1.1 Mail Workshop Limited (“MWL”) acts as a data processor on behalf of its customers who, as data controllers, submit data to MWL for the purpose of contracting MWL to despatch items that it has stored and/or packed and prepared for despatch to given addresses. MWL processes their data to this end and in order to provide supporting and related services. In certain cases the data so provided will relate to an identifiable subject and so is defined as “personal data” under EU General Data Protection Regulation 2016/679 (“GDPR”). This document serves the purpose of the written contract required to be in place between MWL and its customers (“Controller”) clarifying their responsibilities and liabilities under GDPR.
2.1 MWL will act only on the written instructions of the Controller in processing any data supplied (“the Data”), personal or otherwise, unless required by law to act without such instruction. Agreement to trade with MWL under written Sales Agreements or by written acceptance of provided quotation for services is taken to constitute consent to process the Data solely for the purposes necessary to perform the contracted services.
2.2 MWL will ensure that any people processing or accessing the Data are subject to a duty of confidence. All staff of MWL are bound by the terms of MWL’s Staff Data Policy regarding correct and lawful processing.
2.3 MWL will take appropriate measures to ensure the security of processing the Data, such that are outlined in MWL’s Data Policy as published on MWL’s website.
2.4 MWL will only engage sub-processors of the Data with the prior consent of the Controller and a written contract. By submitting the Data for delivery by a chosen courier or tracked postal provider, such shipment being governed by prior written Sales Agreement or by written acceptance of provided quotation for services, the Controller consents to MWL passing any of the Data necessary to that courier or tracked postal provider for processing for their contracted purpose of conducting that delivery. Any other sub-processing of the Data will be subject to a further and separate written agreement.
2.5 MWL will assist the Controller in meeting any stated obligations regarding the provision of subject access to their personal data and any other rights under GDPR. Should MWL receive such a request directly, it will in the first instance refer the request to the Controller, inform the data subject that it has done so, and subsequently act according to the reasonable instruction of the Controller in providing further information or access.
2.6 MWL will assist the Controller in meeting any stated obligations regarding security of processing of the Data. The Controller is advised to incorporate the Details of Processing in this contract into their own data policy, and is advised that elements relating the usage and storage of data therein are liable to form a central part of any such policy.
2.7 MWL will notify the Controller of any personal data breaches relating to the Data, and any resultant data protection impact assessments, in line with its obligations under GDPR.
2.8 MWL will submit to audits and inspections of its processing practices by any supervisory authority, and provide the Controller with any information required to meet an equivalent audit or inspection or any connected legal obligations.
2.9 MWL will immediately inform the Controller if it is asked by a third-party to infringe GDPR or any other applicable data-protection law in relation to the Data.
3.1 MWL processes the Data on behalf of the Controller by formatting supplied information such that it is suitable for entry into any relevant despatch systems, and by using that information to produce and print despatch documentation. Subsequent to despatch the Data will be retained for a period in order to facilitate the resolution of any queries from the controller regarding the status of despatches.
3.2 MWL processes the Data for the purpose of enabling delivery to the Controller’s requested recipient addresses. The Data may contain a number of types of “personal data”, frequently consisting of name and address information and sometimes also accompanying telephone numbers and/or email addresses. Those names may be connected with either business or home addresses, and their usage for both business and personal purposes. While it is conceivable there may be “personal Data” relating to vulnerable persons, to children, and to other special categories of person within the Data, this in current practice will not be identifiable therein, nor is the purpose of processing related to that status.
3.3 MWL’s general policy is that there should be no reason for the Controller to supply definable “sensitive personal data” to MWL for the purposes of its processing. Should MWL become aware of such instances, the Controller will be advised on ways in which the Data can be supplied that does not constitute qualification as “sensitive”. Should there be no alternative to the Controller supplying “sensitive personal data” to meet its processing deeds, MWL will agree a separate written arrangement regarding its safe usage and storage.
3.4 MWL retains files within which the Data is supplied for a period of 30 days following last processing, after which they are deleted.
3.5 In cases where the Data has been used for courier despatch, the Data is retained for a period of 90 days following despatch within MWL’s central courier database prior to its anonymisation by the removal of any identifiable personalising information.
3.6 In cases where the Data has been used for courier despatch or for tracked postal despatch, the Data is submitted by MWL to the supplier of that despatch service for the purpose of conducting delivery, and will then be stored by that supplier in line with their own processing terms.
3.7 Personal data processed using MWL’s designated warehouse/stock management system is stored therein for a period of 1 year prior to anonymization by removal of personally-identifying name and address details.
3.8 Information, including the Data where applicable, that is submitted to MWL by email is stored for a period of 2 years after submission prior to archiving in an encrypted form offsite.
3.9 The Controller is under no obligation to supply the Data to MWL by email and is encouraged not to do so where the Data constitutes “personal data” under GDPR, although MWL recognises that the Controller holds ultimate responsibility and control over how the Data is submitted and used. Secure forms of transmission, deleted 30 days after use, are alternatively available to Controllers that do not have their own such method in place.
3.10 The Controller holds responsibility for ensuring that the Data it provides to MWL for processing complies with all legal obligations. Specifically, (a) the Controller verifies that the Data, and any record therein, has been made subject to a valid and documented “lawful basis for processing” under GDPR, (b) the Controller verifies that it has complied with any valid and reasonable subject request for removal or deletion it has received and that no records of such subjects exist within the Data, (c) the Controller verifies that the Data does not contain any record that is required to be excluded by either MPS or TPS registration as appropriate, (d) the Controller verifies that it is willing and able to cooperate with any compliance requirements made of it under GDPR.
4.1 MWL does not indemnify the Controller against any data breach or against any other financial harm resultant from its lawful processing of the Data, other than by prior additional arrangement or other than as governed by law.
4.2 Nothing within this contract relieves MWL of its own direct responsibilities and liabilities under GDPR.
Mail Workshop Limited is registered with the ICO, registration number ZA251735.
For further information or questions regarding processing of data, please email [email protected]