Privacy Policy

Your Privacy Matters to Us

We're committed to protecting your personal information and your right to privacy

Our Commitment to Your Privacy

At Nationwide Metal Recycling, we take the protection of your personal information seriously. This privacy policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and UK data protection laws.

We are committed to being transparent about our data practices and empowering you with control over your personal information.

GDPR Compliant

We follow strict data protection principles and have implemented comprehensive security measures to safeguard your personal information. Your privacy rights are at the heart of everything we do.

Company Information

Nationwide Metal Recycling Limited is a metal and waste recycling business operating from multiple locations across East England.

Head Office

Martells Quarry, Slough Lane
Ardleigh, Essex, CO7 7RU

ICO Registration

Our ICO registration number is:

Z323472X

Data Protection Lead

Sheila Edwards

sheila@nmrecycling.co.uk

Our Locations

  • Cambridge Depot: Barnwell Junction, Swann Road, Cambridge, Cambridgeshire, CB5 8JZ
  • Colchester Depot: 16 Commerce Way, Whitehall Industrial Estate, Colchester, Essex, CO2 8HW
  • Eye Depot: The Yard, Denham Street, Nr Eye, Suffolk, IP21 5EX
  • Hitchin Depot: Bridge Works, Cadwell Lane, Hitchin, Hertfordshire, SG4 0SA
  • Spalding Depot: 5A Fen Road, Holbeach, Spalding, Lincolnshire, PE12 8QA

For any questions or requests regarding your personal information, please contact our Data Protection Lead using the email address above.

Your Privacy Rights Under GDPR

We are committed to protecting your rights to privacy. Under GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to know what personal data we process about you and why we process it.

Right of Access

You can request a copy of all personal information we hold about you through a Subject Access Request.

Right to Rectification

You can ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

Also known as the "right to be forgotten," you can request that we delete your personal data in certain circumstances.

Right to Restrict Processing

You can ask us to limit the way we use your personal data in certain situations.

Right to Object

You have the right to object to processing based on our legitimate interests or for direct marketing purposes.

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Lead at sheila@nmrecycling.co.uk. We will respond to your request within one month, or inform you if we need additional time (up to three months for complex requests).

Personal Data We Collect

As a scrap metal dealer and recycling business, we collect and process various types of personal information to comply with legal requirements and operate our business effectively.

Customer & Supplier Information

When you do business with us, we may collect:

  • Identity Information: Names, addresses, copies of driving licenses, passports, and utility bills for identity verification
  • Contact Details: Email addresses, telephone numbers, and business addresses
  • Financial Information: Bank account details, cheques, receipts, and BACS payment information
  • Vehicle Information: Vehicle registration numbers
  • Business Information: Scrap metal dealer license numbers, waste carrier registration numbers
  • Transaction Records: Invoices, receipts, accounts, VAT and tax returns

Employee Information

For our employees, we process:

  • Personal Details: Names, addresses, contact details, and next of kin information
  • Employment Records: CVs, contracts of employment, appraisals, and references
  • Financial Information: Pay rates, bank details, and payroll information
  • Health Information: With explicit consent (which can be withdrawn at any time), we may process health information relevant to employment

CCTV & Security

We operate CCTV cameras at our facilities for security purposes. CCTV footage is retained for one month unless needed for crime investigation.

Why We Collect Your Data

We only collect and process personal data when we have a lawful basis to do so. Here's why we process your information:

Legal Obligations

As a scrap metal dealer, we are required by legislation to keep certain records for three years, including:

  • Names and addresses of suppliers of scrap metal
  • Identity verification documents (copies of driving licenses, passports, utility bills)
  • Financial records (cheques and receipts confirming electronic transfers)
  • Vehicle registration numbers
  • Scrap metal dealer license numbers and related documentation
  • Waste carrier registration numbers and environmental permits

Legal Compliance

The Scrap Metal Dealers Act 2013 requires us to maintain detailed records of all scrap metal transactions. This legislation helps prevent metal theft and ensures traceability in the recycling industry.

Legitimate Business Interests

We also process personal information when it's in our legitimate interests as a business, including:

  • Security & Safety: CCTV footage for premises security and crime prevention
  • Business Operations: Invoices, receipts, and accounts for financial management
  • Compliance: VAT and tax returns, environmental permits
  • Record Keeping: License documentation and waste shipment information

Contractual Obligations

For our employees, we process personal data pursuant to employment contracts, including:

  • Payroll and bank details for salary payments
  • Contact details for work-related communications
  • Employment records for performance management
  • Health information (with explicit consent) for occupational health purposes

Consent for Special Category Data

For sensitive information such as health records, we always obtain your explicit consent before processing. You can withdraw this consent at any time by contacting our Data Protection Lead.

How Long We Keep Your Data

We only retain personal data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations.

Retention Periods by Data Type

Legal Requirement: 3 Years

  • Identity verification documents (passports, driving licenses, utility bills)
  • Scrap metal transaction records
  • Supplier and customer names and addresses
  • Vehicle registration numbers
  • Scrap metal dealer license documentation
  • Waste carrier registration records
  • Environmental permits and waste shipment information

Financial Records: 6 Years

  • Invoices and receipts
  • Accounts and financial statements
  • VAT and tax returns
  • Employee payroll and bank details
  • Employment contracts and related documents

CCTV Footage: 1 Month

CCTV footage is automatically deleted after one month unless it's needed for the investigation of a crime, in which case it may be retained longer and shared with police services.

Data Minimization

We follow the principle of data minimization - we only collect and retain the minimum amount of personal data necessary for our purposes. When retention periods expire, we securely delete or destroy the information.

Secure Disposal: All personal data is disposed of securely, either through on-site shredding or via GDPR-compliant confidential waste disposal services.

How We Share Your Personal Data

We share personal data internally on a strict need-to-know basis only. Access to identity records and personnel files is limited to designated individuals with appropriate security measures in place.

Internal Data Sharing

  • Hard copy documents are stored in locked, fireproof filing cabinets
  • Electronic files are encrypted and password-protected
  • Access rights are regularly monitored and reviewed
  • Staff receive data protection training

External Data Sharing

We do not sell, rent, or trade your personal information to third parties. We only share personal data externally with the following parties and in the following circumstances:

Professional Advisers

Accountants, solicitors, and other professional advisers who assist with our business operations (under confidentiality agreements).

Police Services

When required for the investigation or detection of crime, including metal theft.

Regulatory Bodies

Local authorities, Environment Agency, HMRC, or VAT Commissioner when required by law.

Court Orders

When we're legally required to do so pursuant to a court order or legal process.

Service Providers

We work with trusted service providers who process personal data on our behalf under strict GDPR-compliant contracts:

  • IT Support: Plan-IT Consulting Limited (cyber security and IT infrastructure)
  • Cloud Storage: Secure, encrypted cloud storage providers
  • Document Destruction: Confidential waste disposal companies
  • Website Services: Web hosting and maintenance providers

No International Transfers

We do not transfer your personal data outside of the United Kingdom. All data processing takes place within the UK under UK GDPR protection.

How We Protect Your Data

We take the security of your personal information very seriously. We have implemented comprehensive physical, organizational, and technical measures to protect your data from unauthorized access, loss, or misuse.

Physical Security Measures

  • All premises are protected by alarm systems and CCTV cameras
  • Visitors are supervised at all times
  • Areas containing personal data are secured with locks and complex security codes
  • Computer screens are positioned to prevent casual viewing
  • Hard copy materials are stored in locked, fireproof filing cabinets
  • Clear desk policy is enforced outside of working hours
  • Special category data (medical records, ID documents) are kept separately with restricted access
  • Mobile equipment (laptops) is encrypted and locked away when not in use
  • Electronic data is backed up off-site
  • Servers are kept in locked rooms
  • Secure on-site shredding or certified waste disposal for document destruction

Organizational Security Measures

  • Regular policy reviews and updates
  • Senior management commitment to data protection
  • Designated Data Protection Lead with appropriate resources
  • Comprehensive staff training on data protection
  • Disciplinary procedures for policy breaches
  • Regular file handling audits and spot checks
  • Designated staff for data deletion with specific training
  • Strict procedures for authenticating identity of callers and contacts

Technical Security Measures

  • Anti-virus and anti-spyware tools on all computers
  • Full disk encryption on all devices
  • Strong password protection (sharing passwords is a disciplinary offense)
  • Automatic security patch downloads
  • Automatic screen locking when inactive
  • Prevention of unauthorized software downloads
  • Restricted USB and removable media usage (encryption required)
  • Access rights on strict need-to-know basis
  • Regular access rights reviews
  • Encryption of data before cloud uploads
  • Email encryption for sensitive information
  • Work email accounts required (personal emails prohibited)

Cyber Security Insurance

We maintain cyber security insurance to provide additional protection. In the event of an IT-related data breach, affected individuals may be offered free access to identity protection services through our insurers.

Regular Security Reviews

Our security measures are reviewed, tested, and evaluated at least annually. We also conduct Data Protection Impact Assessments whenever introducing new processes that may affect your data.

Our Data Breach Response

While we take extensive measures to protect your data, we recognize that breaches can occur. We have comprehensive procedures in place to respond quickly and appropriately.

ICO Guidance: Tell it all. Tell it fast. Tell the truth.

We follow the Information Commissioner's Office advice on responding to personal data breaches with transparency and urgency.

Our Response Process

  1. Immediate Assessment: Our Data Protection Lead evaluates the breach, how it occurred, and the associated risks to affected individuals and the company
  2. Senior Management Support: Management is committed to supporting the Data Protection Lead, regardless of the breach's severity
  3. ICO Notification: If there's a risk to data subjects, we report the breach to the ICO within 72 hours, with explanations for any delays
  4. Individual Notification: When risks are high, we notify affected individuals directly. For large-scale breaches, we may issue press releases and website notifications
  5. Risk Mitigation: We take immediate corrective action to reduce risks and prevent similar breaches
  6. Investigation: We conduct thorough investigations with support from our IT provider (Plan-IT Consulting Limited) when necessary
  7. Police Reporting: Any theft of data - whether through physical theft, system hacking, or employee misconduct - is reported immediately to police
  8. Documentation: All breaches, investigations, corrective actions, and ICO reports are documented in our data protection risk register

Breach Prevention

We record all personal data breaches in our risk register, no matter how minor, including:

  • Non-compliance with clear desk policy
  • Unauthorized access attempts
  • Lost or misplaced documents
  • System vulnerabilities
  • Staff training gaps

This comprehensive recording helps us identify patterns, strengthen our security, and prevent future breaches.

Encryption Benefits

We encrypt high-risk personal data including identification records, financial information, and health records. Encryption significantly reduces risks to individuals following a breach.

How to Exercise Your Rights

We make it easy for you to access, correct, or delete your personal information. Here's how to exercise your GDPR rights:

Making a Request

You can submit requests in any format - there's no required wording or official form. You can contact us:

  • By Email: sheila@nmrecycling.co.uk
  • By Phone: Call our Data Protection Lead at 01206 231 534
  • By Post: Write to our Data Protection Lead at our head office address
  • In Person: Visit any of our six locations and speak with a manager

Response Time

We respond to all requests within one month. For complex requests, we may need up to three months - if so, we'll inform you within the first month and explain why additional time is needed.

Subject Access Requests (SARs)

When you request access to your personal data:

  1. We'll log your request in our data protection risk register
  2. We may ask you to clarify what specific information you're seeking (with your agreement)
  3. We'll search our relevant files, email systems, and CCTV footage as applicable
  4. If you made the request electronically, we'll provide the data electronically
  5. We'll provide all your personal data unless we have specific legal reasons not to

Organized Record Keeping

To facilitate quick responses to your requests, we maintain well-organized records:

  • Customer Files: Single file per customer containing all transaction records, identity documents, and communications
  • Employee Files: Individual files with medical/health information in separate encrypted subfolders
  • Security Access: Identity records and financial details stored in separate, restricted-access locations
  • Efficient Retrieval: Centralized email and document management systems

No Charge

Subject access requests and most other rights requests are completely free of charge. We only charge a reasonable administrative fee for manifestly unfounded, excessive, or repetitive requests.

If We Cannot Fulfill Your Request

In rare cases where we cannot fulfill a request (for example, due to legal obligations to retain certain records), we'll explain our reasons and seek legal advice if necessary. You always have the right to complain to the ICO if you're unsatisfied with our response.

Information Commissioner's Office

While we strive to handle all data protection concerns directly, you have the right to lodge a complaint with the UK's data protection supervisory authority.

Information Commissioner's Office

Phone: 0303 123 1113

Website: ico.org.uk

Contact NM Recycling First

We encourage you to contact us directly first:

sheila@nmrecycling.co.uk

01206 231 534

When to Contact the ICO

You can contact the Information Commissioner's Office if:

  • You have concerns about how your personal information has been processed
  • You believe we haven't responded adequately to your request
  • You want independent advice about data protection issues
  • You wish to file a formal complaint about our data practices

Our Commitment to Resolution

We take all privacy concerns seriously and will work diligently to resolve any issues. If you're unhappy with how we've handled your data or responded to your request, please let us know so we can make it right.

Policy Updates

We review and update this privacy policy regularly to ensure it remains accurate and compliant with current data protection laws.

Last Updated: January 2026 | Next Review: January 2027

Changes to This Policy

When we make significant changes to this privacy policy, we will:

  • Update the "Last Updated" date at the top and bottom of this page
  • Notify affected individuals directly when changes materially affect their rights
  • Post prominent notifications on our website for major updates
  • Maintain previous versions for reference

Questions or Concerns?

If you have any questions about this privacy policy or our data practices, we're here to help:

Email Us

Data Protection Lead:

sheila@nmrecycling.co.uk

Call Us

Head Office:

01206 231 534

Mon-Fri: 8am-5pm
Sat: 8am-12pm

Visit Us

Martells Quarry, Slough Lane
Ardleigh, Essex, CO7 7RU
