Privacy and Cookie Policy


Version 1.2 - Updated February 2024

  1. Introduction

1.1          J Marsland & Sons Limited is a company trading as Marsland Timber & Building Supplies and Marsland whose business is as Timber, Timber Products, Builders and Hardware Merchant.  For the purposes of this policy it will be referred to as “The Company” 

1.2          The Company is a “Data Controller”, it collects and processes personal information, or personal data relating to its company personnel, customers, contractors, suppliers and contacts (known as “Data Subjects”) in order to manage the working relationship.   This personal information may be held by the Company on paper or in electronic format.  We, the Company, decide how data is held and how personal information is used about you.  We are required under data protection legislation to notify you of the information contained in this privacy policy.

1.3          The Company is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018.  The purpose of this document is to make you aware of how and why we will collect and use your personal information both during and after your business relationship with the Company.  We are required under the GDPR to notify you of the information contained within.

 1.4         This policy sets out how the Company handles Personal Data.  It applies to all Data we process regardless of the medium on which that data is stored on persons in connection with the Company. 

1.5          The company has a data compliance manager to oversee compliance with this privacy policy.  If you have any questions about this privacy policy or about how we handle your personal information, please contact Simon Giddings at the registered offices, by email or by phone 01937 585131

1.6          The Company may update this notice at any time and we will make this publically available as soon as is reasonably practical.

  1. Data protection principles

2.1          Under the GDPR, there are six data protection principles the Company must comply with.  These provide that the personal information we hold about you must be:

  • Processed lawfully and in a transparent manner (Lawfulness, Fairness and Transparency)
  • Collected only for the legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes. (Purpose Limitation)
  • Adequate, relevant and limited to what is necessary in relation to those purposes. (Purpose Limitation)
  • Accurate and, where necessary kept up to date (Accuracy)
  • Kept in a form which permits your identification for no longer than is necessary for those purposes (Storage Limitation)
  • Processed in a way that ensures appropriate security of the data (Security, Integrity and Confidentiality)

2.2          The Company is responsible for and must be able to demonstrate compliance with these principles (Accountability)


2.3          Lawfulness, Fairness & Transparency

  • The GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing, but to ensure that we only collect, Process and share Personal Data fairly and lawfully and for the specified purposes.
  • The GDPR allows Processing for specific purposes, some of which are set out below:
  • The Data Subject has given their Consent;
  • The Processing is necessary for the performance of a contract between parties;
  • To meet our legal compliance obligations;
  • To protect the Data Subject’s vital interests; or
  • To pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices or Fair Processing Notices.

2.4          Purpose limitation

  • Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
  • Personal Data cannot be used for new, different or incompatible purposes from that disclosed when it was first obtained unless the Data Subject is informed of the new purposes and they have consented where necessary.

2.5          Data minimisation

  • Personal Data will only be processed when business related duties require it. It must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Data will not be collected excessively
  • When Personal Data is no longer needed for specified purposes, it will be deleted or anonymized.

2.6          Accuracy

  • We will ensure the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. The accuracy of any Personal Data will be checked at the point of collection and at regular intervals afterwards.  All reasonable steps will be taken to destroy or amend inaccurate or out-of-date Personal Data.

2.7          Storage limitation

  • Personal Data will not be retained in a form which permits the identification of the Data Subject for

Longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

  • The Company will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data be kept for a minimum time.

2.8          Security, integrity and confidentiality

  • The Company is responsible for protecting the Personal Data it holds. The company will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks.  We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
  • The Company will implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data, exercising particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
  • Personal Data retained is to be accurate and suitable for the purpose for which it is processed and that only people who have a need to know and are authorised to use the Personal Data can access it.


  1. How do we collect your personal information?

3.1          The company may collect personal information about you in a variety of ways.  We collect personal information directly in dealings with the individual’s concerned.  We may also use third parties such as debt collection and credit reference agencies and through our Website.  Examples of sources of data we collect about you or your company;

  • Account application from
  • Other application forms for events or training courses
  • When you talk to us on the telephone, personally or communicate with us via social media or website.
  • In emails and letters
  • When you use our website
  • Cookies
  • When you interact on Social Media
  • Email tracking facilities
  • In surveys
  • In financial reviews where a form of credit is offered
  • Payment and transactional data
  • The internet
  • Publicly available information
  • Bought in accredited third party marketing lists

3.2          If you are using our credit facilities, then we will collect more data of a financial or personal nature in order to assess the level of credit that we can offer you.  This data could come from internal or third party services that we may utilise in determining your credit worthiness.  There third parties will have their own privacy notices and data sharing policies.  The companies we use for this are:-

  • Credit reference agency
  • Trade references (as offered by yourselves)
  • Banks and building societies (as offered by yourselves)
  • Debt collection agencies
  • Fraud prevention agencies Public Information and Companies House
  • Other trade associations you may be a member of.

3.3          We will also collect additional personal information throughout the period of your business relationship with use.  This may be collected in the course of your work-related activities.  Whilst some of the personal information you provide to us is mandatory and/or is a statutory or contractual requirement, some of it you may be asked to provide to us on a voluntary basis.  We will inform you whether you are required to provide certain personal information to us or if you have a choice in this.

  1. What types of personal information do we collect about you?

4.1          Personal information is any information about an individual from which that person can be directly or indirectly identified.  It doesn’t include anonymised data, i.e. where all identifying particulars have been removed; such as email e.g:  There are also “special categories” of personal information such as information on criminal convictions and offences, which require a higher level of protection because it is of a more sensitive nature.

4.2          The Company collects, uses and processes a range of personal information about you, this may include;

  • Your contact details, including your name, title, address, telephone number and email address.
  • Where business is a partnership we may require details as above of such partners as exist.
  • Company registration number.
  • VAT registration number
  • Information about your use of our IT systems, including usage of telephones, email & internet
  • Photographs, CCTV onsite.

4.3          The Company may also occasionally collect, use and process special categories of your personal information.

  1. Why and how do we use your personal information?

5.1          Your privacy is protected by law.  Data Protection law says that we are allowed to use personal information only if we have a proper reason to do so.  This includes sometimes sharing outside the Company.

5.2          We will only use your personal information when the law allows us to. These are known as the legal bases for processing. We will use your personal information in one or more of the following circumstances:

  • where we need to do so to perform the employment contract, consultancy agreement or contract for services we have entered into with you (contractual)
  • where we need to comply with a legal obligation (legal duty)
  • Where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our interests. Our legitimate interests include:

-    performing or exercising our obligations or rights under the direct relationship that exists between the Company and you as its company personnel

-    pursuing our business by employing (and rewarding) company personnel

-    performing effective internal administration and ensuring the smooth running of the business

-    ensuring the security and effective operation of our systems and network

-    protecting our confidential information

-    conducting due diligence

  • when you consent to it (consent)

5.3.         The purposes for which we are processing, or will process, your personal information are to:

  • administering the contract we have with you
  • enable us to maintain accurate and up-to-date records and contact details
  • responding to your enquiries
  • process applications for account services
  • extend credit to you or your company
  • credit checking
  • provide you with information about other goods and services we are offering as a Merchant
  • notify you about changes to our terms and conditions
  • For research and statistical analysis
  • communicate with you about new products, news, events, updates to your account and other activities we may be involved in
  • provide advice or guidance about using our services
  • warranty service on cheques
  • collect and recover money that is owing to us
  • tailor your experience on our website
  • communicate with you on Social Media
  • respond to complaints and seek to resolve them
  • ensure compliance with your statutory and contractual rights
  • ensure compliance with statutory and/or regulatory requirements and obligations
  • meet our obligations under health and safety laws
  • prevent fraud
  • monitor your use of our IT systems to ensure compliance with our IT-related policies
  • ensure network and information security and prevent unauthorised access and modifications to


  • ensure effective business administration, including accounting and auditing
  • ensure adherence to Company rules, policies and procedures
  • enable us to establish, exercise or defend possible legal claims

5.4.         We may also occasionally use your personal information where we need to protect your vital interests (or someone else’s vital interests).

5.5.         We process this data on the basis of our legitimate interest to run the Company in an efficient and proper way for the benefit of our customers, potential customers, contractors, suppliers, company personnel and contacts. This includes managing our financial position, planning and audit, communications, business capability and to exercise our rights set out in agreements and contracts. We also process your personal data where required to comply with laws and regulations that apply to us.  A list of third parties involved includes:

  • Accountants / External compliance auditors
  • Land agents; for property rentals
  • Solicitors
  • IT support
  • Health and Safety
  • Insurers
  • Google & Social Media

5.6.         Please note that we may process your personal information without your consent, in compliance with these rules, where this is required or permitted by law.

  1. What if you fail to provide personal information?

6.1.         If you fail to provide certain personal information when requested or required, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations. You may also be unable to exercise your statutory or contractual rights.

  1. Why and how do we use your sensitive personal information?

7.1.         We will only collect and use your sensitive personal information, which includes special categories of personal information such as relating to health and information about criminal convictions and offences, when the law additionally allows us to.

7.2.         Some special categories of personal information, i.e. information about your health or medical conditions are processed so that we can perform or exercise our statutory obligations.

7.3.         If we are running an event or training course that you are personally attending, then we may collect more sensitive data such as dietary requirements or access needs if applicable.

7.4.         We may also process these special categories of personal information where we have your explicit written consent. In this case, we will first provide you with full details of the personal information we would like and the reason we need it, so that you can properly consider whether you wish to consent or not. It is entirely your choice whether to consent. Your consent can be withdrawn at any time.

7.5.         The purposes for which we are processing, or will process, these special categories of your personal information, and information about any criminal convictions and offences, are to:

  • Comply with HMRC policy in relation to VAT and Disability
  • Administer the contract we have entered into with you
  • Ensure compliance with your statutory and contractual rights

7.6.        We may also occasionally use your special categories of personal information where it is needed for the establishment, exercise or defence of legal claims.

  1. Change of purpose

8.1.         We will only use your personal information for the purposes for which we collected it. If we need to use your personal information for a purpose other than that for which it was collected, we will provide you, prior to that further processing, with information about the new purpose, we will explain the legal basis which allows us to process your personal information for the new purpose and we will provide you with any relevant further information. We may also issue a new privacy notice to you.

  1. Who has access to your personal information?

9.1.         Your personal information may be shared internally within the Company, including all Company Personnel.

9.2.         The Company may also share your personal information with third-party service providers (and their designated agents), including:

  • External organisations for the purposes of conducting pre-contractual reference and employment background checks.
  • External IT services
  • External Auditors
  • Professional advisors such as lawyers and accountants
  • Insurance providers


9.3.         We may also need to share your personal information with a regulator or to otherwise comply with the law.


9.4.         We may share your personal information with third parties where it is necessary to administer the contract we have entered into with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party).


9.5.        We will only share the Personal Data we hold with third parties, such as our service providers if:

  • Sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
  • The third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
  1. How does the company protect your personal information?

10.1.      The Company has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those company personnel, workers, agents, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities.

10.2.      Where your personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.

10.3.      Staff are trained and regularly updated to ensure they are treating you data within the guideline of this notice.

10.4.      We must also regularly test our systems and processes to assess compliance and review all the systems and processes to ensure they comply with this Privacy Standard. We check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.

10.5.      The Company also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office and you of a suspected breach where we are legally required to do so.

  1. How long does the Company keep your personal information?

11.1.      The Company will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements. There are various lengths of time that data is kept for depending on the need and other laws that we adhere to. You have the right to be forgotten on our database as long as there isn’t an over-riding legitimate business need.

11.2.      Unless we explain otherwise to you, we’ll hold your personal information based on the following retention periods for personal data:

  • Training records 12 months after the certificate period ends
  • Account & Financial Records                 7 years
  • Credit reports and warning notices 6 years
  • Related company accounts to agreements 3 years
  • Accidents/Insurance                                 Indefinite


  1. Your rights in connection with your personal information

12.1.      It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes. The Company cannot be held responsible for any errors in your personal information in this regard unless you have notified the Company of the relevant change.

12.2.      As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:

  • Request access to your personal information – this is usually known as making a data subject access request and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request rectification of your personal information – this enables you to have inaccurate or incomplete personal information we hold about you corrected.
  • Request the erasure of your personal information – this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing e.g. it’s no longer necessary in relation to the purpose for which it was originally collected.
  • Restrict the processing of your personal information – this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy and so want us to verify its accuracy.
  • Object to the processing of your personal information – this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on these grounds.
  • Data portability – this gives you the right to request the transfer of your personal information to another party so that you can reuse it across different services for your own purposes.


12.3.      If you wish to exercise any of these rights, please contact our data compliance manager in writing. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.

12.4.      In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our data compliance manager. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.

12.5.      If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues.

12.6.      There is usually no fee to access your personal information. However we may charge a reasonable fee if your request for access is unfounded or excessive, we may in certain circumstances refuse to comply with the request.

  1. Transferring personal information outside the European Economic Area


13.1.      The Company will not transfer your personal information to countries outside the European Economic Area.


  1. Direct Marketing

14.1.      We are subject to certain rules and privacy laws when marketing to our customers.

14.2.      A Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

14.3.      You have the right to object to direct marketing at any time.

  1. Automated decision making


15.1        Automated decision making occurs when an electronic system uses your personal information to make a decision without human intervention.


15.2.      We do not envisage that any employment decisions will be taken about you based solely on automated decision making, including profiling. However, we will notify you in writing if this position changes.


  1. Changes to this privacy notice


16.1.      The Company reserves the right to update or amend this privacy notice at any time, including where the Company intends to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information.

                We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.


  1. Reporting a Personal Data Breach


17.1.      We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.


17.2.      If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for Personal Data Breaches. You should preserve all evidence relating to the potential Personal Data Breach.


  1. Changes to this Privacy Standard


18.1.      We reserve the right to change this Privacy Standard at any time so please check back regularly to obtain the latest copy of this Privacy Standard.


18.2.      This Privacy Standard does not override any applicable national data privacy laws and regulations in countries where the Company operates.