Form: General Docs/32 | Date Issued: January 2026 | Approved By: JW | Issue: 1
Privacy Policy
Aligned to the UK Data (Use & Access) Act 2025, UK GDPR and the Data Protection Act 2018
Data Controller: DW Health and Safety Ltd | Contact Email: [email protected]
1. Who We Are
DW Health and Safety Ltd (“DW Health and Safety”, “we”, “our”, “us”) is a UK-based health and safety consultancy providing advisory, auditing, training, and compliance support services to organisations across multiple sectors.
We are the data controller for personal data processed in connection with our services, website, client relationships, suppliers, associates, and employment-related activities.
2. Personal Data We Collect
We may collect and process the following categories of personal data, depending on our relationship with you:
Clients and Enquiries
- Identity and contact details (name, job title, company, address, email, telephone)
- Contractual and service information
- Health and safety documentation containing personal data
- Communications and correspondence records
Employees and Associates
- Identity and contact details
- Employment or engagement records
- Right-to-work and qualification records
- Training and competency records
- Payroll and payment details
Website and Technical Data
- IP address
- Browser and device information
- Cookie and consent preferences
- Website usage data (aggregate and anonymised where possible)
Special Category Data (limited circumstances)
- Health information included in risk assessments, accident investigations, or occupational health documentation
- Equality and diversity information (where legally required)
3. How We Use Your Data and Lawful Bases
We only process personal data where a lawful basis applies under Article 6 UK GDPR, and Article 9 where special category data is involved.
| Purpose | Data (Main) | Lawful Basis (Art. 6) | DUAA Legitimate Interest | Notes |
|---|---|---|---|---|
| Deliver H&S advisory and consultancy services | Identity, contact, service records | Contract | — | Core service delivery |
| Client communications and support | Contact details, correspondence | Legitimate Interests | Client relationship management | Expected and proportionate |
| Employment and associate management | HR, payment, competency records | Contract; Legal Obligation | — | Employment law compliance |
| Invoicing and financial management | Identity, payment details | Legal Obligation; Contract | — | HMRC compliance |
| Regulatory compliance and audits | Service and contractual records | Legal Obligation | — | H&S and statutory obligations |
| Website analytics (non-profiling) | Online identifiers | Legitimate Interests or Consent | Quality improvement analytics | Aggregated only |
| Fraud prevention and IT security | Access logs, identifiers | Legitimate Interests | Network and data security | Proportionate safeguards |
4. Special Category Data and Appropriate Policy Document (APD)
Where we process special category data (such as health information within risk assessments or accident investigations), we do so only where strictly necessary, relying on appropriate lawful bases such as legal obligations or explicit consent where required.
We maintain an Appropriate Policy Document (APD) in accordance with the Data Protection Act 2018, setting out safeguards, retention, and handling arrangements for such data.
5. Your Rights
- Right of access (Subject Access Request)
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability (where applicable)
- Right to object to processing
- Rights relating to automated decision-making
Requests can be made to: [email protected]
6. Who We Share Your Data With
- Clients (where necessary to deliver contracted services)
- Associate consultants working under our instruction
- Professional advisers (legal, accounting)
- IT and cloud service providers
- Regulators and enforcement bodies where legally required
7. International Data Transfers
- UK International Data Transfer Agreement (IDTA)
- Transfer Risk Assessments (TRA)
- Encryption and access controls
8. How We Protect Your Data (Security)
- Role-based access control
- Secure cloud storage
- Password and authentication controls
- Data minimisation practices
- Secure backup and recovery processes
- Incident and data breach response procedures
9. How Long We Keep Your Data (Retention)
| Record Type | Typical Retention | Rationale |
|---|---|---|
| Client contracts and service records | 6 years after contract end | Limitation periods |
| Financial and invoicing records | 6 years | HMRC requirements |
| Employment and associate records | 6 years after end of engagement | Employment law |
| Enquiry records | 3 years | Business management |
| Website analytics | 12–24 months | Proportionate analysis |
| Special category data | Duration of purpose + 12 months | APD safeguards |
10. Cookies and Marketing (PECR Alignment)
- Non-essential cookies are used only with consent
- Analytics cookies are configured without profiling or advertising
- We do not conduct automated marketing profiling
11. Complaints
If you have concerns about how we handle your personal data, please contact us at: [email protected]
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Website: ico.org.uk. Telephone: 0303 123 1113.
12. Governance and Updates
- Records of Processing Activities (ROPA)
- Legitimate Interests Assessments
- Data breach and incident logs
- Consent records where applicable
This Privacy Policy is reviewed annually or sooner if legal or operational changes require it.