This document sets out the Construction Solutions Limited policy on the protection of the personal data of all business contacts – primarily customers (actual and potential) and service/product providers (actual and potential).



Data Subject – The individual who the data in question relates to, and who may be identified by the data.

GDPR – The European Union’s General Data Protection Regulation.

HMRC – The UK’s tax regulator.

The Company – Construction Solutions Limited (CSL), registered office: Unit 3, The Crystal Centre, Elmgrove Road, Harrow, Middx, HA1 2HP.

Organisation – This includes both commercial businesses and not-for-profit organisations.

The Company Server – A secure internal server accessible by CSL team members.



Niall Farmer, Business Development Manager, is both the Data Controller and the Data Processor for CSL.

CSL is a small specialist sub-contractor in the construction industry. There is no requirement for a Data Protection Officer to be appointed for a business of this type and size.



As part of the running of CSL, the company obtains contact details of individuals (clients, prospects, service providers etc., as stated in Section 1). These individuals may be acting alone or as part of an organisation.

These details are primarily email addresses, telephone numbers and postal addresses, but could also include LinkedIn information and other contact details. My understanding is that these details may be considered to be within the scope of GDPR if, and only if, they can be used to identify named individuals.

For the purpose of this policy, contact details that can be identified only with organisations, or with groups etc. within organisations (for example, a company office address or group email address), are assumed to be outside the GDPR’s scope.

CSL does not actively collect or store ‘sensitive personal data’ as defined in the GDPR, such as ethnic origin or religious or political beliefs. If such data is contained within a document that the company is asked to work on:

· CSL will not use or share data in any way, other than sharing the document, as necessary, with other parties involved in the project.

· CSL will delete the document if requested to do so by the client or Data Subject, after the work is completed.






To comply with HMRC’s requirements, The Company needs to obtain a postal address for each client that CSL works for, to be included in invoices that are issued.


For future reference, The Company may store this postal address in a list of client details on The Company Server if it relates to an organisation, or group etc. within an organisation, but not if it is an individual’s address. In either case, The Company may include it in the contacts list in an email account, if The Company thinks it may need it for potential future invoices.




As part of normal email correspondence, email addresses are automatically recorded in the email accounts that are used by CSL employees.


However, The Company does not store these addresses in a separate file, unless they are group email addresses that The Company may need to refer to – for example, the addresses of an accounts team that The Company should send invoices to. In these cases, The Company may store them in a list of clients’ details on The Company Dropbox.


When researching potential clients, service providers etc., The Company may store individuals’ ‘company-based’ email addresses in spreadsheets if, and only if, The Company has obtained them from publicly available sources (such as a company website). The Company will not do this for email addresses associated with individuals outside organisations.


The Company website does not have a login system for visitors. The Company does not collect email addresses via the website, other than those that are automatically added to a list when visitors contact The Company and specify their email addresses – The Company does not process this data or store it elsewhere.


The Company uses mailing lists to send the parties stated in section one information relevant to them. The mailing lists are held in a secure location on The Company Server and also on a secure mailing system called Mail Chimp.




As part of normal business communication, individuals’ telephone numbers may be stored (automatically or manually) in the contacts list on The Company’s mobile phones or landline phones.


A number that is stored on The Company mobile telephones might be automatically synchronised into the contacts list in an email account associated with that phone. The Company might also add it to one of these contacts lists manually, if The Company thinks this will help to contact the person.




The Company believes that CSL’s use of the above data is compliant with GDPR, as The Company uses it for contacting people within organisations or groups about work and related matters, and (as per section 5.1) to include postal addresses in invoices. In GDPR terms, The Company believes these to be a ‘lawful basis’ for use of the data.




The data referred to in the above sections is stored on The Company computers that are used by CSL staff members, within The Company Server. The Company computers require a password on start-up. If work is undertaken off site, The Company staff members will require a password to access The Company Server.


The Company email accounts are password protected, and The Company mobile telephones require a PIN upon start-up and wake-up.




As required by HMRC, The Company retains each postal address (at least in invoices, and sometimes also in The Company’s spreadsheet of client details, as per section 5.1) for at least six years from the date when it was last used. After that, it will be deleted on request from the client, or it may be deleted as part of a ‘housekeeping’ exercise.




The Company sometimes uses Google Analytics to assess how web users have generally been finding and navigating The Company website; however, The Company does not use it to identify individual visitors.





The Company will not share personal data with any other parties without the Data Subject’s consent, unless it needs to be shared with HMRC for tax audit purposes.




As from 25th May 2018, as part of the process of agreeing work, The Company will ask the client to state that they accept the terms of this policy unless they have already done so. The work will not proceed unless this acceptance is explicitly stated.


The Company will not ask past, inactive clients for retrospective acceptance of this policy; The Company will only ask them about it if they offer The Company further work.


The Company does not believe that, in normal circumstances, there is a requirement for other types of contacts (prospects, service providers etc.) to state their acceptance of this policy.


If someone sends The Company an electronic document containing contact details (for example, the joining instructions for a training course), The Company will not be obliged to delete the document or redact those details, as they will have been supplied to The Company voluntarily. However, The Company will delete the document or redact the details on request from the document provider or Data Subject, unless this would prevent The Company satisfying any legal requirements.


For organisational clients, consent may be given by either (a) a primary contact in the organisation, (b) another person in a suitable position of authority, or (c) the Data Subject.


The Company will record all instances of consent being given or withdrawn in a log on The Company Dropbox.




The Company acknowledges and respects the rights afforded to Data Subjects under the GDPR, including the rights:

· To be told, on request, what data The Company can hold about them.

· To ask for data to be updated, deleted, restricted or moved to another party without hindrance, subject to legal requirements.

· To complain to the Information Commissioner’s Office about any alleged misuse of data.

Following any request to update, delete, restrict, or move data, The Company will give an initial response within 15 days if at all possible, and (if it goes ahead) carry out the requested action within 30 days. If necessary, The Company will delete relevant emails as well as deleting data from files.




If The Company becomes aware of a possible breach of data protection within The Company, it will be investigated as soon as possible. If The Company finds that a breach has occurred and could result in a risk to anyone’s privacy rights or freedoms, The Company will report it to the Information Commissioner’s Office within 72 hours of determining this.