GDPR Policy
Last Updated: January 2024
General Data Protection Regulation (GDPR)
Introduction
GGDPR will apply to all EU states from the 25th May 2018. GDPR is an EU regulation which has two main drivers:
- The EU wants to give people more control on how their personal data is being used.
- The EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market.
DVC Group Limited has always adhered to the current Data Protection laws and regulations set out for the use of personal data. GDPR means that we are having to change a number of our process, policies and contracts.
This page/document outlines what we have put in place at DVC Group Limited to ensure that we are fully compliant with the new GDPR regulation from the 25th May 2018.
What does GDPR change?
In summary, two things:
- Transparency – Customers must be given far more information about what is done with their personal data, why, and what rights they have.
- Control – Customers are given much more control in terms of obtaining a copy of their personal data, have it corrected, having it deleted, being told what legal ground is relied on to process the data, how long it will be kept for, objecting to processing (especially automated processing) and being told about security breaches and loss of data.
Data Controllers and Data Processors at DVC Group Limited
A Data Controller states how and why personal data is processed. DVC Group Limited has one Data Controller and we will be more than happy to provide names should you have a valid request. Please email hello@dvcg.co.uk asking for the name of your Data Controller.
A Data Processor is the individual at DVC Group Limited who is processing the data. All of our team who are in a sales, operations, finance and marketing roles can process data.
The duty of our Data Controller is to ensure that our processors abide by the law and our processors must abide by these rules and maintain records of their processing activates.
Our Data Controller must ensure that data is processed lawfully (see below “What is Lawful?”), is transparent and used for a set purpose.
Once this purpose has been fulfilled and the data is no longer required, it then needs to be deleted from our systems.
Who we are and our details?
All our company details are on our website, www.dvcg.co.uk. Located at the footer of the home page, we list all of our corporate information.
What is Lawful?
Firstly, a person has consented for us to have their personal data and to process it. Secondly, collecting the data is in our legitimate interest, such as preventing fraud.
How do we get consent from you?
We ask you to submit your name and email address when completing an application form or you contact our business. Your data remains on file whilst we process your application or quotation. We also retain your data and use your data for marketing purposes until such time as you inform us to remove your data.
To comply with GDPR, DVC Group Limited need to answer the following questions?
When did you give us consent?
The date you made contact with DVC Group Limited, completed an application form or quotation.
What did you give consent for?
You are giving us consent to market to you no more than once per month and also to communicate about business opportunities we may be working on.
How did you give consent?
When you requested a quote or completed an application form.
How can I withdraw my consent for you to hold my data?
You have the right to withdraw your consent for us to hold your data at any time. You do not have to offer a reason for this.
Once we have received notice from you to withdraw consent to hold your data, your details will be removed from our system and marketing lists within seven working days.
To remove your consent for us to hold your data, please email hello@dvcg.co.uk, and provide your name and email address.
Do we have this history by individual person?
Yes, our records will provide history by the individual, not the company or organisation they represent.
When will the consent expire?
We expire consent seven years after it has been given.
What is classified as personal data?
Personal data could relate to economic, cultural and mental health information on yourself. We do not hold any of this data.
What data we hold and why? Profiling and collection of other personal data
Profiling means any form of automated process of personal data to evaluate certain aspects relating to a person to analyse and predict their interest, behaviour, health and location.
At DVC Group Limited, at time we collect information on:
- Contact data – mobile phone number and email address.
- People’s interests – this is used for our account managers to speak about subjects an individual is interested in, thus building up a stronger relationship with them.
- Health – we will only ever record information on an individual’s health to ask how they are at a later date, or not to embarrass ourselves speaking about a subject matter that would clearly cause offence or harm.
- Location – we use location information, such as where you live, should there be a need to meet up in the future and / or take a general interest in business or local events that may be of interest to you.
- Age – we collect information on peoples age. Often, when we submit your application this data will be needed. With regards to the suppliers we work with, again, we have to carry out basic KYC checks and wish to communicate with you on a social level about things that interest you.
- Gender – we collect information on your gender for the purposes of writing to you.
- Contact Data – we collect your phone number and email address so we can stay in touch and provide updates.
- Property Information – we collect property details such as the type of property, ownership status, insulation, heating systems, and rooftop suitability. This information is essential for assessing eligibility for government-backed schemes and providing tailored recommendations.
- Household Information – we gather relevant household details including income status and number of occupants. This allows us to confirm eligibility for specific grants or funding programmes that are income or household-dependent.
- Spouse and Children – in some instances, we will hold the names and year of birth of immediate family members. This is done to build a closer working relationship with you over a period of time. This information is not used for any other form of profiling.
Who do we share our data with, selling or offering of your data to third parties
DVC Group Limited will not sell your personal data to any third parties without your written consent.
The only third party companies we share data with are:
Our installation partners, our supply partners, our equipment suppliers and funding supply partners. Even then, this will only be done at a time when we are looking at a specific business opportunity or when we have been requested this information due to a dispute, default or problem in general.
Holding of “Special Personal Data” also known as “Sensitive personal Data.”
This relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health or sex life.
DVC Group Limited does not hold or collect any of this data: Passports, driving Licences, utility bills, bank statements, council tax bills and benefits documentation do not form part of sensitive data.
Where information on the data subject/customer is obtained from a source other than the data subject/customer, what that source is.
There will be instances where we obtain data from a third party. Often, this is where a supplier we deal with passes up information on a prospect they are working with. We will data load and keep this information as long as the information is appropriate to our needs. Should you request it, we will be more than happy to disclose what information we hold and the third party we received it from.
What is soft Opt-in?
Soft opt-in is a term used to allow us to communicate with an individual even though they have not actually opted in as from the 25th May 2018. An individual could be a prospect, customer, or supplier with whom we have spoken to about our services. Under the soft opt-in rules, we are allowed to communicate with this individual via email as long as the subject matter is related to the services we offer or promote.
The soft opt-in ruling can be deemed to be ambiguous. We have interpreted this section under the new GDPR rules that we can communicate with individuals via their personal email account or mobile phone if we can clearly demonstrate we have communicated with them in the past about a relevant subject matter.
What have we done to comply with the new GDPR ruling?
Board of Directors – The directors have been fully briefed on GDPR and have appointed Data Controllers internally.
Training – All our existing staff will go through a one-day GDPR training course as a minimum.
Company mobile phones/Tablets – All company mobile phones are password protected.
Company laptops – All laptops are password protected. They are hidden when in a vehicle and locked away if ever stored overnight at an office.
Personal Data – Our Customer Relationship Management (CRM) system, Word, Excel, Outlook are all stored on office PC’s and laptops.
Printed material – We scan printed material as quickly as we can and store it on our company storage facility. Once scanned, printed material is destroyed.
CRM system – Only current employees of our company have access to this system.
Personal data – we do not store any personal data, other than what is required commercially for a client application or quotation purposes, or on our CRM system for communication and marketing purposes.
Your rights as an individual
The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling.
You can remove consent, for any reason at any time by emailing hello@dvcg.co.uk.
Should you have any questions regarding GDPR and your data at DVC Group Limited, again, please email hello@dvcg.co.uk and a DVC Group Limited Data Controller will get back to you within 14 working days.
In the event of a security breach
We take data security very seriously and use best endeavours to ensure the systems and procedures we follow provide us with a high level of data security. Should a data breach occur, we will analyse the situation and report it to the necessary authorities and communicate with any individuals that may have been affected.
DVC Group Limited look to report this information to the Information Commissioner’s Office with 48 business hours and communicate with any individual affected within 72 hours.
Filing a Complaint
We hope that you will not find it necessary to file a complaint against our company with reference to Data Protection. Should you feel it appropriate, you will need to contact:
Organisation Information Commissioner’s Officer Website address www.ico.org.uk
Telephone You can call their helpline on 0303 123 1113
Who are the ICO? The ICO are the UK’s independent authority set up to uphold information rights in the public interest promoting openness by public bodies and data privacy for individuals.
Thank you.
DVC Group Limited
