to an identified or identifiable natural person (data subject).
Data Processing: Any operation or set of operations which is performed on personal data.
Data Controller: An entity that determines the purposes, conditions, and means of processing personal data.
Data Processor: An entity that processes personal data on behalf of the data controller.
Data Subject: An individual whose personal data is being processed.

4. Principles of Data Protection

Surplush adheres to the following principles of data protection:

Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and transparently.
Purpose Limitation: We collect and process personal data for specified, explicit, and legitimate purposes.
Data Minimisation: We ensure that personal data we process is relevant, adequate, and limited to what is necessary for the purposes.
Accuracy: We take reasonable steps to ensure that personal data is accurate and up-to-date.
Storage Limitation: We store personal data for no longer than necessary for the intended purpose.
Integrity and Confidentiality: We maintain the security and confidentiality of personal data through appropriate measures.
Accountability: We are responsible for demonstrating compliance with the principles of data protection.

5. Data Subject Rights

Data subjects have the following rights under GDPR:

Right to access personal data.
Right to rectify inaccurate personal data.
Right to erasure of personal data (right to be forgotten).
Right to restrict processing.
Right to data portability.
Right to object to data processing.
Right not to be subject to automated decision-making, including profiling.

6. Data Security

Surplush has implemented appropriate technical and organisational measures to protect personal data against data breaches, unauthorised access, and other security threats.

7. Data Breach Reporting

Any suspected or actual data breach must be reported to Surplush's Data Protection Officer and relevant authorities within 72 hours of becoming aware of the breach.

8. Training and Awareness

All employees and relevant third parties will receive training on data protection and GDPR compliance.

9. Review and Update

This GDPR policy will be reviewed and updated as needed to ensure compliance with evolving data protection regulations.

10. Contact Information

For questions or concerns regarding this policy or data protection matters, please contact our Data Protection Officer here.