Data Protection Policy

Published by: at 22nd May 2018



The General Data Protection Regulation (2016/679 EU) (GDPR) sets strict rules on what data can be held and how it should be gathered, processed, stored and deleted, as well as rules regarding the free movement of personal data. Under the Regulation the Information Commissioner has powers to issue notices where data controllers and/or data processors have contravened any of the data protection principles. The main contraventions are likely to be an unlawful reason for the collection of data, keeping data which is no longer required or where consent has been withdrawn or has expired, and unauthorised processing and/or disclosure of data. Failure to comply with such a notice is an offence under the legislation and could result in large fines.

In order to operate efficiently Fira (the Company) needs to collect and process information about people, which may include past and present employees, past and present Directors, suppliers, clients and project partners.

The Company is committed to ensuring that all personal data gathered is processed and managed in compliance with the General Data Protection Regulation. Every effort will be made to meet the obligations set out in legislation.


Fira is committed to being transparent about how it collects and uses personal data of our staff (and others) to meet our data protection regulations. This policy applies to all employees, Directors, contractors and representatives working for or on behalf of the Company. It also includes a section on the processing of clients’ and project partners’ personal data.

This policy applies to all personal data, including special categories and sensitive data, processed by the Company and applies to data both manually and electronically held.  It also applies to personal data processed wholly or partially by automated means.

Images, including CCTV footage, will also be covered by this policy.


The Data Controller will have the overall responsibility to ensure compliance with GDPR.  The Data Controller and the Data Processors will ensure the day-to-day activities of the Company comply with GDPR and are responsible for:

  • Notifying individuals at the point of collection of how their personal data will be processed and stored, who will have access, accountability, the reason for processing and how long it will be used for.
  • Ensuring that the consent or reason for personal data processing is collected and that evidence can be provided upon request.
  • Complying with subject data requests.
  • Providing a central point for advice regarding data protection matters.
  • Arranging appropriate data protection training.
  • Keeping up to date with latest legislation and guidance regarding data protection.
  • Ensuring adequate systems are in place to comply with this policy.


If any member of staff has any concerns regarding the policy or compliance with the regulations, or suspects there has been a breach of the regulations, they should report this to the Data Controller as soon as possible. The Data Controller will then complete their duties and record, report, deal with and resolve the incident as necessary within the guidelines of GDPR. All breaches are required to be reported to the Supervisory Authority within 72 hours.


Personal data

Information that is processed as data and relates to a living individual who can be identified from the data. It also includes photographs, e-mail messages, IP addresses and data recorded by CCTV. It also covers data identified by reference numbers where a separate list can be used to match the reference numbers to named individuals.

Sensitive personal data

Personal data consisting of information as to (a) the racial or ethnic origin of the data subject, (b) their political opinions, (c) their religious beliefs, (d) whether they are a member of a Trade Union, (e) their physical or mental health, (f) their sexual life, (g) the commission or alleged commission by them of any offence and (h) any proceedings for any offence committed or alleged to have been committed by them.

Processing data

Collecting, processing, storing, disclosing, accessing or deleting data.

Data controller

The person or organisation that is responsible for the manner and purpose in which personal data is processed, along with ensuring compliance with GDPR.

Data processor/user

Any person that processes or uses the personal data on behalf of the Data Controller. Note that this is any third party who processes/uses data on behalf of the Company.

Restriction of processing

The marking of stored personal data with the aim of limiting their processing in the future.


Profiling

Any form of automated processing of personal data to evaluate certain personal aspects. An example could be during the shortlisting of candidates if this is done automatically.


Pseudonymisation

The processing of personal data that cannot be identified as a single individual without additional information.

Filing system

Means both electronic and manual filing systems.


Consent

Freely given, informed and unambiguous indication of the data subject’s wishes by which they are providing their agreement for their personal data to be processed.

Data subject

Individual to whom the personal data relates.


The GDPR stipulates that anyone processing personal data should:

  • Ensure data is processed lawfully, fairly and in a transparent manner to the data subject.
  • Ensure data is collected for a specific, explicit and legitimate reason and not processed for any other reason than that given at time of collection.
  • Ensure data is only held if there is a necessity to hold it (data minimisation).
  • Ensure data is accurate and up to date. Steps should be taken to ensure accuracy and rectify or delete inaccurate records (accuracy).
  • Ensure data is kept in a form which can identify the data subject for no longer than necessary.
  • Ensure data is processed in a secure manner with only authorised access. Steps should be taken to protect against unauthorised or unlawful processing and against loss or damage.
  • The Data Controller is responsible for showing compliance with the legislation.

Gathering and Notification of Personal Data

Data subjects will be notified at the time of collection of:

  • The reason for collecting the personal data.
  • How it will be processed.
  • Who will process it/have access to it.
  • Where and how it will be stored.
  • Security measures.
  • How long it will be held.
  • When it will be deleted and how.
  • Employee rights under GDPR.
  • The contact details for the Data Controller.

Personal data will only be collected for lawful purposes and only processed in the manner and for the reason for which it was gathered.

Protection statements will be included on the forms used to collect personal data.

If personal data is received by a third party the data subject will be made aware of:

  • The reason for collecting the personal data.
  • How it will be processed.
  • Who will process it/have access to it.
  • Where and how it will be stored.
  • Security measures.
  • How long it will be held.
  • When it will be deleted and how.
  • The identity and contact of the Data Controller.

The Storage of Data

Personal data gathered will be stored in a safe and secure manner.  The following measures have been put in place to assist with this:

  • Manual data is secured away in filing systems, with access only available to authorised personnel with a legitimate reason to view or process the data.
  • Sensitive data is secured away in a locked cabinet with limited access to the Data Controller only. In some cases the data may be pseudonymised.
  • Electronic data is protected through secure passwords and firewall systems.

Checking of Data

Personal data held will be periodically reviewed to ensure it is accurate and up to date. Employees will be provided with their contact details, next of kin and address details on an annual basis to enable them to check and amend them as necessary.

Any data that should be removed after a length of time will be diarised and deleted accordingly. The removal of certain data may be restricted, for example for historical records such as for HMRC, or for other legal or legitimate reasons.

Any records that are inaccurate will be reported and rectified as soon as possible.

Disclosing Data

Personal data will only be disclosed to the authorised companies or individuals as notified at the time of gathering the data with the exception of the organisations which have a legal right to process the data without consent.

Personal data disclosure requests via telephone will be verified to ensure the person requesting is entitled to receive the data, and further checks, such as contacting the Company directly, may be carried out before the data is released.

Data Subject Access Requests

Data subjects have the right to request to see the personal data held concerning them. They should be provided with the following:

  • Access to the data and a copy of it.
  • The purpose of the processing.
  • Categories of the personal data.
  • Details of who has or will have access to the data.
  • Where the data has been or will be stored.
  • How long the data has been or will be stored for.
  • The right to lodge a complaint with the supervisory authority.
  • Details of the Employee Rights.
  • Details of source of data if not collected from data subject.
  • Details of any automated decision making or profiling of data such as recruitment and selection.

Employee Rights

Right to be forgotten

Employees have the right to request that information is forgotten.

Right to be amended

Employees have the right to request that information is amended.

Right to withdraw consent

Employees can withdraw consent to the processing of their data.

Right to data portability

Employees can use and obtain their own data for their own purpose.

Right to object

Right to object to automated decision-making, including profiling.

Right to object to the data being used for direct marketing purposes.

Right to object to the personal data being processed, in which case it cannot be processed further unless there is a legitimate reason for doing so.

Destroying Data

Data will be discarded if no longer required for the reason given at the time of collection or if the data is out of date.  If there is no legal or business reason to keep the data it will be removed.

Breach of this Policy

Any members of staff who do not comply with this policy, along with the data protection regulations and legislation, may face disciplinary action which, dependent upon the circumstances, could result in their dismissal.

Client Data

We hold limited data under the GDPR lawful basis of legitimate interest. It is minimal and only relevant. This enables us to provide Landscape Architectural services to our clients and to collaborate effectively with our project partners and contacts in the industry.

Our uses of personal data include:

  • Inviting people to industry events and thought leadership events that we might organise
  • Updating people on our services
  • Informing individuals on projects of interest
  • Providing updates on legal or regulatory changes to individuals in the industry

Fira has an obligation to work with our clients, project partners, contacts and the wider industry to help raise standards by sharing our ideas and through thought leadership. To enable us to do this we may occasionally contact our clients, project partners and contacts when we consider there is information that is in their interest.

External parties

We will never share personal information with other organisations, except occasionally with a co-event organiser.

Right to correct or access

Individuals in our database have the right to correct or access their information at any time. Should you wish to do so please contact us at

Individuals have the right to object to their information being used for the uses listed here and can request that they are removed from our database at any time unless there is a legal reason for us to keep a record of their information.

How we manage information

We at Fira have a very strict data protection policy and IT security measures in place that safeguard all information we hold. The internal arrangements prevent unauthorised persons, internal or external, from accessing data, whilst Fira personnel dealing with your personal data are fully trained to comply with GDPR requirements as Data Controller and Processor.


This policy will be regularly reviewed and updated in accordance with data protection regulations.


Print name:

Jane Findlay

Date:    10 May 2018