Cookies Policy cookies-policy
General Data Protection Regulation (GDPR) Policy general-data-protection-regulation-gdpr-policy
Privacy Policy privacy-policy
Terms & Conditions terms-conditions
Environmental Policy environmental-policy
Slavery Policy slavery-policy

GDPR Policy


We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes. This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.

What is GDPR?

Keeping information about clients and staff confidential makes clear business sense but it is also required by law. The EU General Data Protection Regulation (GDPR) defines the ethical handling of personal data. Replacing legislation written before the digital age, the regulation became EU law in 2016, enforceable from 25th May, 2018.


Business purposes: The purposes for which personal data may be used by us: Personnel, administrative, financial, regulatory, payroll and business development purposes.

Business purposes include the following:

  • Compliance with our legal, regulatory and corporate governance obligations and good practice
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • Investigating complaints - Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing our business
  • Improving services

Personal data

  • Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts.
  • Personal data we gather may include: individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

Sensitive personal data

  • Personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings—any use of sensitive personal data should be strictly controlled in accordance with this policy.

Data Controller

  • An organization that determines the way in which personal data is processed. The controller must be able to demonstrate compliance with the principles and ensure contracts with data processors comply with the GDPR. Each data controller must also pay a fee to the Information Commissioner’s Office.

Data Processor

  • An organization that processes personal data, but only in accordance with the instructions of the data controller. This can include subcontractors and agents. Processors must maintain records of personal data and processing activities and will have legal liability if responsible for a breach.


  • Collecting, disclosing, storing, using or any other operation performed upon personal data. If you use personal data in any way, you will be “processing” it.


This policy applies to all staff. You must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.

Who is responsible for this policy?

As our Data Protection Officer, has overall responsibility for the day-to-day implementation of this policy.