For the purposes of the General Data Protection Regulation (GDPR), PandaPak Ltd is the Data Controller. The scope also includes personal data that is collected through our websites, by telephone, through Live Chat and through any related social media applications. This means that we determine what data is collected, how this data is going to be used and how this data is protected.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information. If you have questions about how we process personal data, or would like to exercise your data subject rights, please use the information supplied in the Contact Us section.

We may gather, store, and utilize various types of personal information about you. Please note that this list is not exhaustive and includes:

• Personal contact information: This involves details like your name, title, addresses, phone numbers, and personal email addresses.
• Business contact details: This encompasses your position, company name, company address, and business contact information, such as phone numbers and email addresses.
• Age/Date of birth
• Bank account details and information about tax/vat status
• Additional data related to trading information, especially for credit arrangements
• Information obtained through electronic means, such as CCTV footage and geolocation data for deliveries, when you visit our site or receive deliveries from us
• Cookie information and details about your usage of our information and communication systems.

We collect personal data from you for various purposes, including:

• Fulfilling contractual obligations with you or the entity you represent. In some cases, it may be your organization that has provided us with your personal data.
• Initiating and completing commercial transactions for the purchase of products and/or services with you or the entity you represent.
• Delivering products you have purchased directly or indirectly from us.
• Communication with suppliers of goods and services.
• Maintaining accounts and other business records.
• Carrying out marketing activities, electronic or otherwise, including sharing within the Bunzl group.
• Compliance with legal or regulatory requirements, including health and safety obligations.
• Addressing complaints or queries from our customers and suppliers.
• Generating data analytics to monitor and enhance the performance of our website.
• Ensuring the security and proper functioning of our websites and underlying business infrastructure.

Additionally, we may collect supplementary information from third parties, including credit reference agencies.

To facilitate effective use and navigation of our websites, we collect the following technical information from each visitor:

• IP (Internet Protocol) address used for connecting your device to the Internet.
• Login details, browser type and version, cookies, time zone settings, browser plug-in types and versions.
• Operating system and platform.
• Information about your visit, including the URL (Uniform Resource Locators) clickstream to, through and from our site.

We collect and use personal data based on the belief that it is in our legitimate interests, necessary for fulfilling a contract, or with your consent, to operate our business and provide requested services. In certain instances, legal obligations may require the use or disclosure of personal data, such as complying with requests from official bodies.

When processing data on the lawful basis of legitimate interest, we take care to ensure that our interests and fundamental rights do not take precedence over yours.

We may share your personal data, but only when essential, whether it's necessary or mandated by legal requirements. This sharing may involve collaboration with our professional advisors and service providers, including:

• Accountants
• Legal experts
• Consultants
• Insurers
• Information technology and communications service providers
• Suppliers
• Logistics and transport services

Additionally, we may share personal data with competent law enforcement or regulatory authorities as mandated by law or during the acquisition or sale of businesses or assets.

Our commitment is to establish the required safeguards to ensure that personal data, for which the company bears legal responsibility, remains adequately protected and is used appropriately when entrusted to a third party.

We are committed to retaining your data for only as long as necessary to meet our business needs and comply with legal or regulatory obligations governing the retention of personal data. Throughout the retention period, we ensure that your personal data is consistently safeguarded with appropriate security measures.

In establishing the appropriate retention timeframe for personal data, we assess factors such as the volume, nature, and sensitivity of the data, potential risks associated with unauthorized use or disclosure, the specific purposes for data processing, the feasibility of achieving those purposes through alternative methods, and the relevant legal requirements.

We are committed to implementing measures to safeguard your data, employing appropriate security protocols to prevent accidental loss, unauthorized access, alteration, or disclosure of your personal data. Access to your personal data is restricted to individuals, agents, contractors, and other third parties with a legitimate business need to know.

It's important to note that we do not have control over events occurring between your device and the boundaries of our information infrastructure. Recognizing the various information security risks, you should take necessary steps to protect your own information. We assume no liability for breaches that occur beyond our control.

You are under no obligation to furnish personal data to us, but in cases where you engage in a contract for our services or products, providing personal data may be necessary. Without the requisite personal data, we may be unable to deliver our services or products to you.

We reserve the right to utilize your personal data for internal marketing initiatives within our organization. Our communication will be directed only to individuals who have explicitly expressed their consent to receive marketing messages or when it aligns with our legitimate interests. If you object to receiving marketing communications, whether electronic or otherwise, kindly inform us, and we will promptly cease such contact. It is imperative to note that, irrespective of your marketing preferences, we may still find it necessary to contact you for the fundamental purpose of delivering services and products.