GDPR Policy


UK data protection law imposes important restrictions on the storage and use of an employee’s personal data. The Company is a data manager and holds personal data on its employees on computer and paper files in relation to human resources and personnel issues. Some of this data, such as medical details and details of gender, race and ethnic origin, will be regarded as sensitive personal data.

    • The Basis for Using your Personal Data

The Company may occasionally ask you for your consent to use your personal data. However, on a day-to-day basis it will usually process personal data because it is necessary to do so:

      • to enter into or perform a contract with you (including your contract of employment);
      • for the Company to comply with a legal obligation;
      • to protect your vital interests or those of another person; or
      • for the purposes of the legitimate interests of the Company or a third party, provided these interests are not overridden by your interests or fundamental rights or freedoms in relation to your personal data.

The Company only processes your personal data on these grounds because it needs to. Without your personal data, it would not be able to employ you or perform its obligations under your employment contract.

When the Company processes data on the basis of its own or a third party’s legitimate interests, these interests will typically relate to the operation and administration of the Company’s business, including the safety of the people and property involved in the business. For example, the Company monitors staff to ensure compliance with the Company’s Acceptable Use Policy and to protect its networks and systems.

Whenever the Company processes personal data for a particular purpose, it shall ensure that the processing is adequate, proportionate and not excessive for that purpose.

    • Sensitive Personal Data

The personal data processed by the Company will include special categories of personal data (also known as “sensitive personal data”) such as:

      • information about your physical or mental health or condition in order to monitor sick leave and take decisions as to fitness for work;
      • information about your sexual orientation;
      • information about trade union membership or political opinions; and
      • your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation.

Sensitive personal data will typically be processed because:

      • the Company needs to in order to carry out its duties or exercise its rights as an employer;
      • you have given your free, informed and explicit consent to it being processed by the Company;
      • the information has been made public by you;
      • the Company is required to process the information by law; or
      • the processing is necessary in order for the Company to conduct, defend or exercise a legal claim.

    • Disclosure, Transfer and Storage of Personal Data

The Company will make your personal information available to other persons within the Company or the EH Smith group, and to persons who provide products or services to the Company or the EH Smith group (such as advisers and payroll administrators), regulatory authorities, potential purchasers/investors and as may be required by law.

Your personal information may be transferred to business contacts outside the European Economic Area where necessary in order for the Company to carry out its business (for example, if the Company uses a supplier such as a cloud storage provider or payroll processor outside the European Economic Area). However, the Company shall not transfer personal data outside of the European Economic Area unless there are appropriate safeguards in accordance with applicable data protection law (or an exception applies where the law allows such transfers, for example it is necessary in order to establish, pursue or defend a legal claim). Where the transfer is made on the basis of there being appropriate safeguards, these will either involve the use of contracts approved by the European Union, or result from a European Union decision (such as a decision that a country provides adequate protection for your rights, or the use of an approved data transfer scheme or code of conduct).

Data will not be disclosed to anyone else other than our authorised employees, agents, contractors or advisors (except as required by law) unless you expressly authorise disclosure.

Every effort will be made to ensure that data about you is not retained for longer than is necessary for the purpose(s) for which it is obtained and that the data held is accurate and up-to-date. It is in your own interest to tell the HR Department if your personal circumstances change, for example, if you move house.

    • Your Rights in Relation to your Personal Data

Under applicable data protection law you have certain rights in relation to your personal information. These include:

      • the right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal data;
      • where technically feasible, the right to have certain information provided to you in a portable electronic format or have it transmitted to another controller;
      • the right to have inaccurate data rectified;
      • the right to object to your data being used for marketing or on legitimate interests grounds (including for profiling where applicable);
      • where your data is processed on the basis of consent, the right to withdraw that consent;
      • the right to restrict how your personal information is used; and
      • the right to have your data erased in certain circumstances (though this may not apply if it is necessary for us to continue to use the data for a lawful reason).

If you would like further information on your rights or wish to exercise them, please contact the HR Department.

Please keep in mind that there are exceptions to the rights above and, though the Company will always try to respond to your satisfaction, there may be situations where we are unable to do so. If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner's Office, which oversees data protection compliance in the UK. Details of how to do this can be found at

References in this part to “processing” mean obtaining, recording, holding or carrying out any operation on information and data the Company holds about you, including the organisation, adaptation or alteration of such information or data, retrieval, consultation or use of information or data, the disclosure of such information or data by transmission, dissemination or otherwise making it available to a third party, or the alignment, combination, blocking, erasure or destruction of any such information or data.

    • Change of Personal Particulars

Please help to keep Company records up-to-date by notifying your Manager and the HR Department of any changes in your:

      • Name
      • Home Address (including Post Code)
      • Telephone Number
      • Person to be informed in case of illness or accident
      • Bank Details
      • Desired Life Policy Beneficiary(ies)