1. Data Controller UKBPM LimitedCompany registration: 16245788Registered office: 124 City Road, London, England, EC1V 2NXEmail: info@ukbpm.co.ukTelephone: 0203 693 3824ICO Registration No.: [ICO-REG-PLACEHOLDER] 2. Who This Notice Covers This privacy notice applies to: Sub-contractors who provide trade or specialist services on behalf of UKBPM Limited Self-employed contractors engaged by UKBPM Limited Employees of contractor companies whose details we hold for operational, health and safety, or statutory compliance purposes If you are a member of the public or a business client enquiring about our services, please refer to our Privacy Policy instead. 3. What Personal Data We Hold About You Depending on your engagement with UKBPM Limited, we may hold the following categories of data: CategoryExamples Identity dataFull name, trading name (if sole trader) Contact dataBusiness address; home address (for self-employed sole traders who use personal address on invoices); email address; telephone number Qualifications and accreditationsGas Safe registration number, NICEIC number, CSCS card number, asbestos awareness certificate, first aid certificates, and any other relevant trade or safety qualifications Insurance detailsPublic liability insurance policy number, level of cover, insurer, expiry date; employers' liability insurance (where applicable); professional indemnity insurance (where applicable) Financial dataBank account details (for payment purposes only) Performance dataJob attendance records, quality assessments, SLA compliance history Health and safety dataSite induction records, accident/incident reports involving you Statutory compliance recordsNames of engineers who carried out inspections (as required to appear on statutory certificates such as CP12, EICR, LOLER reports) 4. Why We Hold This Data To fulfil our contract with you: We need your contact details, qualifications, and bank details to engage you, assign work, and pay you. To comply with health and safety legal obligations: We must verify that contractors on client sites are qualified, insured, and have completed appropriate inductions. This is required under the Health and Safety at Work Act 1974 and associated regulations. To manage statutory compliance records: Statutory certificates (gas safety, EICR, LOLER, etc.) must identify the competent person who carried out the inspection. Your name and registration number must appear on these records, which are required by law. To manage insurance and indemnity risk: We verify that sub-contractors carry adequate insurance before allowing access to client sites. Insurance details are checked and renewed annually. To maintain performance records: We track contractor performance to ensure quality standards are maintained and clients receive a consistent, high-quality service. To manage financial records: Invoices and payment records must be retained for 7 years for HMRC purposes. 5. Lawful Basis for Processing PurposeLawful basis Engaging you and managing your work assignmentsContract performance (Article 6(1)(b)) Payment of invoicesContract performance (Article 6(1)(b)) Verifying qualifications and insuranceLegal obligation (Article 6(1)(c)) — H&S legislation; and Legitimate interests (Article 6(1)(f)) Statutory compliance certificate recordsLegal obligation (Article 6(1)(c)) — Gas Safety Regs, CAR 2012, LOLER, Electricity at Work Regs, etc. Performance managementLegitimate interests (Article 6(1)(f)) — ensuring quality and client satisfaction Financial records (invoices)Legal obligation (Article 6(1)(c)) — HMRC requirements 6. How Long We Keep Your Data We retain contractor data for the following periods. Full details are in our Data Retention Policy. Record TypeRetention Period Contact details and qualificationsDuration of engagement + 6 years Insurance certificatesDuration of engagement + 6 years Invoices and financial records7 years (HMRC requirement) Statutory compliance certificates bearing your detailsAs required by relevant legislation (see Data Retention Policy — Section 2) Bank detailsDuration of engagement + 1 year (then deleted) Performance recordsDuration of engagement + 3 years 7. Who We Share Your Data With We share contractor data only where necessary: Our clients: Your name may appear on statutory certificates and job records provided to clients (e.g. gas safety record, EICR, LOLER report). This is required by law. Microsoft 365: Our data is stored within Microsoft 365 (SharePoint/OneDrive/Outlook). Microsoft acts as a data processor under appropriate data processing terms. HMRC / legal authorities: Where required by law or court order. We do not sell or share your data with third parties for marketing purposes. 8. Your Rights Under UK GDPR You have the right to: Access the personal data we hold about you (Subject Access Request) Have inaccurate data corrected Request deletion of your data (subject to legal obligations to retain certain records) Restrict our processing of your data in certain circumstances Object to processing based on legitimate interests Note: We may be unable to comply with a deletion request where we are legally required to retain the data (for example, statutory maintenance records or HMRC financial records). To exercise your rights, contact us at privacy@ukbpm.co.uk with "Data Request" in the subject line. We will respond within 30 days. If you are unhappy with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113. 9. Contact UKBPM LimitedEmail: info@ukbpm.co.ukTel: 0203 693 3824Registered office: 124 City Road, London, England, EC1V 2NX