GDPR Compliance
Your data protection rights and our commitments
Our Commitment to Data Protection
rough-joist operates in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take your privacy seriously and have implemented comprehensive measures to protect your personal information.
Data Controller Information
rough-joist is the data controller responsible for your personal information. Our contact details:
rough-joist
142 Kingsland Road
London E2 8DY
United Kingdom
Email: [email protected]
Lawful Basis for Processing
We process your personal data only when we have a lawful basis to do so. The specific lawful basis depends on the purpose:
Contract Performance
When you engage our services, we process information necessary to fulfil our contractual obligations. This includes project planning, installation scheduling, service delivery, and warranty administration.
Legitimate Interests
We process certain data based on legitimate business interests, provided these interests do not override your rights. Examples include:
- Maintaining client relationship records
- Improving our services based on client feedback
- Ensuring network and information security
- Internal administrative purposes
Legal Obligation
Some processing is required to comply with legal obligations, such as:
- Retaining financial records for tax purposes
- Maintaining warranty documentation
- Complying with health and safety regulations
Consent
For certain activities, particularly marketing communications, we rely on your explicit consent. You can withdraw consent at any time without affecting the lawfulness of prior processing.
Your Data Protection Rights
Under UK GDPR, you have comprehensive rights regarding your personal data:
Right to Be Informed
You have the right to clear information about how we collect and use your personal data. This page and our Privacy Policy fulfil this obligation.
Right of Access
You can request a copy of the personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide this information within one month, free of charge.
Right to Rectification
If information we hold about you is inaccurate or incomplete, you can request correction. We will update our records promptly and inform any third parties to whom we've disclosed the information.
Right to Erasure
Also known as the 'right to be forgotten', you can request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
This right is not absolute. We may need to retain certain information to comply with legal obligations or for legitimate business purposes.
Right to Restrict Processing
You can request that we limit how we use your data in these situations:
- You contest the accuracy of the data whilst we verify it
- Processing is unlawful but you prefer restriction to erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing whilst we verify our legitimate grounds
Right to Data Portability
When processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format. You can also request direct transmission to another controller where technically feasible.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We must cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts. If this changes, we will inform you and ensure appropriate safeguards.
How to Exercise Your Rights
To exercise any of these rights, contact us via email at [email protected] or write to our postal address. Please include:
- Your full name and contact details
- A clear description of which right you wish to exercise
- Any relevant details to help us locate your information
- Proof of identity if requested (for security purposes)
We will respond within one month. In complex cases, we may extend this by two additional months, but we will inform you of any delay within the initial month.
Data Security Measures
We implement appropriate technical and organisational measures to ensure data security:
Technical Measures
- Encryption of data in transit and at rest
- Secure authentication and access controls
- Regular security updates and patches
- Intrusion detection and prevention systems
- Regular security testing and vulnerability assessments
Organisational Measures
- Staff training on data protection requirements
- Clear policies and procedures for data handling
- Access restrictions based on role requirements
- Regular audits of data processing activities
- Incident response procedures
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware
- Inform affected individuals without undue delay if the breach poses a high risk
- Provide clear information about the nature of the breach and steps being taken
- Advise on measures you can take to protect yourself
Third-Party Processing
When we engage third parties to process data on our behalf, we ensure:
- Written contracts are in place with appropriate data protection terms
- Processors only act on our documented instructions
- Adequate security measures are implemented
- Sub-processing requires our prior authorisation
- Processors assist with compliance obligations
International Data Transfers
We primarily process data within the United Kingdom. If we transfer personal data internationally, we ensure appropriate safeguards:
- Adequacy decisions for countries with equivalent protection
- Standard contractual clauses approved by the ICO
- Additional security measures where necessary
Data Protection Impact Assessments
For processing activities that pose high risks to individuals' rights, we conduct Data Protection Impact Assessments (DPIAs). These identify risks and implement measures to address them before processing begins.
Record Keeping
We maintain records of our processing activities as required by UK GDPR, including:
- Purposes of processing
- Categories of data subjects and personal data
- Recipients of personal data
- International transfers
- Retention periods
- Security measures
Regular Review and Updates
We regularly review our data protection practices to ensure ongoing compliance with UK GDPR. This includes:
- Annual policy reviews and updates
- Periodic staff training
- Regular security assessments
- Monitoring changes in legislation
Complaints and Supervisory Authority
If you believe we have not complied with data protection law, you can lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: ico.org.uk
We encourage you to contact us first so we can address your concerns directly.
Questions and Further Information
If you have questions about our GDPR compliance or data protection practices, please contact us at [email protected]. We're committed to transparency and will address your concerns promptly.