Privacy Policy

This Policy relates to information from which individuals can be identified and sets out how Building Craftsmen / McCartney (Dumfries) Ltd will manage such information.

INTRODUCTION

This Data Protection Policy applies to all Personal Data the Company processes regardless of how that data is stored or whether it relates to past or present employees, apprentices, workers, contractors, agency workers, volunteers and interns. Separate Policies in respect of data subjects who are job applicants, customers or suppliers are available from William Hewitson.
This Data Protection Policy applies to all Company Personnel.

SCOPE

We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. It is a critical responsibility that we take seriously at all times.
Whilst employees are required to comply with the terms of this Data Protection Policy, it does not form part of their employment contract.
Please contact the Data Protection Compliance Manager with any questions about the operation of this Data Protection Policy or if you have any concerns that this Data Protection Policy is not being or has not been followed.

What we Collect:

We may collect the following information:

• name
• contact information including email address
• demographic information such as postcode, preferences and interests
• Information fields on our contact us form and book a viewing form that are given relating to a sale/enquiry.

What we do with the information we gather:

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
• Internal record keeping.
• We may use the information to improve our products and services.
• We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
• From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.

We will not:

• sell or rent your data to third parties
• share your data with third parties for marketing purposes
We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

How long we keep your data:

We will only retain your personal data for as long as:
• it is needed for the purposes set out in this document
• the law requires us to
In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.

Disclosure Of Your Data:

The Data you provide to us will be treated as confidential. However, we may disclose your Data to other third parties who act for us for the purposes set out in this Privacy Policy or for purposes approved by you such as to external suppliers that we use to deliver a product to you or as discussed with you before we share your data.

Google Analytics Data:

We use Google Analytics software to collect information about how you use buildingcraftsmen.com.
We do this to help make sure the site is meeting the needs of its users and to help us make improvements, for example improving site search.
Google Analytics stores information about:
• the pages you visit on buildingcraftsmen.com
• how long you spend on each buildingcraftsmen.com page
• how you got to the site
• what you click on while you’re visiting the site
We do not collect or store your personal information (for example your name or address) so this information cannot be used to identify who you are.
We also collect data in order to:
• improve the site by monitoring how you use it

PERSONAL DATA PROTECTION PRINCIPLES

Lawfulness and Fairness

Data may only be collected by the Company if the Processing is fair, lawful and for specified purposes, some of which are set out below:
(a) The Data Subject has given his or her consent
(b) The Processing is necessary for the performance of a contract with the Data Subject
(c) To meet our legal compliance obligations
(d) To protect the Data Subject’s vital interests
(e) To pursue our legitimate interests

Consent

In some circumstances, consent may be required. Consent should be freely given, specific and informed. It may also be withdrawn at any time.

Transparency

Information in relation to how and why we collect data will be provided through appropriate Privacy Notices.

Purpose Limitation

Personal Data will be collected only for specified, explicit and legitimate purposes. It will not be further Processed in any manner incompatible with those purposes. We will not Process Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless the Data Subject has been informed and has consented where necessary.

Data Minimisation

Personal Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. When Personal Data is no longer needed, it is deleted or anonymised in accordance with the Company’s data retention guidelines.

Accuracy

We will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. We will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

Storage Limitation

Personal Data will be kept in an identifiable form for no longer than is necessary for the purposes for which the data is processed.

SECURITY, INTEGRITY AND CONFIDENTIALITY

Protecting Personal Data

Personal data will be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

Reporting a Personal Data Breach

The GDPR and Data Protection Act 2018 require Data Controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the Data Subject. We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so within 72 hours.
If you know or suspect that a Personal Data Breach has occurred, you should contact William Hewitson immediately.

Transfer Limitation

We do not transfer data outside of the UK. However, where it appears necessary to transfer Personal Data outside of the UK, you must first contact William Hewitson for guidance on how this can be achieved within the scope of the GDPR and Data Protection Act 2018.

Company Procedures

The Company has appointed William Hewitson with a specific responsibility for protecting the personal data of individuals in respect of processing and controlling the data. If you wish further information in relation to the steps taken, please contact William Hewitson.

Data Subject’s Rights and Requests

Data Subjects have certain rights when it comes to how we handle their Personal Data. These include rights to:
• withdraw consent to Processing
• receive certain information about the Data Controller’s Processing activities
• request access to the Personal Data that we hold
• ask us to erase Personal Data if it is no longer required for the purpose for which it was collected or Processed
• rectify inaccurate data
• complete incomplete data
• restrict Processing in specific circumstances
• challenge Processing which has been justified on the basis of our legitimate interests or in the public interest
• prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else
• be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms
• make a complaint to the supervisory authority
You must immediately forward any Data Subject request you make or receive to William Hewitson and comply with the Company’s Data Subject response process.

Accountability

We implement appropriate technical and organisational measures to ensure compliance with data protection principles. Our policies and procedures are one way in which we demonstrate our compliance with the GDPR and Data Protection Act 2018.

Record Keeping

Where required by the GDPR and Data Protection Act 2018, we will keep full and accurate records of all our Data Processing activities. In addition, we will keep records of Data Subjects’ consents and procedures for obtaining consents, in accordance with the Company’s record keeping guidelines.

Training and Audit

We require all Company Personnel to read and understand the Data Protection Policy when they are inducted. In addition, you will be required to undergo training appropriate to your role to enable you to comply with the GDPR and Data Protection Act 2018.

Sharing Personal Data

We will only share Personal Data with third parties where certain safeguards and contractual arrangements have been put in place.
We only share the Personal Data we hold with third parties, including but not limited to our service providers such as benefits providers, payroll providers and professional advisors, if:
a) We have a lawful basis for doing so;
b) Sharing the Personal Data complies with the Privacy Notices provided to the Data Subject and, if applicable, consent has been obtained, and
c) The third party has agreed to comply with the required data security policies and procedures and put adequate security measures in place.
We may share the Personal Data we hold with another employee, agent or representative of our company if the recipient has a job-related need to know the information.

Changes To This Data Protection Policy

We reserve the right to change this Data Protection Policy at any time without notice to you. This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates.

Acknowledgement Of Receipt And Review

I acknowledge that I have received and read a copy of the Building Craftsmen / McCartney’s Data Protection Policy, 16th May 2018 and understand that I am responsible for knowing and abiding by its terms. I understand that the information in this Data Protection Policy is intended to help Company Personnel work together effectively on assigned job responsibilities and assist in the use and protection of Personal Data.