1. Objective
  2. Scope of Standards

III. Local Laws

  1. Basic Principles of Processing Personal Data
  2. Purposes for which Personal Data is processed
  3. Sensitive Personal Data

VII. Security of Personal Data

VIII. Rights of Individuals

  1. Transferring Data
  2. Direct Marketing
  3. Automated Decisions

XII. Enforcement Rights

XIII. Audit Procedures

XIV. Change Control

  1. Relations with Data Protection Authorities

Appendix – Sensitive Personal Data



The aim of these Data Protection Standards (the “Standards”) is to provide a consistent level of security and process in relation to Personal Data within the business.


These Standards apply to processing personal data relating to Customers or Suppliers (“Personal Data”).

Processing and process means any action carried out in relation to Personal Data, whether using computers or hard copy means, and includes the collecting, recording, organizing, storing, amending, modifying, using, disclosing, or deleting such data.

Personal Data is any information about any identified or identifiable individual held in any form on any computer or in hard copy and with whom we do business or intends to do business or has done business and includes prospects as well as actual purchasers and vendors.


The objective of these Standards is to establish equality of data protection and data security standards for the collection, use and transfer of Personal Data including subsequent processing of such data elsewhere.


We affirm respect for and commitment to the privacy rights of each individual within the law. We will comply with the following principles when processing Personal Data:

  • Data will be processed fairly and lawfully.
  • Data will be collected for specified, legitimate purposes and not processed further in ways incompatible with those purposes.

Data will be relevant to and not excessive for the purposes for which you are collected.

  • Data will be accurate and, where necessary, kept up-to-date.
  • Data will be kept only as long as it is necessary for the purpose for which it was collected.
  • Data will be processed in accordance with the individual’s legal rights (as described in these Standards or as provided by law).
  • Appropriate technical, physical, and organizational measures will be taken to prevent unauthorized access, unlawful processing, and unauthorized or accidental loss, destruction, or damage to data.

We will strive to ensure that only that Personal Data which is necessary for the purposes of an efficient management of data resources is processed and is always appropriately protected. In order to fulfil contracts or comply with legal obligations the sharing of Personal Data will be necessary to enable business efficiency and to safeguard data and we will have full regard to this in relation to our collection and use of Personal Data.


Personal Data of Customers and Suppliers will be used for many purposes relating to planning and managing suppliers and customers to facilitate cooperation, communication, marketing and teamwork with a view to:

– Maintaining business records relating to past and present suppliers of goods and services;

– Maintaining records relating to past and present customers for use in the business;

– Compliance with legal obligations (Money Laundering, etc) and prevention of crime;

– Conducting auditing, accounting, financial, and economic analyses and investigations, and

– Facilitating business communications, negotiations, transactions, marketing, public relations, events, seminars and training

– Compliance with and enforcement of contractual obligations, defence and protection of legal rights

– Prevention of crime, prosecution of offenders.

Where new processes or purposes are identified which are outside existing notices the Customer or Supplier has received and agreed then affected Customers and Suppliers will be notified of the new purpose of the process before use of their Personal Data commences for the new purpose.

Controlling disclosures

We will disclose Personal Data to the following categories of individuals on a “need to know” basis:

– management at suppliers and advisers

– supply chain personnel and administrative support

– IT administrators

– local and central government and similar bodies or agencies when required by law

– legal and other professional adviser, agents and sub-contractors of the business

– suppliers and providers of services (such as e-marketing host companies, events organisers etc) to the business

– data processor companies used by the business

– complainants, correspondents and subscribers

– other employees


We have no reason to collect sensitive personal data in relation to Customers or Suppliers (sensitive data includes data relating to race, ethnic origin, religious, philosophical or other beliefs, trade union membership or political party membership, health or sex life (orientation) or criminal offences or suspected criminal offences.

Sensitive Personal Data is not to be collected unless specifically authorised and properly identified, collected and protected.

If we collect sensitive personal data in relation to Customers or Suppliers (sensitive data includes data relating to race, ethnic origin, religious, philosophical or other beliefs, trade union membership or political party membership, health or sex life ( orientation) or criminal offences or suspected criminal offences, then in order to lawfully collect such sensitive personal data we must ensure that at the point of collection a full Privacy Notice is given AND obtain written consent for the use of that data from the individual which is to be recorded on the relevant system.

Sensitive Personal Data is to be used only for the purposes for which it is given, kept separately from other data, encrypted or locked away at all times and destroyed when no longer needed in a secure manner.


We are committed to taking appropriate technical, physical, and organizational measures to protect Personal Data against unauthorized access, unlawful processing, accidental loss or damage, and unauthorized destruction. Where Personal Data is to be transferred to an external third party (other than when required by law or to a governmental authority) we will ensure that the intended recipient of the Personal Data has appropriate technical and security measures to protect the Personal Data.

Controlling Access to Personal Data

Access to internal systems that hold Personal Data is limited to authorised staff will be given access to such systems through the use of a unique identifier and password. Access to Personal Data is limited to and provided to individuals for the purpose of performing their job.

Training and sanctions

We will continuously provide training regarding the lawful processing of Personal Data, the need to protect and keep Personal Data accurate and up-to-date, and the need to maintain the confidentiality of the data to which you have access. Authorised staff must comply with these Standards, and we will take appropriate disciplinary action if Personal Data is accessed, processed, or used in any way that is inconsistent with the requirements of these Standards.

Retention of Personal Data

Personal Data will be retained for up to 15 years after the end of the business relationship. Employees that use or maintain Personal Data are responsible for processing such Personal Data in accordance with these standards and our Retention Policy.

We restrict access to Personal Data to persons who have a job-related “need to know” or who have documented access rights, and destroy records only in accordance with our Retention Policy.


Any individual may inquire as to the Personal Data stored or processed about him or her and will be allowed copies of the information held regardless of the location of the data processing and storage (subject to appropriate costs only being incurred and the relevant fee being paid). Requests should be made directly to the person identified from time to time for these purposes.(See the Data Subject Access Request Policy)

The individual has the right to update and amend any Personal Data which is inaccurate by providing written proof of any inaccuracy or error. They may also block the use of any Personal Data until any error or inaccuracy is rectified. (See the Data Subject Complaints Policy)

If access or rectification is denied, the reason for the denial will be communicated and a written record will be made of the request and reason for denial.

If the person demonstrates that the purpose for which Personal Data is being processed is no longer legal or appropriate, the data will be deleted, unless the law requires otherwise.


Transfers outside the business

To Suppliers and Contracted Third Parties:

If suppliers and contractors outside the business have voluntarily undertaken to comply with the obligations of these Standards and are to act as processors with respect to the processing of Personal Data, the following provisions shall apply:

  • we shall ensure that the recipient takes all technical or organisational security measures required for safe and lawful processing. They shall allow inspection of their premises for security and ensure there is an understanding that Personal Data is to be kept securely.
  • Rights ofaudit

    shall be obtained and the right to terminate the agreement if they fail to abide by the requirements. A list of obligations shall be set out in the contract and form the basis of auditing.

  • They shall contractually undertake to process any data received only within the scope of the contract and of the instructions given by us. Any processing for their own purposes or for purposes of third parties shall be contractually excluded.

The transfer of Personal Data in such circumstances shall only be allowed:

  • if the individual has given his/her consent unambiguously to the proposed transfer; or
  • if the transfer is necessary for
  • the performance of a contract between the individual and us or
  • the implementation of pre-contractual measures taken at the instigation of the individual;
  • if the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded in the interest of the individual between the controller and a third party; or
  • if the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims in court; or
  • if the transfer is necessary in order to protect the vital interests of the individual; or
  • if the recipient country/the receiving body ensures an adequate level of data protection for the purposes of these Standards. If the recipient of data is a company which has to comply with these Standards, it is not necessary to check whether there is an adequate level of data protection; or
  • if the receiving body provides sufficient guarantees with regard to the protection of the right of privacy and the exercise of the rights involved. If the recipient of data is a company which has to comply with these Standards, these guarantees result from these Standards.
  • If in doubt as to whether it is permitted to transfer data to another country take advice.

To Other Third Parties:

  • We may be required to disclose certain Personal Data to other third parties:
  • When required by statute or regulation
  • When required in response to administrative or judicial process, including without limitation a subpoena or search warrant
  • When required in order to cooperate with governmental agencies or law enforcement, to the extent permitted by law or regulation
  • When there is an emergency affecting the employee
  • When necessary to lawfully investigate and protect a legal or business interest of the business
  • It is otherwise in the legitimate interests of the business taking into account the likelihood of harm to the individual
  • In all suchinstances

    you must refer the matter for advice.

  • Merger or business reorganization
  • In the unlikely event that we seek to sell business assets or the business or engage in any internalre-organisation

    it may be necessary to share Personal Data with third parties for such purposes. In such circumstances we shall notify the relevant individuals before sharing Personal data with the potential acquirer or merging or re-organising entities where such Personal Data cannot first be anonymised, or shall ensure it is placed under Clean Room conditions subject to adequate contractual clauses regarding confidentiality and return or destruction of such Personal Data on conclusion of the process.


Unless we have positive opt-in consent from the individual which consent has not been withdrawn we will not engage into direct marketing activities.



We will not make totally Automated Decisions in relation to Customers or Suppliers. If Automated Decision making processes are to be put into effect, legal advice must be obtained.



All persons who have access to Personal Data must comply with these Standards. If at any time, a person believes that Personal Data has been processed in violation of these Standards, he or she may report the concern to their line manager or such other person as nominated from time to time.



We will check our customer lists and supplier details at least once every 12 months and will require the individual who obtained the data to prove that the relevant Privacy Notice was provided to the customer or supplier at the time of capture of their personal data.



We may modify these Standards from time to time as needed, for example, to comply with changes in law, regulations or internal processes.


We will respond appropriately to requests from data protection authorities about these Standards or compliance with applicable data protection and privacy laws and regulations. We will, upon request, provide data protection authorities with names and contact details of relevant contact persons within the business.

Revision history

Issued into effect on: 06/03/2018
Reviewed: 30/06/2020


Quick Enquiry
Close Form

Quick Enquiry

+44 (0) 20 7821 0999

Call Us