Privacy Notice (Issued May 2018)


We have always taken the security of our clients’ personal data very seriously. This Privacy Notice explains how we collect and process personal data to comply with GDPR Regulations. From time to time we will update this notice and make any necessary changes. The General Data Protection Regulations will be the legal framework for this Notice.

To assist you in understanding this Notice we have divided it into sections:


Personal data - any information relating to an identified or identifiable living natural person.

Processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Filing system - paper or electronic arrangement of personal data to facilitate processing

Controller - a natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data

Processor - a natural or legal person, which processes personal data on behalf of the controller

Main establishment - SAY House, Units 2,3 & Offices, Rudgate Business Centre, Rudgate/Wighill Lane, Thorp Arch Industrial Estate, Wetherby, LS23 7AT.

Why, When and How we use your personal data

We are engaged by our clients to provide a professional service. Personal data is provided to us by our clients and used exclusively for the purpose of providing the service they instruct us to provide.

Legal basis for processing

We acknowledge our responsibility to identify to our clients the lawful basis for processing personal data. In this regard we have considered a number of factors which we set out in this Notice:

1. Processing is necessary for the performance of the contract between our client and SAY Group of Companies.

2. Processing is necessary for the purposes of the legitimate interests pursued by SAY Group of Companies in our capacity as controller.

3. Processing is necessary for the purpose of meeting the legal obligations of the SAY Group of Companies.

We acknowledge that clients have the right to withdraw their consent at any time. However, this will not have any effect on any processing we have undertaken on their behalf before consent is withdrawn.

Clients who wish to withdraw consent for use of their data outside of the reasons listed above under ‘Legal basis for processing’ should contact a member of our service team.


We do not process data of children as part of our business activities.

What personal data do we store securely

The personal data we collect depends upon the service(s) we are contracted to provide to our clients but includes: name, address, telephone number, email address.

Additional information in relation to works, such as project quotes, project specifications, quotation history, payments made, payments outstanding, bank details etc.

To ensure the safety and security of our staff we monitor our premises by CCTV. The legal basis for recording is a legitimate interest for the safety and security of our staff and premises.

Currently, we do not record telephone conversations. However, we may do so in the future and we will update this Notice if we do change our decision.

Third party data processing and sharing

We may share your data with a third party for specific limited purposes, technical support, legal requirements, accountancy requirements, and other third parties which have a business need to know. These parties are subject to a duty of confidentiality. We may also need to share your information with a regulator or to otherwise comply with the law.

Marketing and newsletters

SAY Group does not undertake marketing and will not share its clients’ personal data with any third-party organisation for marketing of any kind.

How long we retain personal data

We only hold your personal data for as long as necessary. This means that we will retain copies of processed data only to comply with statutory requirements or to enable us to provide services we are contracted to provide on an ongoing basis. Generally, some or all of the personal data of clients will be retained for as long as they are a client of SAY Group and for a period of six years after the last interaction with us (for accounting, tax reporting and record-keeping purposes).

Personal data security

In order to maintain the highest possible level of security and to prevent processing infringement we have undertaken a risk review and implemented policies and procedures designed to mitigate those risks. However, it is impossible to guarantee that any IT system is robust in the face of a concerted cyber-attack by those persons or States sponsoring such activity.

We invest annually in our IT network and engage IT experts to evaluate the security measures we implement. We have data encryption, firewall security, cloud-based server facilities hosted in UK data centres, and up-to-date software programmes supported by regular updates and malware protection.

We have implemented corporate rules which include policies and procedures to reduce the risk of data loss.

Data breach

In the event of a personal data breach, we will assess if there is a high risk of an adverse impact to your rights and freedoms. In such circumstances we will inform you of the nature of the breach and the action we have taken, or will take, to mitigate the effect.

We will contact you as soon as we can, and where possible within 48 hours of the breach, setting out the circumstances and conveying our plan to mitigate any adverse effect. We will notify the ICO of the personal data breach without delay and no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms.

Your rights regarding personal information

Under certain circumstances, by law you have the right to:

Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Office Manager in writing.

SAY Group of Companies, SAY House, Units 2,3 & Offices, Rudgate Business Centre, Rudgate/Wighill Lane, Thorp Arch Industrial Estate, Wetherby, LS23 7AT

Limitation of your rights

Your rights are not absolute, and we may be entitled to refuse requests where exceptions apply.

If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner. You can find out more about your rights under applicable data protection legislation from the Information Commissioner’s Office website available at