Data Protection Policy

Policy Purpose

This policy sets out how Rim MIX Limited (“the Company”) complies with the General Data Protection Regulation (GDPR) and ensures the lawful, fair and transparent processing of personal data.


Scope

This policy applies to all employees, contractors and third parties who process personal data on behalf of the Company. It covers all personal data received, stored, processed or shared in the course of delivering a range of engineering services.


Data Protection Principles

The Company adheres to GDPR principles, ensuring that personal data is:

  • Lawfully, fairly and transparently processed.
  • Collected for specified, explicit, and legitimate purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and kept up to date.
  • Stored no longer than necessary.
  • Securely processed with appropriate safeguards.

Lawful Bases for Processing

The Company processes personal data under the following lawful bases:

➢ Contract: To fulfil contractual obligations with clients, suppliers and employees.

➢ Legal Obligations: To comply with applicable employment, tax and regulatory laws.

➢ Legitimate Interests: For managing business operations, project records, and quality assurance.

➢ Consent: Where required (e.g., marketing communications).


Categories of Personal Data Processed

The Company may process:

  • Client Data – Contact details, project information and billing details.
  • Employee Data – HR records, payroll information and emergency contacts.
  • Supplier Data – Business contacts and payment details.

Sensitive (special category) data is only processed where necessary and with additional safeguards.


Data Storage and Retention

  • Personal data is stored securely in digital or physical formats.
  • Access is restricted to authorized personnel only.
  • Data is retained only for as long as necessary (e.g., contracts: 6 years after completion, employee records: in line with HR law).
  • Data is securely deleted or anonymized once retention periods expire.

Data Sharing

➢ Data is shared only with trusted third parties (e.g., accountants, IT providers) under written agreements ensuring GDPR compliance.

➢ Data will not be sold or transferred.


Data Subject Rights

Individuals have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure (where legally permissible)
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent (where applicable)

Requests will be handled within one month in accordance with GDPR requirements.


Data Security

➢ Strong passwords, encryption and firewalls are in place.

➢ Physical files are kept in secure and locked storage.

➢ Staff receive GDPR and data security training.

➢ Regular reviews are conducted to identify and mitigate risks.


Data Breach Management

In the event of a personal data breach:

  • The appointed lead will assess the severity of the breach
  • The ICO will be notified within 72 hours if required
  • Affected individuals will be informed where there is a high risk to their rights and freedoms
  • Any breaches will be documented, investigated and reviewed

Roles and Responsibilities

➢ Management: Ensure company-wide compliance

➢ Management: Monitor compliance, handle data subject requests and liaise with regulators

➢ Employees: Follow this policy and report any concerns


Review

This policy will be reviewed annually or sooner if regulations or business practices change.