HewardMills – Privacy Policy

General information and contact details

HewardMills Ltd is a Data Protection Officer (DPO) service, which provides the best available DPO support for large multinational companies. It provides regulatory advice to help clients comply with the GDPR, ePrivacy Regulations and cybersecurity requirements as well as the legal and regulatory requirements arising from emerging technologies (collectively our ‘Services’).

The purpose of this Privacy Policy is to inform you, when you visit our website, https://hewardmills.com, about our policies on the collection, use, and disclosure of personal data in the event that you decide to use our Services, contact us or apply for a job with us.

HewardMills Ltd is the controller of the personal data we process, unless otherwise stated. If you have any questions about this privacy policy or our privacy practices, please contact us in any of the following ways:

  • By email at: dpo@hewardmills.com
  • By post at: 15 Old Bailey, London, United Kingdom, EC4M 7EF
  • By phone at: +44 (0) 20 3367 1245

Data Collection and Use


Log Data

Whenever you visit our website, we use a third-party service, Google Analytics, to collect information sent by your browser (known as “Log Data”). Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser version, pages of our website that you visit, the time and date of your visit, the time spent on those pages, and other statistics. This information is only processed in a way that does not identify you.

The purpose of implementing such processing is to maintain and monitor the performance of our website and to improve it as well as our Services. The legal basis we rely on to process your personal data in this specific situation is Article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. When we use the legitimate interest legal basis, we need to provide a rationale and assess the proportionality and necessity of the processing and the balance between our legitimate interests and your rights and interests. Our legitimate interest in this situation lies in ascertaining the number and type of visitors on our website, as well as understanding the use made of it and any potential issues to be resolved. As the information processed does not identify you, the processing in this specific situation does not materially impact your rights, freedom or interests. This information can be retained for up to 38 months from your last action on our website.

Please note that you have a right to object to the processing based on legitimate interests. Please contact us at dpo@hewardmills.com if you wish to object.

Links to Other Sites

Our website may contain links to other sites. If you click on a third-party link, you will be directed to that site. Please note that any external site is not operated by HewardMills Ltd. Therefore, we strongly advise you to review the Privacy Policy of any external site. HewardMills Ltd has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party sites or services.


When contacting us, or enquiring about or using our Services, we may require you to provide us, either by email or through an online form, with certain personal data, including but not limited to identity and contact details such as your name, telephone number, email address and postal address. The data that we collect will be used to register you as a client, contact or identify you for the facilitation and provision of our Services and to manage our relationship with you. We may also receive personal data indirectly when your personal data is given to us by our client in the course of the provision of our Services, for instance if you are our client’s key contact employee.

The legal basis we rely on to process your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to enter into a contract or to perform it once concluded. Not providing us with this information may prevent us from properly identifying you as our client and providing you with efficient Services or answers tailored to your requests.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Regulatory provisions such as the Limitation Act 1980 or the VAT Act 1994 require us to keep some basic information, such as contracts concluded with our clients or service delivery records for 6 years after the end of a contract. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with you.


When you apply for a job with us, we may process the personal data necessary to assess your suitability for the job you apply for. The data collected include identity and contact details, previous experience, education and referees. Depending on stage of the recruiting process, other information may be required such as criminal records.

The legal basis we rely on for processing your personal data in this context is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request before entering a contract. This information is necessary for us to decide if we want to hire you and to enter into an employment contract with you.

If your application is unsuccessful, the data will be retained for 6 months from the end of the recruitment process. If the application is successful, the data as well as additional HR data will be retained for at least the period of employment. In this case, recruitment information (such as references) will be kept for 6 months from the end of employment, while your employee file will be retained for 6 years from the end of employment.


We value your trust in providing us with your personal data, and accordingly HewardMills Ltd strives to maintain adequate security and protection methods. For instance, only employees or contractors who have signed strict confidentiality agreements may access your personal data. If they fail to comply with their confidentiality obligations their contract may be terminated or they may be subject to disciplinary sanctions. We also use end-to-end encryption to protect your data while in transit as well as during storage. Our expert IT team is continuously reviewing and improving our security measures to prevent any breach or security incident.

Service Providers

We may employ third-party companies and individuals, including but not limited to any or all of the following reasons:

  • To facilitate and market our Services;
  • To provide Services on our behalf;
  • To perform Services-related services; and/or
  • To assist us in analysing how our Services are used.

These service providers may include:

  • Information management companies (such a Metataxis Ltd)
  • Information security companies
  • Consulting firms (such as Protiviti Inc.)
  • Law firms
  • Audit firms

If you use our website, these third parties may have access to your personal data to enable them to perform the tasks assigned to them on our behalf. However, we require all third parties to respect the security of your personal data and we ensure through contractual provisions that they treat it and protect it in accordance with the law. For instance, we ensure that they also use end-to-end encryption. We do not allow our third-party service providers to disclose or use the information for any other purpose than the ones specified in this policy.


As a global DPO, we aim to develop our international reach and we already have a presence in China, South Africa and the US. For recruitment purposes, analytics purposes and to provide our Services, we may need to transfer your personal data to our contractors and service providers in those countries, as well as wherever our clients are.

Many of these countries are outside the European Economic Area (EEA) and are not covered by adequacy decisions. In those circumstances, transfer of data will be legally based on contractual provisions between us and the recipient, approved by the European Commission, to impose on the recipient the same protection and security obligations as if they were in the EEA.

Children’s Privacy

Our Services are designed for a general audience and do not address anyone under the age of 13. We do not knowingly collect personal data from children under 13. If we discover that a child under 13 has provided us with personal data, we will immediately delete this from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us so that we will be able to take the necessary action.

Your data protection rights

Under data protection laws, you have various rights such as the right of access that gives you the right to ask us for copies of any of your personal data that is in our possession; the right to rectification that allows you to rectify and complete information that you think is inaccurate or incomplete; and the right to erasure that gives you the right to ask us to erase your personal data in certain circumstances. You also have the right to restriction of processing, to object to processing and to data portability.

These rights available to you may depend on our reason for processing your information and the circumstances. You are not required to pay any charge for exercising your rights, unless your request is clearly unfounded, repetitive or excessive. We will respond to any legitimate requests within one month. In the event that your request is clearly unfounded, repetitive or excessive or if we are not in a position to identify you, we are entitled to refuse to act on your request.

Please contact us at dpo@hewardmills.com if you wish to make a request.

Changes to This Privacy Policy

We keep our privacy policy under regular review to make sure it is up to date and accurate. In the future, we will highlight any changes to this privacy policy in this section.

Contact Us

If you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us at dpo@hewardmills.com