top of page
Privacy Policy


The Data Protection Act 2018 (“DPA 2018”) imposes certain legal obligations in connection with the processing of personal data. We have put together this Privacy Notice as part of our commitment to safeguarding your personal data and to ensure you are aware of what information we hold for you, how we store the data and what we do with it. 


Stonebridge is a data controller within the meaning of the GDPR and we process personal data. We are required under data protection legislation to issue this notice to all individuals for which we hold personal data 


We may amend this Privacy Notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended Privacy Notice. 


This Privacy Notice applies to employees and subcontractors employed or engaged by us. Where parts of this Privacy Notice apply only to certain individuals, it explains how.  

What is personal data? 


Personal data is: “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. 

What personal data do we store and what legal bases do we rely on? 


There are six lawful processing conditions. These are:

  • Consent 

  • Legal obligation 

  • Contractual necessity 

  • Vital interest 

  • Public interest 

  • Legitimate interest 

What personal data do we collect and what is our legal basis for processing it? 


We will collect, store, and use the following categories of personal information about you and the basis for processing. For further information, please contact  

We do not typically collect, or process data related to criminal convictions and offences.  

When and how do we collect your personal data?​

We usually collect personal information about employees and subcontractors through the engagement process before you start working, either directly from the individual or sometimes from our client. We will also collect data from you when:

  • You register with us before you start an assignment – we will take down the details we have noted above 

  • You contact us with queries or complaints 

  • You visit our website and fill out an online form such as a ‘Request a Call-back’ form 

  • When you ask one of our team to email you information about a service, such as an umbrella pay illustration 

  • When you have given a third-party permission to share with us the information they hold about you, for example your recruitment agency 

  • We collect data from publicly available sources when you have given your consent to share information or where the information is made public as a matter of law. 

If you are working under a contract for services and have the right to send a substitute or engage helpers, we may need to collect some personal data from them too. This is for health and safety purposes and to ensure the substitute or helper has the necessary skills to provide the services. 

How do we use your personal data and why? 

In order to provide you with the service you have signed up for and to get you paid correctly and on time, we will need to process your personal data. We will only request the information that’s vital for getting you signed up to the service you have chosen. We will endeavour to keep your information as accurate and up to date as possible. We may also need to process your personal data to: 


  • Comply with a legal obligation

  • Help answer your queries and send you non-marketing emails and texts such as your payslip, pay information, opening hours, complaints procedures and updates to this Privacy Notice 

  • To send you service messages such as updates to relevant legislation which applies to you and any changes to the services we provide to you. 

  • Ensure compliance with tax and employment law 

  • To check you are legally entitled to work in the UK 

  • Liaise with your pension provider 

  • Comply with health and safety obligations 

  • Prevent fraud 

  • Manage sickness absence and ascertain your fitness for work 

We need to use your personal data in this manner, so we can comply with legal obligations and administer the contract we have with you. If you fail to provide personal information, then we may not be able to perform the contract we have entered into with you or may be prevented from complying with our legal obligations. 

​We will only use your personal data for the purposes for which we have collected it or another reason which we reasonable consider that we need to use it for which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, then we will notify you at the time and explain the legal grounds for doing so. 

Where we are required to or permitted by law, we can process your personal data without your consent, such as if required to do so by a government department. 

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights related to employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us. 

​​If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers). 

You acknowledge sensitive information such as name, address and bank details will be included on your remittance advice and accept this will be sent across to you in email format.

Keeping your data secure 


We have put in place robust physical, technical and managerial security measures to prevent your personal information from being used or accessed without authorisation, lost, altered or disclosed to unauthorised parties. We use industry standard TLS certificates to provide encryption of data in transit and our data centres are covered by numerous accreditations, including, but not limited to, PCI DSS, ISO 27001:2013, ISO 14001:2015 and PAS 99:2012. 

We require third parties to respect the security of your data and to treat it in accordance with the law and do not allow them to use your personal data for their own purposes. 

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

How long will we keep your data for?

We will retain your personal data for as long as is necessary to fulfil the purposes we collected it for. We are also required to retain information in accordance with the law, for legal, accounting and reporting requirements. You can request details of different retention periods by emailing

​In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with applicable law and our retention policy then in force.  

Who do we share your personal data with?

We may need to pass your personal data to the following third parties where there is a legitimate interest as well as so we can meet legal and contractual obligations:

  • Government agencies such as HMRC, DWP, Home Office 

  • Your recruitment agency/our client  

  • Companies who host our server and provide our software and business systems 

  • Your pension provider 

  • SMS service provider (for the purposes of communicating with you directly) 

  • The Company's legal and tax advisers 

We require third parties to respect the security of your data and to treat it in accordance with the law and do not allow them to use your personal data for their own purposes. 

​We do not currently transfer your personal data outside the UK. If we need to do so, we will inform you and will ensure that appropriate safeguards are in place where needed.   

​​What are your rights regarding your personal data? 

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. 

The GDRP provides individuals with the following rights: 

  • The right to be informed – you can request to be informed about the collection and use of your personal data 

  • The right of access – you have the right to access your personal data and can make a request verbally or in writing 

  • The right to rectification – you have the right to have inaccurate personal data rectified 

  • The right to erasure – you have the right to have personal data erased, in certain circumstances 

  • The right to restrict processing – you have the right to request the restriction or suppression of your personal data, in certain circumstances 

  • The right to data portability – you have the right to obtain and reuse your personal data for your own purposes across different services 

  • The right to object – you have the right to object to the processing of your personal data, in certain circumstances 

  • Rights in relation to automated decision making and profiling – you can object to automated processing or profiling 

Automated decision-making and profiling

Automated decision-making is making a decision solely by automated means without any human involvement and profiling is automated processing of personal data to evaluate certain things about an individual, which can be part of an automated decision-making process.  

We do not make any decisions using automated means and do not envisage so; however we will inform you if this position changes. 

Requesting personal data we hold about you (subject access requests) 

You have a right to request access to your personal data that we hold. Such requests are known as ‘subject access requests’ (“SARs”). 

Please provide all SARs in writing marked for the attention of the Data Protection Officer. If you email us, the email must come from the email address we have on file for you and must be sent to

You can ask for your personal information to be rectified by speaking to our customer services team on 02037 892 490. 

To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information.  We will usually ask you for a copy of your passport to verify your identity.  


DPA 2018 requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g. if you have previously made a similar request and there has been little or no change to the data since we complied with the original request). 


We will not charge you for dealing with a SAR. 


You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply. 

​​Right to withdraw consent 


If you have provided your consent for the process of your personal data for a specific purpose, you have the right to withdraw your consent at any time. To do so, please email and we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate reason for doing so in law. 


If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the GDPR or DPA 2018 in some other way, you can complain to us. Please send any complaints in writing marked for the attention of the Data Protection Officer. If you email us, the email must come from the email address we have on file for you and must be sent to .

If you are not happy with our response, you have a right to lodge a complaint with the ICO (   You may also complain directly to the ICO if you have concerns about how we have dealt with your data or any request by you to exercise your rights as a data subject. 

bottom of page