GDPR DATA PROTECTION POLICY
Maintaining the security of personal data is a priority of Pendragon (Design and Build) Limited, and we are committed to respecting privacy rights. We undertake to handle personal data fairly and legally at all times and we are also dedicated to being transparent about what data we collect from individuals and how we may use such data.
We hold personal data about our employees, clients, suppliers and service providers for a variety of business purposes. This policy aims to explain the types of personal data Pendragon (Design and Build) Limited may collect when an individual interacts with us, whether they visit our developments, offices, use a mobile device or go on line. It also aims to explain how we will process, share and keep personal data. This Policy sets out how we seek to protect personal data and ensure that employees understand the rules governing the use of personal data to which they have access in the course of their work.
We hope this will answer any questions, but if further information is required, please get in touch with us.
Who is Pendragon (Design and Build) Limited?
Pendragon (Design and Build) Limited is a registered company in England and Wales (Registration No1789541). We will gather and process personal information in accordance with this privacy notice and in compliance with the relevant data protection regulation and law. This notice provides the necessary information regarding rights and obligations, and explains how, why and when we collect and process personal data.
Why do we collect personal data?
We may collect and process personal data for a number of reasons. These reasons include:
so that we may comply with any legal obligation we have;
in order to comply with our duties and exercising our rights under a contract with an individual;
the pursuit of our legitimate interests (as set out below); or
where an individual has consented to the processing.
Personal data we gather may include:
information relating to identifiable individuals such as job applicants, current and former employees, agency, contract and other employees, clients, suppliers, service providers and marketing contacts;
individuals' contact details, address, financial and pay details;
details of training achievements, proof of right to work in the UK, job title and CV;
sensitive personal data: personal data about an individual's physical or mental health or condition, criminal offences, or related proceedings — any use of sensitive personal data will be strictly controlled in accordance with this Policy;
information provided by individuals:
when they contact us in person, on our website, over the telephone, by e-mail or by post;
at the time of reserving a property to purchase from us;
at the time of purchasing options and extras from us;
during the course of purchasing a property from us;
for the purpose of any repairs that may be necessary during the 12 months defects liability period.
Our legitimate interests
The normal legal basis for processing customer data, is that it is necessary for the legitimate interests of Pendragon (Design and Build) Limited, including:
selling and supplying our homes and services;
protecting customers, employees and other individuals and maintaining their health, safety and welfare;
promoting, marketing and advertising our products and services;
understanding our customers’ behaviour, activities, preferences and needs;
improving existing products and services and developing new products and services;
complying with our legal and regulatory obligations and good practice;
gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests;
preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies;
handling customer contacts, queries or disputes;
protecting Pendragon (Design and Build) Limited, its employees and customers, by taking appropriate legal action against third-parties who have committed criminal acts or are in breach of legal obligations to Pendragon (Design and Build) Limited;
fulfilling our duties to our customers, employees, shareholders and other stakeholders;
operational reasons, such as contract management, recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking;
checking references, ensuring safe working practices, monitoring and managing employees;
monitoring employee conduct and disciplinary matters.
The purposes and reasons for processing your personal data
We take privacy very seriously and will never disclose or share personal data without the individual’s knowledge, unless we are required to do so by law. We only retain data for as long as is necessary and for the purposes specified in this notice. Unless we notify an individual, we will not process personal data outside of the European Economic Area (EEA), as it is currently defined.
Detailed below are examples of when we would collect, process and in some cases share, personal data:
to verify an individual’s identity;
to process job applications;
to process and manage the purchase of a property from us and provide after sales services where applicable;
to carry out our obligations arising from any contracts entered into between an individual and us, including for example the purchase of a property and/or options and extras from us;
to facilitate the provision of warranties with a property purchased from us;
to carry out our obligations under the 12 months defects liability period;
to notify utility suppliers and local authorities about the new property;
to provide information, products or services that have been requested from us;
to notify about changes to our services; and/or
to contact an individual about new developments and house types which may meet their needs. We will only contact them in this way if they have consented to us using their personal data in this way and that they want to receive this information from us.
Where an individual has consented to us providing them with promotional offers and marketing, they are free to withdraw consent at any time.
The use of protective and pre-emptive safety features
We use CCTV on various sites, primarily construction sites and offices, for the safety of and prevention of any crimes committed against our staff, our customers, our equipment and our properties, not for other monitoring purposes.
In the event of any criminal investigations, we may be required by law, to share the data captured with the relevant authorities.
How long will we keep data?
We only ever retain personal information for as long as is necessary and we have retention policies in place to meet these obligations. We are required under some laws or regulations to retain personal data for a set period of time. Where there is no legal obligation, we will hold data for 2 years, unless the individual opts out within this time.
Some specific areas include, but are not limited to:
Health & Safety related matters– up to 40 years
Property purchases and related matters – up to 15 years
Direct marketing – up to 2 years
Other data will be held for up to 6 years in line with the statute of limitations.
How we will share data?
We do not share or disclose any personal information without consent, other than for the purposes specified in this notice or where there is a legal requirement.
We use trusted third-parties to provide the below services and business functions, however all processors acting on our behalf only process data in accordance with instructions from us and comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures.
We may disclose information to third parties if:
we are under a duty to disclose or share personal data in order to comply with any legal obligation; or
in order to apply or enforce our contracts with an individual; or
to protect our rights, property, or our safety and/or the safety of our customers, or others.
We may also disclose information to our suppliers and contractors to provide information to an individual on our behalf and/or in order to fulfil our contracts with that individual.
We will share personal information with suppliers of services in respect of:
any property reserved from us;
the sale of the property;
any maintenance / repair work that needs to be carried out under the 12 months defect liability period.
These third parties may include:
estate and managing agents;
financial and legal advisors;
any relevant mortgage provider;
the National House Building Council and similar organisations;
utility and service providers;
sub-contractors for the purpose of repairs / maintenance on the property during the 12 months defect liability period;
We will share information with relevant government agencies to assist a customer with participating in any government schemes in which they have indicated they wish to take part.
What are the rights over personal data?
An individual has the right to access any personal information that we process about them and to request information about:
What personal data we hold about them;
The purposes of the processing;
The categories of personal data concerned;
The recipients to whom the personal data has/will be disclosed to;
How long we intend to store the personal data for;
If we did not collect the data directly from them, information about the source;
If they believe that we hold any incomplete or inaccurate data about them, they have the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible; unless there is a valid reason for not doing so, at which point they will be notified.
If an individual would like their personal data to be removed or the use to be amended, they have the right to request:
their personal data to be deleted from our records;
the use / processing of their personal data to be restricted in accordance with data protection laws;
to opt out of any direct marketing from us (this can be done in a number of ways and will depend on the marketing they are receiving. Please see the marketing material for how to unsubscribe);
to be informed about any automated decision-making that we use.
If we receive a request to exercise any of the above rights, we may ask for verification of their identity before acting on the relevant request; this is to ensure that data is protected and kept secure.
We will inform the individual if their request is possible under current regulations and inform them to what extent their request has been processed. Where we are under legal obligation to retain their information, we will clarify the requirements around the extent of data as well as the duration we will continue to hold that personal data.
To make a request around the processing of personal data, please contact us at
In order to buy a house from us, or work with us, there is no obligation to provide personal information to us however, as this information is required for us to provide our services, we will not be able to offer our products or services without it.
As a customer or potential customer, personal data is required as part of the reservation process and to complete the contract for sale.
As a new employee, whether permanent or contract, personal data is required to process an application and complete the contract of employment.
Further details, questions, or complaints
We hope we have provided plenty of information around the processing of personal data that we undertake and the rights an individual has over it, however if there are any additional questions or more details required around any of the points listed above, please contact our Data Protection Officer:
Pendragon (Design and Build) Limited
General Rees Square
Tel: 01633 872 406
Lodging a Complaint
If you are not happy with this notice, believe we have processed your data in an unfair or unjust way or are non-compliant with the relevant data protection laws and you wish to raise a complaint, please contact us and we will carefully consider your complaint and respond to you. You also have the right to lodge a complaint with the supervisory authority (the Information Commissioners Office).
Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Please phone 0330 414 6421 to talk to the team.
Further information for employees
You must be familiar with this Policy and comply with its terms. We may supplement or amend this Policy by additional Policies and guidelines from time to time. Any new or modified Policy will be circulated to employees before being adopted.
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.
Who is responsible for this Policy?
As our Data Protection Officer, Dave Johansen has overall responsibility for the day to day implementation of this policy.
The Data Protection Officer’s responsibilities:
Keeping updated about Data Protection responsibilities, risks and issues;
Reviewing all Data Protection procedures and Policies on a regular basis;
Arranging Data Protection training and advice for all employees;
Answering questions on Data Protection from employees and other stakeholders;
Responding to individuals such as clients and employees who wish to know which data is being held on them by Pendragon (Design and Build) Limited;
Checking and approving with third parties that handle the company’s data any contracts or agreement regarding data processing;
Responsibilities of the External IT Advisor (Sabre Computers):
Ensure all systems, services, software and equipment meet acceptable security standards for example firewalls, virus scanning, laptops being password protected etc.;
Checking and scanning security hardware and software regularly to ensure it is functioning properly;
Researching third-party services, such as cloud services the company is considering using to store or process data.
The processing of all data must be:
Necessary to deliver our services;
In our legitimate interests and not unduly prejudice the individual's privacy;
In most cases this provision will apply to routine business data processing activities.
Sensitive personal data
In most cases where we process sensitive personal data we will require the individual's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO.
Your personal data
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the DPO so that they can update your records.
We must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
Storing data securely
In cases where data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it.
Printed data should be shredded when it is no longer needed.
Data stored on a computer should be protected by strong passwords that are changed regularly.
Data stored on CDs or memory sticks must be locked away securely when they are not being used.
The DPO must approve any cloud used to store data.
Servers containing personal data must be kept in a secure location, away from general office space.
Data should be regularly backed up in line with the company’s backup procedures.
Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
All servers containing sensitive data must be approved and protected by security software and strong firewall.
We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.
Transferring data internationally
There are restrictions on international transfers of personal data. You must not transfer personal data anywhere outside the UK without first consulting the DPO.
Subject Access Requests (SAR)
Individuals are entitled, subject to certain exceptions, to request access to information held about them. If you receive an SAR, you should refer that request immediately to the DPO. We may ask you to help us comply with those requests.
Please contact the DPO if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.
Processing data in accordance with the individual's rights
You should abide by any request from an individual not to use their personal data for direct marketing purposes and notify the DPO about any such request. Do not send direct marketing material to someone electronically (e.g. via email) unless you have an existing business relationship with them in relation to the services being marketed. Please contact the DPO for advice on direct marketing before starting any new direct marketing activity.
All Employees will receive training on this Policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our Policy and procedure. Training is provided through a Toolbox Talk on a regular basis. It will cover:
The law relating to Data Protection
Our Data Protection and related Policies and Procedures.
Completion of training is compulsory.
Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All employees who are responsible for processing personal data will be aware of the conditions for processing.
Justification for personal data
We will process personal data in compliance with all six data protection principles. We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
The data that we collect is subject to active consent by the individual. This consent can be revoked at any time.
Criminal record checks
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
Upon request, an individual should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. They may also request that their data is transferred directly to another system. This must be done for free.
Right to be forgotten
An individual may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Data audit and log
Regular data audits to manage and mitigate risks will inform the data log. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
All Employees have an obligation to report actual or potential Data Protection compliance failures. This allows us to:
Investigate the failure and take remedial steps if necessary;
Maintain a register of compliance failures;
Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures.
Everyone must observe this Policy. The DPO has overall responsibility for this Policy. They will monitor it regularly to make sure it is being adhered to.
Data Protection Impact Assessment (DPIA)
A DPIA will be carried out by the responsible person as per ICO guidelines (https://ico.org.uk/fororganisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-andgovernance/data-protection-impact-assessments/) whenever:
Data is processed in a way likely to result in HIGH RISK to individuals’ interests;
When a major project is carried out which involves the processing of personal data.
Consequences of failing to comply
We take compliance with this Policy very seriously. Failure to comply puts both you and the organisation at risk. The importance of this Policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal. If you have any questions or concerns about anything in this Policy, do not hesitate to contact the DPO.
Who is covered under the Data Protection Policy?
Employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with or acts on our behalf and may need occasional access to data.