This website uses cookies to ensure you get the best experience on our website. Learn more


GDPR Policy

Introduction to GDPR

The Company is committed to meeting its data protection obligations and being transparent about the processing of personal data as defined under the General Data Protection Regulations 2018. As an organisation, we have a need to obtain and use personal data about those with whom we come into contact, whether this be employees, professional contacts, members of the public etc, in order to carry out our work. Under GDPR legislation we are required to handle and process this data lawfully. This policy details the requirements and responsibilities in this respect, as well as our actions to ensure compliance. This policy applies to the personal data of job applicants, employees, workers, and former employees. This type of data is referred to as HR-related personal data.


GDPR is concerned with the following aspects:

  • Personal Data - information that relates to an identifiable or identified living individual (the data subject). This may include items such as a name, a reference number, location data or other specific factors that identify the person
  • Data Processing – includes organising, adapting or altering data; the use or retrieval of data; disclosure of data; destruction or erasure of data
  • Sensitive Personal Data – relates to one or more of the following – race; political opinion; religious belief; trade union membership; health – physical or mental; sexual orientation or life; biometric data; criminal offences
  • Criminal Records – information regarding an individual's criminal convictions and offences or information relating to criminal allegations or proceedings

Data Protection Principles

The Company will process HR-related personal data in line with the six data protection principles:

  1. Process data in a transparent and fair manner and in accordance with the law
  2. Collect personal data only for necessary purposes (legitimate and specified)
  3. Processes data only where it is adequate, relevant and limited to what is necessary for the purpose of processing
  4. Keep accurate personal data and take all reasonable steps to delete inaccurate data without delay
  5. Keep personal data only for necessary timescales
  6. Adopt measures to ensure data is secure

Data Storage

Any personal data held, either in electronic or paper formats, will be stored securely and only used for the purposes for which it has been obtained. This personal data will be stored for appropriate timescales as determined by legislation. Any electronic devices, i.e. computer systems, mobile phones, tablets etc will be completely reset and wiped before they are sold on/disposed of or no longer used by the Company.

Where the Company relies on third parties to process or handle personal data on its behalf, such parties are subject to written contracts with regards to compliance with necessary legislation and requirements.

Data Access and Accuracy

All individuals have the right to access personal data held about them. The Company will take steps to ensure this information is up to date, by making any changes it is notified of, and/or routinely ensuring that information is still correct and accurate.

Subject Access Requests

Individuals can make a request from which the Company will confirm to him/her:

  • whether their data is processed and to whom their data is disclosed
  • how long the data will be held
  • their rights with regards to the correction or erasure of data
  • their rights to complain to the Information Commissioner
  • their rights around automated decision-making processes

The Company will also provide to the individual a copy of the personal data undergoing processing.

To make a Subject Access request please email the HR Manager where the Company will aim to deal with the request as soon as is reasonably practicable and within one month of the request being made. It should be noted where the request is manifestly unfounded or excessive the Company is not legally obliged to comply with the request.

Data Breaches

If the Company becomes aware of any data breaches that pose a risk to individuals, these will be reported to the Information Commissioner within 72 hours. All breaches will be recorded regardless of whether they are reportable.

If the breach is likely to result in high risk, the individuals concerned will be notified and provided with information regarding actions taken.

International Data Transfers

The Company does not transfer HR-related personal data outside of the EEA.