Data protection policy

1. Policy Statement

Construction Carbon Limited (CC) is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct. This policy sets forth the expected behaviours of CC Employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a CC Contact (i.e. the Data Subject).

Personal Data is any information which relates to an identified or Identifiable Natural Person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data.

CC’s leadership is fully committed to ensuring continued and effective implementation of this policy, and expects all CC Employees and Third Parties to share in this commitment.

2.    Data Protection Principles

CC are committed to adhering, without compromise, to the data protection principles listed under in the Date Protection Act 2018 (DPA 2018).

          o   Fair, lawful and transparent processing

                We will process personal data fairly and lawfully and will fulfill our obligation to tell data                 subjects what their personal data will be used for. We will ensure that we have a lawful                 basis for the processing of all personal data.

          o    Purpose limitation

                Under the purpose limitation principle, we confirm that personal data collected for one                 purpose will not be used for a new, incompatible, purpose.

          o    Data minimisation

                We will only process the personal data that we need, in order to achieve our processing                 purposes.  Personal data collected will be adequate, relevant and limited to what is                 necessary in relation to the purposes for which that data is processed.

          o    Accuracy

                There are obvious risks to data subjects if inaccurate data are processed. As a controller of                 certain data, we are responsible for taking all reasonable steps to ensure that personal                 data is accurate. Every reasonable step will be taken to ensure that if personal data is                 found to be inaccurate, it is either erased or rectified without delay.

          o    Storage limitation (Data retention periods)

                We will not retain personal data for longer than necessary in relation to the purposes for                 which it was collected.

          o    Data security (Integrity and Confidentiality)

                 We will ensure we take all practicable measures to secure personal data, both against                  external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained                  employees).

                Personal data will be processed in a manner that ensures appropriate security of the data,                 including protection against unauthorised or unlawful processing and against accidental                 loss, destruction or damage, using appropriate technical or organisational measures.

          o    Accountability

                We will ensure the enforcement of the Data Protection Principles. This means we must                 demonstrate that the six Data Protection Principles (outlined above) are met for all                 Personal Data for which we are responsible.

3.    Data Security

The Company will implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. These measures include:

          o   only storing data in a location which utilises adequate encryption of data at rest;

          o   ensure transfers of data are protected with encryption in transit;

          o   limiting access to data on a need-to-access basis;

          o   training employees on good data protection standards;

          o   enforcing the use of strong unique passwords across the organisations;

          o   utilising 2FA (where available) to protect applications/systems containing personal                 information.

4.    Data Breach Reporting

Under the DPA 2018, it is a requirement for controllers to report breaches to DPAs, we commit to transparency in our actions and will report any breach to the DPA without undue delay, and in any event within 72 hours of becoming aware of it. The notification will include:

          o   a description of the data breach, including the numbers of data subjects affected and the                categories of data affected;

          o   the name and contact details of the DPO (or other relevant point of contact);

          o   the likely consequences of the data breach;and

          o   any measures taken by the controller to remedy or mitigate the breach.

All breach investigations will be conducting in line with our Information Security Incident Procedure.  We will keep records of all data breaches, comprising the facts and effects of the breach and any remedial action taken.

Where the data breach is likely to cause high risk to data subjects we will notify the affected data subjects without undue delay. Where we are a data processor, we shall inform the data processor of any known breach without undue delay so they can fulfill their responsibilities under the DPA 2018.

5.    Awareness and Training

Management will ensure that all Employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy. We will provide suitable training concerning data processing on induction into the Company and then on an ongoing basis. The level of training will be proportionate to the level of exposure to Personal Data.

6.    Sub Processors

We will ensure all Third Parties engaged in the processing of Personal Data on behalf of CC are aware of and comply with the contents of this policy. Assurance of such compliance will be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by the Company.

7.    Data Subject Requests

The Company have an established system to enable and facilitate the exercise of Data Subject rights related to:

          o   Information access

          o   Objection to Processing

          o   Objection to automated decision-making and profiling

          o   Restriction of Processing

          o   Data portability

          o   Data rectification

          o   Data erasure

If an individual makes a request relating to any of the rights listed above, the Company will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.

All requests received for access to, or rectification of Personal Data will be logged as each request is received. A response to each request will be provided within 30 days of the receipt of the written request from the Data Subject.Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require the Company to correct or supplement erroneous, misleading, outdated,or incomplete Personal Data.

8.    Law Enforcement Requests & Disclosures

In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:

          o   The prevention or detection of crime

          o   The apprehension or prosecution of offenders

          o   The assessment or collection of a tax or duty

          o   By the order of a court or by any rule of law

9.    Data Transfers to Third Parties

CC may transfer Personal Data to internal or Third Party recipients located in another country where that country is recognised as having an adequate level of legal protection (this includes the use of cloud computing platforms).

If transfers need to be made to countries lacking an adequate level of legal protection, they must be made in compliance with an approved transfer mechanism. In this case, CC may only transfer Personal Data where one of the transfer scenarios list below applies:

          o   The Data Subject has given Consent to the proposed transfer

          o   The transfer is necessary for the performance of an explicit contract with the DataSubject

          o   The transfer is necessary for the implementation of pre-contractual measures taken in                 response to the Data Subject’s request

          o   The transfer is legally required on important public interest grounds

          o   The transfer is necessary in order to protect the vital interests of the Data Subject

10.   Procedures for the control of data processing

The Company is committed to ensuring that in the completion of business operations,Personal Data is not compromised and is handled in a fair and lawful manner. We maintain documented records of all our data processing activities.

All consultants working for CC are contractually bound to a confidentiality agreement which outlines their responsibilities for handling CC and client data.

Where there is a change in the business or our activities, we will conduct a data audit to establish how the change will affect Data Subjects. The results of the audit will inform decisions as to how legal compliance and the rights of Data Subjects maintained.

11.     Authorisation

This policy has been authorised by:

Gilbert Lennox-King and Tom Scott


25 January 2024

CC015D Data Protection Policy (Privacy Policy) V22023.02.02