1. Introduction
AD Building Contractors is committed to ensuring compliance with the General Data Protection Regulation (GDPR) and protecting the privacy of individuals whose personal data we process. This policy outlines our responsibilities under GDPR and explains how we ensure that all personal data is collected, stored, processed, and disposed of in a lawful, fair, and transparent manner.
2. Scope
This GDPR Policy applies to all personal data processed by AD Building Contractors, including that of our clients, subcontractors, and employees. The policy covers all aspects of data collection, storage, processing, and disposal, whether the data is stored electronically or physically. All employees and subcontractors are required to adhere to this policy.
3. Definitions
- Personal Data: Any information that can directly or indirectly identify an individual, such as a name, address, contact details, or any other personal information.
- Data Subject: The individual whose personal data is being processed.
- Data Controller: AD Building Contractors, as the organisation that determines the purpose and means of processing personal data.
- Processing: Any operation performed on personal data, including collection, storage, use, transmission, or destruction.
- Data Processor: A third party that processes personal data on behalf of the Data Controller.
- GDPR: The General Data Protection Regulation (EU) 2016/679, which governs the processing of personal data in the EU and the UK.
4. Principles of GDPR
AD Building Contractors adheres to the following principles outlined by GDPR:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner. Data subjects are informed of the purposes of data collection and how their data will be used.
- Purpose Limitation: We collect personal data for specific, explicit, and legitimate purposes and do not process it further in a way that is incompatible with those purposes.
- Data Minimisation: We collect only the personal data that is necessary for the relevant business purpose.
- Accuracy: We take reasonable steps to ensure that the personal data we hold is accurate and kept up to date.
- Storage Limitation: Personal data is kept only for as long as is necessary for the purposes for which it was collected.
- Integrity and Confidentiality: We process personal data securely to protect it against unauthorised access, loss, or damage.
- Accountability: AD Building Contractors takes responsibility for complying with these principles and can demonstrate our compliance through our policies and procedures.
5. Lawful Basis for Processing
We process personal data based on the following lawful grounds, as outlined by GDPR:
- Contract: Processing is necessary to perform a contract with the data subject (e.g., providing building services to clients).
- Legal Obligation: Processing is required to comply with a legal obligation (e.g., health and safety regulations).
- Legitimate Interests: Processing is necessary for the legitimate interests of AD Building Contractors (e.g., running our business and managing our contracts), provided these interests are not overridden by the data subject’s rights.
6. Data Collection
AD Building Contractors collects personal data for the purpose of fulfilling contracts with clients and managing business relationships. The types of data we collect may include:
- Client names, addresses, and contact details
- Details of building projects and work adaptations
- Contact details of occupational therapists (where applicable)
We ensure that personal data is collected in a lawful and transparent manner, with the individual’s consent where necessary. Individuals are informed of their rights, the purpose of the data collection, and how their data will be used.
7. Data Storage and Security
We ensure the security of personal data by implementing appropriate technical and organisational measures. These include:
- Digital Data: Stored on password-protected devices with secure access controls, up-to-date antivirus software, and firewalls. Sensitive data is encrypted to protect it from unauthorised access.
- Physical Data: Stored in secure, locked filing cabinets with access restricted to authorised personnel.
- Access Control: Only authorised employees and subcontractors have access to personal data, and they are trained in data protection and confidentiality. Subcontractors receive only the data necessary to complete their job.
8. Data Retention
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, usually for the duration of a contract. Upon completion of the contract, personal data is securely deleted or destroyed:
- Digital Data: Deleted from devices and backups.
- Physical Data: Shredded to ensure it cannot be accessed or recovered.
9. Data Sharing
AD Building Contractors does not share personal data with third parties unless it is necessary to fulfil our contractual obligations or comply with legal requirements. When data is shared with subcontractors or other third parties, we ensure that they adhere to our data protection policies and GDPR requirements.
10. Data Subject Rights
Under GDPR, individuals have the following rights concerning their personal data:
- Right to Access: Individuals can request access to the personal data we hold about them.
- Right to Rectification: If personal data is inaccurate or incomplete, individuals can request that it be corrected.
- Right to Erasure: Individuals can request the deletion of their personal data in certain circumstances (e.g., when it is no longer necessary for the purpose for which it was collected).
- Right to Restrict Processing: Individuals can request that we restrict the processing of their personal data.
- Right to Data Portability: Individuals can request to receive their personal data in a structured, commonly used format or have it transmitted to another organisation.
- Right to Object: Individuals can object to the processing of their data under certain circumstances.
Data subjects can exercise these rights by contacting AD Building Contractors directly at info@ad-buildingcontractors.co.uk.
11. Data Breaches
In the unlikely event of a data breach, AD Building Contractors has the following procedures in place:
- Identification and Reporting: Any employee or subcontractor who suspects or identifies a data breach must report it immediately to the company director.
- Containment and Assessment: Steps are taken to assess the breach and contain it. This may involve revoking access, isolating affected systems, or halting data flow.
- Notification: If the breach poses a risk to individuals’ rights and freedoms, we will notify the affected individuals and the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
- Review and Mitigation: We will investigate the breach, identify the root cause, and take steps to prevent a recurrence.
12. Accountability and Documentation
We maintain records of our data processing activities and are able to demonstrate our compliance with GDPR requirements. These records include:
- Data protection policies and procedures
- Data retention schedules
- Data processing agreements with third parties
13. Training and Awareness
All employees and subcontractors are made aware of their responsibilities under GDPR and receive training to ensure compliance with this policy. Training covers data protection principles, confidentiality, and our internal procedures for handling personal data securely.
14. Regular Policy Review
This GDPR Policy will be reviewed annually or whenever necessary to reflect changes in data protection laws or our business practices. Any updates to the policy will be communicated to all relevant staff and subcontractors.
Contact Information: For any questions, concerns, or requests regarding personal data, please contact: info@ad-buildingcontractors.co.uk