External Privacy Notice
Preface
Beva Group companies are committed to the principles of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and to ensuring that your privacy is protected.
The use of your personal information is governed by this Privacy Notice.
Within this notice “Beva Group”, “our”, “us” and “we” each mean all the companies in the group including but not limited to;
- Beva Investments Ltd
- Beva Build Ltd
- Merlin Trafford Park Ltd
- Hamer Vale Estates Ltd
- Rochdale Estates Company Ltd
and any respective parent companies and subsidiaries which collect and use your information.
References to “you” or “your” refers to anyone whose personal information we process.
1. Introduction
Our use of your personal data will be governed by this Privacy Notice.
Beva Group is a data controller for the personal information that it collects and uses about you. We will treat your personal information as confidential and in accordance with applicable data protection legislation and your personal information will only be shared with others in accordance with this Privacy Notice.
This Privacy Notice explains;
- What personal information is
- How we collect your personal information
- The types of personal information we collect
- How we use your personal information
- The legal basis for processing your personal information
- How we share your personal information
- How long we keep your personal information
- How we keep your personal information secure
- Overseas transfers of your personal information
- Your rights in relation to your personal information
- How to make complaints and how to contact us
- Other Relevant Information
If there are any changes to the way in which your personal information is used, this Privacy Notice will be updated.
2. What is personal information
Personal information is any information that tells us something about you. This could include information such as name, contact details, date of birth, bank account details or any information about your needs or circumstances which would allow us to identify you.
Some personal information is classified as “special” data under data protection legislation. This includes information relating to health, racial or ethnic origin, religious beliefs or political opinions and sexual orientation. This information is more sensitive and we need to have further justifications for collecting, storing and using this type of personal information. There are also additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data.
Any references to personal information in this privacy notice will include personal data, and where relevant, special categories of personal data.
3. What personal information do we collect?
We will generally request your full name, company name, job title and contact details (such as phone number, email address and postal address) from you whenever you engage with us (by phone, email, web enquiry or meeting in person)
Occasionally, this information is provided to us by third parties such as property agents, development agencies, occupiers or contractors.
We may collect further, more detailed information following initial enquiry or introduction. The nature and extent of personal information gathered will depend on the service you are requesting from us or providing to us.
For example*;
A property rental/purchase enquiry will require further details about your company and the nature of business, its physical space requirements, its financial standing, VAT and company numbers, solicitors details, other relevant contacts within the business.
A contractor working on a building site will be required to provide all relevant H&S information, insurances, bank and CIS details. The workers the contractor sends to work on that site will have to provide emergency contact details and any relevant health information which may affect their safety on site.
We do not aim to collect “special” data (as described in 2. above) unless it is specifically relevant to an individual’s health and safety on site. No “special” data that is volunteered by you in regard to the other categories of “special” data will be noted down or saved with your contact information.
4. How we use your personal information
We use your personal information;
- to provide you with/or offer you our services
- to use your services
- to communicate with you in relation to either of the above
5. The legal basis for processing your personal information
Personal Information is processed by us under the following lawful basis;
Contract – the processing is necessary for a contract we have with you, or because the information is required as a pre-requisite to entering into a contract with you.
Examples*: You are an existing occupier. You make a property enquiry or development enquiry. You are a contractor working for us or in our buildings. We ask you to provide a quotation for works or equipment. We provide CCTV coverage to your site for the security of your unit, visitors and employees.
Legal Obligation – processing is necessary for compliance with legal obligation to which we are subject.
Examples*: Provision and storage of data to Inland Revenue/HMRC for CIS and VAT. Retention of JCT and/or warranty information. Retention of Insurance details both yours and ours. Requesting relevant health conditions and emergency contact details whilst working on our sites for H&S purposes.
Legitimate Interests – processing is necessary for the legitimate interests pursued by us or a third party, except where such interests are over-ridden by the interests or fundamental rights and freedoms of you which would require protection of your personal data, in particular if you are a child.
Examples*: We have previously had a contract with you and may enter into another one in the future. Requesting relevant health conditions and next of kin details whilst working on our sites. We provide CCTV coverage to your site for the security of your unit, visitors and employees. We provide you with general or specific information that we feel is relevant to you on occasion. Providing your requirements to third parties to enable us to provide a service or quotation.
Special Category Data – Health only
We only process special category data where it relates to the health of an operative working on our building sites.
6. How we share your personal information
We will never sell your personal information.
We may share your personal information;
- With our employees who use it within the course of their employment
- External organisations that support the services we provide to you
- Official bodies as is our legal obligation or in the prevention/detection of criminal activity
- With those making a subject access request in regard to CCTV images (if applicable)
Any data disclosure will only be relevant to the particular requirements of that contract or individual request, event or situation.
Information will be handled in accordance with the guidelines of the DPA 2018 and GDPR
7. How long we keep your personal information
The length of time we retain your data will depend of the nature of the relationship, but we will not retain your personal data for longer than is necessary.
Generally, personal data will only be retained whist there is a legitimate business interest to do so. If no business enquiry, transaction or order is made between our 2 parties for a period of 6 years we will generally destroy our files.
Other information may be kept much longer as is may be necessary to fulfil our legal obligations and/or need to retain the information in case of a legal claim. This is particularly relevant in relation to property leases and sales and H&S on site.
8. How we keep your personal information secure
The security of your personal information is very important to us.
Manual files are retained within our secure offices or within our secure archive. Access is restricted to relevant employees.
Electronic files are retained on our secure server, which can only be accessed by employees with a current username and password. There are restrictions in place on the specific data that can be accessed dependent on role. Backups are made regularly to a secure data centre.
Emails and attachments are retained within a secure hosted data centre. Emails can only be accessed by employees with a current username and password. There are restrictions in place on the specific data that can be accessed dependent on role.
The secure data centre is a fully ISO27001 certified datacentre and is NSI Gold Approved. Our external IT support are required to provide multifactor authentication credentials before being allowed access to any hosted systems with only role-based privileges. All access is fully logged and reviewed on an ongoing basis.
Personal data, both current and archived, is only accessed when necessary or requested in line with the appropriate legal basis for processing.
CCTV images are only accessible by relevant employees. They are stored on secure locations on physical servers, where access is physically and electronically restricted. All CCTV data is encrypted.
9. Overseas transfers of your personal information
We do not transfer your data outside of the EU
All of our electronic and hosted data is held at a secure data centres within the UK
10. Your rights in relation to your personal information
The GDPR provides the following rights for individuals:
- The right to be informed
The External Privacy Notice (this document) provides you with the information you need in regard to our use of your personal data. This document is updated regularly and readily available from our website www.beva.co.uk/privacy/
- The right of access
You have the right to confirmation we hold your personal data, to obtain a copy of your personal data as well as supplementary information. This is often referred to as a Subject Access Request.
A reasonable fee may be charged if requests are manifestly unfounded or excessive. Or if further copies are required.
- The right to rectification
You have the right to have any inaccurate information corrected, or incomplete data completed.
- The right to erasure
You have the right to be forgotten and your personal data erased
This right is not absolute and does not apply in all circumstances
- The right to restrict processing
You have the right to limit the way we use your data. This is normally time limited and is closely attached to the rights of rectification and erasure.
- The right to data portability
You have the right to obtain and re-use your personal data where applicable
- The right to object
You have the right to object to your personal data being processed
This right is not absolute and does not apply in all circumstances
Detailed guidance regarding these rights and the applicable timescales for response is available from the ICO website.
We will always attempt to work with you in regard to these rights and will assess any request on a case by case basis.
11. How to make complaints and how to contact us
The Registered Office (and principal place of business) of each of the individual companies is;
Chichester Business Centre
Chichester Street
Rochdale
OL16 2AU
T 01706 710 740
F 01706 710 536
You may contact us by email, post, via our website, telephone or fax.
We have not appointed a Data Protection Officer as we are not required to and our processing of personal data is minimal and simplistic. Data Protection/Subject Access Requests will be passed to a Director and/or the Office & Security Manager at the stage of initial enquiry.
If you’re unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO).
12. Other Relevant Information
CCTV
The Beva Group controls CCTV systems on various developments.
The relevant Beva Group companies are registered on the ICO’s Data Protection Register, specifically, though not exclusively, for their management and operation of CCTV systems. The security systems are operated with reference to the ICO’s CCTV Code of Practice.
CCTV images are monitored by security personnel for the detection and prevention of crime.
CCTV images may also be used to monitor staff when carrying out work duties.
Recorded images may be accessed by relevant employees as part of an internal/external investigation or in response to a Subject Access Request.
The extent of personal data contained within images is assessed for its impact prior to distribution to third parties with reference to the ICO’s CCTV Code of Practice.
Access Controls
The Beva Group manages the access control system on various developments and individual premises. We do not retain personal information in regard to individual holders of fobs/cards, only the company to which they are allocated.
The company to which they are allocated to is responsible to keep details of who each device is allocated to (if relevant) and to keep that information secure. Offline systems do not hold any personal data. Online systems can hold personal data, if information recorded on these systems is to be used for any purpose other than access or egress you must inform your users as appropriate.
Programming devices are kept in a secure location only accessible by relevant individuals.
Website cookies
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
* any examples provided in this document are for demonstration purposes only. The examples given are neither exclusive nor exhaustive.