Version 3 (24/05/2018)
INFORMATION COVERED BY THIS POLICY
- Who We Are and How to Contact Us
- Personal Data
- Information Security
- Collection of Personal Data
- Why We Process Personal Data
- Sharing of Personal Data
- How Long We Keep Personal Data For
- International Transfers
- Automated Decision Making
- Your Rights Under Applicable Data Protection Law
- Updates to This Policy
- Jurisdiction and Applicable Law
WHO WE ARE AND HOW TO CONTACT US
We are RHQS, a provider of Quantity Surveying services to the UK Construction Industry. RHQS is the trading name of Richard Harrison, a sole trader whose registered address is The Courtyard, Oakwood Park Business Centre, Fountains Road, Bishop Thornton, Harrogate, HG3 3BF. If you have any queries relating to this policy, you can contact us by post at this address, or by email at firstname.lastname@example.org.
PERSONAL DATA
Your personal data (“information”) is data which by itself or with other data available to us can be used to identify you. Any personal data processed by us is controlled by Richard Harrison, who is a registered data controller with the Information Commissioner’s Office (reference ZA346744).
INFORMATION SECURITY
The security of your personal data is very important to us and we are committed to protecting your privacy. We have implemented technical, administrative and physical procedures designed to protect personal information from modification, loss or illegitimate access, in accordance with all relevant data protection law, including the Data Protection Act and the General Data Protection Regulation.
We store personal information on secure servers with access limited to authorised personnel, or on paper files which are kept in our secure offices. Unfortunately, despite all the security and protection we put in place, the transmission of information via the internet, including by email, is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of the information sent to us electronically and transmission of such information is therefore at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.
COLLECTION OF PERSONAL DATA
We collect information directly from you when you contact us by telephone, letter, email, or in person, including your name, title, gender, email address, postal address and telephone number (landline and/or mobile), and the company you work for.
If you are a business to business contact (including existing and prospective clients or suppliers), we may also obtain the same categories of information about you from non-publicly available sources, such as referral agents or mutual business contacts, and also from publicly available sources, such as online telephone/website/company/biographical directories, social media platforms such as LinkedIn, Facebook and Twitter, business/company/government websites, the Land Registry, the Electoral Register, Companies House and information that has been published in reputable media.
If we enter into a business relationship with you, for example if you are a client, supplier, sub-contractor, advisor, expert, consultant or similar, or if we have an indirect business relationship with you through one of our clients, we may also process further details as necessary depending on the nature of the relationship including information such as employment and education history, financial information such as bank payment/transaction information, invoices, UTR and VAT numbers, other finance details including rates and salary information, goods or services provided, lifestyle and social circumstances, family details and other information typically found on CVs.
With the exception of the limited information necessary to enter into and perform a contract (such as contact and bank details), or the information which you are legally obliged to provide (such as VAT number), you are under no obligation from RHQS to provide further information. However, not providing information that is requested from you may affect our ability to properly carry out the services we provide which may affect you adversely. Each circumstance is unique and we will tell you at the time of requesting information if it is optional and what the specific effects may be to you if you do not provide the information.
WHY WE PROCESS PERSONAL DATA
Depending on who you are and the context of our relationship with you, we process your personal data under the following legal bases for the purposes as described below:
- As necessary to perform our contract with you:
  - To take steps at your request prior to entering into it;
  - To decide whether to enter into it;
  - To manage and perform that contract;
  - To update our records;
  - To trace your whereabouts to contact you about your account and recovering debt.
- As necessary for our own legitimate interests or those of other persons and organisations including our clients, for example:
  - For good governance, accounting, and managing and auditing our business operations;
  - To respond to queries;
  - To search at credit reference agencies;
  - To identify and prevent fraud;
  - To monitor and log emails, calls, and other communications;
  - For market research, analysis and developing statistics;
  - To send you marketing communications;
  - For business networking and growing our business;
  - To enhance the security of our networks and information systems;
  - To better understand how people interact with our website;
  - Where the processing is necessary to perform the service provided to our clients;
  - Where the processing enables us to enhance, modify, personalise, or otherwise improve our services/communications for the benefit of our clients;
  - For the establishment, exercise or defence of legal claims.
- As necessary to comply with a legal obligation, for example:
  - For compliance with legal and regulatory requirements and related disclosures, including those required by HMRC;
  - When you exercise your rights under data protection law and make requests;
  - For activities relating to the prevention, detection and investigation of crime;
  - To verify your identity, make credit, fraud prevention and anti-money laundering checks.
- When we have your consent to process the information, for example:
  - To store cookies on your device when you visit our website, as further described on our Cookies Page;
  - In very unusual circumstances when it is most appropriate to gain your consent (if and when such circumstances occur, we will make it clear that we need your consent and we will request it in accordance with any relevant legal principles).
SHARING OF PERSONAL DATA
We will not share your data with anyone for marketing purposes. However, subject to applicable data protection law, we sometimes need to share the personal information we process, for example, when it is necessary in order to perform our contracted obligations or otherwise to provide our services, to obtain legal advice, to protect the rights, interests or safety of ourselves or others, or where we have a legal obligation to do so. Examples of who we may need to share the information with are:
- family, associates and representatives of the person whose personal information we are processing
- staff, employment and recruitment agencies
- educators and examining bodies
- financial organisations
- credit reference agencies
- debt collection and tracing agencies
- current, past or prospective employers
- trade and employer associations
- professional bodies
- business associates
- persons making an enquiry or complaint
- suppliers and service providers, including sub-contractors and other persons or organisations who help us provide our services (including the use of services such as secure cloud storage and email hosting facilities), as well as our legal and other professional advisors, including our accountant
- local and central government (for example HMRC who may in turn share it with relevant overseas tax authorities and with regulators such as the Information Commissioner's Office)
- ombudsmen and regulatory authorities
- client's clients
HOW LONG WE KEEP PERSONAL DATA FOR
- Retention in accordance with legal requirements. We will retain your personal data after your service has been completed or has otherwise come to an end based on our legal requirements (such as the periods required by HMRC for accounting purposes).
- Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us or our clients, as indicated by the Limitation Act 1980 and any subsequent amendments to the legislation.
- Retention in case of queries. We will retain your personal data as long as necessary to deal with your queries.
- Retention in case of other legitimate interests as noted above. For the minimum period of time necessary to pursue those interests.
INTERNATIONAL TRANSFERS
RHQS uses cloud based storage and email hosting from leading commercial providers. These leading commercial providers typically use either Canadian or U.S. based servers to store information. As such, the use of cloud based facilities and email hosting may be classed as International Transfers. To this extent, information provided by you may be transferred out of the European Economic Area (EEA).
The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or by the international commitments it has entered into. There is an adequacy decision in place for transfers to Canada (for commercial organisations) and for the U.S. (which relates to the EU-US Privacy Shield). All commercial providers used by RHQS are either U.K. based, Canadian commercial organisations, or U.S. companies that are certified under the EU-US Privacy Shield.
It may sometimes be necessary to transfer personal information overseas for other reasons. When this is needed, information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of relevant data protection law.
AUTOMATED DECISION MAKING
At RHQS, none of the processing we undertake includes automated decision making or profiling.
YOUR RIGHTS UNDER APPLICABLE DATA PROTECTION LAW
Under the EU General Data Protection Regulation (“GDPR”) individuals are given certain rights in respect of the processing of their personal data. Those basic rights are as follows, but please note some of the rights are dependent upon the legal basis under which the processing takes place, as well as other factors:
- The right to be informed about our processing of your personal data.
- The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed.
- The right to object to processing of your personal data.
- The right to restrict processing of your personal data.
- The right to have your personal data erased (the "right to be forgotten").
- The right to request access to your personal data and information about how we process it.
- The right to move, copy or transfer your personal data ("data portability").
- Rights in relation to automated decision making including profiling.
- Where we use consent as the basis for processing, you have the right to withdraw your consent at any time.
For more information about your rights under the GDPR, including detailed information regarding the circumstances under which they apply, please visit ico.org.uk.
If you wish to discuss or exercise any of the above rights, please contact RHQS at email@example.com in the first instance.
You also have the right to complain to the Information Commissioner's Office. It has enforcement powers and can investigate compliance with data protection law. Details for contacting the ICO can be found at ico.org.uk/global/contact-us/.
If you would like to see the data we hold about you, you can submit a subject access request by sending a description of the information you want to see and proof of your identity by post to the address at the top of this policy. As long as your request is not manifestly unfounded or excessive, we will provide you with this information free of charge, within 1 month of receipt of your written request. We do not accept these requests by email, so that we can ensure that we only provide personal information to the right person.
UPDATES TO THIS POLICY
JURISDICTION AND APPLICABLE LAW