1. DEFINITIONS

| Term | Definition |
|---|---|
| The GDPR Regulation | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 |
| The Company | John L Lord & Son (Rizistal) Ltd |
| Us | John L Lord & Son (Rizistal) Ltd |
| We | John L Lord & Son (Rizistal) Ltd |
| Our | Belonging to John L Lord & Son (Rizistal) Ltd |
| Data Subject | Any person whose personal data has been or is being processed by John L Lord & Son (Rizistal) Ltd |
| LIA | Legitimate Interest Assessment (sometimes referred to as a “balancing test”) |
| ICO | Information Commissioner’s Office |

2. INTRODUCTION

    • This Privacy Notice explains how John L Lord & Son (Rizistal) Ltd, part of the John Lord Group of Companies, collects and uses personal data.
    • The notice details how the Company complies with the requirements of The GDPR Regulation.
    • The company is the data controller.
    • This privacy notice relates to personal data from individuals not currently employed by the company.
    • Similar details for employees can be found in the internal document “Privacy Policy”.

3. WHO WE ARE

  • John L Lord & Son (Rizistal) Ltd is the data controller as defined in Chapter IV of the GDPR Regulation.
  • Our registered address is: John L Lord & Son (Rizistal) Ltd, Wellington Cement Works, Ainsworth Road, Bury, Lancashire, BL8 2RS
  • The company can be contacted at enquiries@john-lord.co.uk
  • Our privacy officer can be contacted at privacy@john-lord.co.uk

4. JUSTIFICATION FOR PROCESSING PERSONAL DATA

    • To process a contract or enquiry
    • To provide quotations, make telephone contact and to email details of purchases
    • To provide marketing information which we believe will be of interest based on:
        • Existing and/or previous business relationships
        • Identified market sector / business type
    • To respond to requests for information
    • To comply with our own statutory and regulatory obligations such as anti-bribery and anti-money laundering

5. LAWFUL BASIS FOR COLLECTING AND PROCESSING PERSONAL DATA

  • In accordance with article 6 of the GDPR Regulation, we are required to establish lawful bases for processing data.
  • Those lawful bases must be derived from at least one of the six valid grounds for processing in article 6.
  • We have established the following as our lawful bases for processing data:

5.1 LEGITIMATE INTERESTS FOR PROCESSING DATA

  • Before “Legitimate Interests” are used as a lawful basis for processing data, the company will carry out and record legitimate interest assessments (LIAs).
  • The LIAs will balance our legitimate interests with the data protection rights of individuals.
  • The legitimate interests for which the company processes personal data include:
      • To carry out direct marketing of our products and services in line with recital 47 of the GDPR Regulation.
      • To process data belonging to those who have a relevant and appropriate relationship with the company. This would include regular and/or recent clients, suppliers and sub-contractors.
      • To take actions to prevent fraud. This may include collecting and checking bank details and identities of data subjects.
      • To transfer personal data throughout other companies within the group (UK only) in order to carry out administrative functions. This may include group level employees processing data collected at one company in the group while they are actually present at another company within the group.
      • Where the data subjects might reasonably expect the company to process their data. This may include occasions where data subjects have browsed products and services on the company’s web site.
      • To prevent damage to the company’s IT network due to malicious attacks by individuals visiting the web site or network.

5.2 NECESSARY FOR THE PERFORMANCE OF A CONTRACT

  • In order to carry out contracts with clients and suppliers legally, we will have to process data from those clients and suppliers. In particular we will need the contact data of those involved in the contract.

5.3 LEGAL OBLIGATION

  • We may be legally bound to process personal data, for example in situations regarding eligibility to work in the UK, the reporting of accidents and the creation of safe systems of work on clients’ premises.
  • We may also process data in order to answer and defend against legal claims against the company.

6. PERSONAL DATA

6.1 WHAT IS PERSONAL DATA

  • Personal information is information which we hold and which uniquely identifies and is related to an individual person.
  • Such data could include:
      • Contact details
      • Next of kin
      • CCTV footage
      • Financial Information

6.2 WHAT PERSONAL DATA DO WE COLLECT

  • The data listed below refers only to the personal data of individuals.

| Personal Data | Purpose | Lawful Basis |
|---|---|---|
| Customers’ name, address, telephone number and email address | Supply and receive contract information | Legitimate interest; Performance of contract; Legal obligation |
| Supplier bank account details | Make payments for supplies | Legitimate interest; Performance of contract |
| Customer bank account / credit card details | Receive payments and to prevent fraud or money laundering | Legitimate interest; Performance of contract; Legal obligation |
| Name, address, telephone number and email address of previous customers | Marketing activities and protection against legal claims | Legitimate interest; Legal obligation |
| Name, address, telephone number and email address of previous and current sub-contractors | Traceability of work carried out | Legal obligation |
| Name, address, telephone number and email address of potential clients in appropriate marketing sectors | Marketing activities | Legitimate interest |
| Photographs and video footage of clients, suppliers and subcontractors entering our premises. | Advertising of our premises and activities; Security of our premises and assets | Legitimate interest; Legal obligation |
| Photographs and video footage of activities on the premises of clients and suppliers. | Monitoring of project performance; Marketing materials | Legitimate interest; Performance of contract |

6.3 HOW DO WE COLLECT PERSONAL DATA

  • We collect the personal data tabulated above by the following means:
      • Correspondence with clients, suppliers, subcontractors and previous clients
      • Researching the web sites of potential customers
      • CCTV footage and still photography
      • Provided by third parties (Such information is not automatically generated and processed.)
      • Information provided by individuals on our web-site

6.4 WHAT WE WILL DO WITH PERSONAL DATA

  • We will use personal data as follows:
      • Monitor and progress current contracts
      • Make payments to suppliers and sub-contractors
      • Request and receive payments from suppliers
      • Provide data to regulatory bodies
      • Market our products, services and capabilities
      • Safeguarding our employees
      • Compliance with health and safety legislation
      • Detecting and preventing fraud and other criminal activities
      • Provide appropriate marketing information to existing and potential clients

6.5 WHAT WE WILL NOT DO WITH PERSONAL DATA

    • We will not sell personal data to third parties
    • We will not provide marketing materials other than, as permitted in Recital 47 of the GDPR Regulation, to individuals who it is reasonable to suspect would be interested in our products and services.
    • We will not pass on personal data to third parties unless we have a legal obligation to do so or are instructed by the data subject.
    • We will not transfer or store personal data outside of Europe (the European Economic Area), outside of the control of the UK / European regulations.

6.6 HOW WILL WE SECURE PERSONAL DATA

6.6.1 STORING THE DATA

  • Personal data is stored on the company cloud based server, hosted by an external IT provider.
  • A contract exists with the external IT provider preventing sharing of the data with other parties and preventing movement of the data outside the UK.
  • PCs having access to the server are regularly updated to provide the correct level of encryption.
  • Data storage locations are password protected to control who, within the company, has access to the data.
  • We also hold some paper copies of personal data in the form of contract documents. These are stored in dedicated contract files under the control of the individual contract managers.
  • Email correspondence remains with the person sending and receiving emails.

6.6.2 BACKING-UP THE DATA

  • Data on our server is backed-up every 30 minutes to protect against data loss.

6.7 SHARING PERSONAL DATA

6.7.1 WHY WE SHARE PERSONAL DATA

  • We may share personal data with others for the following reasons:
      • In order for us to carry out our legitimate interests (section 5.1).
      • Where we are instructed to do so by enforcement authorities.
      • Where the data subject has requested we share the data with specific third parties. In such cases the identity of the data subject making the request will be verified (section 7).
      • Where the data is required to demonstrate compliance with national and international standards.
      • Where the data is required to provide defence in a civil claim against the company or group.
      • Where there is a requirement to carry out an accident or incident investigation.

6.7.2 WHO WE SHARE PERSONAL DATA WITH

  • We may share personal data with the following:
      • Employees within our company and group
      • Third parties who provide services to us such as IT providers
      • Banks who may arrange payments and cash transfers
      • Internal and external auditors
      • Insurance brokers and underwriters
      • Legal counsel in situations where disputes arise
      • Government departments
      • Police and other enforcement officers such as HSE

6.8 TRANSFERRING PERSONAL DATA OUT OF THE UK

  • We do not transfer personal data outside of the UK.
  • Third parties with whom we share personal data are contracted not to transfer data outside the UK.

6.9 RETENTION PERIODS FOR PERSONAL DATA

  • Retention periods for personal data are as follows:

| Data | Retention Period |
|---|---|
| Data relating to contracts | Minimum of twelve years |
| Financial data | Minimum of six years |
| Health and safety data | Minimum of ten years |

6.9.1 STATUTORY AND REGULATORY RETENTION

  • We are bound by national and international legislation to keep certain types of data for specified periods.
  • In addition standards that we conform to, such as BS EN 1090-1, require us to keep data for specified periods.

7. RIGHTS OF A DATA SUBJECT

  • The rights detailed in this section of the privacy notice are granted to data subjects upon proof of the data subject’s identity.
  • Proof of identity will be provided by the presentation of one form of approved photographic evidence plus one other printed (not hand written) document such as a utility bill or birth certificate.
  • Passports and driving licences are the only forms of approved photographic evidence.
  • To exercise any of the rights listed below, data subjects should contact the company’s privacy officer at privacy@john-lord.co.uk
  • Our privacy officer will respond to contacts from data subjects within one month of receipt.
  • It may not be possible for the company to comply with the requests of data subjects. If this is the case, the privacy officer will inform the data subject of the grounds for non-compliance.

7.1 RIGHT TO RECEIVE TRANSPARENT COMMUNICATIONS (Article 14 GDPR)

  • Data subjects have the right to receive transparent, concise, intelligible and easily accessible information from the company in a clear and plain language.

7.2 RIGHT OF ACCESS TO PERSONAL DATA (Article 15 GDPR)

  • All data subjects have the right to request access to the personal data we hold about them.
  • Data subjects have the right to know whether we hold and process personal data about them and also:
      • The purpose of processing their data
      • The categories of personal data
      • Who has access to the data
      • The retention period of the data
      • The source of the data
      • Details of any automated decision making using their data

7.3 RIGHT TO RECTIFICATION OF PERSONAL DATA (Article 16 GDPR)

  • Data subjects have the right to request rectification of incorrect or outdated data and the completion of incomplete data.

7.4 RIGHT TO ERASURE OF PERSONAL DATA (Article 17 GDPR)

  • Data subjects have the right to request complete erasure of their personal data (“the right to be forgotten”) where any of the following apply:
      • Processing the data is no longer necessary
      • Lack of legitimate grounds for processing
      • Unlawful possession of the data
      • There is a legal reason for erasure

7.5 RIGHT TO RESTRICTION OF PROCESSING (Article 18 GDPR)

  • Data subjects have the right to restriction of processing where any of the following apply:
      • The data subject contests the accuracy of the data
      • Lack of legitimate grounds for processing but the data subject does not require erasure

7.6 RIGHT TO DATA PORTABILITY (Article 20 GDPR)

  • Data subjects have the right to request the receipt of their personal data in order to transfer it to another data controller.

7.7 RIGHT TO OBJECT

  • Data subjects have the right to object to the use of their personal data for direct marketing

8. AUTOMATED DECISION MAKING DURING DATA PROCESSING

  • We do not use personal data for automated decision making with regard to data subjects.

9. FURTHER INFORMATION

9.1 FURTHER INFORMATION AND GUIDANCE

  • Further information and guidance may be obtained from the Information Commissioner’s Office (ICO):

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

9.2 CONTACT US

For specific information regarding the way we process personal data please contact our privacy officer

privacy@john-lord.co.uk

10. REVISIONS

| Date | Pages / Sections | Issue Status | Amendment Details |
|---|---|---|---|
| 13th March 2018 | All | Issue 1 | First issue of Policy |
