Data Protection Policy and Privacy Notice
Note: This document serves an interim policy and public notice pending an internal review ahead of changes to Data Protection law in the United Kingdom.
Who We Are
Merrehill Ltd is a company registered in England under company number 5518204. We manage and make decisions about personally identifiable information we hold, as well as conducting specific activities using data provided by other companies, on their behalf.
What We Do
Our main line of business is business-to-business digital direct marketing, which usually consists of delivering
marketing communications to people’s business email address on behalf of our clients.
How To Contact Us
Our Data Protection Officer (DPO) is the main contact for anyone who wants to discuss matters covered under this policy or the law, including any person whose personal data we have come into contact with and used or stored, whether for our own purposes or on behalf of another company.
You can telephone our DPO directly on 01625 800 586. A message can be left at any time the DPO is unable to take your call, and any telephone number you leave will be used only for the purpose of contacting you regarding your enquiry.
You can also send the DPO an email to dpo@merrehill.co.uk.
If you would prefer to write to us, our office address is:
Merrehill Ltd
Unit 6, Bridge Street Mills
Bridge Street
Macclesfield
SK11 6QA
UNITED KINGDOM
Personally Identifiable Information
Merrehill stores and uses information that could be used to identify a living person. The purpose of this storage
and use will vary depending on the area of the business that it pertains to. Where consent is required or used as the basis for storage and use of personal information, this will be clearly communicated, and the person providing their consent has the right to withdraw it at any time.
Human Resources
We store information relating to employees and contractors so that we have adequate records to be able to
contact, manage and pay them, and meet our legal obligations as an employer. This information may be sent to
another company working on our behalf, where the relationship is defined by a contract, and they are not permitted to use the information in any way we have not explicitly asked them to. Only certain authorised
personnel within the company have access to this information.
Sales
Whenever we sell products and services, we collect and store information about the person or people we have
dealt with in the course of the sale, including prior to any sale taking place, in order to serve the mutual interests of our own and our clients’ or prospective clients’ companies. This information usually consists of names and contact details associated with a business, and is used for the purpose of completing the sale, managing service delivery, and marketing further products and services in the future.
Marketing
We conduct direct marketing activities in order to obtain new and repeat business, and sometimes this requires
that we store and use names and business contact details of specific people whom we know or believe to be the
most appropriate recipient of our marketing communications. Most of this is done in-house, however it is sometimes necessary to transfer mailing lists to other companies who conduct some of this work on our behalf. Since we obtain published or offered contact details for people in their business role, we believe their privacy rights are balanced with our business interests.
Purchasing
From time to time we may store names and business contact details of individual people working for our suppliers’ business. This is necessary to ensure we are able to contact the relevant people and maintain a relationship to the benefit of both our and their business.
Service Delivery
Merrehill is a marketing business, so we also collect, store and use personally identifiable information including names, addresses, telephone numbers, email addresses and demographic information for the purpose of
delivering services to our clients. Any marketing communications sent to individuals as part of our service delivery processes include clear information identifying the sender, and a means to opt out of further such communications. Where information pertains to businesses and individual people working within them,
marketing communications on behalf of our clients may be delivered to our mailing lists without the prior consent of the recipient, unless and until the recipient informs us they no longer wish to receive such communication. Since we are contacting people in their business role using published or offered contact details,
we believe their privacy rights are balanced with the legitimate interest of our clients’ business. We also deliver marketing communications directly to our clients’ own mailing lists, which they provide to us on their terms. In such cases, we would manage requests to opt out of further communication and inform our client of the
recipient’s wishes.
Sources of Personal Information
Information about individuals may originate from different sources, including being collected from the person
themselves. We agree to disclose the source of any data we hold about a person upon their request. Such
requests should be directed to the Data Protection Officer.
Rights of Data Subjects
People whose information we hold are called “data subjects”. We respect the rights of data subjects and will work with anyone exercising those rights to ensure their expectation of privacy is met. Anyone wishing to make a request under their legal rights should contact our Data Protection Officer in the first instance.
Where we are storing or using someone’s personal information because it has been provided to us by another company to use on their behalf, we will work with the other company to ensure data subjects’ rights are upheld.
Where the data subject contacts us to make a request, we will help them to contact the relevant company who can deal with that request.
Anyone has the right to object to the use of their personal information for the purpose of direct marketing at any time, and Merrehill will always respect such a decision, provided that it is communicated clearly and that
we can verify the identity of the person making the request. This can be as simple as making the request from the same email address or telephone number that we associate with the person. We do not use data subject
requests to collect further information about a person, and any additional contact details obtained in the course of such discussions are used only in connection with that request, so that we can maintain clear and informative communication with the person and ensure their needs and expectations are met.
If a data subject is unhappy with the way Merrehill or its Data Protection Officer have collected, stored or used their personal information, or the way we have dealt with their request, we acknowledge that they have the right to lodge a complaint with the Information Commissioner’s Office in the United Kingdom.
Data Storage and Security
As Merrehill is committed to the environment, we do our best to store information relating to our business on computer systems rather than paper files, although it is often necessary to print or write upon such items as payslips, cheques and invoices, which will usually contain information about the recipient. While these and similar items are ordinarily transferred quickly in sealed envelopes or given directly to the recipient, any storage of them is managed by authorised staff who ensure that unauthorised persons do not have direct access.
The majority of information is however stored in computer systems. Critical systems such as those relating to finance and service delivery are regularly backed up and/or continuously mirrored to protect against data loss, and are physically located in secure premises.
It is our policy that data stored electronically be protected from unauthorised access, accidental deletion and malicious hacking attempts. In addition to internal processes, we employ third party service providers to manage elements of this.
Data Retention
Except where a legal obligation to retain data exists, Merrehill does not store personal information for any longer than is necessary for its defined purpose. Wherever an individual has expressed that they no longer wish to have information we hold about them used for the purpose under which we hold it, we must continue to store certain identifiers to ensure that person’s information does not re-enter our systems at a later date. This data is stored apart from data that is in current use, is clearly labelled and access to it is restricted.
Data we hold on behalf of other companies will be held according to their wishes, and for a further 12 months following the completion of the last service we provided to them, so as to preserve their ability to give us further instruction without having to provide the data again, unless otherwise agreed. When data is no longer to be retained, its removal, deletion or erasure will be performed according to processes suitable for the medium, for example the secure shredding of paper documents, deletion from internal systems, or overwriting (wiping) of hard disks.
Contact Us
If you have any questions about this privacy policy or our data practices, please contact us:
Merrehill Ltd
Unit 6 Bridge Street Mills
Bridge Street
Macclesfield
SK11 6QA
Phone: 01625 70 80 40
Email: info@merrehill.co.uk