
INTRODUCTION

Our organisation is committed to protecting the rights and freedoms of individuals and safely and securely processing their data in accordance with all of our legal obligations. Through the course of our business, we may hold personal data about our employees, clients, suppliers and other individuals for a variety of purposes.

This policy sets out how we seek to protect personal data and ensure that individuals understand the rules governing their use of the personal data.

This Data Protection Policy has been updated in accordance with the provisions of GDPR (see definition below).

 

DEFINITIONS

 

GDPR

Means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Business Purposes

The purposes for which personal data may be used by us include:

  • Administrative
  • Personnel including Employee Payroll
  • Contacting individuals as part of a business relationship or services arrangement; and
  • Business Development purposes, including Marketing.

Business purposes include the following:

  • Compliance with our legal obligations and best practices.
  • Ensuring business policies are adhered to (such as policies covering email and internet use).
  • Operational reasons, such as recording transactions, training, ensuring the confidentiality of commercially sensitive information, credit scoring and checking.
  • Investigating complaints of a business nature, including complaints relating to employee conduct.
  • Checking references, ensuring safe working practices, monitoring and managing employee access to systems and facilities and employee absences, administration and assessments.
  • Monitoring employee conduct and employee disciplinary matters
  • Marketing our business and improving our services

Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). 

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • a name
  • an identification number (for example, a passport number)
  • location data
  • an online identifier
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data we gather may include:

  • Individuals' Personal Information such as Name, Address, Date of Birth, Telephone Numbers and Email Address
  • Individuals' Additional Information such as Educational Background, Financial and Employment details, Marital Status, Nationality, Job Title, CV, Directorships and Private Shareholdings.

Special categories of personal data

Special categories of data include information about an individual's:

  • Property Information: planning applications, property value, property type
  • Racial or Ethnic origin
  • Political opinions
  • Religious or similar beliefs
  • Trade union membership (or non-membership)
  • Physical or mental health condition(s)
  • Criminal offences or related proceedings
  • Genetic and biometric information

Any use of special categories of personal data should be strictly controlled in accordance with this policy.

Data controller

‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law.

Data processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Supervisory authority

This is the national body responsible for data protection. The supervisory authority for our organisation is the Information Commissioner's Office.

 

THE PRINCIPLES

Our organisation shall comply with the principles of data protection (the Principles) enumerated in the EU General Data Protection Regulation. We will make every effort possible in everything we do to comply with these principles. 

The Principles are: 

1. Lawful, fair and transparent 

Data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used. 

2. Limited for its purpose 

Data can only be collected for a specific purpose. 

3. Data minimisation 

Any data collected must be necessary and not excessive for its purpose. 

4. Accurate 

The data we hold must be accurate and kept up to date. 

5. Retention 

We cannot store data longer than necessary. 

6. Integrity and confidentiality 

The data we hold must be kept safe and secure.

 

DATA SOURCES

Personal data will be provided with consent directly from the subject or obtained from the Local Planning Authority (LPA). Where data is obtained from an LPA the firm will only process data categories specified in the ‘Special categories of personal data’ section based on a ‘legitimate interest’ balance-test assessment.

 

DATA RETENTION 

Data held by the firm will be in line with any legal obligations, including the data retention periods defined under the respective countries' legal frameworks. Predominantly for our organisation, this will be under the GDPR legislation.

 

DATA STORAGE 

All data will be held on encrypted cloud storage so that a server breach will not compromise the privacy of the information.  All storage arrangement decisions have been based on a Data Protection Impact Assessment (DPIA).  All spreadsheets containing personal data are password protected.

 

DATA ACCESS 

Only authorised individuals within the firm will have access to varying levels of personal data. These access rights are managed by the firm’s Senior Management.

 

TRANSFERRING DATA 

Our organisation may transfer information about you to other group companies for purposes connected with our services, transfer data into the European Economic Area (“EEA”) and outside of the EEA to comply with our legal or contractual requirements. Our organisation will only transfer data where we are legally or contractually obliged to, and where safeguards are in place to ensure data is respected and handled lawfully.

All data transfers are subject to a Data Protection Impact Assessment (DPIA) in order to carry out the tasks stated in the ‘Business Purposes’ section.

 

INDIVIDUALS' RIGHTS

Individuals have rights to their data which may be exercised in the following ways: 

1. Right to be informed 

  • Individuals will receive privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, which are written in clear and plain language.

2. Right of access 

  • Individuals will be able to access their personal data and supplementary information upon request.
  • Individuals will be allowed to understand and be aware of and verify the lawfulness of the processing activities.
  • This will be completed without delay, and no later than within 4 weeks. This may be extended to two months if the firm is able to adequately justify such an extension.
  • You will be informed accordingly within the initial 4 week period if an extension is to be applied.

3. Right to rectification 

  • Personal Data must be rectified or amended if requested because it is inaccurate or incomplete.
  • Where the firm disagrees please note individuals will receive:
      • the reasons we are not taking action;
      • Your right to make a complaint to the ICO or another supervisory authority; and
      • Your ability to seek to enforce this right through a judicial remedy.
  • This will be completed without delay, and no later than within 4 weeks. This may be extended to two months if the firm is able to adequately justify such an extension.
  • You will be informed accordingly within the initial 4 week period if an extension is to be applied.

4. Right to erasure 

  • Individuals' data will be deleted upon request where there is no compelling reason for its continued processing.
  • The firm will respond within 4 weeks to notify of any reason why it is required to maintain holding the Personal Data. Where the firm disagrees please note individuals will receive:
      • the reasons we are not taking action;
      • Your right to make a complaint to the ICO or another supervisory authority; and
      • Your ability to seek to enforce this right through a judicial remedy.
  • Where the firm agrees with the request, this will be completed without delay, and no later than within 4 weeks. This may be extended to two months if the firm is able to adequately justify such an extension. You will be informed accordingly within the initial 4 week period if an extension is to be applied.
  • The firm will keep data for non-customers for a period no longer than 36 months or when planning expires, whichever period is longer. This data will then be deleted from storage.

5. Right to restrict processing 

  • Individuals may request that the processing of their Personal Data be restricted, blocked or otherwise suppressed.

6. Right to data portability 

  • Individuals can request their data so that they can reuse it for their own purposes or across different services.
  • This data will be provided in a commonly used, machine-readable format, and sent directly to another controller if requested by the individual.

7. Right to object 

  • Individuals may object to data processing based on legitimate interest or the performance of a public interest task.
  • Individuals may object to direct marketing, including profiling.
  • Individuals may object to the processing of their data for scientific and historical research and statistics.

8. Rights in relation to automated decision making and profiling 

  • Individuals may request further information on how we undertake automated decision making and profiling.
  • Individuals have the right to object to such automated processing, have the rationale explained to them, and request human intervention.

 

REQUESTS AND QUERIES 

If any individual has a request or any query relating to Personal Data and Data Protection they can contact the firm using the following methods: 

You can send an email to this address: contact@starling-construction.com (Patrick Bowler)

You can send a letter to our office address:

Starling Development Group Ltd

23 Westfield Park

Cotham

BS6 6LT

 

We will respond within 72 hours of receipt of any queries.

Please refer to the time frames noted above under “Individuals' Rights” in relation to the Rights of Access, Rectification and Erasure of data, which go beyond the 72 hour response timeframe.

 

DATA BREACH

In the event of a personal data breach a notification will be given to the ICO including the nature of the personal data breach, the name and contact details of the protection officer, the likely consequences of the breach and measures taken to mitigate future risk.

 

PRIVACY POLICIES 

A privacy notice will be supplied at the time the data is obtained if obtained directly from the data subject. If the data is not obtained directly from the data subject, the privacy notice must be provided within a reasonable period of having obtained the data, which means within 4 weeks. 

If the data is being used to communicate with the individual, then the privacy notice must be supplied at the latest when the first communication takes place. 

If disclosure to another recipient is envisaged, then the privacy notice must be supplied prior to the data being disclosed.

 

THIRD PARTY DATA CONTROLLERS AND DATA PROCESSORS 

We may use third party Data Controllers and, or, Data Processors for the purpose of carrying out our business activities. In these instances, the firm will have carried out appropriate due diligence in order to ascertain guarantees under the GDPR, and that the rights of data subjects will be respected and protected.

 

CHANGES TO THIS POLICY 

We may change this policy from time to time. Any significant changes will be notified through electronic communication to recipients for whom our organisation holds an email address. In the instance where an email address is not held, notification will be sent to a registered address.