This GDPR Privacy Policy (Policy) details how MERCHANT AND MILLS will meet its obligations under GDPR.


1.1          DEFINITIONS:

Client: a business, organisation or individual who receives the benefit of Services provided by Merchant And Mills in accordance with the relevant Contract Documentation.

Consent: agreement which has been freely given and acknowledged by You /Data Subject to be specific, informed and be an unambiguous indication of Your / Data Subject wishes in relation to the Processing of Personal Data relating to You / Data Subject in accordance with the terms of this Policy

Personal Data which is under Your control as a Data Controller passed to Merchant And Mills in order to provide Services to You or to act as a Data Processor for You. In which case You confirm and ensure You have obtained valid Consent from the Data Subject for any Personal Data passed to Merchant And Mills

Contract Documentation which has been agreed and signed by You for Services provided by Merchant And Mills or for Your services to merchant and mills in the form of either a;

  1. Client Contract, which is used for the provision of the Services,
  2. Employment contract
  3. Any other contractual documentation

Data Controller:  the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. Merchant And Mills is the Data Controller of all Personal Data relating to Merchant And Mills Personnel and Personal Data related to Clients Processed in accordance with this Policy.

Data Subject:  a living, identified or identifiable individual about whom Merchant And Mills hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data. You (and other relevant Data Subjects) are a Data Subject in respect of this Policy.

Data Processor:  a company, organisation or individual who processes Personal data on behalf of the Data Controller.

Data Protection Contact (DPC):  is Michael Jones (job title) who is responsibility for data protection compliance within Merchant And Mills.

General Data Protection Regulation (GDPR):  the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.

GDPR Compliance Plan: the internal plan created by Merchant And Mills to ensure its ongoing committed and compliance to GDPR

Merchant And Mills: whose registered no is  07559928 and whose registered address is 14a Tower Street, Rye, East Sussex, TN31 7AT

Personal Data:  any information identifying a Data Subject or information relating to a Data Subject that  can identify (directly or indirectly) from that data alone or in combination with other identifiers possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Your Personal Data specifically includes, but is not limited to, any data provided by You on the Contract Documentation and any additional data provided by You in relation to Merchant And Mills providing the Services.

Personal Data Breach:  the loss, or unauthorised access, disclosure or acquisition, of Personal Data

Personnel:  all Merchant And Mills employees, workers contractors, agency workers, consultants, directors, members and others.

Processing or Process:  any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Sensitive Personal Data:  information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

Services:, Web design and maintenance and as more specifically set out in the Contract Documentation.

You: the person, business or organisation who has Consented to the terms of this Policy by the express written Consent of signing the Contract Documentation for which this Policy forms part of.


2.1          This Policy sets out how Merchant And Mills will handle Your Personal Data

2.2          This Policy sets out what Merchant And Mills expect from You in order for the Merchant And Mills to comply  with GDPR. Your compliance with this Policy is mandatory.

2.3          Merchant And Mills is committed to ensuring that Your Personnel Data is processed in accordance with this Policy.  Protecting the confidentiality and integrity of Personal Data is a critical responsibility that  Merchant And Mills take  seriously at all times.  This Policy has been endorsed at all levels within Merchant And Mills and Merchant And Mills will continue to ensure ongoing compliance through its GDPR Compliance Plan.

2.4         The DPC is responsible for overseeing this Policy and is the main point of contact for all matters relating to data protection with Merchant And Mills.  Contact details for the DPC are as follows;

Michael Jone

Email : [email protected]

Phone number : +44 (0)1797 227758


3.1          Merchant And Mills are committed to the principles relating to Processing of Personal Data set out in the GDPR. You agree and acknowledge that Your Personal Data will be Processed in accordance with those principles which are;

(a)  Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).

(b)  Collected only for specified, explicit and legitimate purposes (Purpose Limitation).

(c)  Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).

(d)  Accurate and where necessary kept up to date (Accuracy).

(e)  Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).

(f)  Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).

(g)  Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).

(h)  Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).


4.1         Lawfulness And Fairness, Transparency

Merchant And Mills is Processing Your Personal Data and any relevant data Subject’s Personal Data under the legal reason of consent and legitimate interest for in order for

(a)  Merchant And Mills to deliver the Services to You as set out in the Contract Documentation;

(b) to send newsletters and discounts relating to Merchant and Mills only.

(c) Merchant And Mills to meet its legal compliance obligations.;

4.2          Consent

You agree by signing this Policy and/or the Contract Documentation, which incorporates this Policy, that you expressly Consent that Merchant And Mills can Process Your Personal Data in accordance with this Policy;

(a)  You have the right to withdraw Your Consent at any time by notifying the DPC in writing stating if You wish to withdraw part or all of Your Consent.

(i)  If You wish to withdraw Your Consent for Merchant And Mills to Process Your Personal Data in order to provide You the   Services then Merchant And Mills will remove Your Personal Data as set out in section 9 of this Policy.

(ii) If You wish to withdraw Your Consent for Merchant And Mills to Process Your Personal Data for the purposes of providing the newsletter only, then the DPC will acknowledge Your request and ensure this is actioned within 7 working days.  Your Personal Data will continue to be Processed by Merchant And Mills for the purposes of providing You the Services.

(b) In the event Merchant And Mills wish to Process Your Personal Data for any other Purpose then as set out in this Policy, then Merchant And Mills will require You to provide an additional Consent.


5.1          Merchant And Mills will only Process Your Personal Data for the following purposes;

  1. to enable Merchant And Mills to provide You the Services as set out in the Contract Documentation
  2. to be included on the Merchant And Mills client database which is used for the sole purpose of sending out regular newsletters.



6.1          Merchant And Mills has and will continue to review the Personal Data required to enable us to provide You the Services.  If you feel that any Personal Data Merchant And Mills requests is excessive or not required for the Purposes set out in 5.1, then You should advise the DPC in writing, and we shall investigate, take  appropriate action and update You in respect of the reasons why the Personal data is required or the action taken.


7.1          You shall be responsible for ensuring that all Personal Data provided by You on the Contract Documentation  shall be accurate.

7.2          You shall advise the DPC in writing of any amendments or inaccuracies in Your Personal Data.  Merchant And Mills will ensure such amendments are made within 5 working days

7.3          Merchant And Mills will request that You confirm or update Your Personal Data on an annual basis. Merchant And Mills will send this request to the e-mail address provided by You and You shall respond to   such request within 7 working days confirming or amending Your Personal Data.  Failure to do so may result  in Merchant And Mills ceasing to provide You the Services.


8.1          Merchant And Mills shall store all electronic Personal Data on a separate Server.  Merchant And Mills shall not store Your Personal Data on any hard-drive of any IT hardware owned or used by Merchant And Mills.

8.2          Merchant And Mills shall store Your Personal Data for duration of the Contract Documentation (plus any renewal or extension periods) plus 6 years.

8.3          If You wish Your Personal Data to be deleted prior to the dates set out in 8.2 above then You should send a written request to DPC, who will action such request within 7 working days.


9.1          Protecting Your Personal Data

Merchant And Mills has undertaken all reasonable security measures including but not limited to storing the Personal Data on a separate server, securing the site where to ensure the site where Personal Data is held is secure.

9.2          Reporting A Personal Data Breach

If You suspect their has been a potential or actual breach of Your Personal Data then both parties shall follow the process set out below;

  1. You must write to the DPC as soon as reasonably practicable clearly stating the details of the potential or actual Personal Data Breach (Notice of Breach)
  2. Merchant And Mills will acknowledge Your Notice of Breach within 2 working day
  3. Merchant And Mills will investigate the potential or actual Personal Data Breach and report its findings to You within 3 working days, (unless Merchant And Mills have advised You in writing giving reasonable reasons as to why the investigation will take longer)
  4. If through the investigation Merchant And Mills determines that there has been a Personal Data Breach, then Merchant And Mills will take all necessary action in order to rectify the situation and minimalise any potential or actual damage caused through such a Personal Data Breach.
  5. Merchant And Mills will communicate with You regarding the action being taken.
  6. Merchant And Mills will comply with any guidelines issued by the Information Commissioners Office (ICO) in relation to Personal Data Breach’s, including notifying the ICO when required to do so.


10.1        Merchant And Mills shall not transfer or share Your Personal Data with any 3rd parties except as specifically set out below;

  1. Merchant And Mills may use the following software to process Your Personal Data Michael Jones
  2. If You have Consented to receive a newsletter from Merchant And Mills, Merchant And Mills will share Your Personal Details with a company called Michael Jones who undertake this service on behalf of Merchant And Mills.

10.2        Merchant And Mills shall use its reasonable endeavours to ensure that the 3rd parties stated above comply with GDPR.

10.3        Merchant And Mills shall enter into a data processing contract with such 3rd parties as required under GDPR.

10.4        Merchant And Mills shall advise You in writing if Merchant And Mills changes any 3rd party mentioned in clause 10.1.


11.1        Merchant And Mills are fully committed to protecting Your Personal Data, and advise You to understand Your rights under GDPR.

11.1        You should contact the DPC in writing with any questions about the operation of this Policy, GDPR, Your rights in relation to Personal Data held by Merchant And Mills or if you have any concerns that this Policy is not being or has not been followed. In particular, you should always contact the DPC in the following  circumstances:

  1. if You believe there has been a Personal Data Breach of Your data
  2. if You wish Merchant And Mills to delete or correct any aspect of Your Personal Data held by Merchant And Mills.

12.1        Accountability

12.1.1     When Merchant And Mills is acting as a Data Controller, Merchant And Mills shall implemented appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles.

12.1.2     When You are the Data Controller who has permitted Merchant And Mills to process Personal Data held by  You, then You shall ensure that You have the full Consent of the Data Subject that their Personal Data being passed to Merchant And Mills.  You are fully responsible for ensuring that the Personal Data Processed by You and passed to Merchant And Mills complies with all principles of GDPR.

12.1.3     If You are a business or organisation then by signing this Policy / Contract Documentation Your business / organisation is committed to being GDPR compliant and has taken all reasonable actions to achieve this.

12.1.4     You shall indemnify Merchant And Mills for any damages, claims, or costs howsoever arising which  Merchant And Mills incurs as a result of Your breach of GDPR.

12.2        Record Keeping

12.2.1     Merchant And Mills shall keep a copy of this Policy / Contract Documentation signed by You for the same duration as which Merchant And Mills hold Your Personal Data.

12.2.2     Where Merchant And Mills is acting as a Data Processor for You, then You shall notify Merchant And Mills in writing of how such Personal Data shall be Processed.

12.2.3     You shall keep sufficient records in respect of the Personal Data You provide to Merchant And Mills as a Data Processor,   and You shall provide evidence of any Consent if Merchant And Mills are required to demonstrate GDPR compliance.

12.3        Sharing Personal Data

12.3.1     Merchant And Mills shall not share any of Your Personal Data with any 3rd party not set out in this Policy.


13.1        Merchant And Mills  reserves the right to amend this Policy at any time.

13.2        Merchant And Mills shall advise You in writing of any amendments to the Policy and if necessary You will be required to sign this Policy again to confirm Your Consent to the amendments made.


You acknowledge that You read a copy of this Policy and understand that I am responsible for knowing and  abiding by its terms.


Signed .............................................................................

Printed Name .................................................................      Date .................................................