The Welsh Whisky Company Limited (“The Company”) aims to adhere to the requirements of the General Data Protection Regulations (GDPR), relating to the processing of personal data in manual and electronic records.

Personal data is information that relates to an identifiable person who can be directly or indirectly identified from that information.


The Company's commitment requires that personal data be processed in line with the following basic data protection principles:

  • It will be processed fairly, lawfully and in a transparent manner;
  • It will be collected for a specific, explicit, and legitimate purpose;
  • It will be adequate, relevant and limited to what is necessary for the purposes of processing;
  • It will be accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay;
  • It will not be kept for longer than is necessary for its given purpose;
  • It will be processed in line with the rights of the individual;
  • It will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures;
  • It will comply with the relevant GDPR procedures for the international transfer of personal data.

This includes where third parties process data on behalf of The Welsh Whisky Company Limited.



Whether stored manually or electronically, personal data will be secure as far as is practicable. The Company aims to ensure that manual files holding personal data are securely held with locks and only those who should have access retain the key.  In the case of computerised records, The Company will ensure that strong passwords are established to limit unauthorised access and all laptops that are taken off site will contain necessary information only. Encrypted systems will be used where necessary. Data will not be held for longer than is necessary.  Arrangements for the secure disposal of both paper and electronic records have been established.

All forms of data transfer and storage must be approved by management prior to their use if not supplied by The Company. Devices such as floppy disks, memory sticks, USB memory modules, and internal and external CD and DVD writers should be considered prohibited unless explicit management consent has been provided.

The transmission of any data from any internal source to a personal computer or storage device is not permitted.



The Company will only disclose information when an individual has provided their express consent, where we are legally obliged to do so or when there is a business requirement to disclose data that is within the remit of the legislation e.g. for any employee benefits operated by third parties, for statutory payment purposes, for HR management and administration and so forth.

Those with access to secure documents will be subject to a strict confidentiality clause in their Statement of Main Terms and Conditions of Employment. Any individual discovered to be in breach of confidentiality, data protection or common decency with regard to documentation may face disciplinary action.



Individuals have the right to be informed whether The Company processes personal data relating to them and to access such data by submitting a written request to the management.

Individuals will not be charged for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to third parties.

The Company will respond to a request without delay. Access to data will be provided, subject to legally permitted exceptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.

The Company must be informed immediately if it is believed that the data is inaccurate, either as a result of a subject access request or otherwise. Immediate steps will be taken to rectify the information.



If a data breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the Information Commissioner's Office (‘ICO’) within 72 hours of The Company becoming aware of it.

Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.

If the breach is sufficient to warrant notification to the public, The Company will arrange this without undue delay.



Address: The Welsh Whisky Company Limited, Penderyn Distillery, Penderyn, Aberdare CF44 0SX

Telephone: 01685 813300

Email: info@penderyn.wales




First party cookies
First party cookies are set by the website you are visiting and they can only be read by that site.

Third party cookies
Third party cookies are set by a different organisation to that of the website you are visiting. For example, the website might use a third party analytics company e.g. Google, who will set their own cookie to perform this service. The website you are visiting may also contain content embedded from other sites for example YouTube, Flickr or Facebook, which set their own cookies.

Session cookies
Session cookies are stored temporarily during a browsing session and are deleted from the user’s device when the browser is closed.

Persistent cookies
This type of cookie is saved on your computer for a fixed period (usually a year or longer) and is not deleted when the browser is closed. Persistent cookies are used where we need to know who you are for more than one browsing session. For example, this type of cookie is used to store your preferences or details, e.g. your email address that you may have entered in a form, so that they are remembered for your next visit.

Flash cookies
Many websites use Adobe Flash Player to display video content to users. Adobe utilise their own cookies, which are not manageable through your browser settings but are used by the Flash Player for similar purposes, such as storing preferences or tracking users.

Flash cookies work in a different way to web browser cookies (the cookie types listed above are all set via your browser); rather than having individual cookies for particular jobs, a website is restricted to storing all data in one cookie. You can control how much data can be stored in that cookie but you cannot choose what type of information is allowed to be stored.