Privacy Notice: All Breedon Group Customers

21 September 2020: Version 2.0

This privacy notice describes how the Breedon Group (We/Us) collects and uses information about its customers, before, during and after the contractual relationship, to the extent such information is personal data in accordance with the EU Regulation 2016/679 General Data Protection Regulation (GDPR).  This document also satisfies our obligations under Article 30 of the GDPR.  It applies to all customers of the Breedon Group (You).

Data Controller Details

The Company is a data controller for the purposes of the GDPR and every customer on behalf of itself and any of its directors, shareholders, members, employees, servants and agents (“associates”) acknowledges the use and processing of personal data described in this privacy notice.

Company means the member of the Breedon Group selling goods and/or associated services to the relevant customer.  Breedon Group means any of the companies within the Breedon group of companies, including, without limitation, Breedon Southern Limited, Breedon Northern Limited, Breedon Cement Limited, Breedon Holdings Limited, Breedon Group Services Limited, Lagan Materials Limited, Lagan Asphalt Limited, Whitemountain Quarries Ltd, Alpha Resource Management Ltd, Breedon Cement Ireland Limited, Breedon Employee Services Ireland Limited, Lagan Cement Products Limited, Breedon Brick Limited and/or Welsh Slate Limited, further details of which can be found at www.breedongroup.com.

Categories of Data Subjects

Whilst the majority of our customers are “corporates”, some may be sole traders, partnerships or consumers.  We may therefore collect personal data from those types of customers and any employees or individuals working for that customer (collectively “customers”).

Categories of Personal Data

We may collect the following categories of personal data about customers:

  • Personal details including name, address, email, telephone number including mobile phone or other contact information;
  • Date of birth and/or age;
  • Banking, taxation and financial information including VAT details;
  • Credit information (through an external third party);
  • Electronic identification data including IP address collected through our websites;
  • Contractual details including the goods and services provided, trading history with the Company, insurance details and buying status;
  • Audio recordings of all telephone orders, enquiries and customer communications (Audio Data); and/or
  • Images (still or video) from the closed circuit television (CCTV) on the Company’s sites or from onboard vehicle monitoring (CCTV Data).

Due to the Coronavirus pandemic, in addition to the collection of personal data as mentioned above, Breedon may also be required to collect the following information from customers when attending at one of our Breedon sites in order to comply with the Government’s legislation/guidelines in respect of any track and trace system:

  • information to determine whether a customer has experienced or may be experiencing Covid-19 symptoms (which may include temperature checks) or is in any of the high-risk categories which are most vulnerable to becoming infected and seriously ill (Health Information); and/or
  • a positive result for Covid-19; details of anyone a customer may have been in contact with who has tested positive for Covid-19 or presented with symptoms; whether a customer has been asked to self-quarantine within the preceding 14 days; and/or where a customer has travelled to in the preceding 14 days (Contact History).

Source of personal data

Most of the information we obtain comes directly from customers or in the case of Audio Data and CCTV Data from our IT systems.  Some information may come from external third-party credit reference agencies or credit insurers.  If you don’t provide us with this data we may be unable to enter into or conclude a contract with you.

Purposes of Data Processing

The Company collects and processes data about customers, some of which may be personal data as defined under GDPR, for purposes which include:

  • As necessary to perform a contract with a customer including:
    • To take steps at the customer’s request prior to entering into a contract;
    • To decide whether to enter into a contract;
    • To make credit decisions about the customer or its associates regarding the contract or the entering into of a new contract with us;
    • To manage, perform and operate the contract and the customer’s account;
    • To update our records;
    • To resolve any complaints in relation to the contract;
    • To recover debts.
  • As necessary for our own legitimate interests or those of other persons and organisations, for example:
    • For good governance, accounting and managing and auditing our business operations;
    • To search credit reference agencies;
    • To protect the health and safety of workers and others;
    • Maintaining, monitoring, improving and enhancing our goods and services;
    • To monitor Audio Data and CCTV Data for quality control and training or for the detection and prevention of crime or unauthorised use of our systems.
  • As necessary to comply with our legal obligations, for example:
    • Where disclosure is necessary for or in connection with any legal proceedings (including prospective legal proceedings), for obtaining legal advice or for establishing, exercising or defending legal rights;
    • For tax collection purposes;
    • To comply with any regulatory obligations to which we are subject;
    • Where we are required to do so by law (including under any legislation, or by a court or tribunal in any jurisdiction);
    • All Health Information and Contact History will be obtained in order that we can keep you and others safe and/or where we are required to comply with Government legislation/guidelines in respect of any track and trace system as part of a response to Covid-19;
    • For fraud prevention and money laundering purposes in compliance with our statutory obligations.

Categories of Personal Data Recipients

We disclose personal data to a number of recipients which includes the following categories of persons:

  • Other companies within the Breedon Group;
  • Auditors and professional advisors, such as our bankers, lawyers and consultants;
  • Law enforcement officials and statutory or regulatory authorities;
  • Third-party service providers, such as providers of CCTV management; Audio Data management; IT system management; credit checks, debtor tracing; hauliers, contractors or subcontractors or associated services necessary to perform the contract.

We may use and replace any third party which we wish to use to assist us in meeting its obligations under the contract, and where such third party is a processor of personal data, this constitutes prior general written authorisation as envisaged by Article 28(2) of the GDPR.

We may transfer personal data outside the EEA in accordance with the principles of the GDPR.

Data Protection Principles

We will comply with data protection law which includes the GDPR (Data Protection Laws) applicable in the country in which the Company operates. This says that the personal information we hold must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that have been clearly explained and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

Personal Data Retention Periods

Except as otherwise permitted or required by applicable law or regulation, we only retain personal data for as long as necessary to fulfil the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes.

We typically retain personal data obtained from customers for 6 years after the completion or termination of the contract, save for Audio Data which is retained for 6 months and CCTV Data which is retained for 30 days.

Technical and Organisational Security Measures

We have implemented technical and organisational security measures to protect personal data.

Duty to inform us of changes

It is important that the personal information we hold about customers is accurate and current. We ask all our customers to keep us informed if personal information changes during your contractual relationship with us.

Customers’ rights in connection with personal information

Under certain circumstances, by law customers have the right to:

  • Request access to personal information.
  • Request correction of the personal information that we hold.
  • Request erasure of personal information.
  • Object to processing of personal information where we are relying on a legitimate interest (or those of a third party) and there is something about the particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of personal information.
  • Request the transfer of personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Breedon Group.

You may make a complaint to the local data commissioner’s office in which the Company operates if you are dissatisfied as to how your personal data is being processed.

Data Processors

For the purposes of the contract and GDPR, we are of the view that it is the Company which is the data controller.  However, if the Company is deemed to be acting as data processor for the purposes of the contract (or the customer is held to be a data processor in relation to any of the Company’s personal data they receive during the contract) then the relevant processor shall:

  • only act on the written instructions of the controller (unless required by law to act without such instructions);
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage a sub-processor with the prior consent of the data controller and a written contract;
  • assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract; and
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Each of the parties shall comply with its obligations under the GDPR, shall co-operate with the relevant supervisory authorities and upon request provide the other with reasonable assistance, information and cooperation, at its own expense, to ensure the other party’s compliance with their respective obligations.

Changes to this Record of Processing Activities

We reserve the right to amend this Privacy Notice from time to time consistent with the GDPR and other applicable data protection requirements.

You can contact us at Compliance.Officer@breedongroup.com.

Breedon Group plc

21 September 2020