Definitions and Interpretation
In this Policy the following terms shall have the following meanings:
means an account required to access and/or use certain
means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003;
means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means personal data that you give to Us via Our Site. This definition shall, where applicable, incorporate the definitions provided in the Data Protection Act 1998 or EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”); and
Our Data Protection Officer is Diane Searl, and can be contacted by email at firstname.lastname@example.org, by telephone on 01376349929, or by post at West End Barn, The Street, Rayne, Braintree, Essex. CM77 6RY.
Edward Parsley Associates Limited value and are committed to protecting and respecting your privacy.
This policy explains when and why we collect information about our clients, how we use it, the conditions under which
we may disclose it to others and how we keep it secure.
Who are we?
Edward Parsley Associates Limited is a Structural and Architectural Services company offering our expertise in home
extensions, new builds, renovations, major commercial developments and large industrial projects in both the public
and private sector.
The Registered and Trading Address is West End Barn, The Street, Rayne, Braintree, Essex. CM77 6RY.
How do we collect information from you?
We obtain information from you from your initial contact with us either by telephone, through our website, by email,
social media or in person with one of our Directors or members of staff.
What type of information is collected from you?
The information we collect may include your Name, Business Name, Address, Email address and telephone number.
How is your information used?
1. We may use the information to:-
Carry out the services required
Notify you of any changes to our services (i.e. office closure times)
Lawful basis for processing of data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever
we process personal data:
The individual has given clear consent for you to process their personal data for a specific purpose. This purpose
being – as set out in paragraph (1) above.
Who has access to your information?
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
Edward Parsley Associates Ltd
West End Barn, The Street, Rayne, Braintree, Essex, CM77 6RY
Third Party Service Providers working on our behalf:
We may pass your information to our third party service providers for the purpose of completing tasks and
providing services to you on our behalf (for example surveys, soil investigations, Laboratory testing).
However, when we use third party service providers, we disclose only the information that is necessary to deliver
the service and we have a contract in place that requires them to keep your information secure and not to use it
for their own direct marketing purposes. Please be assured that we will not release any information to third parties
outside the Edward Parsley Associates Limited network unless we are required to do so by law, for example, by a court
order or for the purpose of prevention of fraud or other crime.
Third Party Product Providers we work in association with:
We work closely with various third party providers to bring you a range of quality and reliable services designed to
meet the needs of you, our customers. When your project requires one or more of these services, the relevant third
party service provider will use your details to provide you with information and carry out their obligations arising
from any contracts you have entered into with them. In some cases they will be acting as a Data Controller of your
We may transfer your personal information to a third party as part of a sale of some or all of our business and
assets to any third party or as part of any business restructuring or reorganisation, or if we are under a duty to
disclose or share your personal data in order to comply with any legal obligation or to enforce or apply our terms
of use to protect the rights, property or safety of our supporters and customers. However, we will take steps with
the aim of ensuring that your privacy rights continue to be protected.
This Policy sets out the obligations of Edward Parsley Associates Limited, a company registered in United Kingdom under number 4669284, whose registered office is at West End Barn, The Street, Rayne, Braintree, Essex. CM77 6RY (“the Company”) regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.
Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);
When the data subject withdraws their consent;
When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
Where the personal data is processed for the provision of information society services to a child.
This Policy sets out the type(s) of personal data held by the Company for Architectural and Structural Engineering Services purposes, the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.
Data subjects are kept fully informed of their rights, of what personal data the Company holds about them, how that personal data is used (as set out in Parts 12 and 13 of the Company’s Data Protection Policy), and how long the Company will hold that personal data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).
Data subjects are given control over their personal data held by the Company including the right to have incorrect data rectified, the right to request that their personal data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Data Retention Policy), the right to restrict the Company’s use of their personal data, the right to data portability, and further rights relating to automated decision-making and profiling (as set out in Parts 14 to 20 of the Company’s Data Protection Policy).
5. Technical and Organisational Data Security Measures
The following technical measures are in place within the Company to protect the security of personal data. Please refer to Parts 22 to 26 of the Company’s Data Protection Policy for further details:
All emails containing personal data must be encrypted;
All emails containing personal data must be marked “confidential”;
Personal data may only be transmitted over secure networks;
Personal data may not be transmitted over a wireless network if there is a reasonable wired alternative;
Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself and associated temporary files should be deleted;
Where personal data is to be sent by facsimile transmission the recipient should be informed in advance and should be waiting to receive it;
Where personal data is to be transferred in hardcopy form, it should be passed directly to the recipient (or sent using Royal Mail).
No personal data may be shared informally and if access is required to any personal data, such access should be formally requested from Directors.
All hardcopies of personal data, along with any electronic copies stored on physical media should be stored securely;
No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without authorisation;
Personal data must be handled with care at all times and should not be left unattended or on view;
Computers used to view personal data must always be locked before being left unattended;
No personal data should be stored on any mobile device, whether such device belongs to the Company or otherwise (without the formal written approval of Directors) and then strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the Company’s Data Protection Policy and the GDPR.
All personal data stored electronically should be backed up daily with backups stored onsite. All backups should be encrypted;
All passwords used to protect personal data should be changed regularly and must be secure.
Under no circumstances should any passwords be written down or shared. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
All software should be kept up-to-date. Security-related updates should be installed as soon as reasonably possible after becoming available.
No software may be installed on any Company-owned computer or device without approval; and
Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Office Manager to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.
The following organisational measures are in place within the Company to protect the security of personal data. Please refer to Part 27 of the Company’s Data Protection Policy for further details:
All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all relevant employees are held to the same conditions as those relevant employees of the Company arising out of the GDPR and the Company’s Data Protection Policy;
Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under the GDPR and/or the Company’s Data Protection Policy, that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Upon the expiry of the data retention periods set out below in Part 7 of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
Personal data stored electronically (including any and all backups thereof) shall be archived securely using the ‘put beyond use’ method.
Special category personal data stored electronically (including any and all backups thereof) shall be archived securely using the ‘put beyond use’ method.
Personal data stored in hardcopy form shall be shredded to at least level 3 and recycled.
The category or categories of data subject to whom the data relates;
If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise).
In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.
The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the GDPR and other applicable data protection legislation.
The Data Protection Officer shall be directly responsible for ensuring compliance with the above data retention periods throughout the Company.