Privacy & Data Protection Policy


This policy applies to Wheeler Group LLP, Wheeler Group Consultancy Limited and its wholly owned subsidiary companies and/or partnerships, collectively referred to in this policy as “Wheelers”.

Wheelers acknowledges that everyone has rights with respect to the way in which their personal data is handled.

Wheelers will collect, store and process personal data about its employees (past, present and prospective), clients, suppliers and other third parties in accordance with our statutory obligations, including the General Data Protection Regulation 2016 (GDPR).

Data users (see Definition of Data Protection Terms) are obliged to comply with this policy when processing Personal Data on Wheelers’ behalf. Any breach of this policy may result in disciplinary action.

About This Policy

This policy applies to all individuals working for Wheelers at all levels, including partners (members), directors, senior managers, staff, consultants, agency staff, agents or any other person associated with us wherever located.

The types of personal data that Wheelers may be required to handle include information about current, past and prospective employees, clients, suppliers, users of its website and others with whom Wheelers communicates.

The Personal Data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the General Data Protection Regulation 2016 (GDPR) and other regulations.

It is Wheelers’ policy to ensure that our compliance with the GDPR and other relevant legislation is clear and demonstrable at all times.

This policy and any other documents referred to in it sets out the basis on which Wheelers will process any Personal Data it collects from Data Subjects, or that is provided to Wheelers by Data Subjects or other sources.

It also sets out rules on data protection and the legal conditions that must be satisfied when Wheelers obtains, handles, processes, transfers and stores personal data.

Anyone processing Personal Data on behalf of Wheelers must only do so as instructed and in accordance with this policy and any other policy or procedure designed to ensure our compliance with our legal obligations.

Definition of Data Protection Terms

Data is the information which is stored electronically, on a computer or in certain paper-based filing systems.

Data Subjects for the purpose of this policy include all living individuals about whom Wheelers hold personal data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their personal information. At Wheelers, Data Subjects include current, past and prospective employees, suppliers, contractors and clients, consultants and advisers.

Personal Data means data relating to a living individual who can be identified from that data (or from that data and other information in Wheelers’ possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions or behaviour. Personal Data held in relation to suppliers, contractors and clients, consultants and advisers will generally be limited to name, postal address, email, mobile and/or landline number for use in connection with the administration of the business and the professional services provided, including invitations to events and seasonal greetings.

Data Controllers are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with regulation. Wheeler Group LLP is the data controller of all personal data used in its business for its own commercial purposes.

Data Users are those Wheelers employees whose work involves handling (‘processing’ in Data Protection terms) personal data. Data users must protect the data they handle in accordance with this data protection and any applicable data security procedures at all times. Data users are likely to include people in ‘Administration’ roles (including office management, finance, senior personnel and Partners / Directors).

Data Processors include any person or organisation that is not a data user that processes personal data on Wheelers’ behalf and on Wheelers’ instructions e.g. IT support, pensions, accountants, health insurance brokers.

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties.

Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any such court in such proceedings. Sensitive Personal Data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

Our Principles

Anyone processing personal data must comply with the Article 5 of the GDPR that requires that Personal Data shall be:
  1. processed lawfully, fairly and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’)
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  5. kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
  7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles (‘accountability’)
Wheelers will ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing as appropriate.

Addressing Compliance to the GDPR

The following actions are undertaken to ensure that Wheelers complies at all times with the accountability principle of the GDPR:
  • The legal basis for processing Personal Data is clear and unambiguous
  • All staff involved in handling Personal Data (Data Users) understand their responsibilities for following good data protection practice
  • Training in data protection has been provided to staff as necessary
  • Rules regarding consent are followed
  • Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
  • Regular reviews of procedures involving personal data are carried out
  • Privacy by design is adopted for all new or changed systems and processes
These actions will be reviewed on a regular basis as part of the management review process of the information security management system.

Legal Basis for Processing Personal Data

Under the GDPR there are six legal bases for processing personal data:
  1. For the performance of a contract: the processing is necessary for a contract entered into or potentially to be entered into with Wheelers.
  2. Compliance with a legal obligation: the processing is necessary for Wheelers to comply with the law (not including contractual obligations).
  3. Legitimate business interests: the processing is necessary for Wheelers’ legitimate business interests or the legitimate interests of a third party i.e. data necessary to manage HR-related activities designed to ensure the continuity, growth and success of the organisation, unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests.
  4. Vital interests – the processing is necessary to protect someone’s life i.e. emergency contact details.
  5. Public interest – the processing is carried out in the public interest, i.e. is necessary for Wheelers to perform a task in the public interests or for Wheelers’ official functions and the task or function has a clear basis in law.
  6. Consent – the processing is necessary for a contract Wheelers has with the individual.
Wheelers only process personal data for the specific purposes notified to the Data Subject when the data is first collected or for any other purposes specifically permitted by the regulation as above.


Wheelers maintain appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.

Wheelers maintain procedures and technologies to protect the security of all personal data from the point of collections to the point of destruction. Personal data will only be transferred to a Data Processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.

Wheelers maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

Confidentiality means that only people who are authorised to use the data can access it

Integrity means that the personal data should be accurate and suitable for the purpose for which it is processed

Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data is therefore stored on Wheelers’ computer network with appropriate access permissions set.

All of Wheelers’ data is stored on secure servers both locally and backed up remotely in an appropriate form.


Unless it is necessary for a reason allowable in the GDPR, explicit consent must be obtained from a Data Subject to collect and process their Data. Transparent information about our usage of their Personal Data must be provided to Data Subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.

If the Personal Data are not obtained directly from the Data Subject then this information must be provided within a reasonable period after the data are obtained and definitely within one month.

Rights of the Individual

The Data Subject also has rights under the GDPR. These consist of:
  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Each of these rights is supported by appropriate procedures within Wheelers that allow the required action to be taken within the timescales set by and stated in the GDPR, some of which may be subject to payment of a reasonable fee to Wheelers based on administrative costs.

Data Retention

In order to comply with the requirement that personal data is kept for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’). Wheelers will retain personal data for such periods as are reasonably required for continuing business purposes and/or such periods as are required under contract terms, following which Personal Data will be deleted or destroyed.

Privacy by Design

Wheelers has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process Personal Data will be subject to due consideration of privacy issues, including where appropriate the completion of one or more Privacy Impact Assessments (PIA).

Transfer of Personal Data

Transfers of Personal Data outside the European Union will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for Personal Data applicable in the receiving country and this may change over time.

Breach Notification

It is Wheelers’ policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of Personal Data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours.

Our Website

You can visit our website without providing any personal information, however IP addresses may be automatically collected and information about your visit and how you use our website for statistical or analytical purposes, which may include the use of ‘Cookies’.

Cookies are tiny files that are saved to your computer when you visit our site in order to give you a better online experience and to enable us to use analytics to see how many people visit our website. These can be blocked by adjusting your browser’s settings as you wish but this might prevent some of the features on our website from working properly.

You may provide us with information by corresponding with us by phone, email, or otherwise as indicated on the website, or in person.

Wheelers may amend this Data Protection Policy from time to time, for example, to keep it up to date or to comply with legal requirements.

For further information on Wheelers’ privacy and data protection policies please contact a Partner.
© Copyright 2023 Wheeler Group LLPWeb Design By Toolkit Websites