Privacy Notice

This privacy notice is addressed to:

• our suppliers, customers and service providers who are natural persons (such as self-employed persons);
• the representatives or contact persons of our suppliers, customers and service providers who are legal entities such as limited liability companies;
• individuals who contact us with queries or complaints; and
• any other visitors of our business.

This notice applies to all current, potential and former suppliers, customers and service providers.

For the purpose of this Privacy Notice, “Whitworth Bros. Ltd”, “we”, or “us” refers to Whitworth Bros. Ltd based at Victoria Mills, Wellingborough, Northamptonshire, NN8 2DT.

We are a data controller.

It is important that you read this statement so that you know how and why we use information about you. It is also important that you inform us of any changes to your personal information during the time you or your employer is a supplier, customer or service provider with us so that the information which we hold is accurate and current. Should you have any further question in relation to the processing of your personal data, please contact the Data Protection Officer using the address details below.

1. What information do we have about you?

The information that you provide to us is required in order for us to provide or procure goods and/or services, take/make payments from/to you and/or respond to an enquiry and/or complaint you have made. This information may either be directly provided by you or provided by our supplier, customer or service provider (i.e. the legal entity for whom you work).

We may collect various types of personal data about you, including:

• your personal details and identification information (e.g. name, email and/or postal address, landline and/or mobile phone number and car registration number);
• your function (e.g. title, position and name of company);
• for natural persons acting as suppliers, customers or service providers, financial information (e.g.bank account details); and

2. For what purposes do we use your personal data and why is this justified?

Legal basis for the processing

In accordance with the data protection laws, we need a “lawful basis” for collecting and using information about you. There are a variety of different legal bases for using personal data which are set out in the data protection laws. We will only process your personal data if:

• the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps;
• the processing is necessary to comply with our legal or regulatory obligations; or
• the processing is necessary for our legitimate interests and does not override unduly your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:

• to procure products and services from our suppliers and service providers
• to offer our products and services to our customers;
• to develop our business and inform our marketing strategy;
• keep our records updated;
• to investigate and respond to enquiries, complaints and requests in relation to our products and services;
• to prevent fraud;
• to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
• to meet our corporate and social responsibility objectives.

Purposes of the processing

We process your personal data for the following purposes:

• manage our suppliers, customers and service providers throughout the supply chain;
• the process of applying for and becoming a supplier, customer or service provider (such as making a decision about procuring or providing goods or services and determining the payment terms for invoices;)
• implement tasks in preparation of or to perform existing contracts;
• monitor activities at our sites, including compliance with applicable policies as well as health and safety rules in place;
• to investigate and respond to enquiries, complaints and requests in relation to our products and services;
• manage our IT resources, including infrastructure management and business continuity;
• preserve the company’s economic interests and ensure legal compliance and reporting (such as managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
• manage mergers and acquisitions involving our company;
• archiving and record-keeping;
• billing and invoicing; and
• any other purposes imposed by law.

3. Sharing your information

We will share your personal information with third parties where required by law, where it is necessary to administer the contractual relationship with you or where we have another legitimate interest in doing so. This may include our auditors, banks or other financial institutions to facilitate payments and contractors who work on our systems. We may share your personal information with other third parties, for example with a regulator or to otherwise comply with the law. These third parties are obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

The personal data we collect from you may also be processed, accessed or stored in a country outside the UK. If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data in the same manner as we are obliged to do set out here. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.

4. How do we protect your personal data?

We have put in place measures to protect the security of your information. Details of these measures are available upon request.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

5. How long do we store your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

The retention period is the term of your (or your company’s) supply, customer or service contract, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal data is removed from our active systems.

6. What are your rights and how can you exercise them?

You may exercise the following rights under certain circumstances:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer using the address details below.

7. Changes to our privacy notice

We reserve the right to update this privacy statement at any time, and we will provide you with a new privacy statement when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.