Greenfile Developments

General Data Protection Regulations 2018

  

Data Protection Policy & Practices

  1. This set of policy and practices (the Policy) applies to Greenfile Developments Ltd’s office, its staff and agents operating on behalf of Greenfile Developments Ltd.

  2. The Policy is operational from 28th January 2013.

  3. The Policy is prepared by Dr Uly Ma, Director and Data Protection Officer.

  4. The Policy Date approved by the Greenfile Developments Board of Directors.

  5. The Policy review dates are the third working day of each calendar year.

  6. The purpose of the Policy is to enable GREENFILE DEVELOPMENTS LTD to:
    1. comply with the law in respect of the data it holds about individuals;
    2. follow good practice;
    3. protect GREENFILE DEVELOPMENTS LTD's supporters, staff and other individuals; and
    4. protect the organisation from the consequences of a breach of its responsibilities.
  7. This policy applies to information relating to identifiable individuals, even where it is technically outside the scope of the Data Protection Act, by virtue of not meeting the strict definition of 'data' in the Act.
    1. This policy has been updated to comply with the General Data Protection Regulations (GDPR) 2018.
  8. GREENFILE DEVELOPMENTS LTD will:
    1. comply with both the law and good practice;
    2. respect individuals' rights;
    3. be open and honest with individuals whose data is held; and
    4. provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.
  9. GREENFILE DEVELOPMENTS LTD recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. In the main this means:
    1. keeping information securely in the right hands; and
    2. holding good quality information.
  10. In addition to being open and transparent, GREENFILE DEVELOPMENTS LTD will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. This is to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account.

  11. GREENFILE DEVELOPMENTS LTD has identified the following potential key risks, which this Policy is designed to address:
    1. Breach of confidentiality (information being given out inappropriately) - especially during project reporting.
    2. Insufficient clarity about the range of uses to which data will be put - leading to Data Subjects being insufficiently informed.
    3. Failure to offer choice about data use when appropriate.
    4. Breach of security by allowing unauthorised access - especially by project sponsors.
    5. Insufficient clarity about the way contractors’ or contracted associates’ (hereafter associates) personal data is being used, e.g. given out to the general public.
    6. Failure to offer choices about use of contact details for staff, contractors or associates.
  12. The Data Protection Officer is currently Dr Uly Ma, with the following responsibilities:
    1. Briefing the board on Data Protection responsibilities;
    2. Reviewing Data Protection and related policies;
    3. Advising other staff (contractors and associates) on Data Protection issues as appropriate;
    4. Ensuring that Data Protection induction and training takes place at the start of new projects;
    5. Notification;
    6. Handling subject access requests; and
    7. Approving unusual or controversial disclosures of personal data.
  13. All staff, contractors and associates are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Significant breaches of this policy will be handled under GREENFILE DEVELOPMENTS LTD's disciplinary procedures.

  14. Because confidentiality applies to a much wider range of information than Data Protection, GREENFILE DEVELOPMENTS LTD has separate Confidentiality clauses in its Non-Disclosure Agreements, Confidentiality Agreements, Associates Agreements and Programme of Work for specific projects.

  15. Where anyone within GREENFILE DEVELOPMENTS LTD feels that it would be appropriate to disclose information in a way contrary to the various Confidentiality-related policies stated in paragraph 15 above, or where an official disclosure request is received, this will only be done with the authorisation of the Data Protection Officer. All such disclosures will be documented.

  16. GREENFILE DEVELOPMENTS LTD has identified the following risks:
    1. Information passed to project sponsors can go astray or be misdirected;
    2. Staff at project sponsors with access to personal information could misuse it;
    3. Contractors and associates could continue to hold information after they have stopped working for GREENFILE DEVELOPMENTS LTD;
    4. Poor web site security might give a means of access to information about individuals once individual details are made accessible online; and
    5. Contractors and associates may be tricked into giving away information, either about colleagues or data collected as part of the project, especially over the phone.
  17. GREENFILE DEVELOPMENTS LTD will not verify the accuracy of the data gathered as part of its projects but will accept them in good faith. However, GREENFILE DEVELOPMENTS LTD will update the data when information which enables this to happen is available.

  18. GREENFILE DEVELOPMENTS LTD will retain personal data gathered from its projects for a period of three years after the end of the project or as otherwise specified by its project sponsors.

  19. Any subject access requests will be handled by the Data Protection Officer.

  20. Subject access requests, other than those by a project sponsor, must be in writing. All staff, contractors and associates are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.

  21. Where the individual making a subject access request is not personally known to the Data Protection Officer, including representatives of the project sponsor, their identity will be verified before handing over any information.

  22. General Data Protection Regulations (GDPR): GREENFILE DEVELOPMENTS LTD confirms that it complies with GDPR in the following areas:
    1. Data: data beyond 6 years has been deleted from company computers.
    2. Consent to process data: Greenfile Developments Ltd will follow the GDPR definitions of consent.
    3. Security measures and policies: policies have been updated to comply with GDPR.
    4. Meet access needs: GREENFILE DEVELOPMENTS LTD will follow the GDPR required one-month timeframe.
    5. Employee training: all employees have been trained to comply with GDPR.
    6. Supply chain due diligence: this has been reviewed and found compliant. New subcontractors and suppliers will be assessed for their GDPR compliance.
    7. Fair processing notices: this has been reviewed and found compliant.
    8. Data Protection Officer: this requirement has been reviewed and the current system is deemed compliant.

    Specifically:

    1. GREENFILE DEVELOPMENTS LTD does not hold details on individuals who attended seminars and workshops other than name, photo and CSCS number where required. Data older than 6 years will be deleted from company computers.
    2. GREENFILE DEVELOPMENTS LTD retains subcontractor/supplier details: name, address and bank details solely for the purposes of invoice payments.