Skip to content
01934 419901 Request a quote
EJ McGrath Construction Ltd

GDPR Statement

EJ McGrath Construction Limited is committed to protecting the personal data of everyone we work with. This statement sets out how we comply with the UK GDPR and the Data Protection Act 2018.

1. Introduction – What is GDPR?

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) came into force on 25 May 2018 and is incorporated into UK law through the UK GDPR and the Data Protection Act 2018. The legislation strengthens individual rights and places enhanced obligations on organisations that process personal data. It promotes accountability, transparency and a risk-based approach to data protection, ensuring that personal information is handled lawfully, fairly and securely.

2. Our Commitment

EJ McGrath Construction Limited is committed to protecting the personal data of employees, contractors, clients, suppliers and other stakeholders. We operate a robust data protection framework designed to:

  • Ensure lawful, fair and transparent processing
  • Limit data collection to what is necessary
  • Maintain data accuracy
  • Protect data through appropriate security measures
  • Retain data only for as long as required
  • Enable individuals to exercise their rights

We regularly review and update our policies and procedures to ensure ongoing compliance with UK GDPR and the Data Protection Act 2018.

3. Governance & Accountability

We maintain:

  • A designated Data Controller
  • Clear internal reporting procedures for data protection matters
  • Documented policies and procedures
  • Secure IT systems with restricted access controls
  • Defined data retention and erasure schedules
  • Breach reporting procedures aligned with ICO requirements

Where required, we maintain records of processing activities in accordance with Article 30 UK GDPR.

4. Information Audit

We have conducted a company-wide information audit to identify:

  • What personal data we hold
  • The lawful basis for processing
  • Where data originates
  • Who it is shared with
  • How it is stored and secured

This is recorded within departmental data registers and reviewed periodically.

5. Legal Basis for Processing

We process personal data under the following lawful bases:

  • Performance of a contract
  • Legal obligation
  • Legitimate interests
  • Consent (where appropriate)
  • Employment law obligations

Special category data is processed only where a valid Article 9 condition applies.

6. Data Subject Rights

Individuals have the right to:

  • Access their personal data (Subject Access Request)
  • Request correction of inaccurate data
  • Request erasure (where applicable)
  • Restrict or object to processing
  • Data portability (where applicable)

Subject Access Requests are handled within the statutory one-month timeframe.

7. Data Retention & Erasure

We operate a documented retention schedule to ensure:

  • Data is not retained longer than necessary
  • Secure destruction of hard copy and electronic records
  • Compliance with statutory retention periods

8. Data Breaches

We have procedures to:

  • Identify and assess potential breaches
  • Contain and investigate incidents
  • Report notifiable breaches to the Information Commissioner’s Office (ICO) within required timeframes
  • Inform affected individuals where necessary

9. International Data Transfers

EJ McGrath Construction Limited does not routinely transfer personal data outside the UK. Where third-party processors are used, we ensure:

  • Appropriate contractual safeguards are in place
  • Data Processing Agreements are signed
  • Adequate security measures are verified

10. Monitoring

Monitoring may take place where necessary for security, legal compliance, protection of company assets and prevention of misconduct. Monitoring is proportionate, transparent and compliant with employment and data protection legislation. Covert monitoring will only occur in exceptional circumstances and with senior authorisation.

11. Employee Responsibilities

All employees who handle personal data must:

  • Keep information accurate and up to date
  • Ensure data is used only for legitimate purposes
  • Protect data through secure systems and password protection
  • Not retain data longer than necessary
  • Report any suspected data breach immediately

Failure to comply may result in disciplinary action.

12. Information Security

We implement appropriate technical and organisational security measures, including:

  • Restricted access on a “need-to-know” basis
  • Encrypted data transmission
  • Secure password protocols
  • Secure disposal of confidential waste
  • Ongoing IT security monitoring

Any suspected loss of personal data must be reported immediately to the Data Controller.

13. Compliance

This statement aligns with the UK General Data Protection Regulation, the Data Protection Act 2018 and ICO guidance.

14. Review

This policy is reviewed annually, or sooner if legislative changes require it.