Spedition Services Ltd (SSL) is committed to conducting its business in accordance with all applicable data protection legislation, including the Data Protection Act 2018 and the UK GDPR, while maintaining the highest standards of ethical conduct. This commitment forms part of the organisation’s integrated Quality and Environmental Management System (QMS/EMS).
In determining the context of the organisation and the needs and expectations of interested parties, SSL recognises the protection of personal data as a critical compliance obligation and business requirement. Relevant interested parties include customers, employees, regulatory authorities, and other stakeholders who expect secure and lawful handling of personal information.
Privacy and compliance with data protection legislation are integral to our operational processes and risk-based thinking. Risks and opportunities associated with the processing of personal data are identified, assessed, and managed to ensure the confidentiality, integrity, and availability of such data.
This Privacy Policy explains what personal information we collect, how we use it, and how individuals can access, update, or request deletion of their personal data. For the purposes of this Privacy Policy, “we” refers to SSL.
We take the protection of personal data very seriously and implement appropriate technical and organisational controls to prevent unauthorised access, loss, or misuse. Personal data is collected only for specified, explicit, and legitimate purposes, including obtaining contact information and fulfilling contractual and legal obligations, and is limited to what is necessary.
Where applicable, environmental considerations related to information management, such as secure disposal of physical records and reduction of paper usage, are addressed in line with the organisation’s environmental objectives.
This documented information is controlled and maintained in accordance with the organisation’s document control procedures.
This Privacy Notice explains and describes:
SSL collects and processes personal data as part of its operational activities within the scope of its integrated Quality and Environmental Management System (QMS/EMS).
In line with the organisation’s context, compliance obligations, and the needs and expectations of interested parties, personal data is collected and used to support effective service delivery, business operations, and continual improvement.
We collect information to manage customer accounts and to support our business processes, including:
The information we hold may include details relating to your identity, service usage, service requirements, account information, and payment arrangements.
Personal data is obtained through controlled processes, including contact forms, email correspondence, telephone communications, face-to-face interactions, and completed order documentation.
Only data that is necessary, relevant, and proportionate is collected. This supports the organisation’s risk-based approach to ensuring that personal data is adequate for its intended purpose while minimising unnecessary data processing.
Personal data is maintained as documented information within controlled systems, including Customer Data records and Customer SOP files, in accordance with document control and data protection procedures.
SSL does not sell personal data to third parties. Personal data may only be disclosed where required to meet legal and regulatory obligations, fulfil contractual requirements, support credit protection activities, or where explicit consent has been obtained.
Appropriate technical and organisational controls are implemented to ensure the confidentiality, integrity, and availability of personal data, while also considering environmental aspects such as secure disposal of records and reduction of physical resource usage.
We use your information to maintain effective relationships with customers and to provide and enhance the products and services we offer. This may include informing you of relevant service updates or improvements where these are considered beneficial.
In particular, personal data is used to:
Personal data is processed only where there is a lawful basis to do so, including the fulfilment of contractual obligations, compliance with legal and regulatory requirements, legitimate business interests, or where explicit consent has been obtained.
Individuals have the right to withdraw consent at any time, where applicable.
All processing activities are subject to appropriate technical and organisational controls to ensure the confidentiality, integrity, and availability of personal data. These controls are implemented in line with the organisation’s risk-based approach and are periodically reviewed for effectiveness.
Where relevant, environmental considerations such as minimising unnecessary data storage and reducing reliance on physical documentation are incorporated into operational practices in support of the organisation’s environmental objectives.
In accordance with identified business processes, compliance obligations, and the needs and expectations of interested parties, personal data may be shared with:
All third-party providers are subject to a defined approval and monitoring process. This includes verification of their compliance with applicable data protection legislation, including GDPR, and the implementation of appropriate data processing agreements and confidentiality obligations.
Personal data is only shared where it is necessary, relevant, and proportionate to the intended purpose, and where a lawful basis for processing has been established.
Controls are in place to ensure that data shared externally is protected against unauthorised access, loss, or misuse.
Third-party relationships are managed in accordance with the organisation’s risk-based approach, including periodic review of supplier performance and compliance.
Where applicable, environmental considerations, such as secure handling and disposal of physical records, are also taken into account.
All data-sharing activities are conducted in accordance with documented procedures and are subject to ongoing monitoring and review to ensure continued compliance and effectiveness.
Personal data is collected through controlled channels, including contact forms, email communications, telephone interactions, and completed order documentation.
The provision of personal data through these channels does not automatically constitute consent; instead, processing is carried out based on an identified lawful basis.
Depending on the nature of the interaction, personal data is processed on one or more of the following legal bases:
Where consent is relied upon, it is obtained in a clear and transparent manner, and individuals are informed of their right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
SSL ensures that all lawful bases for processing are identified, documented, and periodically reviewed as part of its risk-based approach.
Appropriate technical and organisational controls are implemented to ensure that personal data is processed fairly, lawfully, and transparently.
All activities relating to the collection and use of personal data are conducted in accordance with documented procedures and are subject to monitoring and continual improvement within the QMS/EMS framework.
SSL implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure, or destruction, as part of its integrated QMS/EMS.
In accordance with the organisation’s risk-based approach, security controls are determined, implemented, and maintained based on the nature of the data processed, the associated risks, and applicable legal and regulatory requirements.
These controls are designed to support the confidentiality, integrity, and availability of personal data and are subject to ongoing review to ensure their continued suitability, adequacy, and effectiveness.
All employees with access to personal data are required to comply with internal policies, confidentiality obligations, and applicable data protection legislation.
Third-party service providers involved in the processing of personal data are subject to contractual arrangements, including data processing agreements, and are required to implement equivalent levels of security controls.
Security measures are periodically reviewed and updated to reflect changes in operational requirements, risk assessments, regulatory expectations, and relevant technological developments.
Where appropriate, environmental considerations such as secure disposal of physical records and reduction of unnecessary data duplication are incorporated into information management practices in support of the organisation’s environmental objectives.
Retention periods are defined and maintained within a controlled Data Retention Schedule, which forms part of the organisation’s documented information and is subject to periodic review to ensure continued suitability, compliance, and effectiveness.
The duration for which personal data is retained depends on the nature of the information, the purpose of processing, and associated risk considerations.
Retention decisions are made in line with a risk-based approach and relevant compliance obligations.
In certain circumstances, personal data may be retained for longer periods where necessary to:
Once the retention period has expired, personal data is securely deleted, anonymised, or otherwise disposed of in accordance with defined procedures and applicable environmental considerations, including minimising unnecessary storage of physical and electronic records.
All retention activities and security-related controls are managed as documented information within the QMS/EMS and are subject to internal audit, management review, and continual improvement processes.
Subject to applicable legal and regulatory conditions, these rights include:
Where requests conflict with legal, regulatory, or contractual obligations, SSL will inform the individual of the applicable restrictions and, where permitted by law, provide the reasons for refusal.
Requests for access to personal data may be submitted at any time and are handled through a controlled data subject rights process.
Upon receipt of a valid request and successful identity verification, SSL will provide information relating to personal data held, subject to applicable legal, regulatory, and contractual obligations.
Individuals also have the right to object to certain types of data processing where such processing is based on legitimate interests or is used for specific purposes permitted under applicable legislation.
Where an objection is raised, we will assess the request in accordance with applicable legal requirements and determine whether the processing must cease or whether compelling legitimate grounds or legal obligations permit continued processing.
Where personal data is no longer required for the purposes for which it was collected and no legal retention requirement applies, it will be securely deleted or anonymised in accordance with the organisation’s Data Retention Schedule and documented information control procedures.
SSL manages all data subject rights requests through controlled procedures to ensure timely response, appropriate verification of identity, and compliance with statutory timeframes.
All requests are handled as controlled documented information and managed in accordance with defined procedures, including recording, tracking, and responding within statutory timeframes, and are subject to ongoing review and continual improvement within the organisation’s QMS/EMS.
Individuals are encouraged to raise concerns if they believe that personal data has been collected, used, or handled in a manner that is unfair, misleading, inappropriate, or non-compliant with applicable requirements.
Feedback and suggestions for improvement of data handling processes are also welcomed as part of the organisation’s continual improvement framework.
This Privacy Notice is designed to provide clear and accessible information; however, further details or clarification can be requested at any time via the organisation’s support channels, account management function, or Data Protection contact point at privacy@spedition.co.uk.
Upon receipt of a complaint or data-related concern, SSL establishes and maintains a controlled record of the complaint as documented information within the QMS/EMS.
Personal data collected in relation to complaints is processed solely for the purposes of investigation, resolution, service improvement, and compliance monitoring.
Aggregated and anonymised complaint statistics may be produced for reporting and management review purposes and will not identify individuals.
Where it is necessary to investigate and resolve a complaint, personal data may be shared with relevant internal or external parties.
Where possible and appropriate, confidentiality preferences will be considered; however, anonymity cannot always be guaranteed where disclosure is necessary for fair resolution.
All complaint-related records are retained in accordance with the organisation’s Data Retention Schedule and are securely stored with access restricted based on defined roles and responsibilities.
Where regulatory or enforcement action is taken, SSL may publish information in accordance with legal obligations and transparency requirements.
All complaint handling activities are subject to monitoring, internal audit, and continual improvement processes to ensure effectiveness and compliance within the QMS/EMS framework.
Cookies are categorised as essential and non-essential.
Non-essential cookies are only used where appropriate consent has been obtained in accordance with applicable data protection and ePrivacy legislation.
Users are provided with appropriate controls to manage cookie preferences.
Where third-party cookies or tracking technologies are used, these are subject to the respective third party’s privacy policies and applicable contractual and data protection requirements.
SSL ensures appropriate oversight of third-party processing activities in accordance with its supplier management and risk-based approach.
This Privacy Notice is a controlled document within the QMS/EMS and is subject to periodic review to ensure continued compliance with applicable legal, regulatory, and organisational requirements.
Updates are approved, version-controlled, and published where necessary to reflect changes in legislation, operational processes, or risk assessments.
This Privacy Notice applies only to SSL websites and services.
External websites linked from our platforms operate under their own privacy policies, which users are encouraged to review.
SSL does not accept responsibility for the privacy practices, content, or security of external websites and advises users to exercise appropriate caution when accessing third-party services.
For all complaints, questions, or requests relating to personal data, individuals may contact:
SSL Data Protection Contact
privacy@spedition.co.uk
The personal data processed by SSL depends on the services you receive and typically includes information provided in connection with those services.
SSL EMEA L.L.C-FZ is also a data controller and has responsibility and accountability in respect of personal data processed as part of your service.
Yes. Our Privacy Policy is available on our website.
SSL maintains documented policies and procedures covering:
Compliance is monitored through internal audits and management review processes.
Yes. Impact assessments are completed using the ICO’s recommended DPIA template.
Yes. SSL relies on sub-contractors to provide certain services.
All sub-contractors are required to comply with SSL Information and Security policies and applicable data protection obligations.
Where personal data is transferred outside the United Kingdom, SSL ensures appropriate safeguards are implemented, including:
Yes. SSL has established processes to ensure individuals can exercise their rights under applicable data protection legislation.
These include rights relating to:
Yes. All employees complete mandatory data protection training, with additional role-specific training where appropriate.
Data protection compliance is overseen by the Board of Directors.
Operational responsibility is assigned to designated personnel within the organisation.
SSL maintains documented incident management and business continuity procedures covering:
Personal data breaches are assessed and reported in accordance with regulatory requirements.
Yes. SSL implements controls relating to:
Access is restricted to authorised personnel based on business need.
SSL implements:
Access to systems and data is granted on a need-to-know basis.
Yes. SSL operates a formal joiners, movers, and leavers process to manage user access rights.
All users are assigned unique credentials, and access logs are monitored.
Password controls are implemented in accordance with internal security policies.
Personal data is retained in accordance with SSL’s Data Retention Policy.
When data is no longer required, it is securely destroyed using approved methods, including:
For further information regarding the data that SSL holds or for any related enquiries, please contact your account manager or our support team at:
