We are committed to safeguarding the personal data of our customers, clients, employees, and other stakeholders. This GDPR Policy outlines how we collect, process, store, and protect personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.
1. Purpose
The purpose of this GDPR Policy is to:
- Ensure the lawful processing of personal data.
- Protect the rights and freedoms of individuals with regard to the processing of their personal data.
- Demonstrate our commitment to compliance with GDPR requirements.
2. Scope
This policy applies to all personal data we process relating to:
- Customers and clients.
- Employees and contractors.
- Business partners and suppliers.
- Website visitors and users of our services.
3. Definition of Personal Data
Personal data refers to any information relating to an identified or identifiable individual, including but not limited to:
- Names, addresses, phone numbers, and email addresses.
- Identification numbers, location data, and online identifiers (e.g., IP addresses).
- Financial information, including bank details.
- Health information, employment history, and any other data that can be used to identify a person.
Special categories of personal data, such as race, religion, political opinions, or biometric data, are subject to stricter rules under the GDPR.
4. Lawful Basis for Processing
We will only process personal data when we have a lawful basis to do so. The legal bases for processing include:
a. Consent:
- The individual has given clear consent for us to process their personal data for a specific purpose.
b. Contractual Obligation:
- The processing is necessary for the performance of a contract with the individual, or to take steps at the request of the individual before entering into a contract.
c. Legal Obligation:
- The processing is necessary to comply with a legal obligation (e.g., tax reporting, employment law).
d. Vital Interests:
- The processing is necessary to protect someone's life or well-being.
e. Legitimate Interests:
- The processing is necessary for the legitimate interests of Himalayan Carpet or a third party, provided it does not override the rights and freedoms of the data subject.
5. Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
a. Right to Access:
- Individuals have the right to request access to their personal data and obtain a copy of it.
b. Right to Rectification:
- Individuals can request the correction of inaccurate or incomplete data.
c. Right to Erasure (Right to be Forgotten):
- Individuals can request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, or if they withdraw their consent.
d. Right to Restrict Processing:
- Individuals can request that the processing of their data be limited under certain circumstances.
e. Right to Data Portability:
- Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and request the transfer of this data to another organization.
f. Right to Object:
- Individuals can object to the processing of their personal data for certain purposes, such as direct marketing or legitimate interests.
g. Right Not to Be Subject to Automated Decision-Making:
- Individuals have the right not to be subject to decisions made solely by automated means that have legal or significant effects on them.
6. Data Collection and Processing
We collect and process personal data for specific, legitimate purposes, which may include:
- Providing products or services.
- Managing customer relationships.
- Human resources and payroll administration.
- Marketing and communication.
- Compliance with legal obligations.
We will not collect more data than is necessary for the intended purpose, and we will ensure that all personal data is accurate and kept up to date.
7. Data Security
We implement appropriate technical and organizational measures to ensure the security of personal data, including:
- Encryption and pseudonymization of data.
- Access control and authentication mechanisms.
- Regular security assessments and audits.
- Procedures to address data breaches and ensure business continuity.
8. Data Retention
We will only retain personal data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal requirements. Once personal data is no longer needed, it will be securely deleted or anonymized.
9. Data Sharing and Transfers
We do not share personal data with third parties unless:
- We have obtained the individual's explicit consent.
- It is necessary to fulfill a contract.
- It is required by law or a legal obligation.
- It is necessary to protect vital interests or the public interest.
If we transfer personal data outside the European Economic Area (EEA), we will ensure that appropriate safeguards are in place, such as standard contractual clauses or reliance on an adequacy decision by the European Commission.
10. Data Breach Notification
In the event of a data breach, we will:
- Take immediate action to contain and mitigate the breach.
- Notify the relevant supervisory authority within 72 hours if the breach poses a risk to the rights and freedoms of individuals.
- Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.