top of page

Privacy Policy


Wavetree understands the importance of protecting personal information and is committed to complying with the UK General Data Protection GDPR (GDPR).

GDPR sets out the rules for how organisations must process personal data about living individuals. It gives individuals the right to find out what personal data is held about them by organisations and to request to see, correct or erase personal data held.

Wavetree needs to collect and process personal data about individuals, including employees, customers, and suppliers, it interacts with to carry out its business effectively.

This policy sets out the responsibilities of Wavetree to ensure compliance with the relevant data protection legislation in relation to the collection, use, retention, transfer, disclosure, and destruction of any personal data.


This policy applies to all personal data collected and processed by or on behalf of Wavetree in the conduct of its business and applies to both electronic personal data and to manual filing systems.


Wavetree has overall responsibility for its compliance as a data controller and data processor with the GDPR.

Where third party companies act as data processors, they are aware of and comply with the contents of this policy.

All employees are responsible for ensuring that they meet the requirements of the GDPR. They should familiarise themselves with this policy and related documents.


Wavetree has adopted the following principles to govern its collection, use, retention, transfer, disclosure, and destruction of personal data:


Principle 1: Lawfulness, Fairness and Transparency.

Principle 2: Purpose Limitation.

Principle 3: Data Minimisation.

Principle 4: Accuracy.

Principle 5: Storage Limitation.

Principle 6: Integrity and Confidentiality.

Principle 7: Accountability.


In practice this means that Wavetree must:


  • Tell the data subject what processing will occur, the processing must match the description given to the data subject, and it must be for one of the purposes specified in the applicable section of the GDPR.

  • Specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.

  • Store any personal data only for as long as it is strictly required for the purposes for which they are processed.

  • Have in place processes for identifying and addressing out-of-date, incorrect, and redundant personal data.

  • Store personal data in a way that limits or prevents identification of the data subject, wherever possible.

  • Use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.

  • Demonstrate that the data protection principles (outlined above) are met for all personal data for which it is responsible.


Wavetree adopts physical, technical, and organisational measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.


Access to personal data

Employees have access to personal data only where it is required as part of their functional remit.


All data subjects are entitled to make a Subject Access Request to ask Wavetree whether it holds any personal data relating to them and, if so, to be given a description of and a copy of that personal data.


In addition data subjects are entitled to:


  • Object to processing of their data.

  • Object to automated decision-making and profiling.

  • Request data rectification.

  • Request data erasure.


All data subject requests and processes are co-ordinated by a Wavetree Director in accordance with the subject access request procedure (WTUKGDPR05).


Data Protection by Design

Wavetree is committed to meeting the GDPR requirement to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.


Data Protection Impact Assessments (DPIA) will be carried out where necessary for all new systems and projects in line with the DPIA procedure (WTUKGDPR08).


Compliance Monitoring

Breaches of this policy will be investigated, and appropriate actions taken in accordance with the information security incident procedure (WTUKGDPR09). In case of a security breach that is likely to affect people’s rights and freedoms the Information Commissioner’s Office (ICO) will be informed within 72 hours of Wavetree becoming aware of the breach in line with the personal data breach notification procedure (WTUKGDPR10).



Data Subject Consent

Wavetree obtains personal data only by lawful and fair means and, where appropriate with the consent of the individual concerned.


Consent will be obtained and managed in accordance with the consent procedure (WTUKGDPR04) for the collection, processing, and/or transfer of personal data which includes provisions for:


  • Determining what disclosures should be made in order to obtain valid consent.

  • Providing data subjects with information as to the purpose of the processing of their personal data.

  • Ensuring the request for consent is presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.

  • Ensuring the consent is freely given.

  • Providing a simple method for a data subject to withdraw their consent at any time.


The consent may be given orally, electronically or in writing. The associated receipt or form for consent should be retained, along with a record of the facts, date, content, and method of disclosure.


Data Processing

Wavetree uses the personal data of its employees and customers for the following purposes:


  • The general running and business administration of the company.

  • To provide services to their customers based on contracts.

  • The ongoing administration and management of customer services.


The company does not process personal data unless processing is necessary for:


  • The performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.

  • Compliance with a legal obligation to which the data controller is subject.

  • The purposes of the legitimate interests pursued by the data controller or by a third party, or;

  • The data subject has given consent to the processing of their personal data for one or more specific purposes.


Wavetree maintains and updates a register of processing activity (WTUKGDPR01) where it is established what data the company collects and where, and the lawful basis for processing such data.


Data Quality

Wavetree adopts all necessary measures to ensure that the personal data it collects and processes is complete and accurate, and is updated to reflect the current situation of the data subject.


Data sharing and transfer

Personal data are not transferred outside the UK or the European Economic Area unless an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of their personal data can be ensured.


Personal data in any format are not shared with a third party organisation without a valid business reason, a contract, or data sharing agreement in place, or without the data subject’s consent.


Digital Marketing

Where personal data processing is approved for digital marketing purposes, the data subject must be informed at the point of first contact that they have the right to object, at any stage, to having their data processed for such purposes.


If the data subject puts forward an objection, digital marketing related processing of their personal data must cease immediately and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted.


However, where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of consent to carry out digital marketing to individuals provided that they are given the opportunity to opt-out.



This policy benefits Wavetree by:

  • Promoting transparency and accountability, and fostering a data protection culture across the company.

  • Ensuring compliance with the GDPR.

  • Ensuring employee confidence and compliance in their processing of personal data, being fully informed and aware of their responsibilities and obligations.

  • Reducing the risk of financial penalties and reputational damage from non-compliance.


Listed below are documents that relate to and are referenced by this policy:


WTUKGDPR02 Register of processing activity.

WTUKGDPR04 Consent procedure.

WTUKGDPR05 Subject access request procedure.

WTUKGDPR08 DPIA procedure.

WTUKGDPR09 Information security incident procedure.

WTUKGDPR10 Personal data breach notification procedure.



  • Retained EU law version of the General Data Protection GDPR (GDPR) (GDPR (EU) 2016/679)

  • Privacy and Electronic Communications (ED Directive) GDPRs 2003

  • Human Rights Act 2004

  • Computer Misuse Act 1990

  • Crime and Disorder Act 1998

  • Disability Discrimination Act 1995



Automated Processing

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Profiling is an example of automated processing.

Data Controller

The person or organisation that (either alone or jointly or in common with other persons or organisations) determines when, why and how to process personal data. It is responsible for establishing practices and policies in line with the data protection legislation.

Data Privacy Impact Assessment (DPIA)

Tools and assessments used to identify and reduce risks of a data processing activity.

Data Processor

This refers to any person (other than an employee of the data controller), public authority, agency or other organisation which processes personal data on behalf of the data controller.

Data Subject

A living, identified, or identifiable individual who is the subject of personal data.

Information Commissioner’s Office (ICO)

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Personal data

Any information relating to an identifiable person.

Processing or Process

Any activity that involves the use of personal data. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transmitting or transferring personal data to third parties.


Document information

Policy/Procedure owner

Neil Hamilton, Director, Wavetree

Date approved by Directors


Review Date

To be reviewed annually or as the business dictates.

Date of Last Review


Version 2.0

01/02/2024 Updated version

bottom of page