Privacy notice for clients and 3rd parties

As part of our obligations under the General Data Protection Regulation (GDPR), we’ve published this Privacy Notice to make it easier for you to find out how we use and protect your information and information about individuals who are connected to your business.

This Privacy Notice is to let you know how Silverthorne Building Consultancy promise to look after your personal information.  This includes what you tell us about yourself, what we learn by having you as a client or working with you as a service provider, and the preferences you make about what type of marketing you want us to send you.  This Privacy Notice explains how we do this and tells you about your privacy rights and how the law protects you where we process your personal data.

We won’t be changing the ways we use this information, but this Notice will provide you with additional details such as:

  • The types of information Silverthorne Building Consultancy collects about you and individuals connected to your business, and how we use it.
  • The legal grounds for how we use personal information.
  • Increased rights which individuals have in relation to the information we hold about them.
  • How we keep information secure.

 

Registered Office

Silverthorne Building Consultancy (Data Controller), with registered office below, needs to collect and process information about individuals including staff, clients, suppliers and other business contacts in order to conduct its business.

Vectis House Banbury Street, Kineton, Warwick, England, CV35 0JS

Our privacy promise

We promise:

  • To keep your data safe and private,
  • Not to sell your data,
  • To give you ways to manage and review your marketing choices at any time.

 

Data Protection law changed on 25 May 2018 and this Privacy Notice sets out most of your rights under the new regulation.   We may make further updates to this Notice to reflect the changing legislation and will periodically review this notice for accuracy in the future.

We will process all personal data in accordance with the following principles:

  • all personal data must be processed lawfully, fairly and in a transparent manner,
  • all personal data must be collected for one or more specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes,
  • all personal data shall be restricted to what is adequate, relevant and limited for those purposes,
  • all personal data shall be kept accurate and up to date (and reasonable steps must be taken to erase or rectify inaccurate personal data),
  • all personal data must be kept for no longer than is necessary for those purposes,
  • all personal data must be protected by appropriate technical and organisational security measures to prevent unauthorised or unlawful processing and accidental loss, destruction or damage.

 

Silverthorne Building Consultancy as the data controller will be responsible for compliance with these principles and must be able to demonstrate its compliance.

Who does this Privacy Notice relate to?

This Privacy Notice relates to all Silverthorne Building Consultancy’s clients, whether a business (and individuals associated with it) or individuals, and to all 3rd party businesses and individuals who work with Silverthorne Building Consultancy to provide a service, who may be, for example, a supplier, contractor, sub-contractor or referrer of business.

Individuals Connected to Your Business

When providing you with our services we will collect information on individuals connected to your business.  This information may be collected from you or other independent sources.  All relevant individuals will have access to this Privacy Notice and if you, or anyone else on your behalf, has provided or provides personal information to us about an individual connected to your business, you or they must first ensure that you or they have the authority to do so, and that you have provided access to this Privacy Notice to ensure that they are informed.

Which products and services does the Privacy Notice relate to?

The notice applies to all products and services offered and provided by Silverthorne Building Consultancy. A full list of our services is available on request.

What type of personal information does the Privacy Notice relate to?

Silverthorne Building Consultancy will only request details that are genuinely required e.g. in order to carry out our contractual and statutory obligations to you, or for the purposes of a balanced, genuine business interest for you and us.

We will only collect and process data when this is permissible in line with applicable legislation and depending on the purpose, type (which may include special category and diversity related data) and nature of the role applied for within Silverthorne Building Consultancy.

Depending on the reasons you are working with us, data and exceptions may include:

Data may include but not be limited to:

  • Name,
  • Business contact details including mobile/landline numbers, email address and business address,
  • Role title, position and responsibility details,
  • Additional information around the nature of your role, this may include qualifications and experience that you wish to tell us about,
  • Sex/gender,
  • Photographs taken at events (exceptions in Spain and Germany),
  • CCTV footage if you attend our premises (exceptions in Germany and Netherlands),
  • Hobbies and interests,
  • Personal preferences including dietary requirements, personal details linked to an event (e.g. shoe size for a bowling evening), details around physical ability (e.g. ability to swim for a sailing event), or travel preferences (this list is not exhaustive, however, only appropriate types of data will be collected depending on the processing activity),
  • Open data / public records which includes data that you have made freely available in a public domain such as via social media or publications and news articles,
  • Permissions – so we can record how you would like to receive information from us, or if you would prefer not to,
  • Extra information that you choose to tell us.

 

Please note that the above list of categories of personal data we may collect is not exhaustive.

Personal data relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation are subject to additional protection and are referred to as “special categories of personal data”.

Personal data will be collected, stored and processed for the following purposes:

  • In order to provide commercial building consultancy service to our Clients,
  • In order to comply with applicable legislation and statutory requirements for the prevention of money laundering,
  • In order to maintain adequate accounting and financial records and to invoice the Client as and when appropriate,
  • To carry out research activities,
  • To provide you with marketing and other information about us and other goods and services we offer and to allow Silverthorne Building Consultancy to invite you and/or Contact Persons to any events organised alone or jointly by Silverthorne Building Consultancy.
  • To obtain credit checks and or references in relation to the Client, if necessary and not prohibited by applicable legislation,
  • In order to be provided with the services of a 3rd party,
  • To allow Silverthorne Building Consultancy to invite the Client, 3rd Party and/or Contact Persons to any events organised alone or jointly by Silverthorne Building Consultancy,
  • To carry out any other activities that may be ancillary or related to the above. (For marketing, advertising, or research purposes contact by email and text message),
  • To make such Personal Data available (but only to the extent absolutely necessary) to third parties who provide products or services to us and/or to potential purchasers of Silverthorne Building Consultancy Limited or our business.

 

Lawful Processing Basis – Definitions

Under the GDPR, we must justify a lawful basis for processing your personal data.  The most common bases are explained below.

  • Legitimate interest – using people’s data in ways they would reasonably expect in the context of our business, and which have a minimal privacy impact, or where there is a compelling justification for the processing.
  • Contractual – where we need to fulfil our contractual or agreement obligations to you, or you have asked us to do something before entering into a contract (e.g. provide a quote).
  • Consent – asking individuals to ‘opt-in’ as a preference to sign up to a newsletter or networking event, for example. Where consent is not a lawful processing basis, it will not be relied on.
  • Legal / Statutory obligation – using your data because we are statutorily required to do so, e.g. retaining invoices based on tax legislation.

For further information, please visit the data commissioner’s website, given in the ‘Data Protection Regulators’ section of this page.

Reasons for processing your personal data

We will use this personal data in order to carry out activities, some of which will include marketing purposes, event invitations and carrying out our contractual and statutory duties to you.

If Silverthorne Building Consultancy requests sensitive personal data we will ensure that the correct lawful basis for processing is used and, if consent is required, that this can easily be both freely given and withdrawn and your appropriate preferences recorded.  If we haven’t had to gain consent, you may still be able to exercise your right to object (see section ‘Your rights under GDPR’). 

All individual personal data is regarded as company confidential data and will be handled appropriately at all times.   All Staff working for Silverthorne Building Consultancy will have controlled role-based access to your personal data, but only on a strict ‘need-to-know’ basis, for the purposes described in this Privacy Notice. This list gives detail regarding the type of activity and what we process, why we process it and the lawful basis for us doing so.

| Processing Activity | Justification for Processing | Primary Lawful Processing Basis |
|---|---|---|
| Collecting personal data for new clients/3rd parties e.g. receiving a business card, exchanging details at events | We conclude that data has been given to Silverthorne Building Consultancy in order to update you about our services and events | Legitimate Interest |
| Buying in mail lists | To offer our services and invite clients to events where there is a balanced business interest | Legitimate Interest |
| Responding to requests for work, quotes and tenders | Necessary in order to commence with a business prospect, processing would be expected by the client or 3rd party | Legitimate Interest / Contractual |
| Carrying out work related requests and activities in line with an existing contract/agreement | To carry out duties in line with contractual/agreement related obligations. To give relevant updates to clients/3rd parties and conduct billing activities. | Contractual |
| Adding or amending contact details in our management system | In order to keep records up to date, fulfil contractual obligations, carry out data cleansing activities | Legitimate Interest |
| Maintaining purchase history on client records | In order to continue offering relevant services, ensuring records are kept up to date | Legitimate Interest |
| Conduct marketing activities to prospective clients, invite clients to events and promote campaigns | To carry out marketing activities, inform clients of relevant services available, attend relevant events and give company and industry updates | Legitimate Interest / Consent |
| Conduct marketing activities to existing contacts, invite clients/3rd parties to events and promote campaigns | To carry out marketing activities, inform clients/3rd parties of relevant services available, attend relevant events and give company and industry updates | Legitimate Interest |
| Update attendance records for events | Assist with future marketing activities and identify which events are of interest to clients and 3rd parties | Legitimate Interest |
| Record responses to questionnaires | To maintain business relationships and monitor the quality and relevance of our services | Contractual / Legitimate Interest |
| Address any requests from clients or 3rd parties | To ensure clients/3rd parties receive the appropriate level of information requested. To identify trends linked to repeated issues and improve our service and relationship with contacts | Legitimate Interest |
| To address complaints from clients or 3rd parties | To comply with legal and regulatory requirements. To resolve situations where the contact is dissatisfied and assess any measures of redress where justified. To identify trends linked to repeated issues and improve our service and relationship to clients and 3rd parties. | Legal / Contractual |

What we mean by Marketing

  • Using your personal information by way of contact details in order to inform you and your business about new services, events and conduct campaigns,
  • Profiling your data in order for us to justify why we have previously processed your data and why we would continue to do so,
  • To identify what type of marketing information we believe may be of use to you and what you may be interested in,
  • We will only use your information for marketing purposes when we justify our reasons to be a lawful basis using either ‘legitimate interest’ or ‘consent’,
  • We will only use your information for marketing purposes where you have not ‘opted out’ or otherwise indicated a preference not to hear from us,
  • We may periodically ask you to review your preferences about how we contact you and will make it easy for you to change your mind.

 

GDPR and PECR – Electronic Marketing

The GDPR and Privacy and Electronic Communications Regulations (PECR) cross over when it comes to identifying a lawful basis of processing personal data.  GDPR does not replace PECR, however, it may affect whether we use legitimate interest in order to continue contacting you, or will need to ask for consent.  This means we will have to factor in certain circumstances, like whether you work within a corporate organisation or are perhaps a partnership or sole trader.  We will also consider our approach depending on whether or not you have ever used our services in the past, whether you have ever opted out of our marketing activities, and whether we consider that contacting you may impact you in a negative way or that you may be likely to object.

Your Rights Under GDPR

Changes to the regulation mean that every individual whose personal data is processed now has more rights about how their information is used, and why.

Your rights include:

  • Asking us to tell you what data we hold about you and requesting a copy. This is called a Subject Access Request.  We will not charge for this unless a request is manifestly unfounded or excessive, particularly if it is repetitive, or if further copies are requested.  We will have 1 month to comply with your request unless circumstances allow for an extension.
  • Objecting to your personal information being processed. You may also ask us to delete it (known as ‘the right to be forgotten’) and we will consider all such requests.  If there are legal reasons for us keeping your data despite your request, we will discuss this with you. These rights are not absolute rights and there may be reasons for retaining the data.
  • Asking us to amend or stop using your information because it’s inaccurate, incomplete or you want to restrict how we process it.
  • You have the right to be informed about the collection and use of your data.
  • Asking us to move, copy or transfer your personal data easily from one IT environment to another, in a safe and secure way, without hindrance to usability when you have provided to us your personal information.

Please contact us if you wish to speak to us about this.

Consequences of not providing us with certain data

Providing Silverthorne Building Consultancy with certain levels of personal data is the choice of the individual to whom that data belongs.  You may choose not to give us certain information we ask for, or ask us to delete or stop using information that we already hold on you, and this is your right to do so.  However, we may have overriding interests or obligations concerning certain data and we must also highlight some possible consequences of us not being able to process certain data belonging to you.

  • We may not be able to keep you informed about our new products and services or any relevant changes
  • We may not be able to keep you up to date with industry or regulatory changes, news and market reports
  • We may not be able to keep you informed around any upcoming events or invite you to our events, or as a guest to accompany us to 3rd party events
  • We may not be able to fulfil our contractual obligations to you in order to provide our service
  • We may not be able to continue using your products or services
  • We may not be able to consider new business with you or arrange networking opportunities to benefit both you and us

 

Withdrawing Consent

If we have asked for your consent at any time and you now wish to withdraw it, please contact us and we will update our records accordingly.

Please remember that if you withdraw consent we may not be able to continue offering you our products and services, however, if this is the case we will discuss this with you.

If we are processing your data using the lawful processing basis of ‘legitimate interest’ you will not have given us ‘consent’ to process this data, however, you still have the right to object (see section ‘Your Rights Under GDPR‘).

If you have any questions please contact us.

How To Complain

If you are not happy about how we are processing, or have processed, your personal information, in line with the GDPR then you are able to raise a complaint with us or the relevant data protection regulator.  Also, if you have instructed us around how to process your data in terms of your individual rights and you are not happy, please let us know.

How long we will keep your data for

Whilst you are still an active client of Silverthorne Building Consultancy, we still have regular contact with you and you haven’t instructed us to delete your data, we will continue to retain your data in a secure environment.

We will retain, cleanse and delete your data in line with our Data Retention Policy, an extract of which is below:

| Document Type | Retention Period |
|---|---|
| Risk Assessments | 3 years from last review date |
| Documents of External Origin | 6 years |
| Emails and other electronic information | Relevant client or supplier related data – 6 years |
| Property documents such as leases and lease termination agreements | 6 years after lease termination |
| Client/3rd party feedback/complaints | 7 years |
| Invoices | 7 years |
| Client project related records | 15 years |

Circumstances that will result in us keeping your data outside of these retention periods include legal and regulatory reasons and those that are bound by applicable legislation.

Will Silverthorne Building Consultancy make use of automated decision-making?

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.

As a rule, Silverthorne Building Consultancy does not make use of automated decision-making as described above. Silverthorne Building Consultancy does not base its decision whether or not to hire you solely on automated processing of your personal data.

How we keep your data secure

Security of your personal data is vitally important to Silverthorne Building Consultancy and we strive to maintain security in many ways:

  • Testing and reviewing our systems, networks and locations that process data,
  • Maintaining security policies and procedures which are tested and reviewed periodically,
  • Ensuring employees are given the tools and training to handle data responsibly,
  • Ensuring employees are under a statutory or contractual obligation of confidentiality,
  • Controlling access to data across various levels including system and application access, physical access and 3rd party access, robust password management procedures,
  • Access, at all levels, is role-based and only granted on a ‘need to know’ basis,
  • Ensuring data is periodically cleansed, archived or deleted in line with policy,
  • Employees undergo screening upon joining Silverthorne Building Consultancy and training is mandatory for topics such as information security and data protection,
  • Ensuring data is encrypted both in transit and at rest,
  • Information assets are logged and equipped with up to date antivirus software,
  • Data is regularly backed up and stored in a secure environment,
  • Data breaches and security incidents are reported in line with policy and are followed up with analysis, risk assessments and corrective action where necessary.

In line with our security obligations we would also ask that you notify us of any changes to your data so we can keep our records as accurate as possible.

Transfers outside the EEA

We will only transfer personal data outside the EU subject to appropriate safeguards.  These safeguards will usually consist of standard data protection clauses which we will adopt and implement with the relevant data processor or third party service provider; we will inform you in advance if other safeguards are to apply.

Data from 3rd parties we work with

We work with various industries and may receive your contact details as a referral in some cases by other businesses.  We will only process your data when there is legal justification for doing so e.g. where we reasonably believe it is within our balanced business interests.  If that occurs, we will provide you information about the source of the personal information.

Parties we share data with

We may share your data with companies such as the following:

  • Regulators and other authorities,
  • Any party linked with you or your business’s product or service,
  • Companies we have a joint venture or agreement to co-operate with, where appropriate to do so, such as contractors, sub-consultants and consultants,
  • Companies who conduct requested credit checks on our behalf,
  • Organisations that introduce you to us,
  • Companies that we introduce you to, where appropriate to do so,
  • Companies you ask us to share your data with.

 

We will ensure that, where Silverthorne Building Consultancy are the data processor or where both parties are a data controller, or joint data controller, under the GDPR when sharing your data with the above mentioned parties, we will enter into agreements/arrangements with you.

We also have to share information or data in order to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request,
  • Meet our contractual clauses for the purpose of audit,
  • Enforce applicable policies, including investigations,
  • Detect, prevent, or otherwise address fraud, security or technical issues,
  • Protect against harm to the rights, property or safety of our users, the public or to Silverthorne Building Consultancy and/or as required or permitted by law.

 

Use of Cookies

Personal data may be collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our websites, subscribes to our service, or makes an enquiry.

Changes to our Privacy Notice

We may need to make changes to our policies and notices from time to time, where the processing of personal data is impacted, within the limitation set out by GDPR and the applicable data protection legislation. When we have made changes we will update the Privacy Notices on our website for you to read.

Our commercial Terms & Conditions have also been updated to comply with the GDPR and are available upon request.

Silverthorne Building Consultancy contact details

If you have any questions, require further information or wish to complain, please contact us.

You can contact our Data Protection Officer by post at:

Vectis House Banbury Street, Kineton, Warwick, England, CV35 0JS

Data protection regulators (supervisory authorities)

UK (Lead Authority)

The Information Commissioner (ICO) is the UK regulator of the Data Protection Act 1998 and now the regulator for the GDPR.

www.ico.org.uk