Privacy Policy

Code for Construction Product Information – Privacy Policy

1.         Introduction

1.1             The Code for Construction Product Information is a service of Construction Product Information Ltd, a company incorporated in the United Kingdom whose registered office address is The Building Centre, 26 Store Street, London, WC1E 7BT (referred to as CPI Ltd, we, us and our in this Privacy Policy).

1.2             The information set out in this Privacy Policy is provided to individuals whose personal data we process (you or your) as data controller, in compliance with our obligations under Articles 13 and 14 of the “UK GDPR” (as defined in the Data Protection Act 2018) (UK GDPR).

1.3             To make this information clear, we have divided the data we receive into the following groups and corresponding Schedules, where each of which refers to: the particular category of information we collect and retain; from where we obtain the information; the purpose and legal basis of processing and to whom we will (if applicable) disclose the information:

Schedule 1

Data about individuals who are our registered organisations, Code Supporters, Content Providers, Worker and Public Portal and all individuals in respect of whom we have acquired personal information in connection with our professional relationship with our customer (including directors, shareholders, consultants, employees or other personnel of our customers).

Schedule 2

Data about individuals which we acquire as part of the CPI Ltd process and/or services (including members of our customer’s workforce and its contractors’ (and sub-contractors’) workforces).

Schedule 3

Data about members of the public including residents of buildings/building users or industry workforce who contact us via post, website forms, email addresses, via social media, via any CPI Ltd Public Liaison phone line, via the Considerate Constructors Scheme Public Liaison team (if appropriate/applicable), via the Building a Safer Future Public Liaison team and any future technology solutions such as an app.

1.4             In addition to the above, individuals who interact with us in any of the below capacities should also refer to the following:

 Schedule 4

Data about visitors to our websites www.cpicode.org.uk (including our portal www.assessments.cpicode.org.uk)

 

1.5             Please note that this Privacy Policy does not apply to:

1.5.1           any personal data collected or processed by us via the Considerate Constructors Scheme and/or at www.ccscheme.org.uk (which is covered by separate Privacy Policy arrangements available at https://www.ccscheme.org.uk/privacy-policy/); or

1.5.2           any personal data which is otherwise collected or processed by Construction Product Association outside the CPI Ltd service.

2.         Data controller details

2.1             We are the data controller in relation to the processing of the personal information that you provide to us or our service providers, or that we otherwise receive or process. Our contact details are as follows:

2.1.1           Address: Construction Product Information Ltd, The Building Centre, 26 Store Street, London, WC1E 7BT

2.1.2           Telephone number:

2.1.3           Email address: info@cpicode.org.uk (please include “Personal Data Request” in your subject heading to ensure it receives the correct attention).

3.         How we collect your information

3.1             Generally, the information we hold about you comes from the way you engage with us, for example by doing any of the following:

3.1.1           providing us with information in the course of enquiring about, or registering for, the CPI Ltd services, and maintaining your professional relationship with us;

3.1.2           providing us with information as part of any review or assessment we may conduct under the CPI Ltd services;

3.1.3           reporting concerns to us about issues and practices which are the subject of the CPI Ltd services (whether anonymously or on an open basis); and/or

3.1.4           visiting and/or viewing our website.

4.         International transfers

We will not transfer personal data relating to you within or to a country which is outside the UK or European Economic Area (EEA) unless:

4.1             the country or recipient is covered by an adequacy decision of the Commission under the UK GDPR Article 45;

4.2             appropriate safeguards have been put in place which meet the requirements of the UK GDPR Article 46 (for example using the European Commission’s Standard Model Clauses and any appropriate due diligence for transfers of personal data outside the UK or the EEA); or

4.3             one of the derogations for specific situations under the UK GDPR Article 49 is applicable to the transfer.  These include (in summary):

4.3.1           the transfer is necessary to perform, or to form, a contract to which we are a party:

4.3.1.1          with you; or

4.3.1.2          with a third party where the contract is in your interests;

4.3.2           the transfer is necessary for the establishment, exercise or defence of legal claims;

4.3.3           you have provided your explicit consent to the transfer; or

4.3.4           the transfer is of a limited nature and is necessary for the purpose of our compelling legitimate interests.

5.         Retention of personal data

Our retention and deletion policy can be found at Schedule 5 below. 

6.         Your rights in respect of your personal data

6.1             You have the following rights under the UK GDPR:

6.1.1           you will have the following rights:

6.1.1.1          right to access: the right to request certain information about, access to and copies of the personal information about you that we are holding (please note that you are entitled to request one detailed summary of the personal information that we hold about you at no cost, but for any further copies of such detailed summaries, we reserve the right to charge a reasonable fee based on administration costs); and

6.1.1.2          right to rectification: the right to have your personal information rectified if it is inaccurate or incomplete; and

6.1.2           in certain circumstances, you will also have the following rights:

6.1.2.1          right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of the data (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your personal information from our systems (however, this will not apply if we are required to hold on to the information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);

6.1.2.2          right to restriction of use of your information: the right to stop us from using your personal information or limit the way in which we can use it;

6.1.2.3          right to data portability: the right to request that we return any information you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another party, where technically feasible; and

6.1.2.4          right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or for marketing purposes.

6.2             Please note that if you withdraw your consent to the use of your personal information for purposes set out in our Privacy Policy, we may not be able to carry out our service or any contractual obligations to you or provide you with access to all or certain parts of our services.

If you consider our use of your personal information to be unlawful, you have the right to lodge a complaint with your relevant local supervisory authority. In the UK, this is the Information Commissioner’s Office. Please see further information on its website: www.ico.org.uk

7.         Security

7.1             We keep your information protected by taking appropriate technical and organisational measures to guard against unauthorised or unlawful processing, accidental loss, destruction or damage. For example:

7.1.1           where appropriate, data is password protected and/or encrypted when transiting on our system or stored on our databases;

7.1.2           we have implemented safeguards in relation to access and confidentiality in order to protect the information held within our systems;

7.2             Unfortunately, the transmission of information via the internet is not completely secure and, although we will take steps to protect your personal information, we cannot guarantee the security of your personal information transmitted via our website(s); any transmission is therefore at your own risk;

7.3             It is important that all details of any username, password and/or other identification information created to access our servers are kept confidential by you and should not be disclosed to or shared with anyone.

8.         Changes to this Privacy Policy

We may amend this Privacy Policy from time to time, for example to keep it up to date, to implement minor technical adjustments and improvements or to comply with legal requirements. We will always update this Privacy Policy on our website, so please try to read it when you visit the website (the “last updated” reference tells you when we last updated our Privacy Policy).

9.         Our use of cookies

9.1             A cookie is a small file that is sent to your browser from a web server and is stored on your computer. Cookies help us to analyse web traffic and identify which pages of our website(s) are being used. Our website(s) also use cookies to respond to you as an individual so that they can tailor their operations to your needs by gathering and remembering information about your preferences. We only use this information for statistical analysis purposes and then it is removed from our systems.

9.2             A cookie in no way gives us access to your computer or any information about you, other than information about how you use the websites and the personal information you choose to share with us (including personal information you automatically share with us by way of your browser settings). In particular, we use the cookies identified at Appendix 1.

9.3             We may also use banners and pop-ups from time to time to give you options around cookie use.

9.4             You can also manage cookie use via your browser settings (this will allow you to refuse the setting of all or some cookies) and your browser provider may ask you to confirm your settings. Note, however, that if you block all cookies (including essential cookies) via your browser settings you may not be able to access all or parts of our website(s).

9.5             You can find more information about the specific cookies we use and the purposes for which we use them in the table below. You can also find more information about cookies generally here: www.allaboutcookies.org.

Appendix 1

Our Cookies

Cookie Name

Description/Purpose

Duration

ASP.NET_SessionId

A token used by the website when registering for a site, company or supplier. This cookie holds no personal information.

After session ends

.AspNet.ApplicationCookie

Holds encrypted data for user roles and

After session ends

__RequestVerificationToken

Random token used to prevent CSRF attacks

After session ends

__utma

 

Used by the old Google Analytics which is no longer used. No new cookies will be issues however if you have visited the site in the past you may have this cookie still saved.

Persistent cookie –

expires year 2038

_ga

_gid

Used to distinguish users for Google Analytics.

 

_ga – 2 years

_gid – 24 hours

_gat

Used to throttle request rate on Google Analytics

1 minute

ARRAffinity

Used to keep the same Azure server instance for applications that are hosted on Azure so that you do not lose your session if you lose connection temporarily.

After session ends

wp-settings-XXX

WordPress also sets a few wp-settings-[UID] cookies.

The number on the end is your individual user ID from the users database table.

This is used to customize your view of admin interface, and possibly also the main site interface.

1 year

wp-settings-time

Used to show GMT time across the site

1         year

 

This policy was last updated: July 2021

Schedule 1

Data about our customer, and all individuals in respect of whom we have acquired personal information in connection with our professional relationship with you (including directors, shareholders, consultants, employees or other personnel of our customer)

What we may collect:

  • Contact details and log-in information such as your name, email address, landline/mobile phone or fax numbers, account name and password.
  • Employment information such as your position/title, professional specialisms and qualifications; and length of employment in the construction sector.
  • Other personal information such as your title (e.g. Mr, Ms, or Mrs) and your age bracket.
  • Payment information such as bank details and transaction history.

We may use your information for the following purposes, based on the following legal grounds:

  • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of providing our services e.g. contacting individuals to obtain instructions and discuss work involved.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes; for purposes of conducting surveys and questionnaires as part of our services and for corroborating safety critical elements of building safety critical practices, policies and procedures; for purposes of analysing and reporting anonymised and aggregated data to provide snapshots of sector-wide progress against CCPI commitments and progress of improved culture and leadership in relation to construction product information; for purposes of communications in relation to establishing a customer relationship, obtaining evidence of identity of our customers, communications regarding our service and fees; for insight purposes (e.g. to analyse compliance/market trends and demographics, and develop the services which we offer to you or other individuals in the future); and for sending information to you about products and services which we think may be of interest to you for marketing purposes.
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
  • If it is necessary for the performance of our contract: for the purpose of making or receiving payments in the course of providing our services.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of retaining evidence of payment transactions, for insight purposes (e.g. to analyse market trends and demographics in relation to our fees), for establishing our customer’s ability to pay costs and to develop the service which we offer to you or other individuals in the future).
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.

Recipients:

How we share information

Please note that personal information we are holding about you may be shared with and processed by:

  • our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
  • our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers and those organisations we engage to help us send communications to you) so that they may help us to provide you with the services and information you have requested;
  • regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
  • any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
  • research organisations for the purpose of sectoral reporting;
  • third parties for marketing purposes (with your consent), e.g. our partners and other third parties with whom we work; and
  • another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

Schedule 2

Data about individuals which we acquire as part of the CPI Ltd services (including members of our customer’s workforce and its contractors’ and sub-contractors’ workforces and members of the public)

What we may collect:

  • Contact details such as your name, work email address and work telephone number.
  • Information about your role such as your position/title, sites and/or offices where you work, the tasks you fulfil as part of your work; length of employment in the construction sector.
  • Other personal information such as your title (e.g. Mr, Ms, or Mrs) and your age bracket
We may use your information for the following purposes, based on the following legal grounds:
  • Our legitimate interest in processing such information for assessing your role and activities against the requirements of the CCPI Commitments and other related services relevant to product information; for purposes of conducting surveys and questionnaires as part of our services and for corroborating construction product information practices, policies and procedures; for purposes of analysing and reporting anonymised and aggregated data to provide snapshots of sector-wide progress against CCPI commitments and progress of improved culture and leadership in relation to product information;
  • Necessary to protect the vital interests of the individual concerned for the purposes of ensuring that you are working in a safe and legally-compliant environment. 
  • Necessary in the exercise of an official authority vested. 
  • Consent: if you had provided your consent to our processing this information as part of our review.
Recipients:

How we share information
Please note that personal information we are holding about you may be shared with and processed by:

  • your employer (if they are our customer) unless you have indicated to us that you wish this to be confidential in which case we will respect your wishes and only shared that information in an anonymised manner;
  • our own professional assessors, advisers and verifiers for the purpose of seeking professional advice or to meet our CCPI benchmarking and verification responsibilities;
  • our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. customer relationship management (CRM) provider, appointment booking coordinator, internet service and platform providers, data storage providers, administrative support and benchmarking and verification providers);
  • research organisations for the purpose of anonymised sectoral reporting;
  • regulators or other third parties for the purposes of verifying and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
  • any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order); and
  • please note that special categories of information will only be disclosed provided you have consented or if we are permitted to do so under any applicable law.

Schedule 3

Data about members of the public or industry workforce who contact us via any CPI Ltd website forms, email addresses, via social media, via any CPI Public Liaison phone line, via the Considerate Constructors Scheme Public Liaison team, the Building A Safer Future Public Liaison team, and any future technology solutions such as an app

What we may collect:

  • Your name
  • Contact details such as your email address and your phone number
  • Your position such as whether you are a member of the public or a member of the construction industry working on a particular site or project.
  • Your concerns such as those relating to a particular site or project and any other information that you disclose to us.
  • Your call to us such as a recording of your voice on the call for training, quality or service improvement/development purposes.
We may use your information for the following purposes, based on the following legal grounds:
Consent where you have expressly agreed to provide this information to us.
Consent where you have expressly agreed to provide this information on the telephone.
Recipients:

How we share information

Please note that any personal information that you provide to us will be processed by: CPI Ltd personnel and third-party suppliers engaged in the delivery of the CPI Ltd services including, but not limited to:

  • Complaints handling; technology solutions providers; software developers and providers; CCS public liaison team (if appropriate/applicable); and market research and data analysis providers. Where information is provided to us anonymously or requested to be treated in an anonymised manner, we will respect this request and treat such information accordingly.
  • our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. customer relationship management (CRM) provider, customer app provider, complaints handling provider, internet service and platform providers, data storage providers, administrative support and audit providers); where information is provided anonymously or requested to be treated in an anonymised manner, we will respect this request and treat such information accordingly.
  • our customers, on an anonymised basis;
  • regulatory and law enforcement bodies, where required of us under any applicable law or regulation.

Schedule 4

Details about visitors to our websites www.cpicode.org.uk

What we may collect:

  • Browser history information you provide when browsing our website, including your IP address and device type and, if you choose to share it with us, your location data, as well as how you use our website.
We may use your information for the following purposes, based on the following legal grounds:
  • If it is in our legitimate business interests to do so: to improve and maximise functionality of our website and services.
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
  • Consent: for the purposes of analytics, advertising, integrated social media and functional services.
Recipients:

How we share information
Please note that personal information we are holding about you may be shared with and processed by:

  • regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
  • any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
  • our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers);
  • third parties for marketing purposes (with your consent), e.g. our partners and other third parties with whom we work; and
  • another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

Schedule 5

Retention and deletion policy

Unless we are required or permitted by law to hold on to your information for a specific retention period, we may retain your information for the following purposes and periods: 

Category of personal data:

  • Data about our customers and business contacts.
  • Data about workforce personnel that we collect as part of the CPI Ltd services.
  • Data about members of the public or workforce personnel that is submitted to us as part of any reporting of concerns or complaints
  • Data about visitors of our websites

Period for which personal data will be stored:

Contracts and general correspondence (emails, post and other communications) obtained in the course of providing our services:  

Such information will be stored for 7 years from the completion or termination of our relationship with regard to the CPI Ltd or to the company and locations to which the data applies.

Contact details for marketing purposes:

Contact information relating to customers and contacts will be held for so long as we believe the information to remain accurate and the individual concerned remains a genuine connection of ours, or of one of our directors and staff.  We have a programme for reviewing our contacts regularly and removing any information which is considered to be out of date or no longer relevant.

Such information will be stored for up to 7 years following completion of the services or termination or expiry of our contract (whichever is later).
Such information will be stored for up to 2 years following collection.
We will maintain records of your personal data for 2 years following your visit to our website.