Privacy Policy

Privacy Policy

This Policy sets out the obligations of Norscot Truck and Van Ltd, a company registered in Scotland under number SC079951, whose registered office is at The Capitol, 431 Union Street, Aberdeen AB11 6DA (“the Company”) regarding data protection and the rights of Employees, Customers, Suppliers and Contractors (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

The Company is fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR) and all other data protection legislation currently in force. The Regulation applies to anyone processing personal data and sets out principles which should be followed and gives rights to those whose data is being processed.

The Company’s Data Protection Officers are Holly Barrack on extension 3116 and Gary Mitchell on 3119 – it is their responsibility to oversee the implementation and compliance monitoring of this Policy including the developing and maintenance of a Data Collection Register and the subsequent audits of our data collection processes and constituent elements.

The Data Protection Officers are tasked with ensuring Data subjects are informed regularly and be the point of contact for handling subject access requests (SAR’s) as well as executing any corrections to data as they arise.

The Data Protection Officers will decide whether a request to stop processing a subjects personal data is executed or not, after having determined if the company’s legitimate grounds  for such processing overrides the data subjects interests, rights and freedoms.

The Data Protection Officers will take measures to ensure that all employees, agents, contractors or other parties working on behalf of the Company are made aware of their individual responsibilities as well as the Company’s under the “GDPR”.

To this end, the Company endorses fully and adheres to the Data Protection Principles listed below. When processing data we will ensure that it is:

  • processed lawfully, fairly and in a transparent way (‘lawfulness, fairness and transparency’)
  • processed no further than the legitimate purposes for which that data was collected (‘purpose limitation’)
  • limited to what is necessary in relation to the purpose (‘data minimisation’)
  • accurate and kept up to date (‘accuracy’)
  • kept in a form which permits identification of the data subject for no longer than is necessary (‘storage limitation’)
  • processed in a manner that ensures security of that personal data (‘integrity and confidentiality’)
  • processed by a controller who can demonstrate compliance with the principles (‘accountability’)

These rights must be observed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, the Company will:

  • observe fully the conditions regarding having a lawful basis to process personal information
  • meet its legal obligations to specify the purposes for which information is used
  • collect and process appropriate information only to the extent that it is necessary to fulfil operational needs or to comply with any legal requirements
  • ensure the information held is accurate and up to date
  • ensure that the information is held for no longer than is necessary
  • ensure that the rights of people about whom information is held can be fully exercised under the GDPR (i.e. the right to be informed that processing is being undertaken, to access personal information on request; to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as wrong information)
  • take appropriate technical and organisational security measures to safeguard personal information
  • ensure that personal information is not transferred outside the EU, to other countries or international organisations without an adequate level of protection


Throughout employment and for as long as is necessary after the termination of employment, the Company will need to process data about you. The kind of data that the Company will process includes:

  • any references obtained during recruitment
  • details of terms of employment
  • payroll details
  • tax and national insurance information
  • details of job duties
  • details of health and sickness absence records
  • details of holiday records
  • information about performance
  • details of any disciplinary and grievance investigations and proceedings
  • training records
  • contact names and addresses
  • correspondence with the Company and other information that you have given the Company

The Company believes that those records used or, to be used, are consistent with the employment relationship between the Company and yourself and with the data protection principles. 

The data the Company holds will be for management and administrative use only but the Company may, from time to time, need to disclose some data it holds about you to relevant third parties (e.g. where legally obliged to do so by HM Revenue & Customs, where requested to do so by yourself for the purpose of giving a reference or in relation to maintenance support, where the hosting of data is in relation to the provision of insurance, where basic personal data is requested by the legal authorities that does not prejudice either the individual nor the company by so providing).

In some cases the Company may hold sensitive data, which is defined by the legislation as special categories of personal data, about you.  For example, this could be information about health, racial or ethnic origin, criminal convictions, trade union membership, or religious beliefs. 

This information may be processed not only to meet the Company's legal responsibilities but, for example, for purposes of personnel management and administration, suitability for employment, and to comply with equal opportunity legislation. 

Since this information is considered sensitive, the processing of which may cause concern or distress, you will be asked to give express consent for this information to be processed, unless the Company has a specific legal requirement to process such data.


You may, within a period of  one month  of a written request, inspect and/or have a copy, subject to the requirements of the legislation, of information in your own personnel file and/or other specified personal data and, if necessary, require corrections should such records be faulty. 

If you wish to do so you must make a written request to your line Manager.  The Company is entitled to change the above provisions at any time at its discretion.


You are responsible for ensuring that any personal data that you hold and/or process as part of your job role is stored securely.

You must ensure that personal information is not disclosed either orally or in writing, or via web pages, or by any other means, accidentally or otherwise, to any unauthorised third party.

You should note that unauthorised disclosure may result in action under the disciplinary procedure, which may include dismissal for gross misconduct. Personal information should be kept in a locked filing cabinet, drawer, or safe. Electronic data should be coded, encrypted, or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.

When travelling with a device containing personal data, you must ensure both the device and data is password protected.  The device should be kept secure and where possible it should be locked away out of sight i.e. in the boot of a car.  You should avoid travelling with hard copies of personal data where there is secure electronic storage available. When it is essential to travel with hard copies of personal data this should be kept securely in a bag and where possible locked away out of sight i.e. in the boot of a car.  


This policy shall be deemed effective as of 1st May 2018. No part of this Policy shall have a retroactive effect and thus shall apply only to matters occurring on or after this date.

The Policy has been approved and authorised by:

Name :-                       George Barrack

Position:-                     Managing Director

Date:-                          20th April 2018

Due for Review:-         31st January 2019

Download this policy as a pdf