Data Protection Policy for Employees, Workers & Consultants


1.1 The Company takes the security and privacy of all personal data very seriously. The Company will comply with any legal obligations imposed on it by law including the EU General Data Protection Regulation (“GDPR”) in respect of data security and data privacy.

1.2 This Policy sets out how the Company will handle the personal data of our customers, suppliers, employees, workers and other Third Parties. The procedures and principles set out in this Policy must be followed at all times by the Company, its employees, agents, contractors or others working on behalf of the Company. It also explains your obligations and what is required of you when processing or storing personal data in the course of working for, or on behalf of, the Company.

1.3 The Company has put in place a number of GDPR Related Notices and Policies and it is essential that you read and are familiar with these which include:

1. Our Website Privacy Notice;

2. Our Employee, Workers & Contractor Privacy Notice; and

3. Our Data Retention Policy

1.4 You must also comply with all such Related Policies and Notices and documentation. Any breach of same may result in disciplinary action.

1.5 The Company is committed not only to the strict letter of the law but the spirit of it too and places high importance on the lawful and fair handling of all personal data respecting the legal rights, privacy, and trust of all individuals it deals with. It recognises that the correct and lawful treatment of Personal Data is essential to our reputation and maintaining confidence in us and will assist us in running a successful business operation.

1.6 This Policy does not form part of your contract of employment or contract for services with the Company and can be amended at any time. It is intended that this Policy is fully compliant with GDPR and domestic legislation. If any conflict arises between this policy and applicable law then the Company intends to comply with the law.


Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Personnel and Personal Data used in our business for our own commercial purposes.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data.

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of Personal Data relating to them.

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

EEA: The 28 countries in the EU, and Iceland, Liechtenstein and Norway.

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Related documents means Our Website Privacy Notice; Our Employee, Workers & Contractor Privacy Notice; and Our Data Retention Policy.


3.1 “Personal data” means information which relates to a living person who can be identified from that data (a “data subject”) on its own or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others in respect of that person. It does not include anonymised data. Personal Data includes Sensitive Personal Data as defined at 4.1 below and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.

3.2 This policy applies to all personal data whether it is stored electronically, on paper or otherwise.


4.1 “Special categories of personal data” are types of personal data consisting of information as to:

a) racial or ethnic origins;
b) political opinions;
c) religious or philosophical beliefs;
d) trade union membership;
e) genetic or biometric data;
f) health;
g) sex life and sexual orientation; and
h) any criminal convictions and offences.


5.1 “Processing” means any operation which is performed on personal data such as:

a) collection, recording, organisation, structuring or storage;
b) adaptation or alteration;
c) retrieval, consultation or use;
d) disclosure by transmission, dissemination or otherwise making available;
e) alignment or combination; and
f) restriction, destruction or erasure.

5.2 This includes processing personal data which forms part of a filing system and any automated processing.


6.1 The GDPR sets out the following principles with which any party, including you, handling personal data must comply. All personal data must be:

a) Processed lawfully, fairly, and in a transparent manner in relation to the data subject. (Lawfulness, Fairness and Transparency)

b) Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. (Purpose Limitation)

c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. (Data Minimisation)

d) Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay. (Accuracy)

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject. (Storage Limitation)

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. (Security, Integrity and Confidentiality)

6.2 The Company is responsible for and must be able to demonstrate compliance with the data protection principles listed above. Some of these principles and the steps you must take to ensure compliance with them are explained in more detail below.


7.1 The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject.

7.2 The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

a) The data subject has given consent to the processing of their personal data for one or more specific purposes;

b) The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;

c) The processing is necessary for compliance with a legal obligation to which the data controller is subject;

d) The processing is necessary to protect the vital interests of the data subject or of another natural person;

e) The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or

f) The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

7.3 If the personal data in question is “special category data” then at least one of the following additional conditions must be met:

a) The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);

b) The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);

c) The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; 

d) The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;

e) The processing relates to personal data which is clearly made public by the data subject;

f) The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;

g) The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;

h) The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;

i) The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or

j) The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

7.4 It is essential that when handling, using or processing personal data whether that of a client, customer, fellow employee or other third party that there is a lawful basis for doing so. If you are in any doubt about this you should seek guidance from Rose Cowan.

7.5 Ordinarily, when we are dealing with our customers we will be processing their personal data in order to fulfil their order, so we will be processing it in accordance with a contract we have with them.


8.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

8.2 You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data. 

8.3 Your obligations with regard to the accuracy of your own personal data are explained in the Privacy Notice provided to you.


9.1 Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

9.2 We have developed a range of safeguards to protect personal data within the course of our business. Everyone who works for, or on behalf of, the Company including you has responsibilities in this regard. You:

• Must only access personal data covered by this policy and related documentation if you need it for the work you do for or on behalf of the Company and only if you are authorised to do so. You should only use the data for the specified lawful purpose for which it was obtained.

• Must handle all personal data with care at all times; it should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time.

• Must not share personal data informally.

• Must keep personal data secure and not share it with unauthorised people.

• Must regularly review and update personal data which you have to deal with for work. This includes telling us if your own contact details change.

• Must not make unnecessary copies of personal data and should keep and dispose of any copies securely.

• Must use strong passwords.

• Must not under any circumstances write down passwords or share them with any other employees, agents, contractors, or other parties working on behalf of us, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.

• Must lock your computer screen when not at your desk.

• Must encrypt personal data before transferring it electronically to authorised external contacts.

• Must consider anonymising data or using separate keys/codes so that the data subject cannot be identified.

• Must not save personal data to your own personal computers or other devices.

• Must never transfer data outside the European Economic Area except in compliance with the law and with authorisation.

• Must lock drawers and filing cabinets. Do not leave paper with personal data lying about.

• Must not take personal data away from the Company’s premises without authorisation from your line manager or Rose Cowan.

• Must ensure that when you are disposing of personal data you do so in accordance with the Data Retention Policy and that it is shredded and disposed of securely when you have finished with it.

• Must assist the Company in ensuring and achieving adherence to the Organisational Measures set out below. This would, for example, include informing Rose Cowan of any workers, agents, contractors, or other parties working on behalf of the Company so that they can be provided with relevant documentation.

• Must ensure that all emails containing personal data are encrypted.

• Must transmit personal data over secure networks only; transmission over unsecured networks is not permitted in any circumstances.

• Must ensure that where personal data is to be sent by facsimile transmission the recipient is informed in advance of the transmission and is waiting by the fax machine to receive the data.

• Must ensure that personal data is handled in accordance with the Data Protection Principles.

• Must ensure that all hard copies of personal data, along with any electronic copies stored on physical, removable media, are stored securely in a locked box, drawer, cabinet, or similar.

• Must not store personal data on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise, without authorisation. Such devices must be kept securely and appropriate safeguards must be in place, including mandatory use of passwords/passcodes and encryption.

• Must not transfer personal data to any device belonging to agents, contractors, or other parties working on behalf of the Company unless authorised to do so and the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which will include demonstrating to the Company that all suitable technical and organisational measures have been taken).

• Must ask for help from our Data Protection Manager, Rose Cowan, if you are unsure about data protection or if you notice any areas of data protection or security we can improve upon.


10.1 The Company will ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

a. All employees, agents, contractors, or other parties working on our behalf shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy and related documentation, and shall be provided with a copy of this Policy;

b. Only employees, agents, sub-contractors, or other parties working on our behalf that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by us;

c. All employees, agents, contractors, or other parties working on our behalf handling personal data will be appropriately qualified to do so;

d. All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;

e. Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;

f. All personal data held by us shall be reviewed periodically, as set out in our Data Retention Policy;

g. All employees, agents, contractors, or other parties working on our behalf handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy and related documentation;

h. All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as our employees arising out of this Policy and the GDPR; and

i. Where any agent, worker, consultant, contractor or other party working on our behalf handling personal data fails in their obligations under this Policy or GDPR that party shall indemnify and hold us harmless against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.


11.1 Rose Cowan shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with it, the Company’s other data protection-related documentation, and with the GDPR and other applicable data protection legislation.

11.2 The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

a. The name and details of the Company, its Data Protection Manager, and any applicable third-party data processors;
b. The purposes for which the Company collects, holds, and processes personal data;
c. Details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;
d. Details of any transfers of personal data to non-EEA countries, including all mechanisms and security safeguards;
e. Details of how long personal data will be retained by the Company (please refer to the Company’s Data Retention Policy); and
f. Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.


12.1 The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.

12.2 Data Protection Impact Assessments shall be overseen by Rose Cowan and shall address the following:

a. The type(s) of personal data that will be collected, held, and

b. The purpose(s) for which personal data is to be used;

c. The Company’s objectives;

d. How personal data is to be used;

e. The parties (internal and/or external) who are to be consulted;

f. The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

g. Risks posed to data subjects;

h. Risks posed both within and to the Company; and

i. Proposed measures to minimise and handle identified risks.


13.1 We have robust measures in place to minimise and prevent data breaches from taking place.

13.2 If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Manager must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

13.3 In the event that a personal data breach is likely to result in a high risk, the Data Protection Manager must ensure that all affected data subjects are informed of the breach directly and without undue delay.

13.4 Data breach notifications shall include the following information:

a. The categories and approximate number of data subjects concerned;
b. The categories and approximate number of personal data records concerned;
c. The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);
d. The likely consequences of the breach;
e. Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

13.5 If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. You must immediately report the matter to the Data Protection Manager and keep any evidence you have in relation to the breach.


14.1 Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:

(a) withdraw consent to processing at any time;
(b) receive certain information about the Data Controller's processing activities;
(c) request access to their Personal Data that we hold (this is commonly referred to as a “subject access request” or “SAR”);
(d) prevent our use of their Personal Data for direct marketing purposes;
(e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
(f) restrict processing in specific circumstances;
(g) challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
(h) request a copy of an agreement under which Personal Data is transferred outside of the EEA;
(i) object to decisions based solely on automated processing, including profiling (ADM);
(j) prevent processing that is likely to cause damage or distress to the Data Subject or anyone else;
(k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
(l) make a complaint to the supervisory authority; and
(m) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.

14.2 You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).


15.1 Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them. This request must be made in writing. If you receive such a request you should forward it immediately to Rose Cowan, who will coordinate a response.

15.2 If you would like to make a SAR in relation to your own personal data you should make this in writing to Rose Cowan.

15.3 We must respond within one month unless the request is complex or numerous, in which case the period in which we must respond can be extended by a further two months.

15.4 There is no fee for making a SAR. However, if a request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.


16.1 The Company is subject to certain rules and privacy laws when marketing to our customers.

16.2 You should be aware that a Data Subject's prior consent is required for electronic direct marketing (for example, by text, email or automated calls). There is a limited exception to this known as “soft opt out” for existing customers which allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to that person, we are marketing similar products or services, and we gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message. We rely on our legitimate interest as an organisation to market to our existing customers who have stayed with us.

16.3 The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

16.4 A Data Subject's objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

16.5 We retain customers' personal data in accordance with our Retention Policy.

16.6 It is important that you ensure that you comply with the rules regarding direct marketing.


17.1 Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.

17.3 We require any Third Parties with whom we share personal data to keep it confidential and secure and to protect it in accordance with the law. They are only permitted to process personal data for the lawful purpose for which it has been shared and in accordance with our instructions. We will use a Data Processor Agreement where applicable.

17.4 In the event that you intend sharing personal data with any Third Party you should ensure that you have a lawful basis for doing so, that you have appropriate authorisation from the Data Protection Manager and that adequate safeguards and contractual arrangements are in place.


18.1 The Company will only transfer personal data to countries outside of the EEA where it is lawful to do so.

18.2 The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

a. The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;

b. The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;

c. The transfer is made with the informed consent of the relevant data subject(s);

d. The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);

e. The transfer is necessary for important public interest reasons;

f. The transfer is necessary for the conduct of legal claims;

g. The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or

h. The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.


19.1 It is fundamental to the running of our business that Data Protection law is adhered to.

19.2 The Company can face potential fines of up to 20 million euros or 4% of global annual turnover whichever is greater.

19.3 Any deliberate or negligent breach of this policy by you may result in disciplinary action being taken against you in accordance with our disciplinary procedure. Depending on the seriousness of the breach it may be categorised as gross misconduct and a potential outcome could be the termination of employment by way of summary dismissal.

19.4 It is a criminal offence to conceal or destroy personal data which is part of a subject access request. This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in your dismissal.

19.5 You should also be aware that knowingly or recklessly obtaining, disclosing or retaining personal data without the consent of the Data Controller may result in criminal proceedings.

The Company reserves the right to amend this Policy at any time.

If you have any questions about this Policy or any related documentation then please contact Rose Cowan.

Implementation of Policy
This Policy shall be deemed effective as of 25th May 2018 and shall thus apply only to matters occurring on or after this date.

Woodburn Engineering Ltd
