General Data Protection Regulation (GDPR)

The GDPR is designed to bring new levels of protection for personal data. The new European directive GDPR comes into effect on 25th May 2018 and After Build is GDPR compliant.

What is personal data?

Personal data means any information that relates to a natural person through which they may be identified e.g. an email address such as: john.smith@googlemail.com

What personal data does After Build hold?

After Build provide an aftercare service to new home developers, contractors and housing associations. The delivery of such service involves communication with homeowners, occupants and tenants (the ‘data subject’). This means that we will seek, store and process the following:

Email address
Telephone number
Mobile phone number
Postal address
Legal completion date (property acquired)

Usually this information is largely provided by the developer or housing association.

How will the data be processed?

The use of the personal data enables After Build to communicate with the data subject when dealing with reported building defects. This is the purpose of the service provided. After Build’s outbound communication may take the form of an Email, a telephone call, an SMS message or a letter.

Who else will see or have access to the personal data?

The developer (who most likely provided it in the first instance) and the contractor. After Build will liaise with the relevant trade contractor to organise an appointment when work needs to be conducted. Personal data is captured in a formal Job Instruction which is raised by After Build and issued to the contractor. Usually this is limited to the data subject’s name, postal address and nature of the reported building defect; however there may be occasions when the data subject may request that we also provide a telephone contact.

Consent

The quickest way for the data subject to report a defect is via the After Build Occupant Portal (the web address is: www.defects.uk.com). This is a secure platform that can be accessed using any web enabled smart phone, tablet or PC. The data subject needs to register the first time they visit the Occupant Portal; this provides the opportunity to set their own password and at this stage will be asked to give their consent for After Build to use their personal data (tick box). Any data subject receiving After Build’s service prior to 25th May 2018 will be contacted by After Build to seek their consent; this will take the form of a tick-box return form.

Where will we store personal data?

All personal data is stored electronically, not in hard copy.

Emails – all stored externally on the Microsoft Exchange server
Postal address – captured by our CRM system and stored on Microsoft Cloud server
Landline/Mobile – captured by our CRM system and stored on Microsoft Cloud server
Letters – stored internally on After Build server

What will After Build do with the data when it is no longer needed?

After Build will archive the information on the Microsoft Cloud server.

Can a data subject refuse to give consent?

Yes certainly – either at the outset or later on. After Build should point out however that it would be impossible to provide the service without their consent.

Can a data subject complain?

The data subject reserves the right to lodge a complaint with a supervisory authority.

Can a data subject request a copy of personal data?

Yes they can. After Build will provide a copy of all personal data held on the system, within 72 hours and at no expense, subject to identity verification. Further copies may incur a small administrative expense.

What about personal data relating to the developer, housing association and the contractor?

After Build will take the same procedural precautions when storing and processing this personal data however it is presumed that consent is implied to the extent that the contractual relationship between the contractor and developer or housing association, and the developer or housing association with After Build, requires the use of such personal data to fulfil contractual obligations. The basis for this is ‘Legitimate Interest’.

After Build’s Data Controller

Any questions, queries or complaints should be directed to After Build’s Data Controller:

Mark Fawcitt
Head of Operations
After Build Limited
Units 1&2 Woodfield Farm Offices
Isaacs Lane, Burgess Hill
West Sussex RH15 8RA

Email: markf@afterbuild.com

Responsibility of the After Build Data Controller

The Data Controller shall implement appropriate technical and organisational measures to ensure and demonstrate that processing is performed in accordance with GDPR. Those measures shall be reviewed and updated as necessary. The Data Controller shall also implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the service are processed.

Records

After Build shall keep records of the data categories processed and the purpose of the processing. These records shall include details of the recipients to whom the personal data has been disclosed.

Security

The Data Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

The ability to ensure ongoing confidentiality
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Account shall be taken of the risks presented by processing, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Personal data breach

In the case of a personal data breach, the Data Controller shall without delay (not later than 72 hours of becoming aware of it) notify the Authorities, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject.