Data Protection Policy

Data Protection Policy

1. Introduction and Purpose

This Data Protection Policy establishes Bamford Bus Company's commitment to protecting personal data in accordance with UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2024.

This policy applies to all personal data processed by Bamford Bus Company in the course of our manufacturing operations, including data relating to employees, customers, suppliers, contractors, visitors, and other stakeholders.

1.1 Policy Objectives

  • Ensure compliance with UK data protection legislation
  • Protect the rights and privacy of data subjects
  • Establish clear accountability and governance structures
  • Minimise data protection risks across all business operations
  • Promote a culture of data protection awareness throughout the organisation

2. Scope and Application

This policy applies to:

  • All employees, directors, officers, contractors, and temporary workers
  • All personal data processed by the company, regardless of format (paper, electronic, or otherwise)
  • All business operations, including manufacturing, human resources, sales, marketing, procurement, and administration
  • Third-party processors acting on behalf of the company

3. Roles and Responsibilities

3.1 Board of Directors

The Board has ultimate responsibility for ensuring the company's compliance with data protection legislation and shall:

  • Approve data protection policies and strategies
  • Allocate adequate resources for data protection compliance
  • Receive regular reports on data protection compliance and risks
  • Ensure data protection is embedded in corporate governance

3.2 Data Protection Officer (DPO)

Bamford Bus Company has appointed a Data Protection Officer who shall:

  • Monitor compliance with UK GDPR and related legislation
  • Advise on data protection impact assessments (DPIAs)
  • Act as point of contact with the Information Commissioner's Office (ICO)
  • Provide training and awareness programs
  • Investigate data protection complaints and incidents
  • Maintain records of processing activities

Contact Details:

3.3 Senior Management

Department heads and senior managers must:

  • Ensure their teams comply with this policy
  • Report data protection risks and incidents to the DPO
  • Facilitate data protection training within their departments
  • Conduct periodic reviews of data processing activities

3.4 All Employees

Every employee must:

  • Comply with this policy and related procedures
  • Complete mandatory data protection training
  • Report suspected data breaches or non-compliance immediately
  • Handle personal data securely and confidentially
  • Seek guidance from the DPO when uncertain

4. Data Protection Principles

Bamford Bus Company shall ensure that all personal data is processed in accordance with the following principles:

4.1 Lawfulness, Fairness and Transparency

Personal data shall be processed lawfully, fairly and in a transparent manner. We shall:

  • Identify and document a lawful basis for all processing activities
  • Provide clear and accessible privacy notices
  • Be open and honest about how we use personal data
  • Not process data in ways that would be unexpected or misleading

Lawful Bases for Processing:

We rely on the following lawful bases as appropriate:

  • Consent (where freely given, specific, informed and unambiguous)
  • Contract (where processing is necessary to perform a contract)
  • Legal obligation (where required by law)
  • Vital interests (to protect someone's life)
  • Public task (where required for official functions)
  • Legitimate interests (where we have a recognised legitimate interest that does not override data subjects' rights)

4.2 Purpose Limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. We shall:

  • Clearly define and document the purpose for collecting personal data
  • Only use data for the purposes notified to data subjects
  • Conduct a compatibility assessment before using data for new purposes
  • Obtain fresh consent where required for new purposes

4.3 Data Minimisation

We shall only collect and process personal data that is adequate, relevant and limited to what is necessary for the specified purposes. We shall:

  • Regularly review data collection forms and processes
  • Avoid collecting data "just in case" it might be useful
  • Periodically review data held and delete unnecessary information
  • Use anonymisation or pseudonymisation where full personal data is not required

4.4 Accuracy

Personal data shall be accurate and, where necessary, kept up to date. We shall:

  • Implement processes to verify data accuracy at collection
  • Provide mechanisms for data subjects to update their information
  • Promptly correct or erase inaccurate or incomplete data
  • Review and update data on a regular basis

4.5 Storage Limitation

Personal data shall not be kept for longer than is necessary for the purposes for which it is processed. We shall:

  • Establish and document retention periods for all categories of personal data
  • Implement automated or manual deletion procedures
  • Conduct periodic reviews to identify data that can be deleted
  • Securely dispose of data that has reached the end of its retention period

See Section 12 and the separate Data Retention Policy for detailed retention schedules.

4.6 Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We shall:

  • Implement appropriate technical and organisational measures
  • Conduct regular security risk assessments
  • Encrypt sensitive data in transit and at rest
  • Control access to personal data on a need-to-know basis
  • Maintain business continuity and disaster recovery plans

4.7 Accountability

We shall be responsible for, and able to demonstrate, compliance with the data protection principles. We shall:

  • Maintain comprehensive documentation of processing activities
  • Conduct data protection impact assessments where required
  • Implement data protection by design and by default
  • Review and update policies and procedures regularly
  • Maintain audit trails and compliance records

5. Lawful Bases for Processing

5.1 Determining the Lawful Basis

Before processing any personal data, we must identify and document the appropriate lawful basis. The lawful basis must be:

  • Determined before processing begins
  • Documented in our records of processing activities
  • Included in our privacy notices to data subjects
  • Reviewed periodically to ensure it remains valid

5.2 Legitimate Interests

Where we rely on legitimate interests as the lawful basis, we shall conduct and document a Legitimate Interests Assessment (LIA) considering:

  • The purpose and benefit of the processing
  • Whether the processing is necessary for that purpose
  • The impact on individuals and their reasonable expectations
  • Whether there are less intrusive ways to achieve the purpose
  • Whether the legitimate interest is overridden by the individual's interests, rights or freedoms

Recognised Legitimate Interests under the Data (Use and Access) Act 2024 include:

  • Direct marketing purposes
  • Fraud prevention and detection
  • Network and information security
  • Internal administrative purposes
  • Reporting possible criminal acts

5.3 Consent

Where we rely on consent, we shall ensure it is:

  • Freely given (without pressure or negative consequences for refusing)
  • Specific (clearly related to particular processing activities)
  • Informed (data subjects understand what they are consenting to)
  • Unambiguous (through clear affirmative action, not pre-ticked boxes)
  • Easily withdrawable (as easy to withdraw as to give)

We shall maintain records of when and how consent was obtained and make it easy for individuals to withdraw consent at any time.

6. Special Category Data

Special category data includes information about an individual's:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for identification)
  • Health data
  • Sex life or sexual orientation

6.1 Processing Special Category Data

We shall only process special category data where we have:

  • Identified both a lawful basis under Article 6 UK GDPR, AND
  • Identified a special category condition under Article 9 UK GDPR

Common conditions in manufacturing contexts include:

  • Explicit consent of the data subject
  • Processing necessary for employment law obligations (e.g., sickness absence, health and safety)
  • Protection of vital interests where the data subject is incapable of giving consent
  • Processing necessary for legal claims
  • Occupational health purposes (subject to professional secrecy obligations)

6.2 Enhanced Safeguards

When processing special category data, we shall implement enhanced safeguards including:

  • Strict access controls limiting access to authorised personnel only
  • Enhanced encryption and security measures
  • Mandatory data protection impact assessments
  • Regular audits of processing activities
  • Specific staff training on handling sensitive data

7. Data Subject Rights

Bamford Bus Company respects and facilitates the following rights of data subjects under UK GDPR:

7.1 Right to be Informed

Data subjects have the right to be informed about the collection and use of their personal data through clear and accessible privacy notices.

7.2 Right of Access (Subject Access Requests)

Data subjects have the right to obtain:

  • Confirmation that we are processing their personal data
  • Access to a copy of their personal data
  • Information about how their data is being processed

Response Procedure:

  • All subject access requests must be forwarded to the DPO immediately
  • We shall respond within one month of receipt (extendable by two months for complex requests)
  • We shall verify the identity of the requestor before providing information
  • We shall provide information free of charge unless the request is manifestly unfounded or excessive
  • Under the Data (Use and Access) Act 2024, we may refuse vexatious or excessive requests after appropriate consideration

7.3 Right to Rectification

Data subjects have the right to have inaccurate or incomplete personal data corrected. We shall respond within one month and notify third parties where applicable.

7.4 Right to Erasure ("Right to be Forgotten")

Data subjects may request deletion of their personal data where:

  • The data is no longer necessary for the purpose it was collected
  • They withdraw consent (where consent was the lawful basis)
  • They object to processing based on legitimate interests and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

This right is not absolute and may be refused where we have compelling grounds to continue processing (e.g., legal obligations, legal claims, or public interest).

7.5 Right to Restrict Processing

Data subjects may request restriction of processing where:

  • They contest the accuracy of  the data (pending verification)
  • Processing is unlawful but they do not want erasure
  • We no longer need the data but they need it for legal claims
  • They have objected to processing (pending verification of legitimate grounds)

7.6 Right to Data Portability

Where we process data based on consent or contract, and processing is carried out by automated means, data subjects have the right to:

  • Receive their personal data in a structured, commonly used and machine-readable format
  • Transmit that data to another controller without hindrance

7.7 Right to Object

Data subjects have the right to object to:

  • Processing based on legitimate interests or public task
  • Direct marketing (absolute right – we must stop immediately)
  • Processing for research or statistical purposes (unless compelling grounds exist)

7.8 Rights Related to Automated Decision-Making

Under the Data (Use and Access) Act 2024, the scope of restricted automated decision-making has been narrowed to focus on significant decisions based entirely or partly on special category data.

Data subjects have rights regarding such decisions including:

  • The right to be informed about the automated decision-making
  • The right to obtain human intervention
  • The right to express their point of view
  • The right to contest the decision

7.9 Exercising Rights

Data subjects may exercise their rights by:

  • Emailing: [email protected]
  • Writing to: Data Protection Officer, 201 Galgorm Road, Ballymena BT42 1SA
  • Telephoning: 02825641212

8. Privacy Notices and Transparency

8.1 Privacy Notice Requirements

We shall provide clear, concise and easily accessible privacy notices to all data subjects at the time of data collection, including:

  • Identity and contact details of the controller and DPO
  • Purposes of processing and lawful basis
  • Legitimate interests (where applicable)
  • Categories of personal data and recipients
  • Details of transfers to third countries
  • Retention periods or criteria for determining them
  • Information about data subject rights
  • Right to withdraw consent (where applicable)
  • Right to lodge a complaint with the ICO
  • Whether providing data is a contractual or legal requirement
  • Information about automated decision-making

8.2 Privacy Notice Types

We maintain separate privacy notices for:

  • Employees and job applicants
  • Customers and prospects
  • Suppliers and business contacts
  • Website visitors
  • Visitors to company premises

Privacy notices shall be reviewed annually and updated as necessary to reflect changes in processing activities.

9. Data Security Measures

9.1 Technical Measures

Bamford Bus Company implements the following technical security measures:

  • Access Controls: Role-based access controls ensuring personnel can only access data necessary for their role
  • Encryption: Encryption of personal data in transit (TLS/SSL) and at rest (AES-256 or equivalent)
  • Secure Authentication: Multi-factor authentication for systems containing personal data
  • Firewalls and Network Security: Network segmentation, intrusion detection systems, and regular security patching
  • Backup and Recovery: Regular encrypted backups with tested restoration procedures
  • Secure Disposal: Certified data destruction methods for hardware and media containing personal data
  • Audit Logging: Comprehensive logging of access to and processing of personal data

9.2 Organisational Measures

  • Information Security Policy: Comprehensive information security policies and procedures
  • Staff Training: Mandatory data protection and security awareness training for all staff
  • Access Management: Regular reviews of user access rights and prompt removal of leavers' access
  • Clear Desk Policy: Requirement to secure documents containing personal data when not in use
  • Secure Storage: Lockable cabinets for paper records; encrypted storage for electronic records
  • Data Protection Impact Assessments: Mandatory DPIAs for high-risk processing activities
  • Vendor Management: Security requirements in contracts with data processors
  • Physical Security: Controlled access to premises and secure areas containing personal data
  • Incident Response: Documented data breach response procedures

9.3 Security Reviews

We shall conduct:

  • Annual information security risk assessments
  • Quarterly access rights reviews
  • Periodic penetration testing and vulnerability scanning
  • Regular reviews of security policies and procedures

10. Data Breach Management

10.1 What Constitutesa Data Breach

A personal data breach means a breach of security leading to:

  • Accidental or unlawful destruction of personal data
  • Loss or alteration of personal data
  • Unauthorised disclosure of personal data
  • Unauthorised access to personal data

Examples include:

  • Loss or theft of devices containing personal data
  • Email sent to incorrect recipient
  • Ransomware or cyber attack
  • Unauthorised access to systems or records
  • Accidental disclosure of confidential information

10.2 Reporting Requirements

Under the Data (Use and Access) Act 2024, notification requirements have been updated:

To the Information Commission:

  • We must notify the Information Commission within 96hours (extended from 72 hours) where a breach is likely to result in a highrisk to individuals' rights and freedoms (the threshold has been raised from "risk" to "high risk")
  • Use the Information Commission's single-entry point for breach notifications

To Affected Individuals:

  • We must notify affected individuals without undue delay where a breach is likely to result in a high risk to their rights and freedoms
  • Communication must be in clear and plain language

10.3 Data Breach Response Procedure

Step 1: Containment and Recovery (Immediate)

  • Contain the breach to prevent further data loss
  • Secure affected systems
  • Preserve evidence for investigation

Step 2: Notification (Within 24 hours internally)

  • Report immediately to the DPO and line manager
  • Contact details: dpo@[company].co.uk / [emergency number]
  • Do not attempt to resolve the breach without notifying the DPO

Step 3: Assessment (Within 48-72 hours) The DPO shall assess:

  • The nature and severity of the breach
  • The type and volume of personal data involved
  • Whether special category data is affected
  • The likely consequences for affected individuals
  • Whether notification to the Information Commission is required
  • Whether notification to individuals is required
  • Mitigating actions required

Step 4: Notification (Within 96 hours if required) If the breach meets notification thresholds:

  • Notify the Information Commission via their online portal within 96 hours
  • Notify affected individuals without undue delay if high risk exists
  • Notify relevant third parties (processors, clients, insurers)

Step 5: Documentation and Review

  • Document all breaches in the data breach register (regardless of notification requirement)
  • Investigate root causes
  • Implement corrective actions to prevent recurrence
  • Report to senior management and Board as appropriate
  • Review and update security measures and policies

10.4 Data Breach Register

The DPO shall maintain a register of all data breaches recording:

  • Date and time of breach
  • Nature of the breach
  • Personal data affected
  • Number of individuals affected
  • Likely consequences
  • Actions taken to mitigate harm
  • Whether notification was required and provided
  • Lessons learned and preventive measures

11. International Data Transfers

11.1 Transfer Restrictions

Personal data shall not be transferred outside the United Kingdom unless:

  • The destination country has been granted an adequacy decision by the UK government, OR
  • Appropriate safeguards are in place (e.g., Standard Contractual Clauses, Binding Corporate Rules), OR
  • A specific derogation applies (e.g., explicit consent, contractual necessity)

11.2 Current Adequacy Decisions

As of February 2026, the UK recognises the following as providing adequate protection:

  • European Economic Area (EEA) countries
  • Countries with EU adequacy decisions (subject to UK review)
  • Other countries as designated by the UK government

11.3 Transfer Assessment Process

Before transferring personal data internationally, we shall:

  • Identify the destination country and data recipient
  • Determine whether an adequacy decision exists
  • If no adequacy decision, implement appropriate safeguards (typically UK Standard Contractual Clauses)
  • Conduct a Transfer Risk Assessment considering local laws and practices
  • Document the transfer mechanism and assessment
  • Obtain DPO approval before proceeding

11.4 Prohibited Transfers

We shall not transfer personal data to countries or organisations where:

  • No adequate protection exists and no appropriate safeguards can be implemented
  • Local laws would undermine the protection afforded by safeguards
  • The transfer would violate UK or EU sanctions or trade restrictions

12. Data Retention Overview

Bamford Bus Company shall retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Detailed retention periods for specific categories of data are set out in the separate Data Retention Policy.

12.1 Key Retention Principles

  • Personal data shall not be kept indefinitely "just in case"
  • Retention periods shall be based on legal requirements, business needs, and industry standards
  • Data shall be reviewed periodically and deleted when no longer required
  • Retention periods shall be documented and justified
  • Secure disposal procedures shall be followed for all deleted data

12.2 Retention Period Determination

When determining retention periods, we consider:

  • Legal and regulatory obligations (e.g., tax, employment, health and safety laws)
  • Contractual obligations
  • Limitation periods for potential legal claims
  • Business operational needs
  • Data subjects' reasonable expectations
  • Industry standards and best practices

12.3 Early Deletion

Data may be deleted before the standard retention period expires where:

  • The purpose for which it was collected has been fulfilled
  • A data subject exercises their right to erasure
  • Consent is withdrawn (where consent was the lawful basis)
  • The data is no longer required for any lawful purpose

13. Data Protection by Design and Default

13.1 Data Protection by Design

When developing new systems, processes, products or services that involve processing personal data, we shall:

  • Consider data protection implications from the outset
  • Implement appropriate technical and organisational measures
  • Integrate data protection safeguards into the design
  • Use privacy-enhancing technologies where appropriate
  • Conduct a Data Protection Impact Assessment (DPIA) where required

13.2 Data Protection by Default

We shall ensure that, by default:

  • Only personal data necessary for the specific purpose is processed
  • Data is only accessible to those who need it
  • Personal data is not made publicly accessible without explicit action
  • Retention periods are applied automatically
  • Privacy settings are set to the most restrictive by default

13.3 Data Protection Impact Assessments (DPIAs)

A DPIA is mandatory where processing is likely to result in high risk to individuals' rights and freedoms, including:

  • Systematic and extensive evaluation or scoring of individuals
  • Large-scale processing of special category data
  • Systematic monitoring of publicly accessible areas on a large scale
  • Use of new technologies where the impact is unclear
  • Processing that may prevent individuals from exercising rights or accessing services

DPIA Process:

  1. Describe the processing and its purposes
  2. Assess the necessity and proportionality of the processing
  3. Identify and assess risks to individuals
  4. Identify measures to mitigate the risks
  5. Consult with the DPO
  6. Seek data subjects' views where appropriate
  7. Document the assessment and outcomes
  8. Review and update as necessary

The DPO must be consulted on all DPIAs and may escalate to the Information Commission where high risks cannot be adequately mitigated.

14. Third-Party Data Processors

14.1 Processor Selection

When engaging third-party processors to process personal data on our behalf, we shall:

  • Conduct due diligence on the processor's security and data protection capabilities
  • Verify their track record and certifications (e.g., ISO 27001, Cyber Essentials)
  • Assess their compliance with UK GDPR requirements
  • Obtain assurances regarding sub-processors
  • Evaluate their data breach response procedures

14.2 Processor Contracts

All data processing arrangements must be governed by a written contract that includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Processor's obligations including:
    • Process data only on documented instructions
    • Ensure confidentiality of processing personnel
    • Implement appropriate security measures
    • Assist with data subject rights requests
    • Assist with data breach notifications
    • Delete or return data at end of contract
    • Submit to audits and inspections
  • Requirements for sub-processor engagement
  • Liability and indemnity provisions
  • Data protection and security standards

14.3 Processor Management

We shall:

  • Maintain a register of all data processors
  • Conduct regular reviews of processor performance
  • Monitor processor compliance with contractual obligations
  • Require notification of any security incidents
  • Exercise audit rights periodically or following incidents
  • Review and update processor contracts regularly

14.4 Sub-Processors

Processors must:

  • Obtain our prior written consent before engaging sub-processors
  • Impose equivalent data protection obligations on sub-processors
  • Remain fully liable for sub-processor performance

15. Employee Data Protection Obligations

15.1 General Obligations

All employees must:

  • Comply with this policy and related data protection procedures
  • Complete mandatory data protection training upon induction and annually thereafter
  • Handle personal data securely and confidentially
  • Only access personal data necessary for their role
  • Report any suspected data breaches or non-compliance immediately
  • Not remove personal data from company premises without authorisation
  • Return all data and devices upon termination of employment

15.2 Specific Roles

Certain roles carry additional responsibilities: HR Personnel:

  • Ensure employment data is collected and processed lawfully
  • Maintain confidentiality of sensitive employee information
  • Implement secure recruitment and onboarding processes
  • Manage employee data subject rights requests

IT Personnel:

  • Implement and maintain technical security measures
  • Manage access controls and user permissions
  • Monitor systems for security incidents
  • Ensure secure data backup and recovery

Marketing Personnel:

  • Ensure consent is obtained for marketing communications
  • Maintain opt-out lists and respect unsubscribe requests
  • Comply with electronic marketing regulations (PECR)
  • Keep marketing databases up to date and accurate

Sales Personnel:

  • Collect customer data in accordance with privacy notices
  • Share customer data only with authorised recipients
  • Maintain confidentiality of customer information

15.3 Consequences of Non-Compliance

Failure to comply with this policy may result in:

  • Disciplinary action up to and including dismissal
  • Civil liability for the company
  • Criminal prosecution in serious cases
  • Regulatory enforcement action by the Information Commission
  • Reputational damage

16. Training and Awareness

16.1 Training Requirements

Bamford Bus Company shall provide:

  • Induction Training: All new employees must complete data protection training as part of their induction
  • Annual Refresher Training: All employees must complete annual data protection awareness training
  • Role-Specific Training: Additional training for employees handling sensitive data or performing specific data protection functions
  • Ad-Hoc Training: Training on specific topics as needed (e.g., following policy changes, incidents, or regulatory updates)

16.2 Training Content

Training shall cover:

  • UK GDPR and Data Protection Act 2018 requirements
  • Recent changes under the Data (Use and Access) Act 2024
  • Company data protection policies and procedures
  • Data subject rights and how to respond to requests
  • Data security best practices
  • Data breach identification and reporting
  • Consequences of non-compliance

16.3 Training Records

The DPO shall maintain records of all data protection training including:

  • Employee name and department
  • Training date and type
  • Topics covered
  • Assessment results (where applicable)
  • Refresher training due dates

17. Monitoring and Compliance

17.1 Compliance Monitoring

The DPO shall monitor compliance through:

  • Regular audits of data processing activities
  • Review of data subject rights requests and responses
  • Analysis of data breach incidents and trends
  • Assessment of training completion rates
  • Testing of security controls and procedures
  • Evaluation of processor compliance

17.2 Records of Processing Activities

We maintain comprehensive records of processing activities including:

  • Name and contact details of the controller and DPO
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients (including international transfers)
  • Retention periods
  • Technical and organisational security measures

17.3 Reporting

The DPO shall provide:

  • Quarterly Reports to senior management on:
    • Data protection compliance status
    • Data subject rights requests received and handled
    • Data breaches and incidents
    • Training completion rates
    • Key risks and issues
  • Annual Reports to the Board on:
    • Overall data protection compliance
    • Significant incidents and lessons learned
    • Policy and procedure updates
    • Training and awareness initiatives
    • Regulatory developments
    • Strategic recommendations

18. Regulatory Engagement

18.1 Information Commission

The Information Commission (formerly ICO, restructured under the Data (Use and Access) Act 2024) is the UK's independent data protection regulator.

Contact Details:

18.2 Registration

Bamford Bus Company is registered with the Information Commission as a data controller:

  • Registration Number: [Insert Number]
  • Renewal Date: [Annual]

We shall ensure our registration is kept up to date and renewed annually.

18.3 Cooperation with Regulator

We shall:

  • Respond promptly to any inquiries from the Information Commission
  • Cooperate fully with investigations and audits
  • Implement recommendations and enforcement notices
  • Notify the Information Commission of any material changes to our processing activities

18.4 Complaints

Data subjects have the right to lodge a complaint with the Information Commission if they believe their data protection rights have been violated.

We encourage data subjects to contact us first to resolve concerns, but we respect their right to complain directly to the regulator at any time.

19. Policy Review and Updates

19.1 Review Frequency

This policy shall be reviewed:

  • Annually as a minimum
  • Following significant regulatory changes
  • Following major data breaches or incidents
  • Following significant changes to our processing activities
  • Following changes to our business structure or operations

19.2 Version Control

  • The DPO is responsible for maintaining the current version of this policy
  • All policy updates must be approved by the Board
  • Version history shall be maintained
  • Updated policies shall be communicated to all employees

19.3 Related Policies and Documents

This policy should be read in conjunction with:

  • Data Retention Policy
  • Information Security Policy
  • Data Breach Response Procedure
  • Privacy Notices (employees, customers, suppliers, website)
  • Subject Access Request Procedure
  • Data Protection Impact Assessment Procedure
  • International Data Transfer Procedure
  • Electronic Communications and Marketing Policy

20. Contact Information

For any questions or concerns regarding data protection, please contact:

Data Protection Officer

  • Name: Richard Solomon
  • Email: [email protected]
  • Telephone: 02825641212
  • Address: 201 Galgorm Road, Ballymena BT4s 1SA

To exercise your data protection rights or make a complaint:

  • Email: [email protected]
  • Write to: Data Protection Officer, Wrightbus, 201 Galgorm Road, Ballymena BT42 1SA

 To complain to the regulator:

  • Information Commission
  • Website: org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Wrightbus

Get in touch

Wrightbus has been at the forefront of transport innovation since 1946, relentlessly pushing the boundaries with its commitment to quality, style and safety.

Talk to Us Download a brochure