STJ Projects Ltd (“STJ”) processes personal data relating to its staff, customers and suppliers.
This policy sets out our commitment to ensuring that any personal data (including special category personal data) we process complies with Data Protection Law. ‘Data Protection Law’ includes the General Data Protection Regulation 2016/679, the UK Data Protection Act 2018 and all relevant EU and UK data protection legislation.
STJ ensures that good data protection practice is embedded in the culture of its staff and our organisation.
STJ will implement every prudent level of protection to ensure that data remains safe within our systems and that all personal information provided to and held by us will be treated as strictly private and confidential. We use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use, or disclosure. For example, we store the personal information you provide on limited access computer servers, which are located in controlled, locked facilities.
This policy applies to all personal data processed by STJ and is part of our compliance with Data Protection Law. All our staff are expected to comply with this policy, and failure to comply may lead to disciplinary action for misconduct, including dismissal. Obtaining (including accessing) or disclosing personal data in breach of STJ’s data protection policies may also be a criminal offence.
Data Protection Principles
STJ complies with the Data Protection Principles set out below. When processing personal data, we will ensure that:
- it is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- it is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- it is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’);
- it is accurate and, where necessary, kept up to date, and reasonable steps will be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’);
- it is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’);
- it is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
STJ will process any request from a data subject who wishes to exercise their rights under Data Protection Law in a concise, transparent and easily accessible form and without undue delay. We will not transfer your data internationally. STJ will:
- ensure that the legal basis for processing personal data is identified in advance and that all processing complies with the law;
- not do anything with your data that you would not expect given the content of this policy and the fair processing or privacy notice;
- ensure that appropriate privacy notices are in place advising data subjects how and why their data is being processed, and in particular advising data subjects of their rights;
- only collect and process the personal data that it needs for purposes it has identified in advance;
- ensure that as far as possible the personal data it holds is accurate, or a system is in place for ensuring that it is kept up to date as far as possible;
- only hold onto your personal data for as long as it is required after which time STJ will securely erase or delete the personal data;
- ensure that appropriate security measures are in place to ensure that personal data can only be accessed by those who need to access it and that it is held and transferred securely.
STJ will ensure that all staff who handle personal data are aware of their responsibilities under all data protection policies and are adequately trained and supervised.
We will not contact you in respect of other services that we offer unless we feel these are relevant to you or we have obtained your explicit consent to do so. You can withdraw this consent at any time by giving us notice.
Data Subject Rights
STJ has processes in place to ensure that it can process any request made by an individual to exercise their rights under Data Protection Law. The relevant data subject rights are listed below to provide detailed guidance on how we will comply.
All requests will be considered without undue delay and, as far as possible, within one month of receipt. We have the right to refuse or charge for requests that are manifestly unfounded or excessive. If we take this course of action we will write to you to inform you of our reason why. If this should occur and you are unhappy with our decision, you may complain to the Information Commissioner, as detailed at the end of this notice.
Subject access: the right to request information about how and what personal data is being processed, the right to be allowed access and a copy of that data and the right to obtain the following information:
- the purpose of the processing;
- the categories of personal data;
- the recipients to whom data has been disclosed or which will be disclosed;
- the retention period;
- the right to lodge a complaint with the ICO;
- the source of the information if not collected direct from the subject; and
- the existence of any automated decision making.
Rectification: the right to have inaccurate personal data concerning them rectified immediately.
Erasure: the right to have data erased and to have confirmation of erasure, but only where:
- the data is no longer necessary in relation to the purpose for which it was collected; or
- where consent is withdrawn; or
- where there is no legal basis for the processing; or
- there is a legal obligation to delete data.
Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:
- if the accuracy of the personal data is being contested; or
- if our processing is unlawful but the data subject does not want it erased; or
- if the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise or defence of legal claims; or
- if the data subject has objected to the processing, pending verification of that objection.
Data portability: the right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format that will allow the individual to transfer the data to another data controller. This would only apply if we were processing the data using consent or on the basis of a contract.
Object to processing: the right to object to the processing of personal data relying on the legitimate interests processing condition unless STJ can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.
Special Category Personal Data
This includes the following personal data revealing:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data, or biometric data processed for the purpose of uniquely identifying a natural person,
- Data concerning health,
- Data concerning a natural person's sex life or sexual orientation, or
- Data relating to criminal convictions or offences.
STJ will process special category data of employees as is necessary to comply with employment and social security law, but does not process special category data of customers, contractors or their staff.
Responsible Personal Data Processing
STJ Projects' Directors take ultimate responsibility for data protection.
If you have any concerns or wish to exercise any of your rights under the GDPR, then you can contact the Data Protection Lead by emailing firstname.lastname@example.org.
This policy was last updated on 23 May 2018 and shall be regularly monitored and reviewed, at least every two years.
All data subjects have the right to object to the way in which we handle their data. If you have an objection, please in the first instance contact: Mike Pearson (Managing Director) on 01724 720977. Should you be unsatisfied with our own investigations, you also have the right to take your objection to the Information Commissioner’s Office.
This can be done through:
- The Information Commissioner’s Office website: https://ico.org.uk/
- The live web chat function on the ICO website
- Calling the ICO’s helpline on 0303 123 1113
STJ Projects Ltd (“STJ”) is a data controller which collects and processes personal data relating to its clients, suppliers, contractors and their staff, in order to supply products and services. STJ is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. Please also refer to STJ’s Data Protection Policy.
What Information Does STJ Collect?
STJ collects and processes a range of information containing personal data about you. This includes the following:
- your name, business address and contact details, including business email address and telephone number;
- financial information (where you are purchasing goods or services from us);
- confirmation that you have opened or interacted with emails and other digital communications that we send to you.
STJ may collect this information in a variety of ways, including directly from you when you contact us, when we engage in negotiations for the provision of goods or services, when you enter personal data into any of our online forms and tools, or from your employer.
We may also record telephone calls for staff training purposes.
Your personal data will be stored in hard copy in files which are stored in locked rooms/cabinets and in STJ’s IT system.
Why Does STJ Process Your Personal Data?
Where you are an individual, sole trader or partner in a partnership which has contracted with us, we need to process data in order to meet our obligations and exercise our rights under that contract.
Where you are, or work for, one of our contractors, architects or other third party providing a service on our behalf, we will collect your personal data in order to meet our contractual obligations and exercise our rights in terms of that contract.
In other cases, STJ has a legitimate interest in processing personal data which allows us to:
- meet our obligations and exercise our rights under a contract to which you are not party, but where you have been involved in the negotiation, conclusion or implementation of a contract for the provision of goods or services by us; or
- provide you with a better customer service; and to send marketing and information emails where you have purchased goods or services from us and you have not opted out from receiving those messages.
There may be some occasions where we seek your consent to process personal data but, in this case, we will provide full details of what we are seeking consent for, so that you will be able to carefully consider whether to provide that consent.
Who Has Access To Your Data?
Your personal data may be shared internally within STJ, where a member of our staff requires the information for the processing of goods, services or completion of an activity.
We will also share your data as required by law, to administer the working relationship that we have with you.
STJ also shares your data with third parties, including sub-contractors engaged by STJ, to provide services on behalf of STJ. These third parties include product specialists, architects and third-party service providers that process data on our behalf in connection with email services, cloud storage providers, banking, invoicing and IT services.
Where appropriate we will share the personal data of our sub-contractors with our clients in order to adhere to our contractual rights and obligations.
We will not sell your personal data to third parties.
How Does STJ Protect Data?
We take the security of your data seriously. STJ has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where we engage with third parties to process personal data on our behalf, we do so on the basis of strict confidentiality and they are obliged to implement appropriate technical and organisational measures to ensure the security of data. They are not allowed to use your personal data for their own purposes.
How Long Does STJ Keep Your Data?
We will hold your personal data for the duration of any contract with you and for a fixed period thereafter. Where you have not entered into a contract with us, we will only hold your personal data for as long as it is necessary for the purposes for which it is being processed. The periods for which your data is held after the end of the contract and in all other situations are set out in our Data Retention Policy.
As a data subject, you have a number of rights, which include:
- the right to access and obtain a copy of your data on request;
- the right to require STJ to change incorrect or incomplete data;
- the right to require STJ to delete or stop processing your data, in certain circumstances;
- the right to object to the processing of your data where STJ relies on its legitimate interests as the legal ground for processing;
- the right to data portability; and
- the right to object to automated decision making.
If you would like to exercise any of these rights, or if you have any concerns about how your personal data is being processed, please contact email@example.com.
If you believe that STJ has not complied with your data protection rights, you can complain to the Information Commissioner. The Information Commissioner’s Office can be contacted through:
- The Information Commissioner’s Office website: https://ico.org.uk/
- The live web chat function on the ICO website
- Calling the ICO’s helpline on 0303 123 1113
What happens if personal data is not provided?
Where you have entered into a contract with STJ for the provision of services, failing to provide the data may mean that we are unable to properly implement the contract and that you are unable to exercise certain contractual rights.
DATA RETENTION POLICY
STJ Projects Ltd (“STJ”) is committed to protecting the privacy and security of our customers’ personal information.
We have developed policies and practices which describe how we collect and use personal information about customers during and after their relationship with us, in accordance with the General Data Protection Regulation (GDPR).
STJ is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about customers. We are required under data protection legislation to notify our customers of this information which is contained within a privacy notice sent out to them.
Data Protection Principles
We will comply with data protection law, which states that any personal information we hold on an individual must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to the individual and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told the individual about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told the individual about.
- Kept securely.
What Type Of Customer Information Do We Hold?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection.
STJ may collect, store, and use the following categories of personal information about individuals (not all will be applicable to each individual):
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Company information.
- Bank account details and VAT registration.
- Location of employment or workplace.
- Identification documents.
- Public liability insurance.
- Recordings of telephone calls.
- Credit scores.
We may also collect, store and use “special categories” of sensitive personal information obtained from tracking devices (this may not be applicable to each individual).
We only use an individual’s personal information when the law allows us to. Most commonly, we will use personal information as per our privacy notice and in the following circumstances:
- Where we need to perform the contract we have entered into with the customer.
- Where it is necessary for our legitimate interests (or those of a third party) and an individual’s interests and fundamental rights do not override those interests.
Where Is Customer Information Stored?
We will undertake regular assessments of the storage of the personal data we hold, to ensure we are compliant with our obligations under the GDPR.
Personal data is stored both electronically and in paper format. In particular, personal data is stored as follows:
- Electronically within Sage accounting and payroll;
- Electronically on the Company’s server;
- Electronically on Outlook 365;
- Paper format.
How Long Will STJ Use Customer Information For?
We will only retain customer personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of an individual’s personal data, the purposes for which we process an individual’s personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise personal information so that it can no longer be associated with an individual, in which case we may use such information without further notice to that individual. Once the individual in question is no longer a customer of the company, we will retain and subsequently securely destroy their personal information in accordance with applicable laws and regulations.
In particular, we will retain a customer’s personal information for the length of time needed to complete the initial request and for a maximum of five years should the individual terminate their request (subject to any legal requirement).
STJ will share an individual’s personal information with third parties where required by law, where it is necessary to administer the working relationship with the customer or where we have another legitimate interest in doing so.
“Third parties” includes third-party service providers (including contractors and designated agents). The following activities are carried out by third-party service providers:
- IT services including web development and hosting companies, email and information technology platforms;
- Secure servers;
- Installation engineers;
- Financial and leasing companies; and
- Our designated insurance broker and insurer.
All of our third-party service providers are required to take appropriate security measures to protect personal information in line with our policies.
STJ may share a customer’s personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share personal information with a regulator or to otherwise comply with the law.
STJ has put in place appropriate security measures to prevent customer personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to customer personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process an individual’s personal information on our instructions and they are subject to a duty of confidentiality.
STJ has put in place procedures to deal with any suspected data security breach and will notify an individual and any applicable regulator of a suspected breach where we are legally required to do so.