1. Purpose

1. This Data Processing Policy (the Policy) sets out how FAITHFULL processes Personal Data it handles when carrying out its business operations and providing its services. 

2. FAITHFULL is committed to: 

  • ensuring its data processing activities are protected through implementing the appropriate technical and organisational measures, including for the security of processing; 
  • documenting its processing activities to ensure that it is aware of how, where, and when it is processing personal data, the purpose for that processing and the measures it is using to keep that data secure; and  
  • putting in place appropriate secure methods for transferring personal data, both for its own processing and for any sub-processors’ processing, as well as any necessary supplementary measures. 

3. FAITHFULL operates this Policy in compliance with the:

  • European Union General Data Protection Regulation (GDPR); and  
  • the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (UK) (DPA) (collectively, UK Privacy Law), as applicable to the data processing activities being carried out. The definitions adopted in this Policy are as defined in UK Privacy Law. 

2. Scope

  1. This Policy applies to FAITHFULL in its capacity as a Data Controller. Under the GDPR and UK Privacy Law FAITHFULL acts as a Data Controller with respect to its direct relationship with its customers, employees and contractors. 
  2. This Policy applies to individuals, businesses and operations that are captured by the rights and obligations of the GDPR and the UK Privacy Law. FAITHFULL is committed to respecting the privacy of Data Subjects and protecting Personal Data. 

3. Principles for Processing Personal Data

1. FAITHFULL has developed the following principles to follow when processing Personal Data: 

  • Personal Data will be processed lawfully, fairly, in a transparent manner and in accordance with the relevant law, being: 
      • the GDPR for EU based Data Subjects; and 
      • the UK Privacy Law for UK based Data Subjects;  
  • Personal Data will be collected for specified and legitimate purposes and will not be processed further in ways which are not compatible with those purposes;  
  • the Personal Data collected will be relevant and limited to what is necessary in relation to the purposes for which it is processed; 
  • Personal Data will only be used in a manner that is relevant to the purpose of its collection;  
  • individuals based in the EU or the UK may be asked to provide their consent for the collection, processing, and transfer of their Personal Data in connection with FAITHFULL’s services, if appropriate or required;  
  • Personal Data will be accurate and kept up-to-date, and where necessary, FAITHFULL will take reasonable steps to ensure that Personal Data that is inaccurate or incomplete will be amended or deleted;  
  • if a Data Subject requests that their Personal Data is deleted or amended (refer to Data Subject Rights Policy and Procedure), FAITHFULL will do so if the request complies with the relevant law;  
  • Personal Data will be processed in accordance with Data Subjects’ legal rights as a Data Subject;  
  • Personal Data will be kept in a form which permits the identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are collected and processed;  
  • FAITHFULL will make sure it has in place up-to-date and appropriate technical, physical and organisational measures to prevent any unauthorised access, unlawful processing, unauthorised or unintentional loss, destruction or damage to Personal Data;  
  • if there is any breach of the processing of Personal Data that may constitute a data breach, FAITHFULL will follow the process set out in its Data Breach Response Plan;  
  • Personal Data will only be processed in accordance with any Standard Contractual Clauses in place, if relevant; 
  • FAITHFULL will ensure that it implements any specific supplementary measures as required to provide an essentially equivalent level of protection for the Personal Data to the GDPR or UK Privacy Law; and  
  • FAITHFULL will have Standard Contractual Clauses in place with its own group entity located in Australia and any processors or sub-processors and require them to implement any specific supplementary measures as required to provide an essentially equivalent level of protection for Personal Data to the GDPR or UK Privacy Law. 

2. If FAITHFULL amends the way in which it processes Personal Data, it will consider whether its Privacy Policy needs to be updated. If so, it will ensure that it advises individuals that its Privacy Policy has been updated.

4. Types of Data Processed

As part of providing its services, FAITHFULL collects Personal Data from its customers, including: 

  • customer representative full name;  
  • contact information, such as physical address, email address, and mobile number of the customer representative; 
  • location information; 
  • Internet Protocol address;  
  • payment details such as credit card number, expiry date and CVV code; and 
  • other information that may be required for the provision of FAITHFULL’s services. 

5. Ways of obtaining Personal Data

FAITHFULL, as a Data Controller, obtains Personal Data directly from its customers through the following sources:

  • during account creation; 
  • through the FAITHFULL platform or its third-party logistics suppliers when customers make orders for products; 
  • when customers, users or individuals email or otherwise contact FAITHFULL; and 
  • when customers lodge enquiries through the FAITHFULL website. 

6. Purposes for processing Personal Data

FAITHFULL primarily processes Personal Data for the purpose of providing its customers with its services. FAITHFULL may also process Personal Data for its business operational purposes, including:  

  • management of its relationships with its customers;  
  • processing payments;  
  • performance and security monitoring of its services; 
  • carrying out its obligations under its contracts with its customers; and 
  • meeting any obligations it may have under law or as mandated by relevant courts. 

7. Special Category Data

1. FAITHFULL processes limited Special Category Data when customers directly provide it to FAITHFULL in communications. 

2. FAITHFULL seeks explicit consent for the processing of the Special Category Data of end users from the end users when they enter the Special Category Data into the FAITHFULL platform, and it only processes the Special Category Data for:

  • the purpose of providing its services to its customers; and 
  • after the Special Category Data is anonymised, to improve its services. 


3. FAITHFULL ensures that the Special Category Data is only dealt with and shared internally on a “need to know” basis to the team members who will be involved with those improvements.


4. FAITHFULL understands that explicit consent requires the Data Subject to specifically, actively and unambiguously provide an informed express statement of consent to the processing of the Special Category Data.

5. FAITHFULL seeks explicit consent from the end users of its customers to process Special Category Data about them through:

  • seeking a specific, informed and unambiguous indication of the end user’s consent in a clear oral or written statement when the end user enters the Special Category Data on FAITHFULL’s platform; 
  • specifying the processing that requires the explicit consent; and 
  • seeking this consent separately from any other consents being sought from end users. 

6. FAITHFULL understands that it cannot infer consent from a Data Subject or end user’s actions alone (affirmative action), as this does not signify explicit consent.  

7. FAITHFULL understands that explicit consent degrades over time and it will prompt customers to seek consent from end users again either at:  

  • appropriate intervals based on the scope and expectations of the original consent provided by the end user; or  
  • if FAITHFULL’s processing operations evolve or if the purposes for collection change. 



8. Sub-Processors

  1. FAITHFULL shares Personal Data with GDPR compliant sub-processors to provide its services. FAITHFULL imposes contractual obligations and any appropriate supplementary measures on its sub-processors to ensure they apply the same level of data protection as that imposed in this Policy.  
  2. FAITHFULL’s current sub-processors are set out in the table below. 

| Sub-processor name | Location of sub-processor | Contact | Purpose of sub-processing |
|---|---|---|---|
| Meta Platforms, Inc. | USA | Tiffany Lloyd; Tiffany@faithfullthebrand.com; Unit 26, 13-26 Nichols Street, Surry Hills, 2010 | Marketing purposes |
| Shopify UK Limited | UK | Tiffany Lloyd; Tiffany@faithfullthebrand.com; Unit 26, 13-26 Nichols Street, Surry Hills, 2010 | Order processing |
| Indigo8 | Australia | Tiffany Lloyd; Tiffany@faithfullthebrand.com; Unit 26, 13-26 Nichols Street, Surry Hills, 2010 | ERP system for order fulfilment |
| James Cargo | UK | Tiffany Lloyd; Tiffany@faithfullthebrand.com; Unit 26, 13-26 Nichols Street, Surry Hills, 2010 | 3PL, order fulfilment |
| Klaviyo | USA | Tiffany Lloyd; Tiffany@faithfullthebrand.com; Unit 26, 13-26 Nichols Street, Surry Hills, 2010 | Email, SMS and marketing purposes |
| ReturnsGo | USA | Tiffany Lloyd; Tiffany@faithfullthebrand.com; Unit 26, 13-26 Nichols Street, Surry Hills, 2010 | Refunds and exchanges |
| Gorgias | USA | Tiffany Lloyd; Tiffany@faithfullthebrand.com; Unit 26, 13-26 Nichols Street, Surry Hills, 2010 | Customer service communication |

9. Records

FAITHFULL maintains an Internal Data Processing Register in which it records its processing activities in its capacity as a Data Controller, including: 

  • the processing activity or business process for the processing of the Personal Data;  
  • the purpose for processing the Personal Data;  
  • the legal basis for processing the Personal Data; 
  • the category of Data Subject whose Personal Data is being processed; 
  • how the Data Subject to whom the Personal Data relates can exercise their Data Subject rights under the GDPR or UK Privacy Law; 
  • the category of Personal Data being processed;  
  • the source of the Personal Data being processed;  
  • the category of recipient of the processed Personal Data;  
  • whether the Personal Data is transferred to any Data Processors or sub-processors;  
  • whether the Personal Data is transferred to any third countries; 
  • the details about the suitable safeguards in place for the Personal Data;  
  • how long the Personal Data will be retained for;  
  • the technical, organisational and supplementary measures used to keep the Personal Data secure;  
  • whether there is a need for a Data Protection Impact Assessment or any risks with the Personal Data;  
  • whether there is a Joint Controller for the Personal Data; and 
  • the applicable privacy regime for the Personal Data (either the GDPR or UK Privacy Law).