Sandown Coachworks Data Protection Policy (GDPR)

This is a statement of the Data Protection Policy adopted by Sandown Coachworks.

Responsibility for updating and dissemination of this policy rests with Sandown Coachworks owner and senior management. The policy is subject to regular review to reflect changes in legislation. All staff are required to understand, apply and abide by the policy and if in any doubt to seek advice.

All staff, regardless of department, must receive General Data Protection Regulation and Data Protection Act 1998 awareness training as part of a signed induction process. Ignorance of the GDPR and DPA (98) is unacceptable.


Sandown Coachworks collects and uses certain types of personally identifiable information about clients, customers and suppliers in order to operate. This includes current, past and prospective individuals and entities with whom we conduct business. Personal information, or data, must be dealt with properly however it is collected, recorded and used – whether on paper, electronically, or other means.


The success of our operation and achievement of our objectives depends upon maintaining confidence of those we do business with. Therefore, we need to ensure we treat personal information lawfully and correctly. In doing so, we fully endorse and adhere to the GDPR and the principles set out in the DPA (98).

How is my organisation affected?

The UK’s decision to leave the EU does not affect the implementation of the GDPR in the UK. All organisations operating within the UK that process personal data of individuals within the EU are required to comply with GDPR.

Unlike the previous Data Protection Act 1998, the GDPR and the Data Protection Act 2018 apply to both ‘controllers’ and ‘processors’ of personal data.

For further guidance on the roles of data controllers and processors, please refer to the ICO website.

1. Data shall be processed fairly and lawfully and not processed unless specific conditions are met
2. Data shall be obtained for specified and lawful purpose/s, and not further processed in any other manner
3. Data shall be adequate, relevant and not excessive in relation to the purpose processed
4. Data shall be accurate and, where necessary, kept up to date
5. Data shall not be kept for longer than is necessary for the specified purpose
6. Data shall be processed in accordance with the rights of the data subjects under the Act
7. Data should be subject to technical and organisational measures to prevent damage, destruction or loss
8. Data shall not be transferred outside the EEA unless the country has an adequate level of data protection

Principles

1. Legality, Transparency and Fairness
2. Purpose Limitation
3. Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability

Rights

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

We ensure that

  • We complete and regularly update a personal data risk register
  • We attend and review a personal data training and awareness programme
  • We appoint a senior manager with overall accountability and responsibility for personal data
  • We review and update our data protection policy as new legislation emerges
  • We understand what personal data we hold, where it’s held, and where it goes
  • We have a legal basis for our data processing activities
  • We understand and properly define our processing activities
  • We have enforceable written personal data handling agreements with all third-party suppliers
  • We carry out appropriate due diligence on all third-party suppliers
  • We complete and regularly review our data privacy impact assessment
  • We update and regularly test our incident management policy
  • We attend to any subject access requests (SAR) in a timely manner (less than one month)
  • We rectify, restrict, and allow portability of data via safe means
  • We review and update our information security policy on a regular basis
  • We update our annual registration with the ICO
  • We align ourselves, as much as possible, with the objectives and requirements of ISO 27001
  • We meet the requirement of the Cyber Essentials accreditation
  • We check that all the above is kept in order via an appropriate compliance programme

Version History 01 – Data Protection Policy 01022018 – initial document approved by Hadleigh Rossiter
Mercedes.svg
Ferrari.svg
BMW.svg
Honda.svg
Subaru.svg
Rectangle-23.png
Bentley.svg
Malaren.svg
Maserati.svg
Audi.svg
Tesla-Badge.png
Land-Rover.png
Jaguar.png

Sandown Coachworks Blog

Shepperton

Unit E, Rodd Est Fairwater Dr
Off Govett Avenue
Shepperton
TW17 8AB
01932 240471
info@sandowncoachworks.co.uk

Camberley

26 Doman Road
Yorktown Business Park
Camberley
GU15 3DF
01276 408112
camberley@sandowncoachworks.co.uk

Heathrow

Hanworth Trading Estate
Hampton Road West
Hanworth, Feltham
TW13 6DN
020 8755 1850
heathrow@sandowncoachworks.co.uk

Sandown-Motorsport-white-logo-transparent-1-1

All work is carried out in accordance with our Terms & Conditions .

ESTIMATES – No Appointment Necessary

Opening Hours

Monday – Friday 8.00am – 5.30pm

Saturday – Closed

Sunday – Closed

Cyber-Essentials-Logo

Sandown Coachworks is Cyber Essentials Certified under the governments National Cyber Security Centre Scheme as we take protection of customers data seriously.

Services
Support
BS10125-2022 VEHICLE BODY REPAIR - WHITE-BLACK@4x (1)
BS10125 – 125/10776 (TW17)
Shepperton
BS10125-2022 VEHICLE BODY REPAIR - WHITE-BLACK@4x (1)
BS10125 – 125/10897 (GU15)
Camberley
BS10125-2022 VEHICLE BODY REPAIR - WHITE-BLACK@4x (1)
BS10125 – 125/10897 (TW13)
Heathrow
© 2025 Sandown Coachworks Ltd. All rights reserved.
Built by Landmark