Privacy Policy

Modular Clean Air Ltd. takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR) in respect of data privacy and security.

This policy applies to current and former employees, workers, volunteers, apprentices, and consultants. If you fall into one of these categories, then you are a data subject for the purposes of this policy.

You should read this policy alongside your contract of employment (or contract for services) and any other notice we issue to you from time to time in relation to your data.

Modular Clean Air Ltd. will hold data in accordance with our Data Retention Policy, which can be obtained from the Operations Manager. We will only hold data for as long as necessary for the purposes for which it was collected.

Modular Clean Air Ltd. is the data controller for the purposes of your personal data. This means we determine the purpose and means of processing your personal data. This policy explains how we will hold and process your information, your rights as a data subject, and your obligations when obtaining, handling, processing, or storing personal data in the course of working for, or on behalf of, the Company.

This policy is intended to be fully compliant with the 2018 Act and the UK GDPR. If any conflict arises, the Company will comply with those laws.

1.1. Data Protection Principles

Personal data must be processed in accordance with six principles. It must:

Be processed fairly, lawfully, and transparently.

Be collected and processed only for specified, explicit, and legitimate purposes.

Be adequate, relevant, and limited to what is necessary.

Be accurate and kept up to date; inaccurate data must be rectified or deleted without delay.

Not be kept longer than necessary.

Be processed securely.

We are accountable for these principles and must demonstrate compliance.

1.2. Definition of Personal Data

‘Personal data’ refers to any information relating to a living person who can be identified directly or indirectly. It includes opinions about the person and indications of our intentions toward them. It does not include anonymised data.

This policy applies to all personal data, whether stored electronically, on paper, or other media, provided by you or others (such as former employers, doctors, or agencies) or created by us during recruitment, employment, or after termination.

We collect and use personal data such as:

Recruitment details (CV, references, qualifications).

Contact details and date of birth.

Employment information (role, salary, benefits).

Identification documents and immigration status.

Performance, training, and disciplinary records.

IT usage data and vehicle tracking.

CCTV and photographic images.

1.3. Special Categories of Personal Data

We may process data revealing:

Race or ethnic origin.

Political opinions.

Religious or philosophical beliefs.

Trade union membership.

Genetic or biometric data.

Health.

Sexual life or orientation.

Criminal convictions.

Such data will be processed only in accordance with the law.

1.4. Definition of Processing

‘Processing’ covers any operation performed on personal data, including:
collection, recording, organisation, storage, alteration, retrieval, use, disclosure, alignment, restriction, or destruction.

1.5. How We Process Your Data

We process personal data to:

Perform employment or service contracts.

Comply with legal obligations.

Pursue legitimate business interests (provided they do not override your rights).

We will not use your data for unrelated purposes without notice and a lawful basis. Failure to provide certain data may prevent us from fulfilling legal or contractual duties (e.g., paying wages or ensuring tax compliance).
1.6. Examples of Data Processing

We may process your data to:

Decide on recruitment, pay, promotion, or training.

Manage performance, conduct, and attendance.

Ensure legal compliance (employment, immigration, health & safety).

Monitor diversity, equality, and network security.

Manage pensions, payroll, and benefits.

Handle disciplinary actions, insurance, and litigation.

Processing of special category data may occur for:

Employment law obligations.

Protecting vital interests.

Public data disclosure.

Legal claims or occupational health purposes.

We do not use automated decision-making or profiling.

1.7. Sharing Your Personal Data

We may share data with group companies, contractors, or service providers (e.g., payroll, HR, insurance, health & safety consultants). These parties must comply with legal and contractual data protection obligations.

We do not send personal data outside the UK or EEA. If this changes, we will notify you and outline protective measures.

1.8. Processing Rules

All staff must:

Access data only if required and authorised.

Keep data secure; do not share it informally.

Regularly review and update records.

Use strong passwords and lock devices.

Store paper records securely; dispose of them properly.

Not transfer data outside the EEA without approval.

Seek help from the Operations Manager if unsure.

Deliberate or negligent breaches may result in disciplinary action and could constitute a criminal offence.

1.9. Data Breaches

We have procedures to prevent and respond to data breaches.
If a breach occurs, details and evidence must be recorded.
If it poses a risk to individuals’ rights, the Information Commissioner’s Office (ICO) must be notified within 72 hours.
Report all breaches immediately to the Operations Manager.

1.10. Subject Access Requests (SAR)

Data subjects can request access to their personal data in writing.
Requests must be forwarded promptly to the Operations Manager.
We must respond within one month, extendable by two months for complex cases.
No fee applies unless the request is excessive or unfounded.

1.11. Your Data Subject Rights

You have the right to:

Access, correct, or erase personal data.

Restrict or object to processing.

Request data portability.

Withdraw consent (if previously given).

Be informed of any breaches.

Complain to the ICO via www.ico.org.uk.

2. Breach Notification Policy

2.1. Purpose

This procedure determines whether a breach of personal data has occurred and outlines the steps and notifications required.

2.2. Scope

This applies to all data held by Modular Clean Air Ltd. where there has been a breach of security or integrity that significantly impacts a trust service or personal data.

2.3. Responsibilities

The Data Protection Lead must inform the Information Commissioner’s Office (ICO) within 24 hours of any qualifying breach, as required under the eIDAS Regulation (“electronic identification and trust services”).

2.4. Protocol

The following steps apply when a potential data breach occurs.

2.5. Communicating to the ICO

A personal data breach includes the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.

Reporting Exceptions:
Only breaches posing serious risks to individuals’ rights must be reported.

Timeline:

The Data Processor must inform the Data Protection Lead immediately.

The Data Protection Lead must notify the ICO within 72 hours.

If delayed, reasons must be documented.

Notification Must Include:

Nature of the breach.

Contact details of the Data Protection Lead.

Likely consequences.

Measures taken or proposed to address and prevent recurrence.

All breaches must be documented, including facts, effects, and actions taken.

2.6. Communicating to the Data Subject

If a breach poses a high risk to an individual’s rights and freedoms, the affected person(s) must be notified without undue delay.

Exceptions:
Notification is not required if:

Effective technical or organisational protection was applied.

Subsequent actions removed the high risk.

Individual notification would require disproportionate effort (public notice may be appropriate).

2.7. Communication Responsibility

The Data Controller (Modular Clean Air Ltd.) must communicate the breach to affected data subjects, using the same content provided to the supervisory authority (ICO).