DATA PROTECTION POLICY

Last Reviewed: May 2019

OVERVIEW

Sampson Associates is committed to ensuring that your privacy and personal data is protected. However in order for us to provide the best service, we need to gather and use your information or ‘data’. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.

The privacy policy sets out how Sampson Associates uses and protects any personal data (defined as data from which a living individual can be identified, including email addresses) you share with us, any data which we hold about you, how we collect, process, protect and share that data.

Sampson Associates will process all personal data lawfully, fairly and in a transparent matter. This data will be collected and processed only for specific, explicit and legitimate purposes, and will be limited to what is necessary for the purposes for which it is processed.

We will keep your data accurate and will delete any inaccurate data without undue delay and we will keep this information no longer than for which is necessary.

WHAT DATA WE COLLECT

We may collect the following data/information but is not limited to:

  • Name and job title

  • Postal addresses

  • Contact Information including email address

  • Details of your property and land ownership

  • Any other information relevant to your project such as any surveys, easements, covenants which may impact on the design or construction of the project.


WHAT WE DO WITH THIS DATA

We require this information to understand your needs and provide you with the best service.

Generally, we will use your personal data for the following purposes:

  • Administration of projects;

  • Completion of planning application forms (and any other statutory application form);

  • Issuing of invoices;

  • Preparation of appointment documents and building contracts;

  • Issuing certification associated with administration of building contracts.

Sampson Associates will keep this information confidential and we will only disclose the necessary information with other third parties with your express consent with the exception of the following:

  • insurance companies, loss adjusters, regulatory authorities and other fraud prevention agencies for the purposes of fraud prevention and to comply with any regulatory issues.

  • any contractors or consultants that are providing a service to your project, or any potential contractors or consultants who are tendering to provide a service to your project.

  • any legal or crime prevention agencies and/or to satisfy any regulatory request if we have a duty to do so, or if the law allows us to do so.

  • anyone to whom we may transfer our rights and duties under any agreement we have with you.

Sampson Associates will not send your personal data outside the European Economic Area (EEA), nor sell on or rent out the information collected.

Our website is hosted by by Squarespace. In recognition of the global nature of their user base, Squarespace Ireland Limited, their Irish entity, is going to provide services to users outside of the US. For users who are not residents of or who do not have their principal place of business in the US, the Terms of Service will be an agreement with Squarespace Ireland Limited and the laws of Ireland will apply. They have restructured their Privacy Policy to be clearer about the ways they collect, use, process, and share personal information. It also explains rights and choices we have over our personal information (and that of visitors to our Squarespace site), including the ability to access, correct, and delete personal information. Their privacy policy can be read at https://www.squarespace.com/privacy-new/ As noted in their Privacy Policy, Squarespace rely upon a number of means to transfer personal information which is subject to the European General Data Protection Regulation (“GDPR”) in accordance with Chapter V of the GDPR.  These include:

  • Privacy Shield. Squarespace transfer, in accordance with Article 45 of the GDPR, personal information to companies that have certified their compliance with the EU-U.S. or Swiss-U.S.

  • Privacy Shield Frameworks (each individually and jointly, the “Privacy Shield”), including Squarespace, Inc.

  • Standard Data Protection Clauses. Squarespace may, in accordance with Article 46 of the GDPR, transfer personal information to recipients that have entered into the European Commission approved contract for the transfer of personal data outside the European Economic Area.

  • Other means. Squarespace may, in accordance with Articles 45 and 46 of the GDPR, transfer personal information to recipients that are in a country the European Commission or a European data protection supervisory authority has confirmed, by decision, offers an adequate level of data protection, pursuant to an approved certification mechanism or code of conduct, together with binding enforcement commitments from the recipient to apply the appropriate safeguards, including as regards data subjects’ rights, or to processors which have committed to comply with binding corporate rules.


DATA RETENTION & DESTRUCTION

We shall retain data in line with our Data Retention Policy which will detail standard periods for holding different types of information to meet the operational and statuary obligations of the company, and to comply with legal and other requirements.

To meet the requirements of GDPR Article 5, data must be held no longer than is necessary. Deeming how long it is necessary to retain information will depend on a number of factors, including:

  • statutory requirements and limitation periods;

  • known industry best-practice and regulatory requirements;

  • the operational needs of Sampson Associates;

  • the difficulty of ensuring that the information remains accurate;

  • the costs, risks and liabilities of retaining that data.

Where personal data is destroyed or deleted, it must be done securely, and in a way that ensures it is put ‘beyond use’.

DATA SECURITY

Sampson Associates are committed to ensure that your information is secure. In order to prevent unauthorised access or sharing of your data, we have put in place appropriate physical, electronic and managerial procedures to protect the information we have collected.

DATA SUBJECT ACCESS RIGHTS

The General Data Protection Regulations (GDPR) grants you (hereafter referred to as the “data subject”) the right to access particular personal data that we hold about you. This is referred to as a subject access request. We shall respond promptly, and certainly within one month from the point of receiving the request and all necessary information from you. Our formal response shall include details of the personal data we hold about you, including the following:

  • sources from which we acquired the information;

  • the purposes for processing the information; and

  • persons or entities with whom we are sharing the information.

RIGHT TO RECTIFICATION - The data subject shall have the right to obtain from us, without undue delay, the rectification of inaccurate personal data we hold concerning you. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

RIGHT TO BE FORGOTTEN - The data subject shall have the right to obtain from us the erasure of their personal data without undue delay.

Subject to exemptions, the data subject shall have the right to obtain from us restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject and is restricted until the accuracy of the data has been verified;

  • the processing is unlawful and the data subject oppose the erasure of the personal data and instead request the restriction on its use;

  • we no longer need the personal data for the purposes of processing, but it is required by the data subject, for the establishment, exercise or defence of legal claims;

  • the data subject has objected to the processing of their personal data pending the verification of whether there are legitimate ground for us to override these objections.

RIGHT TO ACCESS - The data subject shall have the right to receive their personal data, which has been provided to us in a structured and legible format and have the right to issue this data to another controller, without hindrance from us.

RIGHT TO OBJECT - The data subject, shall have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you, including any personal profiling; unless this relates to processing that is necessary for the performance of a task carried out in the public interest or an exercise of official authority vested in us. We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

We do not carry out any automated processing, which may lead to an automated decision based on your personal data.

If you would like to invoke any of the above data subject rights with us, please write to us at Unit J205-206, The Biscuit Factory, 100 Clements Road SE16 4DG or email hello@sampsonassociates.co.uk

In order to provide the highest level of customer service possible, we need to keep accurate personal data about you. We take reasonable steps to ensure the accuracy of any personal or sensitive information we obtain. We ensure that the source of any personal data or sensitive information is clear and we carefully consider any challenges to the accuracy of the information. We also consider when it is necessary to update the information, such as name or address changes and you can help us by informing us of these changes when they occur.

POLICY REVIEW

This Privacy Policy is regularly reviewed (at least annually). This is to make sure that we continue to meet the highest standards and to protect your privacy. We reserve the right, at all times, to update, modify or amend this Policy. We suggest that you review this Privacy Policy from time to time to ensure you are aware of any changes we may have made, however, we will not significantly change how we use information you have already given to us without your prior agreement.

DATA BREACH

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Sampson Associates shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office (ICO).

GETTING IN TOUCH

If you have any questions or queries which are not answered by this Privacy Policy, or have any potential concerns about how we may use the personal data we hold, please write to us at Unit J205-206, The Biscuit Factory, 100 Clements Road SE16 4DG or email hello@sampsonassociates.co.uk

If you have a complaint regarding the use of your personal data or sensitive information then please contact us by writing to us at Unit J205-206, The Biscuit Factory, 100 Clements Road SE16 4DG or email hello@sampsonassociates.co.uk

If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information Commissioner's Office (ICO), you can contact them on 01625 545745 or 0303 123 1113. You also have the right to judicial remedy against a legally binding decision of the ICO where you consider that your rights under this regulation have been infringed as a result of the processing of your personal data. You have the right to appoint a third party to lodge the complaint on your behalf and exercise your right to seek compensation.