Data Protection Policy
1. Introduction
Commercial Roofing Contractors is committed to protecting the privacy and security of personal data. This Data Protection Policy explains how we collect, use, store, and protect personal information in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws.
2. Scope
This policy applies to all employees, contractors, and third parties handling personal data on behalf of Commercial Roofing Contractors. It covers all personal data relating to customers, suppliers, employees, and any other individuals with whom we interact.
3. Principles of Data Protection
We process personal data in line with the following principles:
- 3.1 Lawfulness, Fairness and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
- 3.2 Purpose Limitation: Data must be collected for specific, explicit, and legitimate purposes.
- 3.3 Data Minimisation: We only collect data necessary for the stated purposes.
- 3.4 Accuracy: Personal data must be accurate and kept up to date.
- 3.5 Storage Limitation: We retain personal data only as long as necessary.
- 3.6 Integrity and Confidentiality: Data must be processed securely to protect against unauthorised or unlawful processing and accidental loss.
4. Legal Basis for Processing
We will only process personal data where we have a lawful basis to do so, which may include:
- Consent of the data subject.
- The performance of a contract.
- Compliance with a legal obligation.
- Legitimate business interests, provided these do not override individual rights.
5. Types of Personal Data We Collect
We may collect the following types of personal data:
- Names, addresses, email addresses, and telephone numbers.
- Employment details for staff and contractors.
- Financial details such as bank account information (for payments).
- Project-related information necessary for carrying out our services.
6. How We Use Personal Data
We process personal data for the following purposes:
- Delivering our services to customers.
- Managing supplier and subcontractor relationships.
- Communicating with customers about projects and services.
- Meeting legal, regulatory, and contractual obligations.
- Maintaining accurate business and financial records.
7. Data Sharing
We will not share personal data with third parties unless:
- It is necessary for delivering our services.
- We are legally required to do so.
- We use trusted third-party service providers (e.g., IT, payroll, or cloud services) under strict contractual obligations.
8. International Transfers
If personal data is transferred outside the UK, we will ensure appropriate safeguards are in place, such as the use of standard contractual clauses or confirmation that the receiving country provides adequate protection.
9. Data Security
We implement appropriate technical and organisational measures to keep personal data secure, including:
- Secure storage systems and password-protected access.
- Encryption where appropriate.
- Regular security audits and staff training on data protection.
10. Data Retention
Personal data will be retained only for as long as necessary to fulfil the purposes for which it was collected or as required by law. Data no longer required will be securely deleted or anonymised.
11. Individual Rights
Under UK GDPR, individuals have the following rights:
- The right to be informed about how their data is used.
- The right to access their personal data.
- The right to rectify inaccurate or incomplete data.
- The right to erasure (“right to be forgotten”).
- The right to restrict or object to processing.
- The right to data portability.
All requests relating to individual rights will be handled within the required legal timeframes.
12. Data Breaches
In the event of a data breach, we will:
- Take immediate steps to contain and assess the breach.
- Notify the Information Commissioner’s Office (ICO) within 72 hours if required.
- Inform affected individuals if there is a high risk to their rights and freedoms.
13. Responsibilities
- The Data Controller for Commercial Roofing Contractors is A Bright, who is responsible for ensuring compliance with this policy.
- All employees and contractors are required to follow this policy and attend data protection training as needed.
14. Policy Review and Updates
This Data Protection Policy will be reviewed annually and updated as necessary to reflect changes in legislation, business practices, or organisational structure.
15. Contact
If you have any questions about this policy or wish to exercise your data protection rights, please contact:
📧 dpo@commercialroofingcontractors.uk
Last updated: August 2025