1 What is this Privacy Policy for?

This privacy policy describes how and why NEEDLES AND HAYSTACKS LIMITED (Company No: 13177444) (we or the Company) acquire and use your personal data.

For the purpose of the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (the GDPR), the Company is the controller of the personal data it processes about you. We are registered with the Information Commissioner’s Office with reference number: ZA458583. We also control and operate www.massonmills.co.uk (the Website). This policy sets out how we collect, process, store and protect your personal data.

This policy applies to employees, job applicants, sub-contractors, suppliers, advisers and customers in relation to whom we process personal data.

2 How we collect your personal data

In relation to job applicants and employees, we collect your personal data when you apply for a job with us, either for an interview or during your employment. If you do not provide us with certain personal data we will not be able to review your job application or employ you.

Our customers may be registered companies, sole traders, partnerships individuals or trusts. Where our customer is a registered company, we will process personal data in relation to our contact at that company.

In relation to customers, contractors, sub-contractors, suppliers and advisors, we collect personal data from you when we engage with you, whether it be in person, on the phone or via email. We also collect information when you use the Website.

We may also process personal data about landowners which is in the public domain or from the landowner directly.

The personal data we collect from you may include:

your name, address, telephone number(s) and email address;
information you provide in an application form, CV or HR form;
records of written and verbal communications between us;
information about your transactions with us;
information about your use of the Website which we collect through the use of cookies (please see "Cookies" below for further detail);
photographs on which you may be included if you have attended a social or networking event organised by the Company, or if you are an employee and the photograph relates to a project in which you have been involved.

3 How we use your personal data

We use your personal data in the following ways:

to communicate with you by phone, email and post;
to ensure that the content of the Website is presented to you effectively;
for customers, we use your personal data to provide you with our services during and following your relationship with us and in order to obtain feedback from you about our services and your experience with us;
for job applicants, we use your personal data in order to consider your application;
for employees, we use your personal data in order to comply with your employment contract and for internal administration purposes, including paying your wages, providing you with training and keeping a record of your employment;
for contractors, sub-contractors, suppliers and advisors, we use personal data in relation to keeping in contact with you and maintaining a relationship with you;
in relation to landowners, we use this information to contact the relevant people in respect of any proposal or interest we have in respect of their land.

4 Our legal basis for processing

We process your personal data on the basis that it is necessary for the following purposes:

for the performance of any contract that we enter with you or to take steps at your request prior to entering into a contract;
for the purposes of our legitimate interests in ensuring that we provide you with the best service possible in all our interactions with you, which if you are a customer may include providing you with information about our services which may be of interest to you. We may also have a legitimate interest in processing personal data which relates to potential new projects where we have a commercial interest in pursuing the project; and
for compliance with any legal obligation to which we are subject. We may send emails to customers in relation to services which we think they may be interested in, based on our knowledge of their business and/or property. Where we send such marketing emails we will first obtain your consent for us to do so. Please note that you are able to withdraw your consent at any time by contacting us using the details provided in the contact and complaints section below. This will not affect the lawfulness of any processing that was carried out based on your consent prior to it being withdrawn.

5 Sharing your personal data

We only share your personal data with third parties where it is necessary for us to do so in order to fulfil our obligations to you under our contract, or where we are required to do so in order to comply with a regulatory or legal provision. We will never sell your personal data for direct marketing.

The circumstances in which we may share your personal data with third parties includes:

where we are required to share your personal data, for example with HMRC;
where we use a provider of services, for example in relation to our computer systems or programmes which we use for our business operations including our employee's pension provider and Bright Flair Limited which we use for software services;
where we use consultants such as Derwent Hydro Developments Limited for services;
using security companies to monitor the CCTV we use at some of our sites; and
where we share your personal data with our professional advisers such as insurers and lawyers.

6 CCTV

We may use CCTV monitoring on some of our sites for the purposes of monitoring our operational assets and the area in which we are working (for example our equipment and water flow). Wherever CCTV is in operation you will be notified of this via appropriate signage. The CCTV is monitored and administered by the Company, or the client who owns the land at the particular site. Further information about the administration of CCTV monitoring can be obtained by contacting us. CCTV images are not recorded or retained.

7 Transfers of your personal data

The personal data that we collect from you may be transferred to, or stored at, a destination outside the European Economic Area (EEA). For example, we use Google Drive which is provided by Google LLC, and Dropbox, which is provided by Dropbox International Unlimited Company, both of which may transfer personal data outside of the EEA.

Where we need to transfer your personal data outside the EEA, we will take all steps reasonably necessary to ensure that any such transfer is made securely and that there is adequate protection in place in order to protect your personal data.

Please contact us if you wish to find out more; you are welcome to ask us for a copy of the relevant safeguards implemented in relation to any transfers outside of the EEA.

8 How long we will retain your personal data

For employees, we will retain your personal data for a period of up to seven (7) years following the end of your employment with us. For job applicants, we will retain your personal data for a period of up to two (2) years following us successfully appointing a candidate. In relation to contractors, sub-contractors and suppliers, we will retain your personal data for a period of up to four (4) years following the end of our contractual relationship.

For customers, we will retain your personal data for as long as is necessary to manage our relationship with you and in order to contact you with any important information regarding the installation of any of our products. We expect that we will retain personal for up to ten (10) years following the end of our relationship with you. However, this may be extended and we might need to hold contact details for our former customers indefinitely where it is necessary for us to make infrequent contact with the customer regarding their hydropower operation.

We may also process personal data about landowners. We will retain the personal data for as long as we deem such data to be commercially important to our business.

9 Changes to this policy

We may edit or amend this privacy policy from time to time. If we make any substantial changes to the ways in which we use your personal data we will notify you by email.

10 Your rights

Your personal data is protected under data protection laws and you have a number of rights (explained below) which you can seek to exercise. Please contact us using the details provided in the contact and complaints section below if you have any queries in relation to your rights.

If you seek to exercise your rights we will explain to you whether or not the right applies to you; these rights do not apply in all circumstances.

Right of access – You have a right to access the personal data we hold about you upon request. This is known as a "Data Subject Access Request". You can exercise this right by making a request in writing, by email or by telephone using the contact details in the contact and complaints section below.
Right of rectification – You can ask us to correct or update your personal data to ensure it is accurate and complete.
Right to erasure and right to restrict processing – You can ask us to stop processing and/or to delete your personal data in certain circumstances (for example, where it is processed with your consent, or it is no longer necessary for us to process it).
Right to data portability – You have a right to ask us to provide you with your personal data in a form that suits you, and/or to provide your information to a third party.
Right to object – You have a right to object to our processing of your personal data.
Profiling and automated decisions – You have a right not to be subject to automated decisions which have a legal effect and to be protected by safeguards in respect of any profiling. We do not undertake any automated decision making or profiling.
Right to object to direct marketing – Where you have consented to receive direct marketing, you can change your mind at any time by contacting us. Please allow a few days for us to action your

11 Contact and Complaints

If you have any questions in relation to anything raised in this privacy policy or how we use your personal data, please contact us by writing to us at: Sir Richard Arkwright's Masson Mills, 41 Derby Road, Matlock Bath, Derbyshire, England, DE4 3PY; email us at: info@massonmills.co.uk or call us on 01629 581001.

You also have the right to lodge a complaint with a supervisory authority (the ICO) by writing to Information Commissioner's Office, Water Lane, Wilmslow, SK9 5AF or calling 0303 123 1113.

Further information about how to do this can be found at: www.ico.org.uk.