Wood Bros GDPR Privacy Notice


You will be aware of the General Data Protection Regulation (GDPR) that becomes law on the 25th May 2018. This notice sets out Wood Bros implementation of the GDPR as it affects purchase orders, invoice terms, terms of business and the processing and retention of personal data.

We have set out some definitions to help you understand the processes that Wood Bros is following in the implementation of the GDPR.


These definitions aim to clarify roles and terms used in the implementation of this regulation.

  • Data Controller is the person or entity that decides how and why data are processed.
  • Data Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Data Protection Impact Assessments a process to help identify and minimise data protection risks.
  • Data Subject means a ‘natural person whose personal data is processed by a controller or processor’.
  • GDPR – the General Data Protection Regulation (EU) 2016/679.
  • Personal Data means ‘any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person’.

For the purposes of complying with the GDPR and the terms of this notice, Wood Bros is the Data Processor and you or your company is the Data Controller.

Personal data processed by the Data Processor can include Data Subject’s (the end consumer) identifiers such as:

    • name
    • email
    • address
    • telephone number
    • queries

The Data Controller’s obligations

These obligations include:

  • determining the reasons for and methods of processing personal data;
  • implementing policies that advise data subjects of the reason for collecting and processing their personal data;
  • informing the data subjects’ rights in relation to GDPR;
  • ensuring that information as required by GDPR is available to a data subject prior to collecting their personal data;
  • ensuring contracts with data processors comply with the GDPR;
  • Ensuring that only information that is necessary for the accomplishment of said services, are collated.

The Data Controller consents to the Data Processor using any holding, subsidiary or group company to assist in the provision of the services and as such agrees that these affiliated companies may also process personal data on behalf of the Data Controller. The Data Processor shall, however, remain liable for the acts and omissions of such holding, subsidiary or group company.

The Data Processor’s obligations

The Data Processor is responsible for processing personal data on behalf of a Data Controller. The obligations of a Data Processor, according to the terms of this notice and the GDPR, are to:

  1. only act on the written instructions of the controller (unless required by law to act without such instructions);
  2. ensure that people employed to process personal data have been required to commit themselves in writing via an employment agreement or some other contractual document to confidentiality, or are under an appropriate statutory obligation of confidentiality;
  3. engage a sub-processor only with the prior consent of the Data Controller and a written contract;
  4. assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  5. assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  6. delete or return all personal data to the Data Controller as requested at the end of the contract but subject to meeting the obligations of our product guarantee;
  7. work with the controller with whatever information it needs to ensure they both are meeting their Article 28 processing obligations of the GDPR and
  8. co-operate with supervisory authorities such as the Information Commissioner’s Office (ICO).


The Data Controller and the Data Processor are responsible for ensuring personal data are protected through the application of appropriate technical and organisational measures to prevent personal data being accidentally or deliberately compromised and to also:

  • demonstrate the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • test, assess and evaluate the effectiveness of its technical and organisational measures to ensure the security of the processing of personal data.
  • demonstrate the effectiveness of its cybersecurity (the protection of our networks and information systems from attack)

Wood Bros is committed to the ‘security principle’ that goes beyond the way personal data is stored or transmitted. In practice this means:

  • the data can be accessed, altered, disclosed or deleted only by those authorised to do so (and that those people only act within the scope of the authority that is given to them);
  • the data Wood Bros holds are accurate and complete in relation to why they are processed and
  • the data remains accessible and usable even if they have to be recovered therefore preventing any damage or distress to the individuals concerned.


The following data from a data subject may be used in the delivery of your service:

  • Name
  • Address
  • Telephone number
  • Mobile numbers
  • Email addresses

Other details may be submitted about the data subject within the scope of delivering the service and/or order. This data may be subject to change but only via written notice from the Data Controller.