‘Personal data’ relates to a living individual. This data could be as simple as your name and email address, or more sensitive information, for instance, data relating to your health, race or religion. The processing of personal data is governed by the General Data Protection Regulation 2016 (“GDPR”).
As it would not be possible to provide our services without personal information relating to the project, ‘contractual necessity’ is our lawful basis for processing under the GDPR.
Contractual necessity is our primary lawful reason for processing your data, and a requirement for us to retain your information is bound into law.
Our professional bodies and our Professional Indemnity Insurance require us to process and retain your data as part of our project files, and doing so is in our legitimate interest.
In order to facilitate collaborative working, all permanent members of our team have access to live project files. We also have to share drawings and documentation with other members of the design team (Engineers, Interior Designers, Landscape Architects, Quantity Surveyors etc) as part of providing our service.
Our contracted cleaning company and landlord have access to our offices, and we use The Post Office and other national courier companies to send physical documents as needed. Our contracted IT provider also has access to all files within the business to enable them to support our architectural and admin teams.
Employee records are access controlled, with appropriate access granted to Directors, the IT team and first aiders.
You have the right to request copies of personal data held by the practice at any time. Requests to access, amend or delete data will be considered and responded to without undue delay.
In order to help facilitate compliance with the GDPR, we politely request that all contact with us be limited to email, letter, telephone and face-to-face meetings. The use of alternative text-based messaging platforms or social media cannot be accepted (this includes WhatsApp, iMessage and SMS).
In line with the requirements of our professional bodies and of our Professional Indemnity Insurance, we typically retain all project documentation electronically for no fewer than six years and no longer than seven years after your project is complete. This information includes drawings, contractual correspondence, project emails and other non-structured information. After this period, our records will be destroyed.
Drawings may be kept indefinitely for their historical, artistic or technical value. If we have lawful reason to do so, other records may also be kept for longer periods. For certain large projects, a longer retention period is outlined as part of our contract with you.
We maintain a list of all client names, and some structured project data relating to the client, which is kept indefinitely in order to provide a long-term audit trail, for fraud prevention and to provide enhanced customer service to repeat clients.
Employee records are kept for the duration of the employment contract. From the time an employee leaves the business, we periodically review the information retained with the aim of reducing the amount of data that we hold (for instance, health questionnaires get destroyed once the employee has left).
We keep copies of employment applications for six months from submission date, and a list of candidates for up to three years.
Unless otherwise communicated to you, your data will be stored on our internal servers and storage arrays. Backups will be made both within our business, and to a European datacentre. Printed copies of information may also be produced and stored. If your information leaves our network, for instance on an employee’s laptop, then it is typically encrypted to minimise the risk of it falling into the wrong hands.
We generally avoid issuing data via physical media, but if personal data must be sent via memory stick or DVD then it will be sent by special delivery (‘Signed For’).
We have policies in place to ensure an appropriate response to any data breach, be it something simple such as an incorrectly addressed email, or a serious attack on our network from a third party. These policies will ensure that the appropriate people are alerted following any breach (or suspected breach).
If you become aware of a breach, please contact the practice as soon as possible.
If you have any queries regarding this policy, or require additional clarification, please contact Daniel Vesma.