JDMA Website Privacy Statement
Purpose
The purpose of this privacy statement is to explain how JDMA Paving & Landscaping (JDMA) processes all personal data which is gathered in the course of its business. This will provide a framework against which JDMA fulfils its data protection responsibilities.
The Role of JDMA
JDMA is a data controller in so much that it determines the purpose and use of personal data collected in order to fulfil its obligations to its customers, employees and suppliers. In all cases, once personal data has been received it becomes the responsibility of the JDMA manager to ensure that it is processed in accordance with UK data protection legislation.
Duty of Confidentiality
JDMA requires all its staff to understand their duty of confidentiality to its customers when handling personal data. It will only be disclosed among the staff that need to know it and all reasonable measures will be taken to ensure it is kept secure when in use and disposed of responsibly or deleted when no longer needed.
JDMA also expects the same duty of confidentiality of third parties with whom JDMA shares personal data. Any sharing is kept to a minimum and is subject to scrutiny.
Why JDMA processes personal data and against which lawful basis
Only basic contact details are collected which are used in the preparation of quotations, invoices as appropriate and to facilitate any follow-up work that might be needed. The legal bases for processing your personal data will vary but typically JDMA will use a combination of legitimate interests (for casual enquiries), legal (for statutory obligations) and to fulfil its contractual obligations* (typically for customers). On rare occasions it may be necessary to seek a customer’s consent (normally verbally) to provide a supplier with contact details to effect deliveries, but only when JDMA cannot do this themselves. *The customer’s acceptance of a quotation forms the contract of work with JDMA. In all cases the processing of personal data by JDMA shall be:
- Processed fairly, lawfully and transparently;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary (and no more);
- Accurate and, when necessary, updated;
- Kept for no longer than is necessary; and
- Processed in a manner that ensures appropriate security.
With whom JDMA shares personal data
Depending on the nature of the requirement, the JDMA will share personal data with some or all of the following third parties:
- Suppliers, but only related to customer specific work;
- The Inland Revenue (HMRC) via the JDMA appointed accountant;
- Local solicitors appointed by JDMA;
- JDMA’s appointed accountant; and
- Unspecified recipients but only when compelled to do so for legal reasons.
Where JDMA processes personal data
Personal data provided to or collected by JDMA is processed in a home office of the JDMA administrator. Details of calls are kept in note form only and on-line enquiries (email) are stored on JDMA’s IT system, which is backed up to the Apple iCloud. This is covered by Apple’s Privacy Policy, see https://www.apple.com/uk/legal/privacy/en-ww/. Minimal customer contact details are stored on the JDMA manager’s mobile phone and that of the JDMA staff, and this is subject to the JDMA retention policy (see below).
How long we retain your personal data for
The JDMA will retain your personal data when a lawful basis exists, for no longer than is necessary and in accordance with its retention schedule, see below:
- Routine correspondence/ quotations with casual enquirers for which no work was agreed will be stored for only 12 months;
- Routine correspondence, quotations and other miscellaneous documentation and emails between you and the JDMA, relating to an agreed contract of work will be stored for 5 years after the point at which the work was completed;
- Records of your payments will be retained throughout the period of the contract and up to 7 years after the contract has ended to comply with HMRC requirements; and
- Exceptionally, documentation that includes personal data, may be retained by JDMA beyond the timelines shown above, but only for a specific purpose and when the JDMA manager believes there is a legitimate interest and/or a legal obligation to do so.
What we do with your personal data at the end of our retention period
At the end of the retention schedule, JDMA will either return, destroy or delete the relevant documentation, including quotations and emails. When it is technically impractical to delete all electronic copies of your personal data, it will be put beyond operational use. JDMA allows itself an administrative period of up to 1 month after the retention period has expired to fulfil its record deletion/ destruction obligations.
What happens if you contact the JDMA using this website portal
Enquiries made via the JDMA website ‘Contact us’ page will be directed as an email to the JDMA manager. He will handle it in accordance with the procedures set out in this privacy statement and other internal JDMA processes. No personal data is stored on the JDMA website server.
What visitor information is collected by the website host
For the purposes of website maintenance and security, the website host has access to user IP addresses collected at the time of website usage. The website also runs Google Analytics for the purpose of gathering of user statistics only. No attempt is made to identify users visiting the website. For more details, please read the cookie policy.
Links to other websites
The website may, occasionally include links to other websites that are relevant to JDMA business. If these are used, the visitor should be aware that JDMA has no responsibility for the processing of personal data by these linked websites.
Data subjects’ rights
Everyone (i.e. data subjects) covered by the GDPR has certain rights with regards to the way any business handles their personal data. It should be noted that these do not necessarily apply in all situations. For ease of visibility, the rights are listed directly below.
- Right to be informed;
- Right to access;
- Right to rectification (right to have records updated when necessary);
- Right to erasure (‘right to be forgotten’);
- Right to restrict processing;
- Right to data portability;
- Right to object; and
- Rights related to automated decision making and profiling (however JDMA does not use these techniques in its decision making).
In addition, everyone has the right to lodge a complaint directly to the Information Commissioner’s Office (ICO) without having to inform the relevant business beforehand. For more information on UK data protection matters, please visit www.ico.org.uk. If anyone has any concerns regarding the handling of their personal data or would like to exercise their rights, they are asked to contact the JDMA in the first instance by email using privacy@jdmapaving.co.uk
Updated April 2019