Last updated: 8 July 2024
Purpose
This privacy policy gives you information about how Greencore Homes Ltd (referred to in this policy as “we” “us” or “our”) collects and uses your personal information through any interaction you have with us.
We are a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this policy and we are committed to protecting the privacy and security of your personal information.
We may update this policy at any time and we will provide you with an updated copy as soon as reasonably practical.
It is important that you read and retain this policy, together with any other information we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.
How to contact us
If you have any questions about this privacy policy or our privacy practices, including any requests to exercise your legal rights, please contact us using the details below:
Greencore Homes Ltd
Email address: enquiries@greencorehomes.co.uk
Postal address: Unit 1 Bicester Park, Charbridge Way, Bicester, OX26 4SS
Telephone number: 01865 110044
The information we collect about you
Personal information means any information about an individual from which that person can be identified.
We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:
Identity Data includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, job title, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you.
Technical Data includes information about land ownership, sustainability and planning.
Marketing and Communications Data includes your contact data and preferences in receiving marketing from us and our third parties and your communication preferences.
Recruitment Data includes your contact data and all information required as part of our recruitment process in relation to prospective candidates including CVs, application forms, interview notes, test results, copies of right to work documentation, references and other evidence of skills and qualifications. We will also collect your NI number, health details (to the extent necessary if you require any adjustments or workplace needs), criminal records and equal opportunities data.
Site Data includes all information we collect in relation to individuals that are visiting our premises, including any health and safety accident logs and CCTV.
Energy Data includes energy usage data and internal environment data in relation to the properties we have developed. This data does not directly identify any individual but may do so in combination with different types of data and is collected via unit mounted devices for data analysis, research, modelling and information purposes. Decisions are not made about any individual using this data.
We also collect, use and share aggregated data such as statistical or demographic data which is not personal information as it does not directly (or indirectly) reveal your identity.
How we collect your personal information
We use different methods to collect information from and about you including through:
Your interactions with us. You may give us your personal information directly when liaising with us. For example, if you are a supplier, we will require your personal information in order to facilitate the agreement between us for the services you are providing and for us to make payment to you.
Third parties or publicly available sources. We will receive personal information about you from various third parties and public sources as set out below:
- Credit agencies;
- Property / site valuation agencies;
- Estate agents;
- Housing associations;
- Energy providers.
How we use your personal information
We will only use your personal information when the data protection legislation allows us to. Data protection legislation requires us to have a legal basis for collecting and using your personal information. We rely on one or more of the following legal bases:
Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
Legitimate interests: We may use your personal information where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Legal obligation: We may use your personal information where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
Consent: We rely on consent only where we have obtained your active agreement to use your personal information for a specified purpose, for example if you subscribe to marketing from us or for certain recruitment data we obtain such as health details or criminal records.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of individuals visiting our premises).
Purposes for which we use your personal information
We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Purpose/Use | Type of data | Legal basis |
To obtain address and property information for the purposes of our business; contact landowners, land / estate agents | (a) Technical (b) Contact | (a) Necessary for our legitimate interests (b) Performance of a contract with you |
To process and manage payments, fees and charges to / from you and collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests |
To manage our relationship with you, whether you are a supplier, contractor, or customer. | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests |
To administer and protect our business | (a) Identity (b) Contact (c) Site (d) Recruitment | (a) Necessary for our legitimate interests (b) Necessary to comply with a legal obligation |
To administer our recruitment process | (a) Identity (b) Contact (c) Site (d) Recruitment | (a) Necessary for our legitimate interests (b) Necessary to comply with a legal obligation (c) Consent in relation to any special categories of personal data as may be applicable (detailed below) |
To send you relevant marketing communications | (a) Identity (b) Contact (c) Marketing and Communications | Consent, having obtained your prior consent to receiving direct marketing communications |
To conduct data analysis, research, modelling and information | (a) Energy | (a) Consent where it is deemed that such data is capable of identifying an individual’s presence at the property in real time, or is otherwise deemed intrusive (b) Necessary for our legitimate interest |
How we use sensitive personal information
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. This information includes racial, religious, biometric, health and sexual orientation data. We may process special categories of personal information in the following circumstances:
1. In limited circumstances, with your explicit written consent.
2. Where we need to carry out our legal obligations or exercise rights, for example in relation to recruitment or health and safety, and we are authorised by law to do so.
3. Where it is needed in the public interest, such as for equal opportunities monitoring.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Processing of special category personal data is carried out in line with ICO guidance and where the processing is considered high risk then a Data Protection Impact Assessment will be carried out. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
CCTV
We use CCTV cameras to view and record individuals on and around our premises (including development sites) in order to maintain a safe environment for staff and visitors. However, we recognise that the images of individuals recorded by CCTV cameras are personal information which must be processed in accordance with data protection legislation.
Where CCTV cameras are placed in at our premises, we ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. The signs will contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact for further information, where these things are not obvious to those being monitored.
We ensure that live feeds from cameras and recorded images are only viewed by approved members of staff whose role requires them to have access to such information. Information gathered from CCTV cameras is stored in a way that maintains its integrity and security.
Data Sharing
We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law.
‘Third parties’ include third-party service providers (including professional advisors, contractors and designated agents) and any other third parties to whom we may choose to sell, transfer or merge parts of our business or our assets.
Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this policy.
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
We may transfer your personal information outside the UK and EU. If we do, you can expect a similar degree of protection in respect of your personal information. Whenever we transfer your personal information out of the UK or EU to countries which have laws that do not provide the same level of data protection as the UK law, we always ensure that a similar degree of protection is afforded to it by ensuring that the following safeguards are implemented:
- we will only transfer your personal information to countries that have been deemed by the UK to provide an adequate level of protection for personal information; OR
- we may use specific standard contractual terms approved for use in the UK which give the transferred personal information the same protection as it has in the UK, namely the International Data Transfer Agreement or The International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers.
Data Security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We do not allow our third-party service providers to use your personal information for their own purposes.
Data breaches
If we discover that there has been a breach personal information that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery. We will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken.
Data retention
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
Individual rights
As a data subject, you have a number of rights in relation to your personal information.
Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to another party.
Right to withdraw consent where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. We will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact us, making your request in writing.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Complaints
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance using the information at the top of this policy in the “how to contact us” section.