Cookies on this website
We use cookies to ensure that we give you the best experience when using our website.    You may prefer to disable cookies on this site and on others.  The most effective way to do this is to disable cookies in your browser.  We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance about cookies.

Aim of the policy

This policy is issued by the company, hereinafter referred to as “Fry”.

 The aim of this policy is to help us achieve our goals of protecting Personal Data by:

  • informing those employed and providing services to Fry (“we” or “us”) of the types of Personal Data that we hold and/or service providers process on our behalf, and what we do with the data;

  • making sure that our rules and the legal standards for handling and managing personal information are clear and concise, in accordance with the applicable regulations and requirements;

  • ensuring that those responsible for the collection, handling and processing of Personal Data have been provided the appropriate and continued guidance and training to ensure that they are fully aware of their data protection responsibilities: and

  • providing assurance that Fry recognises both the importance and value of Personal Data.

This policy contains two parts: in the first part you will be informed how we treat your Personal Data we may need to process due to the employment relationship.

The second part serves as a manual in terms of how you should comply with our data protection aims and obligations.

What is Personal Data

“Personal Data” is any information that relates to an identified or identifiable living individual who can be identified from the data, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier. 

“Sensitive personal Data” is Personal Data consisting of information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition, sexuality, biometric and genetic data.

Personal Data also covers data relating to criminal convictions and offences and “processing” means any operation which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or any kind of disclosure or other use.

Scope and Applicability

This policy applies to all Fry employees, temporary workers, consultants, contractors and third parties who have access to and/or handle Personal Data in any way on behalf of Fry (“you”).

Fry holds Personal Data about its employees and temporary workers, its consultants, contractors and third parties (the “Data Subjects”) for a variety of business purposes. This policy sets out how we seek to protect Personal Data and ensure that you understand the rules governing the use of Personal Data to which you will have access to in the course of your work.


The Policy

Fry is committed to ensuring that Personal Data (in all formats) collected and processed by us will be done so in line with applicable privacy and data protection laws, including the EU General Data Protection Regulation or “GDPR”.

Part 1: How we handle your data

We hold Personal Data as outlined above for a variety of business purposes.

We will only process your Personal Data for the specific purposes notified to you or the other Data Subjects or for any other purposes specifically permitted by law or under the GDPR.

This policy supplements our  Information Security Policy. We may supplement or amend this policy and related policies and guidelines from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions. We will keep you duly informed of such changes.

Data Protection Principles

As we process Personal Data we must comply with the six GDPR principles summarised below and as provided for in more detail within Annex A to this policy.  We are required to comply with and be able to demonstrate compliance with these principles.

Personal Data shall be:

  1. processed fairly, lawfully and transparently;

  2. collected for specified, explicit and legitimate purposes and not further processed in a way which is incompatible with those purposes;

  3. adequate, relevant and limited to what is necessary for the purpose for which it is processed; accurate and, where necessary, kept up to date;

  4. not kept longer than necessary; and

  5. processed in a manner that ensures appropriate security of the Personal Data. 

Employee, temporary workers and consultants’ Personal Data

This policy covers Personal Data we hold about Fry employees and temporary workers and consultants, which include your name, address, bank account details, passport information, salary information, training and compliance records, recruitment records, and disciplinary and claim records.

The information can be held in hard copy or digital form. We process Personal Data as part of our day to day business, for management and administrative purposes, only if and to the extent that at least one of the following applies:

  1. it is necessary for the performance of the contract to which you are party or in order to take steps at your request prior to entering into the contract, including payroll processing, monitoring of performance, manage benefits, discipline and dismissal proceedings;

  2. it is necessary so as to comply with our legal obligations, including insurance scheme management, such as accident insurances and accident records, and for the protection of health and safety at work;

  3. it is necessary for the purpose of the legitimate interests pursued by us, including work mobility and internal recruitment; or

  4. based on your freely given, specific, informed and unambiguous consent, including to confer benefits in connection with your employment or consultancy. 

Disclosure of Personal Data

We may disclose your Personal Data to third parties residing within the EU who assist us in providing our services and process your Personal Data on our behalf and under our control (“Processors”).

To ensure that the Personal Data will be used only to the extent necessary and in compliance with legal requirements and our instructions, we have bound our Processors by concluding Data Processing Agreements with them. This way, we made sure that your Personal Data will be processed only for the purposes mentioned above. The Personal Data will be therefore be shared with Fry (to be contacted at  as well as with third parties involved in the processing of your data such as payroll companies, insurance and pension providers, social security.

Sensitive Personal Data

On some occasions we may collect information about individuals that is defined by the GDPR as ‘special categories of personal data’ and special rules will apply to the processing of this data. In this policy we refer to ‘special categories of personal data’ as ‘Sensitive Personal Data’.

We may collect, hold or process Sensitive Personal Data relating to staff including, as appropriate (and provided such processing is specifically authorised or required by law):

  • information about your physical or mental health or condition in order to monitor sick leave and take decisions as to fitness for work or as part of absence, sickness or health and safety records;

  • data we need to process so as to comply with legal requirements and obligations to third parties; and

  • data we need to process in order to enrol employees in and terminate employees from various benefits schemes such as pensions

In most cases, in order to process Sensitive Personal Data, we must obtain explicit consent from the individual concerned, though sometimes the processing may be necessary to comply with our legal obligations. Regarding consent, the Data Subjects may withdraw their consent at any time, which shall have no effect on the lawfulness of processing before its withdrawal. Any questions on whether consent is required should be directed to the Managing Director.

Purely financial Personal Data is not technically defined as sensitive data by the GDPR. However, particular care should be taken when processing such data, as any breach relating to financial data will be taken very seriously.  You must take reasonable steps to ensure that all Personal Data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Managing Director, so that your records can be updated.

Data Storage Periods

In accordance with the legal requirements we will store Personal Data not longer than necessary. In terms of the employment relationship we will store your Personal Data for the period of the performance of the contract. Afterwards, if not any storage periods by law, such as tax regulations, oblige us to store the Personal Data for a longer period of time, it will be deleted.

Annex C provides a schedule of data retention periods.

Transferring Personal Data outside the European Union (EU)

We may transfer Personal Data to parties residing in countries outside of the European Union (“Third Countries”), Third Countries may have different data protection standards than your country of residence. However, we will take reasonable measures to ensure an adequate level of data protection when transferring your Personal Data to those parties.

You can request a copy of each measure we have taken to ensure an adequate level of data protection of your Personal Data. Concerning this matter, please contact us via the contact options provided within the ‘Disclosure of Personal Data ‘ paragraph on the previous page.

The Data Subject’s Rights

You are entitled to exercise several rights regarding the processing of your Personal Data. Depending on the specifics of the case, you may be entitled to exercise some or all of the following rights. You may:

  • request proper rectification, erasure or restriction of your Personal Data, e.g. because it is incomplete or inaccurate, it is no longer needed for the purposes for which it was collected, the consent on which the processing was based has been withdrawn, or you have taken advantage of an existing right to object to the data processing; in case the Personal Data is processed by third parties, your request for rectification, erasure or restriction will be forwarded also to such third parties unless this proves impossible or involves disproportionate effort;

  • in case processing in based on consent (for example in some cases regarding processing of Sensitive Personal Data): refuse to provide and – without impact to data processing activities that have taken place before such withdrawal or to any other existing legal justification of the processing activity in question – withdraw your consent to processing of your Personal Data at any time;

  • require to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from our side; where technically feasible you shall have the right to have the Personal Data transmitted directly from us to another controller;

  • lodge complaints before the competent data protection regulators. 


In case you want to contact us, please email 


Part 2: How we want to handle your personal data entrusted to us

As an employee, temporary worker, consultant or contractor of Fry you may be involved with the processing of Personal Data. This may arise in the context your particular position and may concern Personal Data for example of other Fry employees and temporary workers, its visitors and guests, its consultants, contractors or third parties such as brand partners.

This part of the policy shall serve as a guideline on how to treat Personal Data and assure compliance with statutory obligations and our internal data protection policy.

Notification – reporting

You have an obligation to immediately report actual or potential data protection compliance failures and any data breaches. This allows us to investigate the failure and take remedial steps if necessary. In certain situations, Fry may even be obliged to notify the Data Protection Authority of any compliance failures that are material.

All data breaches must be reported in line with the requirements and guidance within the Fry Information Security Policy. All notifications and data breaches will be managed by the Privacy Officer.

Data security

All Personal Data must be kept secure so as to protect against loss, compromise or misuse. Where other organisations process Personal Data as a service on our behalf, the Fry Legal Department will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations.

Storing and disposing data securely

  • In cases when data is stored on printed paper, it is to be kept in a secure place where unauthorised personnel cannot access it.

  • Data stored on a computer must be protected by strong passwords that will be changed when compromise is suspected, in compliance with the Fry Information Security  policy

  • Data stored on CDs or memory sticks must be locked away securely when they are not being used.  Data stored on this media must be encrypted or password protected when taken off-site. Memory sticks are only to be used as data transfer devices and not data storage devices.

  • Servers containing Personal Data must be kept in a secure location, away from general office space and only accessed by those who are authorised.

  • Data will be regularly backed up in line with the Fry backup procedures.

  • All servers containing sensitive data will be approved and protected by security software and strong firewalls.

When disposing of printed Personal Data, this must be shredded in line with the Fry Information Security policy. No destruction of a record should take place without assurance that:

  • the record is no longer required by any part of the business;

  • no work is outstanding by any part of the business;

  • no litigation or investigation is current or pending which affects the record; and

  • there are no current or pending formal access requests which affect the record. 

Data retention 

In line with the Statutory data retention requirements detailed in Annex C , all Personal Data held by us will be retained for no longer than is necessary. What is necessary will depend namely on the purposes and legal basis for the processing, applicable to each case. 

Transparent Information

You as well as other Data Subjects, have the right to be informed in a concise, transparent, and clear language of the processing relating to your Personal Data, in accordance with the GDPR.

Subject access requests

You as well as other Data Subjects have the right to obtain confirmation as to whether or not Personal Data is being processed. Therefore, they may request access to the Personal Data and information held about you, in accordance with the GDPR, and we will respond to such requests in a timely manner and in line with country specific data protection legislation.

If you wish to request a Subject Access Request, you should contact your Managing Director.


All Fry employees will receive training on this policy and their responsibility regarding the protection of Personal Data and information security. New joiners will receive training as part of the induction process. Further training will be provided on a periodic basis or whenever there is a substantial change in the applicable regulations or our policy and procedures.

Completion of training is compulsory.

Right to rectification

You as well as any Data Subject, have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning yourself. Taking into account the purposes of the processing, you may also have incomplete Personal Data completed, including by means of providing a supplementary statement.

Restriction of processing

You as well as any Data Subject, have the right to request the restriction of Processing, in the cases expressly mentioned in the GDPR (such as when the accuracy of the Personal Data is contested by you, for a period so as to enable Fry to verify the accuracy of the Personal Data).

Data portability

Upon request, you, as well as any Data Subject, can request to receive a copy of your Personal Data in a structured format. This right may only be exercised when the processing is based on consent or on a contract. All requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.. Please contact in case of questions.

Right to be forgotten

You or any Data Subject may request that any personal information held on you is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can be refused if an exemption applies, namely, if the processing is necessary for the purposes of carrying out obligations and rights of Fry in the field of employment, social security and social protection law.

Right to object

You or any other Data Subject has the right to object, on grounds relating to your particular situation, at any time, to processing of your personal data which is based on legitimate interests or the performance of a task in the public interest, as well as to the processing of your Personal Data for direct marketing purposes.

Data audit and register

In line with the requirements of the GDPR, we will register what Personal Data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant. Regular data audits to manage and mitigate Personal Data risks will be carried out.

This policy requires you to ensure that the Managing Director will be consulted before any new data processing activity is initiated to ensure that relevant compliance steps are addressed. Any new processing activity must be included in the records of Fry personal data processing activities.

Transferring Personal Data Outside the European Economic Area (EEA)

The GDPR requires that when organisations transfer Personal Data outside the EEA, they take extra steps to ensure that the data is properly protected.

The European Commission has determined that certain countries provide an adequate data protection regime. These countries include Andorra, Argentina, Canada, Guernsey, Isle of Man, Israel, New Zealand, Switzerland, Faroe Islands, Jersey and Uruguay. This list may be updated from time to time.

In transferring Personal Data to countries outside the EEA (which are not on the approved list) it will be necessary to enter into specific legal agreements, following the guidelines of the European Commission.

Advice should be sought from the Fry Legal and/or HR Department before transferring takes place.

Consequences of failing to comply

We take compliance with this policy very seriously. Failure to comply puts both you and Fry at risk. The potential penalties under the GDPR are very material (up to € 20 million or 4% of a Fry’s worldwide turnover), in addition to reputation damage.

The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, up to dismissal, in line with the applicable laws in every Fry market. If you have any questions or concerns about anything in this policy, do not hesitate to contact

Annex A: Data Protection Principles

Article 5 of the GDPR requires that personal data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Annex B: Data Protection Glossary

Article 4 of the GDPR defines, among others, the following concepts:

Biometric data - means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data;

Consent of the data subject - any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Controller - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Data concerning health - personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Genetic data - personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Personal Data - any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processor - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Pseudonymisation - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Special categories of personal data – the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;

Third party - a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. 

Annex C: Statutory Data Retention Requirements



Statutory Retention Periods

Statutory Authority

Accident books, accident records/


3 years from the date of the last

entry (or, if the accident involves a

child/ young adult, then until that

person reaches the age of 21). (See

below for accidents involving

chemicals or asbestos)

The Reporting of Injuries, Diseases and

Dangerous Occurrences Regulations 1995

(RIDDOR)(SI 1995/3163) as amended, and

Limitation Act 1980. Special rules apply

concerning incidents involving hazardous

substances (see below).

Accounting records

3 years for private companies, 6 years

for public limited companies

Section 221 of the Companies Act 1985 as

modified by the Companies Acts 1989 and 2006

Income tax and NI returns, income

tax records and correspondence

with HMRC

Not less than 3 years after the end of

the financial year to which they


The Income Tax (Employments) Regulations

1993(SI 1993/744) as amended, for example by

The Income Tax (Employments) (Amendment No.

6) Regulations 1996 (SI 1996/2631)

Retirement Benefits Schemes –

records of notifiable events, for

example, relating to incapacity

6 years from the end of the scheme

year in which the event took place

The Retirement Benefits Schemes (Information

Powers) Regulations 1995(SI 1995/3103)

Statutory Maternity Pay records,

calculations, certificates (Mat B1s)

or other medical evidence

3 years after the end of the tax year

in which the maternity period ends

The Statutory Maternity Pay (General)

Regulations 1986(SI 1986/1960) as amended

Wage/salary records (also

overtime, bonuses, expenses)

6 years

Taxes Management Act 1970

Records relating to working time

2 years from date on which they

were made

The Working Time Regulations 1998 (SI


Identifiable employee

6 Years