DATA PROTECTION STATEMENT

Introduction

Your personal data is data which by itself or with other data available to us can be used to identify you. We are JPC Decor Limited, the data controllers. This data protection statement sets out how and why we will use your personal data. You can contact our Data Protection Lead, John Cawood, at johncawoodatjpcdecor@gmail.com if you have any questions.

Where there are two or more people named, this data protection statement applies to each person separately.

The types of personal data we collect and use

Whether or not you become a customer, we will use your personal data for the reasons set out below and if you become a customer we will use it in the course of our contractual business with you. We will collect this personal data directly. The personal data we use may be about you as a personal or business customer and may include:

• Full name and personal details including:
  • Home address
  • Business address
  • Contact home, business and mobile telephone numbers
  • Email addresses

Providing your personal details

We’ll tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases you must provide your personal data so we can honour our contract with you (unless you are an existing customer and we already hold those details).

Using your personal data: the legal basis and purpose

We’ll process your personal data:

1. As necessary to perform our contract with you for the relevant policy or service:
   1. To take steps at your request before entering into it;
   2. To decide whether to enter into it at our discretion;
   3. To manage and perform that contract;
   4. To update our records; and
   5. To trace your whereabouts to contact you about your account and recovering debt.

2. As necessary for our own legitimate interests or those of other persons and organisations, e.g. For good governance, accounting, and managing and auditing our business operations

3. As necessary to comply with a legal obligation, e.g.:
   1. When you exercise your rights under data protection laws and make requests;
   2. For compliance with legal and regulatory requirements and related disclosures.

4. Based on your consent, e.g.:
   1. When you request us to disclose your personal data to other people or organisations, or otherwise agree to disclosures;
   2. To send out marketing communications where we have asked for your consent to do so.

You’re free at any time to change your mind and withdraw your consent. This can be done by recorded delivery sent to our registered office which is currently Bromley House, 2 Bromley Road, Lytham St Annes, FY8 1PQ. The consequence of this might be that we can’t do certain things for you.

Sharing of your personal data

Subject to applicable data protection law, we may share your personal data with:

• Subcontractors and other persons who help us to provide our products and services;
• Companies and other persons providing services to us;
• Our accountants in the course of maintaining our financial records;
• Our legal and other professional advisors, including our auditors;
• Government bodies and agencies in the UK and overseas (e.g. HMRC, the Information Commissioner’s Office)
• Courts, to comply with legal requirements, and for the administration of justice;
• In an emergency or otherwise to protect your vital interests;
• To other parties who provide a service where you have indicated that you are looking for such service;
• Anyone else where we have your consent or where it is required by law.

Your marketing preferences

We may use your home address, phone numbers, email address and social media (e.g. Facebook, twitter, google) to contact you according to your preferences. You can change your preferences or unsubscribe at any time by contacting us. In the case of social media messages, you can manage your social media preferences via that social media platform.

Your rights under applicable data protection law

Your rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from May 2018):

• The right to be informed about our processing of your personal data;
• The right to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed;
• The right to object to processing of your personal data (this right exists from the point of first communication);
• The right to restrict processing of your personal data;
• The right to have your personal data erased (the “right to be forgotten”);
• The right to request access to your personal data and information about how we process it;
• The right to move, copy or transfer your personal data (“data portability”); and
• Rights in relation to automated decision making including profiling.

Requests made in relation to your data rights

Any requests made to JPC Decor Limited in relation to any of the above rights should be directed to our Data Protection Lead Staff Member. If JPC Decor Limited is within its rights under the GDPR to refuse this request, you shall be informed of this decision as soon as possible.

Information given as a response to requests made under the above-named rights will ordinarily be provided free of charge to the requestee. However, JPC Decor Limited reserves the right to charge a reasonable fee when a request is manifestly unfounded or excessive, or where we are asked to comply with requests for further copies of the same information.

The required information will be provided within one month of receipt of a valid request. JPC Decor Limited reserves the right to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you will be informed within one month of the receipt of the request and we will explain why the extension is necessary.

Any requests made verbally will be recorded under the terms set out by our data request recording policy below.

Data Protection Impact Assessment (DPIA)

If and when JPC Decor Limited undertakes any new project where data processing is likely to result in a high risk to the rights and freedoms of natural persons, JPC Decor Limited will ensure that a Data Protection Impact Assessment is conducted to help identify, mitigate and minimise any privacy risks.

RECORDS MANAGEMENT POLICY

This policy applies to the management of all documents and records, in all technical or physical formats or media, created or received by JPC Decor Limited in the conduct of its business activities. It applies to all staff, contractors, consultants and third parties who are given access to our documents and records and information processing facilities.

JPC Decor Limited makes every effort to create and manage records efficiently, make them accessible where possible, protect and store them securely and dispose of them safely at the right time (in conjunction with our Retention and Disposals Policy).

JPC Decor Limited conducts its records management in line with the relevant legislation, namely:

• The Data Protection Act 1998
• The Freedom of Information Act 2000
• Privacy and Electronic Communications Regulations 2003
• The Environmental Information Regulations 2004
• General Data Protection Regulation 2018

Records will only be kept when it is necessary for the operation of the business.

Regular reviews of JPC Decor Limited’s records management will be undertaken to identify, assess and manage records management risks. Where it is identified that a risk exists, steps will be taken to rectify such risk. Where it is identified that a record in any format is no longer necessary, that record will be erased.

All digital records of personal information will be held on devices secured by our Information Security Policy and internal information security procedure.

Recording Data Access Requests

JPC Decor Limited will keep a physical copy of any subject access requests made in relation to an individual’s GDPR rights on a designated document.

This will be not be stored digitally, and will include only the very necessary details to make a record of the request.

Retention and Disposal of Data

JPC Decor Limited understands that personal data held by us shall only be used for a legitimate business purpose and shall be disposed of at such time that it is no longer necessary to hold the information.

Personal data held by JPC Decor Limited in the performance of a contract will be held for as long as is necessary to ensure the completion of that contract. Where there is an expectation of future work relating to that personal data, JPC Decor Limited will continue to hold the personal data after the performance of a contract has been completed but for no longer than 6 years.

Personal data held by JPC Decor Limited with a person’s express consent is held for as long as is considered reasonable given the nature of that consent and the purpose for which it was obtained. Any personal information held by consent will be regularly reviewed by the company.

Personal data held JPC Decor Limited’s legitimate interest will be held for the length of time as such a legitimate interest exists but only if that interest is not overridden by the individual’s own overriding personal rights.

Where legal or regulatory requirements apply for the retention of specific data, that data shall be retained for at least the minimum amount of time dictated by those requirements, but will be disposed of on expiry of those requirements.

Where a valid request of erasure is received, JPC Decor Limited will dispose of all the personal data it holds under that request without delay in accordance with our operating procedures.

The retention and disposal of personal data held by JPC Decor Limited shall be the responsibility of the designated Data Protection Lead staff member.

INFORMATION SECURITY POLICY

JPC Decor Limited understands the requirements of confidentiality, integrity and availability for the personal data we process.

JPC Decor Limited uses personal computers and mobile devices in the course of our business. These devices will often hold your personal data and so we take the security of these devices very seriously.

All JPC Decor Limited computers and mobile devices are secured by anti-virus software and other such digital security measures as we may think fit from time to time. They are also restricted by passwords that staff members are encouraged to keep robust.

JPC Decor Limited also makes sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.

Information Security will regularly be reviewed, and any identified threats, vulnerabilities, and potential impacts which are associated with JPC Decor Limited’s activities and information will be logged and analysed.

Physical copies of any personal or sensitive information shall be stored securely in line with our security procedure.

You have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law: ico.org.uk.

For more details on all the above you can contact our Data Protection Lead staff member by phone or email at johncawoodatjpcdecor@gmail.com or on 01253 781379

These policies will be reviewed every 12 months or more frequently as required to ensure that the Procedures remain compliant with the General Data Protection Regulation.