Furbnow Data Protection & GDPR Policy

Last updated at: 9th January 2023

Goal of the data protection policy

The goal of the data protection policy is to depict the legal data protection aspects in one summarising document. It can also be used as the basis for statutory data protection inspections, e.g. by the customer within the scope of commissioned processing. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) and Data protection Act (DPA) 2018 but also to provide proof of compliance.

Preamble

Furbnow offers home retrofit services to homeowners and manages a network of suppliers to deliver home retrofits from assessments to installations and monitoring. As such, Furbnow collects, processes and holds data on its current and potential customers, and suppliers. Protection of this data is an important responsibility of Furbnow as a legal and regulatory requirement. We have legal and regulatory requirements to retain certain data, usually for a specified amount of time. We also retain data for business purposes, such as to operate our business and to have information available when we need it. However, we may not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.

Data Controller

Furbow is a Data Controller. Furbnow collects and processes data subject data for the purposes of customer management, supplier management, marketing, recruitment, and research. Further types of data subjects and categories of data collected are detailed further below in this document. Furbnow shares data it controls with trusted suppliers to carry out our business functions, and third party data processes for the above purposes.

Furbnow’s Data Protection Officer is:

Laurence Watson, Chief Product & Technology Officer

hello@furbnow.com

Data Retention

Record Retention

Formal or official records which are listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of data.

Disposable Data

Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:

• Duplicates of originals that have not been annotated.
• Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
• Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of Furbnow and retained primarily for reference purposes.
• Spam and junk mail.

Personal Data

Personal data includes any information that could identify living individuals. Data protection laws require us to retain personal data only for as long as is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.3 below for more information on this.

Confidential information belonging to others

Any confidential information that an employee may have obtained from a source outside of Furbnow, such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by us except as permitted in our confidentiality policy. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted if received via the internet. Please see our confidentiality policy.

Retention Periods

Formal or Official Records

Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact Furbnow Management.

Disposable Information

The Record Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for business purposes and once it no longer has any business purpose or value it should be securely disposed of.

Storage Limitation for Personal Data

As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where personal data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where personal data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data. More information can be found in our Privacy Policy.

Omit from Schedule

If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there may be an omission in the Record Retention Schedule, or if you are unsure, please contact the Furbnow CTO.

Storage, Backup-up and Disposal of Data

Data Storage

Our data must be stored in a safe, secure, and accessible manner. Documents and financial files that are essential to our business operations during an emergency must be continuously backed up on redundant storage.

Data Destruction

Our CTO and Furbnow Management is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and employee-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling or erased if appropriate. The destruction of electronic data must be co-ordinated with Furbnow Management.

Stopping data destruction

Destruction of data must stop immediately upon notification from Furbnow Management that preservation of documents for contemplated litigation is required. This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once Furbnow Management lifts the requirement for preservation.

Special Circumstances

Record Retention

This policy requires employees to comply with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or Furbnow Management informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose of, destroy, or change those records including emails and other electronic documents until Furbnow Management determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.

Exception Questions

If you believe this exception may apply, or have any questions regarding whether it may apply, please contact Furbnow management.

Data Disposal

You may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.

Where to Go for Advice and Questions

Questions About Policy

Questions about retention periods relevant to your function should be raised with your function lead or manager, or the Furbnow CTO. Any questions about this policy should be referred to the data retention lead Laurence Watson, laurence@furbnow.com, who is in charge of administering, enforcing and updating this policy.

Breach Reporting and Audit

Reporting Policy Breaches

We are committed to enforcing this policy as it applies to all forms of data. The effectiveness of our efforts, however, depend largely on employees' willingness to report incidents. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the Furbnow CTO. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.

Protected Activities

We will not subject any person to any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.

Audits and Compliance

Our CTO and Data Controller will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.

Schedules

Schedule 1: Definitions

Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as "data".

>Data Protection Officer: our Data Protection Officer who is responsible for advising on and monitoring compliance with data protection laws.

>Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.

>Disposable information: disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule.

Formal or official record: certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. We refer to this as formal or official records or data.

Non-personal data: data which does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymised.

Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.

Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records.

Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the GDPR as the principle of storage limitation.

Schedule 2: Record Retention Schedule

Furbnow establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs. We will retain data with the purpose of continuing to interact with customers over a longer time period if they wish to do so, and to continue to work with suppliers to carry out retrofit projects into the future while considering capacity and demand.

Employees should comply with the retention periods listed in the record retention schedule below, in accordance with the Furbnow Data Retention Policy.

If you hold data not listed below, please refer to the Data Retention Policy - Disposable Records. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact Laurence Watson, laurence@furbnow.com

See table at the bottom of this page.

Guidelines for the rights of data subjects

As per guidelines from the Information Commissioner’s Office, the UK GDPR provides the following rights for individuals, which are:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

The right to be informed

Furbnow must issue certain information about the processing activities that affect you. This information is usually provided in a Privacy Notice or Privacy Statement that is made available at the point the data is collected.

The right of access

Furbnow, as the data controller, must provide you with:

• confirmation that your data is being processed
• access to your personal data
• other supplementary information

For further information on how to make a Subject Access Request application see guidance from the Information Commissioner’s Office.

The right to rectification

You can ask Furbnow to correct any personal information it holds about you to ensure your data is accurate. You may also ask Furbnow to complete incomplete data held about yourself.

The right to erasure/be forgotten

You have the right to (under certain circumstances) ask for your personal data to be erased where:

• your personal data is no longer necessary in relation to the purpose for which it was collected/processed
• you withdraw your consent or object to the processing and there is no overriding legitimate interest to continue processing
• you object to the processing and there are no overriding legitimate grounds for the processing
• you object to the processing and your personal data was processed for direct marketing purposes
• your personal data was unlawfully processed or should be erased to comply with a legal obligation
• your personal data is processed in relation to the offer of information society services to a child

Furbnow can refuse to erase your personal data where it is processed:

• to comply with a legal obligation or for the performance of a task of public interest
• for the exercise or defence of legal claims
• for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics
• If your data has been disclosed to a third party, Furbnow will ask them to erase that data, unless this proves impossible or involves disproportionate effort. You may ask who those third parties are and Furbnow will inform you accordingly.

The right to restrict processing

You have the right to restrict the processing of personal data held by Furbnow where:

• you have contested its accuracy
• you have objected to the processing and Furbnow is considering whether they have a legitimate ground which overrides this
• processing is unlawful
• Furbnow no longer needs the data but you require it to establish, exercise or defend a legal claim
• The right to data portability
• The right to data portability allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This enables you to obtain and reuse your personal data across different services.

The right to data portability only applies:

• to personal data that an individual has personally provided to Furbnow
• where the processing is based on consent or the performance of a contract
• where processing is carried by automated means (i.e. excluding paper files)

The right to object

You have the right to object to processing of your personal data in certain circumstances and have an absolute right to stop your data being used for direct marketing.

You can also object if the processing is for:

• a task carried out in the public interest
• the exercise of official authority vested in Furbnow
• Furbnow’s legitimate interests (or those of a third party)

However, in these circumstances the right to object is not absolute and you must give specific reasons why you are objecting to the processing of your data.

Please be aware that Furbnow would be able to continue processing your personal data if:

• we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
• the processing is for the establishment, exercise or defence of legal claims
• Rights relating to automated decision making and profiling
• Automated decision-making takes place when an electronic system uses personal information to make decisions without human intervention.

Furbnow could use automated decision-making in the following circumstances:

• where we have notified you of the decision and given you 21 days to request a reconsideration
• where it is necessary to perform the contract and appropriate measures are in place to safeguard your rights

At present, there are no fully automated decision making or profiling systems in use within Furbnow. This means that this right does not currently apply to any processing activities.

How to contact Furbnow about your rights

You may submit your request to Furbnow verbally or in writing.

How to make a complaint to Furbnow

If you are dissatisfied with the way we have handled your application and want to make a complaint, please write to:

Email: hello@furbnow.com

We will acknowledge your complaint within 10 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.

Complaints to the Information Commissioner

If you are dissatisfied with the way we have handled your complaint or request and want to make a complaint, you may write to the Information Commissioner, who is an independent regulator. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

The Information Commissioner can be contacted at:

Information Commissioner Wycliffe House Water Lane Wilmslow Cheshire, SK9 5AF Tel: 08456 30 60 60 or 01625 54 57 45 Fax: 01625 524510