DATA PROTECTION

Data Protection Policy

Last updated: 01/10/2025

1. Purpose

The purpose of this policy is to ensure that True Craftsmen (“the Company”) complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to handling personal data lawfully, fairly, and transparently to protect the privacy of our clients, employees, contractors, and suppliers.

2. Scope

This policy applies to all personal data processed by True Craftsmen, whether in digital or paper form. It covers all employees, subcontractors, consultants, and third parties acting on behalf of the Company.

3. Data Protection Principles

True Craftsmen adheres to the following data protection principles:

a) Lawfulness, fairness, and transparency – Data is processed lawfully and in a way that individuals can understand.

b) Purpose limitation – Data is collected only for specified, legitimate purposes and not used in ways incompatible with those purposes.

c) Data minimisation – Only data necessary for the intended purpose is collected and processed.

d) Accuracy – Data is kept accurate and up to date.

e) Storage limitation – Data is retained only as long as necessary.

f) Integrity and confidentiality – Data is kept secure through appropriate technical and organisational measures.

g) Accountability – The Company is responsible for and can demonstrate compliance with these principles.

4. Legal Bases for Processing

True Craftsmen Ltd processes personal data under one or more of the following lawful bases:

· The individual has given consent.

· Processing is necessary for the performance of a contract.

· Processing is required for compliance with a legal obligation.

· Processing is necessary to protect vital interests.

· Processing is necessary for legitimate business interests, provided these are not overridden by individual rights.

5. Data Subject Rights

Individuals have the right to:

· Access their personal data (Subject Access Request).

· Request correction or deletion of their data.

· Restrict or object to processing.

· Withdraw consent at any time (where applicable).

· Request transfer of their data to another controller.

· Lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.

Requests to exercise these rights can be made by emailing info@truecraftsmen.co.uk.
We aim to respond within one month of receipt.

6. Data Security

True Craftsmen uses appropriate physical, technical, and organisational security measures to prevent unauthorised access, loss, misuse, or alteration of personal data. These include:

· Secure storage systems and access controls.

· Encrypted communication where appropriate.

· Regular staff training on data protection.

· Controlled access to personal data on a need-to-know basis.

Any suspected data breaches will be investigated immediately and, where required, reported to the ICO within 72 hours.

7. Data Retention

Personal data is retained only for as long as necessary to fulfil contractual, legal, or business purposes.
Once no longer required, data is securely deleted, anonymised, or archived according to our Data Retention Schedule.

8. Third-Party Processing

Where third-party service providers (such as subcontractors, cloud storage, or IT providers) process data on our behalf:

· They must sign a Data Processing Agreement (DPA).

· They are required to maintain equivalent security and confidentiality standards.

· They may not use the data for their own purposes.

9. Roles and Responsibilities

· Managing Director / Data Protection Lead – oversees compliance and acts as the main contact for data protection issues.

· Employees and subcontractors – must handle personal data responsibly and report any suspected breaches or security incidents immediately.

10. Data Breach Procedure

If a data breach occurs:

a) The Data Protection Lead will assess the risk and record details of the breach.

b) Affected individuals will be informed where there is a high risk to their rights or freedoms.

c) The ICO will be notified within 72 hours if the breach meets notification thresholds.

11. Training and Awareness

All employees receive data protection training appropriate to their role. Regular refresher sessions and updates are provided when laws or Company practices change.

12. Monitoring and Review

This policy is reviewed annually or when significant changes occur in legislation, business operations, or data-handling practices. Non-compliance with this policy may result in disciplinary action.