Don't Move, Just Improve

UK General Data Protection Regulation (GDPR)

Complete Works Plymouth

UK General Data Protection Regulation (GDPR)

We currently collect and process the following information:

Personal identifiers, contacts, and characteristics (for example, name, address, contact details and email addresses).

How do we get personal information and why do we have it? Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • To enable Complete Works to contact you to arrange an estimate for work to be carried out, to discuss any work, and to complete any work that has been agreed.
  • We also receive personal information indirectly, from the following sources in the following scenarios:
  • Direct from suppliers if you have gone direct to them initially for an estimate or to price up
  • We use the information that you have given us in order to contact you directly.
  • We may share this information with suppliers or subcontractors that may be carrying out work on your property on behalf of Complete Works.
  • Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
    (a) Your consent. You are able to remove your consent at any time. You can do this by contacting Complete Works Plymouth Ltd using the contact details at the top of this document.
  • (b) We have a contractual obligation.
  • (c) We have a legal obligation.
    How we store your personal information
    Your information is securely stored in locked filing cabinets in a locked office.
    We keep estimates and invoices with your name and address on them for six-seven years in accordance with HMRC. We will then dispose of your information by shredding the paperwork associated with you and your property.
    Your data protection rights
    Under data protection law, you have rights including:
    Your right of access - You have the right to ask us for copies of your personal information.
    Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
    Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
    Your right to restriction of processing - You have the right to ask us to restrict the processing
    of your personal information in certain circumstances.
    Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
    Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
    You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us if you wish to make a request at:

Tel: 07973 451373
Address: 20A, Ford Hill, Stoke, Plymouth PL2 1HN

The Company is fully committed to compliance with the requirements of the Data Protection Act 2018 and all other data protection legislation currently in force. The Regulation applies to anyone processing personal data and sets out principles which should be followed and gives rights to those whose data is being processed.

To this end, the Company endorses fully and adheres to the Data Protection Principles listed below. When processing data we will ensure that it is:

    • processed lawfully, fairly and in a transparent way (‘lawfulness, fairness and transparency);
    • processed no further than the legitimate purposes for which that data was collected (‘purpose limitation’);
    • limited to what is necessary for relation to the purpose (‘data minimisation’); accurate and kept up to date (‘accuracy’);
    • kept in a form which permits identification of the data subject for no longer than is necessary (‘storage limitation’);
    • processed in a manner that ensures the security of that personal data (‘integrity and confidentiality);
    • processed by a controller who can demonstrate compliance with the principles (‘accountability’).

These rights must be observed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, the Company will: 

    • observe fully the conditions regarding having a lawful basis to process personal information;
    • meet its legal obligations to specify the purposes for which information is used;
    • collect and process appropriate information only to the extent that it is necessary to fulfil operational needs or to comply with any legal requirements;
    • ensure the information held is accurate and up to date;
    • ensure that the information is held for no longer than is necessary;
    • ensure that the rights of people about whom information is held can be fully exercised under the Data Protection Act 2018 (i.e. the right to be informed that processing is being undertaken, to access personal information on request; to prevent processing in certain circumstances, and correct, rectify, block or erase information that is regarded as wrong information);
    • take appropriate technical and organisational security measures to safeguard personal information;
    • ensure that personal information is not transferred outside the EU, to other countries or international organisations without an adequate level of protection.
    • Employees’ Personal Information

Throughout employment and for as long as is necessary after the termination of employment, the Company will need to process data about you. The kind of data that the Company will process includes: 

    • any references obtained during recruitment;
    • details of terms of employment; payroll details;
    • tax and national insurance information;
    • details of job duties;
    • details of health and sickness absence records;
    • details of holiday records;
    • information about performance;
    • details of any disciplinary and grievance investigations and proceedings;
    • training records;
    • contact names and addresses;
    • correspondence with the Company and other information that you have given the Company.

The Company believes that those records used are consistent with the employment relationship between the Company and yourself and with the data protection principles. The
data the Company holds will be for management and administrative use only but The Company may, from time to time, need to disclose some data it holds about you to relevant third parties, for example where legally obliged to do so by HM Revenue & Customs, where requested to do so by yourself for the purpose of giving a reference or in relation to maintenance support, and/or the hosting of data in relation to the provision of insurance.

In some cases, the Company may hold sensitive data, which is defined by the legislation as special categories of personal data, about you. For example, this could be information about health, racial or ethnic origin, criminal convictions, trade union membership, or religious beliefs. This information may be processed not only to meet the Company's legal responsibilities but, for example, for purposes of personnel management and administration, suitability for employment, and to comply with equal opportunity legislation. Since this information is considered sensitive, the processing of which may cause concern or distress, you will be asked to give express consent for this information to be processed, unless the Company has a specific legal requirement to process such data.

Access to Data

You may, within a period of one month of a written request, inspect and/or have a copy, subject to the requirements of the legislation, of information in your own personnel file and/or other specified personal data and, if necessary, require corrections should such records be faulty. If you wish to do so you must make a written request to your Manager. The Company is entitled to change the above provisions at any time at its discretion.

Data Security

You are responsible for ensuring that any personal data that you hold and process as part of your job role is stored securely.

You must ensure that personal information is not disclosed orally, in writing, via web pages, or by any other means, accidentally or otherwise, to any unauthorised third party.
You should note that unauthorised disclosure may result in action under the Disciplinary Procedure, which may include dismissal for gross misconduct. Personal information should be kept in a locked filing cabinet, drawer, or safe. Electronic data should be coded, encrypted, or password-protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.

When travelling with a device containing personal data, you must ensure both the device and data is password protected. The device should be kept secure and, where possible, it should be locked away out of sight, for example in the boot of a car. You should avoid travelling with hard copies of personal data where there is secure electronic storage available. When it is essential to travel with hard copies of personal data this should be kept securely in a bag and where possible locked away out of sight, for example in the boot of a car.

Notifying Breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or processed.

The following are examples of data breaches

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a data controller or data processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission;
  • loss of availability of personal data.

Investigation and Notification

In the event that we become aware of a breach, or a potential breach, an investigation will be carried out. This investigation will be carried out by Andrea McGowan. We will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner, and then provide a full report in more than one
instalment if so required.

We will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.

Record of Breaches

The Company records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under the Data Protection Act 2018. It records the facts relating to the breach, its effects and the remedial action taken