GDPR
GENERAL DATA PROTECTION REGULATION (GDPR) POLICY
Introduction
Luxury Builders & Constructions Construction Group (the Company) needs to collect and use certain types of information about its employees and others with whom it comes into contact in order to operate as a business. This personal information must be collected and dealt with appropriately, whether it is collected on paper, stored in a computer database or recorded on other material, and there are safeguards to ensure this under the General Data Protection Regulation 2016 (GDPR).
Policy statement
The Company intends to ensure that personal information is treated lawfully and correctly. To this end the Company endorses fully and adheres to the six principles of data protection, as set out in Article 5 of the GDPR:
1. data will be processed lawfully, fairly and in a transparent manner in relation to individuals
2. data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
5. data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6. data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These principles will be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, the Company will:
1. observe fully the conditions regarding the fair collection and use of information, including the giving of consent
2. meet its legal obligations to specify the purposes for which information is used
3. collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements, and ensure the quality of information used
4. ensure that the information is held for no longer than is necessary
5. ensure that the rights of people about whom information is held can be fully exercised under the GDPR (i.e. the right to be informed that processing is being undertaken; to access one’s personal information; to prevent processing in certain circumstances; and to correct, rectify, block or erase information that is regarded as incorrect)
6. take appropriate technical and organisational security measures to safeguard personal information
7. publicise and abide by individuals’ right to appeal or complain to the supervisory authority (the Information Commissioner’s Office (ICO)) in the event that agreement cannot be reached in a dispute regarding data protection
8. ensure that personal information is not transferred abroad without suitable safeguards.
The Company will ensure that the rights of those about whom information is held can be fully exercised under the Act. These include:
1. the right to be informed that processing is being undertaken
2. the right of access to one’s personal information
3. the right to prevent processing in certain circumstances
4. the right to correct, rectify, block or erase information which is regarded as wrong information
5. the right to be forgotten.
Data Controller
Under the GDPR the Data Controller post is held by the Company’s Finance Director. This role determines for what purpose any personal information held will be used. This role is also responsible for notifying the Information Commissioner’s Office of the data it holds or is likely to hold and the general purposes that this data will be used for.
Data Protection Officer
Under the GDPR the Data Protection Officer for all employee-related data is the Company’s HR Manager. The Data Protection Officer for all other categories of personal data outside of employee data, such as those relating to subcontractors, suppliers and other third parties, is the Company’s Facilities Manager.