Data Protection and Privacy Policy

Introduction & Scope

Metrail Construction Ltd are a contractor who specialises in the installation and application of Bridge deck waterproofing, Bridge Expansion joints, and associated Concrete repairs to bridges and structures, within the Highways, Rail, and other commercial sectors.

Metrail Construction Limited are committed to handling data fairly and lawfully and takes our data protection obligations seriously. We ensure that we process Personal Information in compliance with applicable data protection laws, including, without limitation, The Data Protection Act 2018.

Managing Director, Martyn Sherwood has overall responsibility for implementing the Data Protection and Privacy Policy, but the day-to-day implementation is the responsibility of our Data Protection Officer, Fran Sutton. All employees and those who represent Metrail Construction Limited must adhere to this policy.


To ensure adherence to UK GDPR and EU GDPR when processing, storing and sharing personal data.

Arrangements – Metrail Construction Limited

Metrail Construction Limited must comply with the following data protection principles:

  • Lawfulness, Fairness and Transparency Principle: processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Purpose Limitation Principle: collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes • Data Minimisation Principle: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy Principle: accurate, and where necessary, kept up to date
  • Storage Limitation Principle: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Integrity and Confidentiality Principle: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Metrail Construction must also comply to the Accountability Principle, which requires us to be responsible for and be able to demonstrate compliance with the above bulleted principles

Arrangements–Employees and workers who represent Metrail Construction

All those who work on behalf of Metrail Construction Limited must adhere to the following:

  • Only access personal data they need to be able to undertake their work
  • Keep personal data secure by taking sensible precautions and follow our policy on information security
  • Where applicable follow our clients’ policies and procedures when providing them with our services
  • Use strong passwords to protect electronic information and never share their passwords with colleagues
  • Do not make any unauthorised disclosures of personal data, either within company systems or externally
  • Do not misuse personal data
  • Regularly review personal data to ensure it does not become out of date
  • Securely dispose of personal data when it is no longer required and in line with retention periods
  • Notify the Data Protection Officer immediately if you believe a breach of policy has taken place
  • Attend training on data protection when requested

Processing Personal Data

We process both “personal data” and “special categories of personal data” as defined in the UK GDPR and the EU GDPR. In doing so, we remain mindful of associated conditions imposed on the processing of such special category data.

The categories of individuals we process personal data about include:

  • Our own employers, workforce and those that work on behalf of Metrail Construction Limited
  • Customers who use our services
  • Individuals who work within our customer organisations
  • Individuals who work within our Supplier’s organisations

All personal data is processed in accordance with the UK GDPR and the EU GDPR Requirements. When processing special categories of personal data, it is essential to maintain a high degree of confidentiality and ensure increased safeguards are in place to keep this personal data secure.

We review our personal data processing activities at the Annual Management Review Meeting to ensure the legal basis for the procession of each activity.

Provision of data

Our company personnel, suppliers and partners are obliged to provide personal Information to us. This is so we can verify the identity; to verify members’ accreditations, qualifications; and to provide details of further training and as required. We do this in order to promote technical excellence and standards within the construction industry. Failure to provide information may mean that you cannot into contractual obligations with us.
Our customers are obliged to provide Personal Information to us. This is so we can verify customer data and so that our customers can purchase their chosen service requirements from us. Failure to provide this information may mean that we cannot perform this contract and you would not have access to our products.

How we collect your personal information

MCL collects information through you, for example, when you make enquiries with us or through an application for work or services, or if you contact our customer service team.
Other information will be obtained during your relationship with MCL, from you or third parties, such as your employers, or members of the public, or regulators.

How we use your Information

We may use the Personal Information we collect for the following purposes:

  • To administer and manage your contractual relationship with us
  • To maintain details of any accreditations and qualifications
  • To provide details of training courses and study materials
  • To maintain records of medical examination performance
  • For details of market events and sector network information
  • To provide learning and development services and materials
  • To provide market news, opinions, and key industry developments
  • To enhance and improve the MCL’s service and qualifications
  • To provide customer service support and including training and quality purposes.
  • To maintain and review order histories and invoices
  • To fulfil our disciplinary and regulatory functions
  • For marketing purposes

The law allows us to use the Personal Information as set out above on the basis that the processing is necessary for the performance of a contract with you, or we are acting in our “legitimate interests”, for example, for the purposes of providing goods, services, and support to our customers

Data Sharing

Data sharing is when personal data is shared between organisations which are controllers. Data sharing can take place in a routine scheduled way, or on a one-off basis. Data can also be shared in an emergency when needed.

Any sharing of personal data with other organisations and third parties will be undertaken legitimately and in line with statutory requirements.

Security of Personal Data

We will implement the most appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the personal data we process.
Everyone must ensure that they process personal data securely and do not disclose it to any unauthorised individual or third party either accidentally, negligently, or intentionally.

Data Retention

Personal data is retained for as long as necessary to fulfil the purposes for which it has been collected unless a longer retention period is required by law. When personal data is no longer required for the purpose for which it was collected, or as required by the applicable law, it will be deleted, and/or returned to you in accordance with the applicable law

Individual Rights

Under the UK GDPR and the EU GDPR, individuals have the right:

  • To be informed
  • Of access to their personal data, commonly known as a Subject Access Request
  • To rectify inaccurate personal data
  • To erase their personal data, commonly known as the right to be forgotten
  • To restrict the processing of their personal data
  • To data portability, i.e., to transfer data from one provider to another
  • To object to the processing


  • Not to be subject to a decision based solely on automated processing.

Any Subject Access Request must be notified to the Data Protection Officer by contacting Fran Sutton via email

We will respond to your request without undue delay and no later than one month from receipt of any such request, unless a longer period is permitted by applicable Data Protection Laws, and we may charge a reasonable fee for dealing with your request which we will notify to you. Please note that we will only charge a fee where we are permitted to do so by applicable Data Protection Laws.

Marketing Communications

Metrail Construction Limited may use your personal data to send you marketing communications by mail, telephone, or email. This is necessary for the purposes of the legitimate interests pursued by us, for example, to keep our suppliers and clients updated about products that they might be interested in. For situations where you are purchasing goods and services from us, this is for the performance of the contract with you. For further information on this, see the ‘Your Choices’ section of this Data Protection and Privacy Statement.

Third Party Links and Products on our Services

Our websites, applications and products may contain links to other third-party websites that are not operated by Metrail Construction Limited, and our websites may contain applications that you can download from third parties. These linked sites and applications are not under our control and as such, we are not responsible for the privacy practices or the content of any linked websites and online applications. If you choose to use any third-party websites or applications, any Personal Information collected by the third party’s website or application will be controlled by the Data Protection Policy of that third party. We strongly recommend that you take the time to review the privacy policies of any third parties to which you provide Personal Information.


Metrail Construction Limited, as well as other third parties that provide content, advertising, or other functionality on our Services, may use cookies and other technologies, including web beacons, action tags, pixel tags. Cookies are small text files that can be read by a web server in the domain that put the cookie on your hard drive. Cookies are assigned to and stored in a user’s internet browser on a temporary (for the duration of the online session only) or persistent basis (cookie stays on the computer after the internet browser or device has been closed). Cookies collect and store information about a user’s preferences, product usage, content viewed, and registration information which allows for us to provide users an enhanced and customised experience when engaging with our Products. We may use cookies to store your preferences and settings, help you with signing in, provide targeted ads, and analyse site operations.

For further information on what cookies are, how Metrail Construction Limited and other third parties use them, and for details of how cookies can be disabled, please contact our Head Office where we will be able to advise/consult with our IT department.

Your Choices (e.g. Marketing related emails or otherwise)

Metrail Construction Limited may use your Personal Information (such as your contact details (e.g., name, address, email address, telephone number)) to send you marketing-related correspondence related to our goods and services, in accordance with your email and contact preferences. When we process your Personal Information for marketing purposes, we do so on the basis that it is in our legitimate interests to do so, or in the case of our email notification service, that it is necessary to perform our contract with you.

We do not share Personal Information with third parties for the third parties’ marketing purposes.

We may also use your Personal Information to personalise and to target more effectively our marketing communications to ensure, to the extent possible, that any marketing-related correspondence is relevant to you.

To opt out of receiving marketing-related correspondence from MCL, update your preferences you receive from by contacting Customer Service


If you are concerned that we have not complied with your legal rights under applicable Data Protection Laws, you may contact the Information Commissioner’s Office ( which is the data protection regulator in the UK which is where MCL is located. Alternatively, if you are based outside the UK, you may contact your local data protection supervisory authority.

Changes to this Data Protection Policy

We may change this Data Protection and Privacy Statement from time to time. The “Date last updated” legend at the bottom of this policy states when the Data Protection and Privacy Statement was last updated, and any changes will become effective upon our posting of the revised Data Protection and Privacy Statement. The revised policy will be posted on our website.

Contact Us/Further Information

If you have any queries at all in relation to your data and how we protect your data rights, please contact us: Contact: Fran Sutton, Data Protection Officer
Address: Metrail Construction Ltd, Unit 13 Station Road Industrial Estate, Hailsham, East Sussex, BN27 2EY Email:

This Policy is current from the date indicated and is reviewed on a regular basis, minimum annually.

Date: 14th February 2023