1. Introduction

At WME (West Mercia Energy), we collect and use various types of information about individuals to support our legitimate business activities. These individuals include current, past, and prospective customers, suppliers, our staff, and other relevant parties. It's important that we handle this personal information responsibly, whether it's stored on paper, electronically, or in any other format. We are committed to complying with the Data Protection Act 2018 and ensuring that personal data is processed lawfully and correctly.

2. Principles of Data Protection

We adhere to the following principles of data protection:

•    Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and transparently.
•    Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
•    Data minimization: Data collected is adequate, relevant, and limited to what is necessary for the intended purposes.
•    Accuracy: Personal data is accurate, and efforts are made to keep it up to date.
•    Storage limitation: Data is kept for no longer than necessary for the purposes for which it is processed.
•    Integrity and confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

3. Data Subjects' Rights

Individuals have the following rights regarding their personal data:

•    Right to be informed
•    Right to access their data (Subject Access Request)
•    Right to rectification of inaccurate data
•    Right to erasure of their data (where appropriate)
•    Right to restrict processing (where appropriate)
•    Right to data portability (where appropriate)
•    Right to object to processing (where appropriate)
•    Right not to be subject to automated decision-making, including profiling (where appropriate)

4. Criteria and Controls

We implement the following criteria and controls:

•    Fair collection and use of information
•    Legal obligations regarding the purposes of information use
•    Collection and processing of appropriate information
•    Ensuring information quality
•    Determining the length of time information is held
•    Facilitating the exercise of individuals' rights under the Act
•    Implementing technical and organizational security measures
•    Restricting international data transfers without suitable safeguards
•    Ensuring fair treatment regardless of personal characteristics
•    Clear procedures for handling personal information

5. Additional Measures

In addition to the above, we:

•    Appoint a Data Protection Officer
•    Maintain a Register of Processing Activities (ROPA)
•    Implement a Data Retention and Disposal Policy
•    Investigate and notify personal data breaches promptly
•    Ensure appropriate contracts with third-party data processors
•    Provide training on data protection practices
•    Establish clear procedures for handling inquiries and complaints
•    Regularly review and update our data protection practices
•    Enforce disciplinary action for policy breaches

6. Contact Information

For any questions or concerns regarding this policy, please contact our Data Protection Officer at dpo@westmerciaenergy.co.uk.