for Clients, Consultants & Suppliers


This Privacy Policy sets out how Malcolm Payne Group Limited uses and protects the personal data of our clients, consultants and suppliers, which we need to hold and process in order to operate our business, in accordance with the General Data Protection Regulation (GDPR).


Key Definitions

  • Personal Data – any information relating to an identifiable person (‘data subject’) who can be directly or indirectly identified in particular by reference to an identifier. The Group processes data including names, email and postal addresses, business contact details, telephone/fax/mobile numbers and (where applicable) financial data for payments such as VAT registration and bank details.
  • Sensitive Personal Data & Special Categories of Personal Data – including information relating to an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.
  • Processing – any operation or set of operations which is performed on personal data whether or not by automated means, including: collecting, recording, storing, organising, disclosing, erasing and destroying. The Group does not use any form of automated decision-making.
  • Data Controller – the person (or business) who determines the purposes for which, and the way in which, personal data is processed. Malcolm Payne Group Limited is a data controller. We decide how personal data is processed and for what purpose(s).
  • Data Processor – anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).


Purpose of processing personal data

We hold the minimum personal data to enable us to provide Architectural services to our clients, to collaborate with other consultants and colleagues in the industry, and to communicate with our suppliers.

We hold personal data in order to:

  • Maintain contact and communication with our clients and consultants during the course of a project
  • Maintain our own records and accounts
  • Inform you of relevant news and events related to our business
  • Purchase goods, materials and services from our suppliers

In certain specific cases and only where necessary (for example if relevant to a planning application), we may seek to obtain and process sensitive personal data. We must separately request the data subject’s written consent for us to do so, setting out the reasons why we need this sensitive personal data and what we will do with it.


Lawful basis for processing personal data

Our lawful basis for processing your personal data is where:

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

This includes where we have a contract with the individual and we need to process their personal data to comply with our obligations under the contract; and

Where we haven’t yet got a contract with the individual, but they have asked us to do something prior to that (e.g. provide a quote) and we need to process their personal data to fulfil that request.

  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

This includes contact details of clients, consultants and suppliers for projects and marketing purposes; and

Data used for the purposes of purchasing goods and services for the legitimate running of the business.


Sharing of personal data

Personal data will be treated as strictly confidential and will be shared only with our staff and project consultants as required to perform our project duties and for the legitimate running of the business. We will not share personal information with third parties unless we have the data subject’s permission to do so.

The Group does not generally transfer personal data outside the European Economic Area. Where a specific project may require us to do this, prior consent will be sought from the data subject and provision of adequate safeguards will need to be verified by the receiving organisation.


Data Storage & Retention

The Group stores both paper and electronic data in a safe and secure manner. Electronic data is password protected and continually and securely backed up. The Group’s systems are firewall and anti-virus protected. Our staff are required to enter into an agreement containing a code of confidentiality in relation to company and personal data.

Personal data will be retained for only as long as reasonably necessary. This will include the limitation or extended limitation period of any contract.


Data Subject Rights

Unless subject to an exemption under the GDPR, individuals have the right to:

  • Request a copy of the personal data held about them
  • Request that we correct any personal data found to be inaccurate or out of date. Please contact us at with ‘GDPR’ as the subject line should you need us to update your personal data
  • Request that their personal data be erased where it is no longer necessary to retain such data
  • Withdraw their consent to the processing at any time (where ‘Consent’ was the lawful basis for processing)
  • Request that we provide them with a copy of their data and to transmit that data directly to another data controller
  • Request, where there is a dispute regarding the personal data, to restrict further processing
  • Object to the processing of personal data, unless there is a legal reason for us to do so

Should you wish to exercise any of the above rights, or should you have any queries or complaints, please contact us at with ‘GDPR’ as the subject line.

Malcolm Payne Group Limited  May 2018