GDPR Policy


This policy has been written to correspond with the 12 steps identified by the UK Information Commissioner’s Office (ICO) as a checklist in preparation for the General Data Protection Regulation (GDPR) which applies from 25 May 2018.

1. Awareness

This policy document and the associated review and documentation of personal data held by HAHN Plastics Ltd (HAHN) have been instigated by the company’s UK Director, Howard Waghorn, and approved at a board meeting of the company.

All employees of the company have been made aware of GDPR and have access to a copy of this policy document. Senior employees within the Sales, Marketing and Procurement areas have been involved in the production of the parts of this policy that refer to Customers and Suppliers.

2. Information held by HAHN

The various types of information held by HAHN, any organisations with whom that information is shared, and the data retention periods are detailed in the annex to this document.

3. Communicating privacy information

Personal information will either be gathered by HAHN or, in the case of prospective employees, by the external HR consultant employed by HAHN, who will identify HAHN as the potential employer.

Information collected and retained by HAHN is either for employment purposes or for managing the accounts of customers and suppliers. As no use will be made of this information for profiling other than for employment suitability and no information will be shared with other parties for marketing purposes, it is not considered necessary to provide individual privacy notices. People will be informed about the purposes for which their information will be used by notes attached to employment records and customer credit account application forms, and the HAHN website will be amended to include details for customers and suppliers.

4. Individuals’ rights

HAHN recognise the following rights of individuals:

  • the right to be informed
  • the right of access
  • the right of rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object, and the right not to be subject to automated decision-making including profiling.

As HAHN will not be processing information by automated means, the right to data portability should not be applicable. With regard to the other rights, HAHN considers that provision of access to this document will allow employees to assess the information retained by HAHN and request its deletion or amendment.

5. Subject access requests

All requests to access personal information must be submitted to the UK director, Howard Waghorn, either in writing or by email to

HAHN will respond to all access requests within one month from the date of the access request and, provided that the request is not refused, will provide that information without charge.

Only requests for access to the individual’s own information will be considered.

Should an access request be refused, HAHN will provide written details of the reason for the refusal and will inform the individual of their right to complain to the supervisory authority and to a judicial remedy. The refusal details will be provided within one month of the date of the access request.

6. Lawful basis for processing personal data

HAHN recognise the requirement for personal data to be processed lawfully, fairly and in a transparent manner.

Of the six lawful bases for processing personal data, only two apply to HAHN. In the majority of cases, the lawful basis will relate to a Contract – either a contract of employment with an employee or a trading contract with a customer or supplier. In all these cases it will be necessary to process personal data in order to successfully manage the contract, as without the data, it would not be possible to complete the contract.

The main exception to the Contract lawful basis occurs in relation to the autoenrolment pension scheme, where the basis for processing personal data is Legal Obligation, as HAHN is legally obliged to provide an autoenrolment pension scheme.

7. Consent

Consent is one of the 6 lawful bases for processing personal data. Although HAHN is gathering personal data with the consent of the individuals, specific consent is not required as HAHN is being provided with information in connection with mutually agreed contracts or in relation to legal obligations.

8. Children

This section is not applicable to HAHN as the company does not buy from, sell to or employ children.

9. Data Breaches

HAHN recognises its responsibility to have procedures in place to detect, report and investigate a personal data breach.

Personnel information is recorded solely in paper format and filed in locked cabinets, which are accessible to only the Office Manager and the UK Director, with the latter having sole access to files for Office-based employees. A data breach would be evident from physical damage to the locked cabinets. In the event of a breach, HAHN will inform all employees in order that bank details can be changed if required. Reporting the breach to the police will be considered on a case-by-case basis.

Customer and supplier information is recorded in the accounting software used by HAHN. This information is backed up on a daily basis to a cloud-based system. HAHN utilise a computer security system operated by the related company HAHN Kunststoffe in Germany, to protect against viruses, malware and hacking etc. Should HAHN be advised of a data breach in respect of computer-stored information, this information will be passed to all suppliers and customers.

Hard copy paper files including copy sales invoices are also retained in respect of Customers and Suppliers. These files are stored in cabinets which are in open view of office-based employees and are housed in areas not accessible to non-employees.

10. Data protection by design and data protection impact assessments (DPIA)

HAHN recognises that privacy by design is an express legal requirement under GDPR. In order to comply with this requirement, HAHN has designed this policy in accordance with the 12 steps advised by the ICO and has revised the content of its Employee Record form and Customer Application for Credit Account form accordingly.

The ICO lists examples of situations in which data processing is likely to result in high risk to individuals, resulting in DPIAs being mandatory. These examples are:

  • where a new technology is being employed
  • where a profiling operation is likely to significantly affect individuals
  • where there is processing on a large scale of the special categories of data.

As an SME processing data under either Contract or Legal Obligation bases, HAHN does not consider that the personal data is processed in line with any of the above examples, nor is it considered that the data processing is likely to result in high risk to individuals. As such, DPIAs are not considered appropriate.

11. Data Protection Officers

The person responsible for data protection compliance at HAHN is the UK director, Howard Waghorn.

HAHN does not require a formally designated Data Protection Officer, as HAHN is not a public authority; nor is it an organisation that carries out the regular and systematic monitoring of individuals on a large scale, nor is it an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

12. International

HAHN is not involved in cross-border processing, i.e. HAHN does not have establishments in more than one EU member state, nor does it carry out processing that substantially affects individuals in other EU states.

As such there is no requirement to determine a separate lead data protection supervisory authority.


GDPR Policy version 1 April 2018.

HAHN Plastics Ltd - General Data Protection Regulation
Information held by HAHN Plastics Ltd

1. Personal data for current and former employees

| Types of data | Provided By | Shared with by HAHN |
|---|---|---|
| Name; address; date of birth; gender; start date | Employee | Payroll bureau; HMRC; Auto enrolment pension provider and pension administration company |
| Phone number | Employee | Not shared |
| Email address | Employee | Pension provider and pension admin. |
| Next of kin - emergency contact details | Employee | Not shared |
| CV; details of education | Employee | Not shared |
| References from previous employers | Previous employers | Not shared |
| Initial interview notes | HAHN | Not shared |
| Salary | HAHN | Payroll bureau; HMRC; Auto enrolment pension provider and pension administration company |
| Bank details | Employee | Auto enrolment pension provider and pension administration company; HAHN Kunststoffe (for payment purposes) |
| Tax codes | HMRC | Payroll bureau |
| P60s and similar tax notices | HAHN | HMRC |
| In-house reviews | HAHN | Not shared, unless disciplinary, which may be shared with HAHN legal advisors |
| Accident records | HAHN | May be shared with Insurers and HSE |
| Details of hours worked, holidays and similar information | HAHN | Payroll bureau |

Data retention period - information in respect of current employees is retained throughout the period of their employment.

Information on former employees is retained for 2 years following the date of departure.


2. Prospective employees - all information will be gathered by HAHN's external HR consultant

| Types of data | Provided By | Shared with by HAHN |
|---|---|---|
| Name; address; phone number; email address; CV; details of education; information relating to previous employment, such as salary; reasons for leaving | Prospective employee | External HR consultant |
| References from previous employers | Previous employers | External HR consultant |
| Talent measurement - personal details are not provided | External provider | External HR consultant |


Data retention period - for successful candidates, all information will be transferred to personnel files and retained in accordance with section 1. above. For unsuccessful candidates, all hard copy data will be shredded. Electronic data, such as CVs, may be retained by the external HR consultant for future roles at HAHN.


3. Customer information

| Types of data | Provided By | Shared with by HAHN |
|---|---|---|
| Name; address; contact details; company registration number if applicable | Customer | Credit insurer |
| Names of proprietors in the case of partnerships or sole traders | Customer | Credit insurer |
| Delivery addresses | Customer | Freight companies |
| Credit information | Credit insurer | Not shared |
| Trading records | HAHN | Not shared |

Data retention period - 7 years

4. Customer credit card information

| Types of data | Provided By | Shared with by HAHN |
|---|---|---|
| Card number; name on card; expiry date; security code | Customer | Credit card organisation |


Data retention period - no hard copies or electronic records of card information are retained.

5. Supplier information

| Types of data | Provided By | Shared with by HAHN |
|---|---|---|
| Name; address; contact details; bank details | Supplier | Not shared |
| Trading records | HAHN | Not shared |

Data retention period - 7 years