Privacy Notice

Building Testing Ltd of Unit 12, Wintonlea Industrial Estate, Monument Way West, Woking, GU21 5EN (”we, us, our” or ”Employer”) is a “data controller” and we collect, store, hold, process, use, record, consult, disclose, erase, make decisions based upon, destroy and in some instances transmit personal data about you (together these activities are referred to as “Process”, “Processed” or “Processing”).

This Privacy Notice sets out the information that must be provided by us to you (the “Data Subject”) at the time your personal data is obtained. It is drafted in compliance with UK data protection laws. The person responsible for overseeing data protection compliance issues within the Employer is the Company Secretary.

This Privacy Notice concerns your personal data and special categories of data, together referred to as “Data” in the Privacy Notice. This Privacy Notice describes how we collect and use Data about you both during and after your working relationship with us and gives examples of the types of Data we hold, Processing activities and the justifications for that Processing.

This Privacy Notice applies to clients and subcontractors.

It is important that you read this Privacy Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing Data about you, so that you are aware of how and why we are using such information. This Privacy Notice should also be read in conjunction with the Employer’s Data Protection Policy.

The Data Protection Principles
We will comply with UK data protection laws which state that the Data we hold about you must be:

• Used lawfully, fairly and in a transparent way
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
• Adequate and relevant to the purposes we have told you about and limited only to those purposes
• Accurate and kept up to date
• Kept only as long as necessary for the purposes we have told you about
• Kept securely

The types of Data we hold
Data means any personal data about an individual from which that person can be identified. It does not include information where the identity has been removed (anonymous data).

Data is collected directly through you.

We may collect, store, use and Process the following personal data or categories of personal data about you:

1. Personal contact details such as name, title, addresses, telephone numbers, and personal email
   addresses
2. Bank account details

These are examples of Data and the list may not be exhaustive depending on the project and the data required.

How your Data is Processed and in what situations
The situations in which we will Process your personal Data are listed below:

• Administering the contract we have entered into with you
• Business management and planning, including accounting and auditing
• Dealing with legal disputes involving you or contractors
• Complying with health and safety or other legal or regulatory requirements or obligations

We may Process Data about you in compliance with our Lawful Basis (see below) and/or where this is required or permitted by law. Some of the above grounds for Processing will overlap and there may be several grounds which justify our use of your Data.

How we will use Data about you – the “Lawful Basis”
Under Data Protection laws, data controllers have to explain how Data about Data Subjects is used because they can only use Data when they are permitted to do so by law. Data controllers will be permitted to use Data by law when they can establish a “Lawful Basis”. Below we set out each Lawful Basis relevant to us in relation to your personal data.

Each Lawful Basis for the processing or use of personal data is as follows:

1. As necessary to perform our contract we have entered into with you
2. Where we need to comply with a legal obligation
3. Where it is necessary for our legitimate interests and your interests and fundamental rights do
   not override those interests.

Our Legitimate Interests
With regards to our ‘legitimate interests’ referred to above, these would include, but are not limited to:

• The furtherance of the business operations, services and products
• The pursuit or defence of any claims, rights or litigation
• Our accounting or auditing functions and reporting duties

Consent to Process your Data
In limited circumstances, we may approach you for your specific written consent to allow us to process certain particularly sensitive Data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to give us your consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Third Party Recipients of Data
From time to time, we may collect and share your Data with third parties, including third party service providers or other entities within our group.

We may share your Data with other entities in our group as part of our regular reporting activities on company performance all within the context of business procedures.

The recipients or categories of recipients of the Data may include:

• Parent, Associated Employers or Group Companies
• Legal representatives
• Accountants
• Auditors

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your Data in line with our policies. We do not allow our third-party service providers to use your Data for their own purposes. We only permit them to process your Data for specified purposes and in accordance with our instructions.

Data Security and Data Breaches
We have put in place appropriate security measures to prevent your Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Data to those employees, agents, contractors and other third parties who have a business need to know. They will only Process your Data on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Company Secretary.
We have put in place procedures to deal with any suspected Data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data Retention
The periods for which Data will be stored and the criteria used to determine retention periods or whether Data can be removed will depend on the information in question, its relevance or sensitivity; however, generally, Data will be removed if it has been superseded by other relevant or up to date information, if it is out of date, irrelevant or no longer necessary. Any removal of Data will be subject to the principles of data protection, compliance with the Lawful Basis for processing as well as other statutory rights and obligations.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once a project is complete and our contract completed we will retain the project data in our archive for a minimum of 7 years,  after which time the file may be securely destroyed including all your personal information in accordance with our Data Protection Policy and applicable laws and regulations.

Your Rights in Relation to your Data
Under certain circumstances, by law you have the right to:

• Request access to your Data (commonly known as a "data subject access request"). This enables
  you to receive information about the Data we hold about you.
• Request correction of the Data that we hold about you. This enables you to have any incomplete
  or inaccurate information we hold about you corrected.
• Request erasure of your Data. This enables you to ask us to delete or remove Data where there is
  no good reason for us continuing to Process it. You also have the right to ask us to delete or
  remove your Data where you have exercised your right to object to processing (in certain
  circumstances).
• Object to processing of your Data where we are relying on a legitimate interest for processing (or a
  legitimate interest of a third party) and there is something about your particular situation which
  makes you want to object to processing on this ground. You also have the right to object where we
  are processing your Data for direct marketing purposes.
• Request the restriction of processing of your Data. This enables you to ask us to suspend the
  processing of Data about you, for example if you want us to establish its accuracy or the reason for
  processing it.
• Request to lodge a complaint. This allows you to lodge a complaint with your local data
  Protection authority.

If you want to review, verify, correct or request erasure of your Data, object to its Processing, or request that we transfer a copy of your Data to another party, please contact the Company Secretary in writing.

Further details relating to Data Subject rights are set out in the Data Protection Policy.
You also have the right to lodge a complaint as to our Processing of your Data with the UK’s data supervisory authority (e.g. The Information Commissioner).

Providing us with up-to-date Data
The requirement for you to provide us with Data is a contractual requirement as well as in some cases, a statutory one, necessary to enter into a contract and working relationship. If you do not provide us with the Data we request, this may impact upon our ability to perform our contract with you and also impact on our ability to comply with other legal obligations.

Change of Purpose
We will only use your Data for the purpose for which it was collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purposes. If we need to use your Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may also process your Data without your knowledge or consent, in compliance with the above rules, where this is permitted or required by law.

Changing this Privacy Notice
We reserve the right to update this Privacy Notice at any time, and will provide you with a new Privacy Notice if we make substantial changes. We may also notify you in other ways from time-to-time about the processing of your data.

Any questions about this Privacy Notice should be directed to the Company Secretary.