
Data Protection Privacy Notice (GDPR)


The General Data Protection Regulation 2018 (GDPR)


1. Introduction


This privacy notice sets out how Ipswich Accident Repair Centre Limited aims to ensure data protection compliance with the General Data Protection Regulation and ensure that all employees of the company understand the rules that govern the use of personal and sensitive data to which they have access in the course of their work.


Ipswich Accident Repair Centre Limited collects and holds personal data about its employees, customers, contractors, suppliers and other individuals for business purposes only.


This policy notice also requires all managers and employees to ensure that the Data Protection Officer (DPO) is consulted before any significant new data is collected and/or processed so as to ensure that relevant compliance procedures are, so far as is reasonably practicable, addressed.


2. Scope


This privacy notice is applicable to everyone within the Company and all persons with access to data in any format must be familiar with this policy notice and comply with its content.


This privacy notice is in addition to, and supports, all policies or notices relating to information security and data loss. We reserve the right to amend this notice in the light of any new regulations or guidance that may come into force in the future. All staff shall be informed of any modified policy notices for consultation prior to their being implemented.


3. Definitions


Personal Data

Information relating to identifiable individuals, such as job applicants, current and former employees, customers, contractors, suppliers and any relevant agencies


Sensitive Personal Data

Personal data about an individual's racial or ethnic origin, political opinions, religious or non-religious beliefs, trade union memberships, physical or mental health issues, criminal offences or proceedings


Data Subject

Refers to the person or third party whom the data identifies or to whom it relates



Data Protection Officer as appointed by the company to oversee the processing of all data


Business purposes

All personal data shall only be collected and processed for operational reasons in connection with the running of the company


4. Principles of GDPR


The main principles of the General Data Protection Regulation are:


1. Lawfulness, fairness and transparency


2. Purpose limitation


3. Adequate and necessary


4. Accurate


5. Not kept longer than needed


6. Integrity and confidentiality


5. Data Subject Rights


Rights of Access to Information

Under the Data Protection Act 1998 and the Freedom of Information Act 2000, individuals are entitled to request access to information held about them. This includes the right to:

  • speak to the DPO directly about data held about them

  • ask what personal data is held about them and why it is held

  • request access to their own personal data and to receive it within 40 days of their request

  • prevent the processing of the personal data if the data is incorrect, or if processing of the data is likely to cause distress or damage to the individual or other persons

  • have any incorrect data changed so as to be correct

  • be informed of any data losses or breaches that may affect them directly or indirectly

  • request that the data held on them is erased from the company records

Any subject data access requests received from an individual will be referred immediately to the DPO who will deal with the request. The DPO may ask that individual to help the Company comply with the request.


The DPO will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 40 days for access to records and 21 days to provide a reply.


6. Responsibilities


Data Protection Officer

The Company's appointed Data Protection Officer is Mr. Rick Kerry who has overall responsibility for the day-to-day implementation of this policy and:

  • Keeping the Company Management updated about data protection responsibilities, risks and issues

  • Reviewing of data protection procedures and policies on a regular basis

  • Arranging data protection training for all relevant members of staff

  • Answering questions on data protection from other senior management and staff members or other relevant persons

  • Responding to individuals who request what data is being held on them

  • Checking that data being handled by third parties such as contracts or agreements meets the requirement of this policy

  • Ensuring all systems, services, software and equipment meet acceptable security standards

  • Checking and scanning security hardware and software regularly to ensure it is functioning properly

  • Researching third-party services, such as cloud services the company is considering using to store or process data


Managers & Supervisors

All Managers and Supervisors are responsible for ensuring that any personal or sensitive data which they hold or have access to is kept securely, and that personal information is not disclosed, either verbally or in written or electronic format including emails, texts and social media, to any unauthorised third party.


In addition, where a manager or supervisor is responsible for collecting personal data, he/she must ensure it is collected with the consent of the data subject, is necessary and accurate.


If, as part of their duties, other employees who are not managers or supervisors need to collect information about customers or other employees, they must comply with this policy.



All employees are responsible for ensuring that any personal data they collect or have access to is kept securely, and that personal information is not disclosed, either verbally or in written, electronic or digital format including emails, texts and social media, to any unauthorised third party. In addition, each employee is responsible for:

  • ensuring their own personal data that he/she provides to the Company is accurate and up to date

  • informing the DPO of any relevant changes to information previously provided, for example a change of address

  • where any employee is required to collect data from or about a customer or any other person, they must have prior consent from the data subject ensuring that the data is necessary and accurate

All management and employees are reminded that the General Data Protection Regulation (GDPR) does not only apply to records held relating to Company employees, but also to customer files and records. All documents, whether handwritten or stored in electronic format (including emails), are potentially disclosable in the event of a request from an employee or customer.


All management and employees must, so far as is reasonably practicable, ensure that they carry out their duties in a manner that enables the company to comply with its obligations under the GDPR.


Note: Should an employee change roles during his/her employment, or should they terminate or have terminated their employment with the Company, they shall be bound by the terms of this policy under the General Data Protection Regulation.


7. Business purposes for which data may be processed

The business purposes for which we may collect and use personal data include the following:


Employees and Contractors

Personal data collected and processed may include individuals' contact details, education details, National Insurance and pay details, training certificates and diplomas regarding education and skills, previous work history, checking of references, marital status and nationality, and any relevant medical and emergency contact details


Payroll and General Administration

Personal data may be used in connection with employees, payroll, general administration of the company's undertaking as a vehicle repairer and any relevant financial activities.


Compliance with Regulations and Statutes

We may be required to collect and hold personal data in order to comply with certain regulations and statutes as imposed upon us and to meet corporate governance and good practice. We may also need to gather personal data and information in the event of any investigations into our business by regulatory bodies or upon any legal proceedings.


Operational Reasons

Personal and, where necessary, sensitive data may be collected and processed for operational reasons that include:

  • Employees' welfare

  • Disciplinary matters

  • Training

  • Implementation of safe working practices

  • Quality control

  • Security vetting

  • Recording of financial transactions

  • Investigating complaints

  • Ensuring the confidentiality of commercially sensitive information through monitoring and managing employees' access to systems


Business Development

In certain circumstances, it may also be necessary to gather and use data in relation to the marketing of our business and improving our services. Where this is relevant, the processing of the data will be in line with and be in compliance with the GDPR and this policy.


Company Policies

It may be necessary to hold certain personal data in respect to our employees, customers and contractors in order to adhere to our own company policies


8. How the Company will process data

The Company will process personal data in accordance with the principles of data protection in GDPR as follows:


In a lawful, fair and transparent manner

All data, including an individual's personal and sensitive data, will be processed in a fair, lawful and transparent manner in relation to each individual's rights. No personal data will be processed without the consent of the individual whom the data identifies or to whom it relates.


With the consent of individuals

Any personal data collected is subject to active consent by the data subject. This consent can be revoked at any time. The data held shall be used for business purposes only.


Processing of data limited to legitimate reasons

Personal data will be collected for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.


Data collected to be adequate and necessary

The DPO and Senior Management will ensure, so far as is reasonably practicable, that personal data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.


Should it be necessary to collect any sensitive personal data, this shall be strictly controlled in accordance with this policy.


Data processed to be accurate

The DPO and Senior Management will ensure, so far as is reasonably practicable, that personal data held will be accurate and, where necessary, kept up to date; all reasonable steps will be taken to ensure that any inaccurate personal data is erased or rectified as soon as is practicable.


The Company will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has given their consent to do so.


Personal data not to be kept any longer than needed

Personal data will be kept in a format that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.


With integrity and confidentiality

Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Data kept securely

The need to ensure that data is kept securely means that precautions will be taken against physical loss or damage, and that both access and disclosure will be restricted. This will be overseen by the DPO who will ensure that personal and sensitive data held will be kept secure in line with the company's Information Security and Data Loss Policy.


Where personal data and sensitive data is kept electronically on computers, access will be password protected as appropriate to security levels. Printed and written personal and sensitive data will be kept secured within a lockable cabinet or room to prevent unauthorised access.


At the end of each working day, or when leaving the office for any considerable time, Company personnel involved with admin work are instructed to tidy their desk and remove any documents that may contain personal, sensitive or confidential data. Lockable filing cabinets are made available for this purpose. Where any software programmes have been in use, these will be closed down so as to prevent unauthorised access.


Software Password Security

All passwords used in connection with data protection will adhere to the company's Password Protection Policy.


Safe disposal of data

Where required, personal and sensitive data will be disposed of in a secure manner ensuring that it is not available in any format to any persons. Personal and sensitive data in electronic or digital format including emails, texts and social media content will be deleted and removed so far as is practicable, from equipment and servers.


Any personal and sensitive data in paper format required to be removed will be disposed of by means of shredding or if found necessary, via the appointment of a vetted secure data disposal operator.


9. Accountability

Upon request, the company will demonstrate that compliance with the principles of the GDPR is, so far as is reasonably practicable, being met.


This policy is not contractual but indicates how the company intends to meet its legal responsibilities for Data Protection. Any breach will be taken seriously and may result in formal disciplinary action.


Any individual who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with their immediate supervisor or directly with the DPO.


10. Review


Review of the Policy

This policy shall be reviewed at least once every year or in the event of any suspected breach or data loss.


Signed by: Mr. Rick Kerry (DPO)   Date: 1st June 2024
