GDPR & Data Privacy Policy

W. M. Ironwork Ltd

Newton Tracey, Barnstaple, Devon, EX31 3PN
Tel: 01271 858444
Website: www.wmi.uk.com
Created: 22/05/2018
Reviewed: 24/09/2025

Introduction

W. M. Ironwork Ltd (“the Company”) is committed to protecting the personal data of employees, clients,
and business partners. This policy explains how the Company complies with the UK General Data Protection
Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

Scope

This policy applies to all employees, contractors, and third parties handling personal data on behalf of the Company.

Policy

Scope of Data Collected

The Company may collect and process the following categories of personal data:

Employees

• Full name, address, date of birth, National Insurance number, tax code, pay rates, pension details.
• Contact details (phone, email).
• Medical information (where required for employment or health & safety purposes).
• Biometric data (fingerprints for clocking-in systems).

Clients

• Company/individual names, registered addresses, company numbers.
• Contact details (phone, email, site addresses).
• Credit and financial information.
• Order, delivery, and invoicing records.

Lawful Bases for Processing

Processing will only take place where a lawful basis applies:

• Contractual necessity – Art. 6(1)(b)
• Legal obligation – Art. 6(1)(c)
• Legitimate interests – Art. 6(1)(f)
• Consent – Art. 6(1)(a)

Special Category Data

Special category data (e.g., medical, biometric) will be processed under:

• Employment law obligations – Art. 9(2)(b)
• Health & safety requirements – Art. 9(2)(h)

Data Retention

Data is retained only as long as necessary. Typical retention periods include:

Employees

• General employee data: 6 years after employment ends.
• Payroll/tax records: 6 years.
• Pension records: 6 years after benefits end.
• Health surveillance records: up to 40 years.

Clients

• Client data: 6 years after the last contract unless a longer period is required for insurance or regulatory reasons.

At the end of the retention period, data will be securely deleted or destroyed.

Data Security

• Digital data stored on password-protected servers.
• Paper documents kept in secure, locked facilities.
• Cloud storage (if used) encrypted and access-controlled.
• Access restricted to authorised personnel only.

Data Sharing

Data will not be shared with third parties unless a lawful basis applies. Sharing may occur with:

• Regulatory bodies such as HMRC or the ICO.
• Professional advisers (insurers, accountants, bankers).
• Suppliers or subcontractors necessary for fulfilling client contracts.

All third parties must demonstrate GDPR compliance.

Data Subject Rights

Individuals have the right to:

• Be informed about data use.
• Access personal data.
• Request rectification or erasure.
• Restrict or object to processing.
• Request data portability.
• Avoid automated decision-making and profiling.

Requests can be made verbally or in writing and will be answered within one month.

Marketing

The Company will only send marketing communications where:

• Prior consent has been given, or
• A soft opt-in applies under PECR, with a clear opt-out option.

Data Breaches

Any suspected breach must be reported immediately to the Data Protection Officer (DPO).

• The ICO will be notified within 72 hours where required.
• Affected individuals will be informed if there is a high risk to their rights and freedoms.

Roles and Responsibilities

Data Protection Officer / Responsible Person:
Mr S. P. West (Director)
W. M. Ironwork Ltd, Newton Tracey, Barnstaple, Devon, EX31 3PN
Tel: 01271 858444

Supervisory Authority

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

Non-Compliance

Employees who fail to comply with this policy may face disciplinary action, up to and including dismissal for serious breaches.

Implementation of the Policy

The Company’s senior management is responsible for implementation and review.
All employees must support and comply with the policy.
New employees will be informed during induction.

Monitoring Policy

The policy will be monitored continuously to ensure effectiveness.

Reviewing Policy

This policy will be reviewed and revised where necessary following incident investigations or organisational changes.

Policy Amendments

If changes are made, senior management will ensure all relevant employees are notified.
Written notice and/or training may be provided.

Additional Information

For further information or clarification, contact your manager.
If dissatisfied with any decision, employees may use the Company’s formal Grievance Procedure.
Where statutory requirements change, this policy will update automatically.

Document Control Table

Version	Date	Author	Changes
1.0	22/05/2018	Clive Williams	Initial version created
2.0	24/09/2025	Luke Cane	Regulatory updates & formatting