GDPR

Data Protection Policy

For Cress Ltd & Sukin Naturals UK
Effective date: September 2025

1. Introduction

1.1 The Companies are committed to protecting the privacy and rights of individuals whose personal data we process (“Data Subjects”) and to complying with the UK GDPR and the Data Protection Act 2018.
1.2 This Policy sets out how the Companies collect, use, store, share, transfer and dispose of personal data, and the rights of Data Subjects in relation to that data.
1.3 The Companies are each responsible for ensuring that all staff, contractors and third-party service providers comply with this Policy and with relevant data-protection legislation.

2. Scope

2.1 This Policy applies to all personal data processed by the Companies regardless of format (electronic, paper, audio, etc.).
2.2 It applies to all staff, contractors, agents, consultants, temporary staff, and any third-party processors engaged by the Companies.
2.3 It covers all processing of personal data carried out in connection with the Companies’ operations including but not limited to recruitment, employment, customer and supplier relationships, marketing (including digital marketing), website visitors, events, and international transfers.

3. Definitions

For the purposes of this Policy:

Personal data means any information relating to an identified or identifiable natural person.

Processing means any operation or set of operations performed on personal data (collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, erasure or destruction).

Data Controller means the entity which determines the purposes and means of the processing of personal data.

Data Processor means an entity which processes personal data on behalf of a controller.

Data Subject means an identified or identifiable natural person whose personal data is processed by the Companies.

Special category data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; genetic data; biometric data processed for the purpose of uniquely identifying a person; data concerning health; and data concerning a person’s sex life or sexual orientation.

4. Data Protection Principles

In conducting all personal-data processing the Companies will adhere to the following key principles (as required by UK GDPR and the Data Protection Act 2018):
4.1 Lawfulness, fairness and transparency: processing must be lawful, fair and transparent to the Data Subject.
4.2 Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
4.3 Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4.4 Accuracy: personal data shall be accurate and, where necessary, kept up to date.
4.5 Storage limitation: personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.
4.6 Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4.7 Accountability: the Companies shall be responsible for, and able to demonstrate compliance with, the above principles.

5. Lawful Basis for Processing

5.1 The Companies will identify and document a lawful basis for each processing activity. Typical lawful bases include:

  • Consent of the Data Subject.

  • Performance of a contract to which the Data Subject is a party.

  • Compliance with a legal obligation of the Company.

  • The legitimate interests of the Company or a third party (provided the Data Subject’s rights and freedoms do not override those interests).

5.2 Where the Companies process special category data, an additional lawful basis and a condition under the Data Protection Act 2018 will be identified and documented.

6. Data Subject Rights

6.1 Data Subjects have a number of rights under UK GDPR, including:

  • The right to be informed about how their personal data is processed.

  • The right of access to their personal data.

  • The right to rectification of inaccurate or incomplete personal data.

  • The right to erasure (in certain circumstances).

  • The right to restrict processing.

  • The right to object to processing (in certain circumstances).

  • The right to data portability (in certain circumstances).
6.2 The Companies shall have procedures in place to respond to Data Subject requests within the statutory time limits and to provide clear information about how to exercise these rights.
6.3 Whether personal data is collected from the Data Subject directly or obtained from another source, the Companies shall provide a privacy notice which contains, at a minimum, the information required under Articles 13 and 14 of the UK GDPR.

7. Transparency & Privacy Notices

7.1 The Companies will ensure that privacy notices are provided to Data Subjects in a concise, transparent, intelligible and easily accessible form, in clear and plain language.
7.2 Each privacy notice will include:

  • The identity and contact details of the data controller(s) (i.e., Cress Ltd and/or Sukin Naturals UK as appropriate).

  • The contact details of the Data Protection Officer or other contact point for data-protection matters (if applicable).

  • The purposes of processing and the lawful basis for the processing.

  • Where processing is based on legitimate interests, those interests.

  • The categories of personal data concerned.

  • The recipients or categories of recipients of the personal data.

  • Where applicable, details of transfers of personal data to a third country or international organisation, and the safeguards.

  • The period for which the personal data will be stored, or the criteria used to determine that period.

  • The existence of the rights of Data Subjects (access, rectification, erasure, restriction of processing, objection, data portability).

  • The right to withdraw consent (where relevant) without affecting the lawfulness of processing based on consent before withdrawal.

  • The right to lodge a complaint with the supervisory authority (Information Commissioner's Office).

  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and the possible consequences of failure to provide such data.

  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences for the Data Subject.

7.3 Where personal data is not obtained from the Data Subject directly, the privacy notice will be provided within one month of obtaining the data, at the time of the first communication with the Data Subject if that is earlier, or at the latest when the data is first disclosed to another recipient.

8. Data Security & Breach Management

8.1 The Companies will implement appropriate technical and organisational measures to ensure the security, integrity, confidentiality and availability of personal data (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
8.2 The Companies will ensure that all data-processing systems and processes are subject to risk assessment, appropriate access controls, encryption (where necessary), backups, and secure disposal.
8.3 The Companies will maintain a procedure for the detection, reporting and investigation of personal-data breaches. Where a breach is likely to result in a risk to the rights and freedoms of Data Subjects, the Companies will notify the Information Commissioner’s Office without undue delay and, where required, the Data Subjects themselves.
8.4 The Companies will require all staff to report immediately any data-security incident or suspected breach to the designated person responsible for data protection.

9. Data Retention & Disposal

9.1 The Companies will maintain a data-retention schedule which specifies how long each category of personal data will be retained and the criteria used to determine that period.
9.2 Personal data will be securely destroyed or anonymised when no longer required for the purposes for which it was collected.
9.3 Special category data and other high-risk personal data may require longer or more carefully controlled retention periods; any such retention must be documented and justified.

10. International Transfers of Personal Data

10.1 If the Companies transfer personal data outside the UK or the EEA, appropriate safeguards (such as standard contractual clauses, binding corporate rules or an adequacy decision) will be used to protect the data.
10.2 The Companies will document any such international transfers and ensure Data Subjects are informed of them via the privacy notice.

11. Data Processing by Third-Party Processors

11.1 Where the Companies engage external processors to process personal data on their behalf, a written contract will be in place which sets out the processor’s specific responsibilities, data-protection obligations, sub-processor rules and security measures.
11.2 The Companies will conduct due diligence on processors to ensure they provide sufficient guarantees that they will implement appropriate technical and organisational measures and protect the rights of Data Subjects.

12. Accountability & Governance

12.1 The Companies will maintain records of processing activities as required by Article 30 of the UK GDPR.
12.2 The Companies will conduct periodic reviews of this Policy, data-protection impact assessments (DPIAs) where required, internal audits and staff training to ensure ongoing compliance.
12.3 The Companies will appoint (or designate) a person with responsibility for data-protection matters (e.g., a Data Protection Officer (DPO) or representative) and ensure that this person has sufficient resources, access to senior management and independence in their role.

13. Staff Responsibilities & Training

13.1 All staff, contractors and third-party service providers must understand and adhere to this Policy.
13.2 The Companies will provide training and awareness-raising to staff on data-protection issues (including breach-reporting, secure disposal, data minimisation and lawful bases for processing).
13.3 Breaches of this Policy may result in disciplinary action (for employees) or termination of contract (for contractors/third parties).

14. Policy Review & Updates

14.1 This Policy will be reviewed at least annually or more frequently if necessary (for example, if there are changes in legislation, regulation, guidance, or business practices).
14.2 Any changes will be communicated to all relevant staff, contractors and third parties.

15. Contact & Queries

If you have any questions about this Policy, wish to make a request under data-protection legislation, or suspect a breach, please contact:

  • Data Protection Officer / Privacy Lead: [Name]

  • Email: [email address]

  • Postal address: [Company address]

Both Cress Ltd & Sukin Naturals UK will provide further contact details in their respective privacy notices.