We are committed to safeguarding and preserving the privacy of all personal data which may be provided to our company in relation to:
• the ongoing running of and organisation of our legitimate business activities or services;
• visits to our websites or mobile applications; or
• any other interaction with us.
This may include personal data that you provide to us, or that we collect from you.
We will update this Policy from time to time to keep us in line with current EU and UK Legislation, therefore you may wish to re-visit this to view any up to data content.
General Data Protection Regulation (GDPR): The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data.
Data Processing: any operation performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processor: the entity that processes data on behalf of the Data Controller.
Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
Data Subject: a natural person whose personal data is processed by a controller or processor.
Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
fconsentProfiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.
Regulation: a binding legislative act that must be applied in its entirety across the Union.
Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.
Where this Policy refers to `we`, `us`, `our` it refers to Excalibur Cleaning Ltd (Company no. 03661292). Our business provides commercial cleaning services and associated services to public and private sector companies. Please note we do not provide services to domestic customers.
We act as sole Data Controller only in our capacity as an employer and in relation to any data submitted via our website contact form which is separate from, and not in relation to direct instructions received from our existing customers. Our employees have been provided with further information on privacy via our Employee Handbook which is an internal document.
Contact Details for Data Controller
The Data controller is: Excalibur Cleaning Ltd, Well Lane House, Well Lane, Haslemere, Surrey, GU27 2LB.
The Data Protection Officer is: Afshin Amoui, IT Manager.
Data protection enquiries should be directed to the above address; by emailing DPO@excaliburcleaning.com or by calling 01428 658903.
Our Data Protection Principles
Principle 1: Lawfulness, Fairness and Transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means, Excalibur Cleaning Ltd must tell the data subject what processing will occur (transparency), the processing must match the description given to the data subject (fairness), and it must be for one of the purposes specified in the applicable data protection regulation (lawfulness).
Principle 2: Purpose Limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means Excalibur Cleaning Ltd must specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. This means Excalibur Cleaning Ltd must not store any personal data beyond what is strictly required.
Principle 4: Accuracy
Personal data shall be accurate and, kept up to date. This means Excalibur Cleaning Ltd must have in place processes for identifying and addressing out-of-date, incorrect and redundant personal data.
Principle 5: Storage Limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means Excalibur Cleaning Ltd must, wherever possible, store personal data in a way that limits or prevents identification of the data subject.
Principle 6: Integrity & Confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. Excalibur Cleaning Ltd must use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times.
Principle 7: Accountability
The Data Controller shall be responsible for and be able to demonstrate compliance. This means Excalibur Cleaning Ltd must demonstrate that the six data protection principles (outlined above) are met for all personal data for which it is responsible.
What Personal Data will we Collect
We will collect information from the data subject where one of the following apply:
• The nature of the business necessitates collection of the personal data.
• Collection of personal data may be carried out under emergency circumstances in order to protect the vital interests of the data subject; or to prevent serious loss or injury to another person.
The legal basis for processing personal data is to meet our contractual obligations to customers in relating to providing cleaning and associated services; and to respond to potential customer enquiries.
The legitimate interests pursued by Excalibur Cleaning Ltd and/or its customers is to promote the cleaning and associated services offered by Excalibur Cleaning Ltd and/or to market the services offered by Excalibur Cleaning Ltd to existing customers.
We will use the information collected to:
• provide legitimate documentation to employees and customers relating directly to the proper performance of our business services;
• process quotations, invoices and other financial information relating to the services provided to you;
• communicate via telephone and email regarding the services you receive, or advise of matters of safety in relation to services;
• discuss and provide information to legitimate suppliers or sub-contractors of associated services in order that those services can be provided as per our service agreement;
• collect CCTV recording at our office locations to prevent crime and protect the security of our premises.
The use of such data is based on legitimate business interests in providing services to you. In you making initial contact with us, you consent to us maintaining a dialogue with you until you either opt out (which you can do at any stage) or until services are cancelled by either party. We may also act on behalf of our customers in the capacity of data processor. When working exclusively as a data processor, we will act on the instruction of our customer, and we will work hard to ensure that the customer remains fully GDPR compliant.
People accessing our website (i.e. Data Subjects) may visit our site anonymously. We will collect personal data from users only where it is voluntarily submitted and any such information provided to us is deemed part of taking part in the activity of the site.
Users contacting us via our website enquiry form do so at their own discretion. Personal details provided for the purposes of a website enquiry may include, but are not limited to:
• Phone number;
• email address;
• additional data which the enquirer may provide which may include an address or mobile phone number etc.
Our website enquiry form does not store or retain information. Information is passed securely via email to the company’s Business Director. Personal data provided is kept private and stored securely until such time it is no longer required or has no further use. Whilst we have made every effort to ensure a safe and secure contact form to email submission process; we do advise users that in providing personal data that they do so at their own risk.
By using this site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our site. Your continued use of the site following the posting of changes to this policy will be deemed your acceptance of those changes.
No personal details from our website are passed on to third parties, nor shared with other companies or people outside of the company that operates the website. We use Google Analytics to gather data on our website visitors for marketing purposes. All data is anonymous, and no personally identifiable information is collected.
Although our website only looks to include quality, safe and relevant external links, users should always adopt a policy of caution before clicking any external web links mentioned throughout this website.
We do not broker or pass on information to third parties for marketing purposes, or any other purpose not associated with our business needs, without your consent. However, we may disclose personal data to meet legal obligations, regulations or valid government department requests. We may also enforce our Terms and Conditions, including investigating potential violations of our Terms and Conditions to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of our business, our customers and/or the wider community.
Data will only be held for as long as necessary to fulfil the purpose of the processing of such data and for statutory or legal reasons.
We will store customer data for the duration of our contractual relationship and up to a period of three years after our contractual relationship has ended. This may be for financial requirement or if we believe it may be necessary to handle any future potential complaints or claims.
We will store customer contact data for as long as you wish to receive information and service communications from us.
Your Rights as a Data Subject
At any point whilst we are in possession of, or processing your personal data, all data subjects have the following rights:
• Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Right to object – you have the right to object to certain types of processing such as direct marketing.
• Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
In the event that we refuse your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge.
At your request we can confirm what information we hold about you and how it is processed.
You can request the following information:
• Identity and the contact details of the person or organisation (Excalibur Cleaning Ltd) that has determined how and why to process your data.
• Contact details of the data protection officer, where applicable.
• The purpose of the processing as well as the legal basis for processing.
• If the processing is based on the legitimate interests of our business, or a third party such as one of our clients, information about those interests.
• The categories of personal data collected, stored and processed.
• Recipient(s) or categories of recipients that the data is/will be disclosed to.
• How long the data will be stored.
• Details of your rights to correct, erase, restrict or object to such processing.
• Information about your right to withdraw consent at any time.
• How to lodge a complaint with the supervisory authority (Data Protection Regulator).
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
• The source of personal data if it wasn’t collected directly from you.
• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
International Transfer of Data
We host applications and data on industry leading cloud-based servers, whose data centres are held within the UK or EU using different (multiple) servers which have been thoroughly tested for security, availability and business continuity. The infrastructure for application servers is managed and maintained by each service provider. We have undertaken a check of each service provider’s security and privacy policies and have deemed that these are suitable and sufficient to meet GDPR requirements.
We do not store personal data outside of the EEA.
Any staff member who suspects that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data might have occurred, must immediately notify the Data Protection Officer and provide a description of the circumstances. Notification of the incident can be made via e-mail, by telephone, or in person.