Data Protection & Privacy Policies and Procedures
1. Introduction
Ernest Chemist Limited (“the Company”) is committed to protecting the privacy and security of personal data in accordance with the applicable data protection law, the Data Protection Act, 2012 (Act 843), and regulations. As a drug manufacturing company, retail pharmacy operator, and wholesaler, the Company collects, processes, and stores personal data in various forms as part of its operations. This policy outlines the procedures for protecting the personal data of our customers, employees, suppliers, and other stakeholders.
2. Purpose
The purpose of this Data Protection & Privacy Policy is to ensure that Ernest Chemist Limited handles all personal data with care and in compliance with applicable laws and regulations. This policy applies to all employees, contractors, and third parties who have access to personal data held by the Company.
3. Scope
This policy covers all personal data collected, processed, and stored by Ernest Chemist Limited, including data related to customers, employees, suppliers, and other individuals. This includes data collected through our retail pharmacy shops, wholesale and warehouse branches, manufacturing processes, and online platforms.
4. Data Protection Principles
The Company adheres to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: We will process personal data in a lawful, fair, and transparent manner.
- Purpose Limitation: Personal data will only be collected for specified, legitimate purposes and will not be further processed in a manner that is incompatible with those purposes.
- Data Minimization: We will ensure that personal data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data will be accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data will be retained no longer than necessary for the purposes for which it is processed.
- Integrity and Confidentiality: Personal data will be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
5. Types of Personal Data Collected
The Company collects the following types of personal data:
- Customer Data: Name, address, phone number, email address, prescription information, purchase history, date of birth, payment details.
- Employee Data: Name, contact details, job title, employment history, bank details, social security number, family details, photo of individual, education history, ID number, and performance records.
- Supplier and Business Partner Data: Contact details, business-related information, contract details, payment information.
- Health-related Data: Prescription records, medical history (where necessary for the sale of prescription drugs).
- Visitor Data: IP addresses, cookies, and browsing data (if using the Company’s website or online platforms).
6. Legal Basis for Processing Personal Data
Personal data will be processed based on one or more of the following legal grounds:
- Consent: The individual has given clear consent for the processing of their personal data for a specific purpose.
- Contractual Necessity: The processing is necessary for the performance of a contract with the individual or to take steps at their request before entering a contract.
- Legal Obligation: The processing is necessary for compliance with a legal obligation.
- Legitimate Interests: The processing is necessary for the legitimate interests pursued by the Company or a third party, except where these interests are overridden by the individual’s rights and freedoms.
7. Data Collection Methods
- Retail Operations: Personal data is collected from customers during the sale of prescription drugs through our pharmacy shops.
- Wholesale and Warehouse Operations: Bulk customers provide their business information for ordering and delivery purposes.
- Manufacturing: Data is collected in the form of employee details, supply chain data, and product-related information.
- Online Platform: When customers purchase products online, personal data is collected through the Company’s website.
8. Data Retention and Disposal
The Company will retain personal data for as long as necessary to fulfill the purposes for which it was collected. Once personal data is no longer needed for the purposes it was collected for, it will be securely disposed of or anonymized.
9. Data Security Measures
To protect personal data, Ernest Chemist Limited has implemented the following security measures:
- Physical Security: Secure access to offices, warehouses, and other physical locations where data is stored.
- Technical Security: Use of encryption, firewalls, secure servers, and anti-virus software to protect data stored electronically.
- Access Control: Restricted access to personal data based on employee roles and responsibilities.
- Employee Training: Regular training in data protection practices for employees and contractors who handle personal data.
10. Data Subject Rights
Individuals whose data is processed by the Company have the following rights:
- Right to Access: The right to request access to personal data the Company holds about them.
- Right to Rectification: The right to request correction of any inaccuracies in their personal data.
- Right to Erasure: The right to request the deletion of their personal data, subject to legal and contractual obligations.
- Right to Restriction: The right to request the restriction of the processing of their personal data.
- Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to Object: The right to object to the processing of their personal data based on legitimate interests or direct marketing purposes.
11. Third-Party Data Sharing
The Company may share personal data with third-party service providers for the purposes of:
- Delivery services (e.g., courier companies).
- Payment processing providers.
- IT and data management service providers.
- Regulatory authorities, if required by law.
Before sharing personal data with third parties, the Company ensures that appropriate data protection agreements are in place to safeguard the personal data.
12. Data Protection Officer (DPO)
Ernest Chemist Limited has appointed a Data Protection Officer (DPO) to oversee compliance with this policy and applicable data protection laws. The DPO is responsible for:
- Monitoring data protection activities within the Company.
- Serving as a point of contact for data subjects to exercise their rights.
- Ensuring data protection practices are followed by all employees and third parties.
- Conducting regular audits to ensure the security of personal data.
13. Reporting a Data Breach
In the event of a data breach, Ernest Chemist Limited will promptly notify affected individuals and the relevant regulatory authorities in accordance with applicable laws. The Company will take immediate steps to mitigate the impact of the breach and prevent further unauthorized access.
14. Review and Updates
This Data Protection & Privacy Policy will be reviewed annually or whenever there are significant changes in the Company’s data processing activities or relevant laws. Any changes will be communicated to employees, customers, and other stakeholders as appropriate.
Conclusion
Ernest Chemist Limited is dedicated to protecting the privacy and security of personal data. We commit to upholding the highest standards of data protection and transparency, and to complying with all applicable data protection laws.
For any questions or concerns regarding our data protection and privacy practices, please contact our Data Protection Officer at dpo@ernestchemists.com.gh