For most chimney sweeps the data they hold on a customer is very basic. This guide and the downloads below should cover most of your requirements. We have made every effort to ensure this is a comprehensive guide but it is ultimately up to the business owner to ensure they comply. The Guild cannot accept any responsibility for any omissions or inaccuracies within the guide or accompanying information.
Many thanks to John Stone of Diamond Sweeps, Scotland Regional Director, for his help in compiling this information.
Your certificates will be updated with this and other information in due course. Please order new certificates if you need to – we do not yet have a timetable for the changes. You may continue to use up any existing certificates even once new ones are available.
In order to gain permission to keep your customer’s details for the stated purposes you should have a stamp made with the wording indicated below. The wording should be produced on a stamp or printed on a sticker, put into the comments section of the blue or pink counterfoil on your certificate, and signed by your customer. You retain this copy as it gives you permission.
Please see the directions in the guide below. There are 2 documents to copy and one to download. You will need to create a stamp or print stickers.
- The privacy notice – copy this from below, insert your details and follow the instructions in the guide.
- The Data Protection Policy – copy this from below, insert your details and follow the instructions in the guide.
- Download this Data Inventory Map, insert your details and follow the instructions in the guide.
This is the wording for the stamp or stickers.
Details are held for the purpose of chimney sweeping / service & maintenance and we will contact you for this purpose only. (Your company name) will not pass on your details to a third party.
For any data protection information, including user rights, please contact (your company email).
Delete as required:
I consent / I do not consent to (Your company name) holding my details for this purpose.
If you have a website you should put a tab or link on the contacts bar which will then show the Data Protection Policy, and another with the Full Privacy Notice.
(If you employ anyone you must add a Privacy Notice regarding their rights.)
Data Inventory Map
This isn’t actually necessary but will prove you have complied with the requirements as much as possible.
I have attached mine to copy and a blank one for you to copy where applicable.
This doesn’t need to be on your web site, just filed with your other business records.
If you have any questions, contact me.
I will do my best to help.
“Insert your Company Name” is committed to Data Protection and guarding your privacy. We will hold any personal information that you supply, or that we are given, securely within the UK in order to provide “your company name” services. We will only collect very limited basic personal data from you such as your name and contact details in order to respond to your enquiry, enter into a contract with you or manage your account. We do not record any personal data from you that we do not require.
Your personal data may be shared with the Guild of Master Sweeps as part of its monitoring of professional sweeps’ activities, and with “your Company name”’s financial business advisors in order to meet its statutory business reporting obligations. It will not be used, or provided to 3rd parties, for marketing purposes.
If you would like further information about how “your company name” uses personal data, including your rights to data correction and erasure, please contact “your company email”.
You have a responsibility to ensure that the data that you provide to us is correct. If it’s incorrect, please let us know by contacting “your company email”.
If you would like to review the information we have collected on you, please see the contact email address above and state what information you wish to access. Only applications made in writing will be considered and you will receive a written response within 1 month of a request being made.
You have the right to withdraw consent for personal data processing at any time and have the information we retain on you erased if it is your wish and “your Company Name” does not have a legitimate reason for retaining it.
You retain other rights in relation to expressing or withdrawing consent, right to be informed and for data portability along with data rectification, automated decisions/profiling and objections. More details on these rights can be found at the Information Commissioner’s Office web site ico.org.uk, where you may also lodge a complaint if you feel that “your Company Name” has not met its Data Protection obligations.
Data Protection Policy for (Insert your Company Name)
The protection of Personal and Non Personal (Technical) data is recognised as being important and therefore will be managed, protected and secured. All personal data will be treated confidentially in accordance with the EU General Data Protection Regulation (EU 2016/679) under the control of “Your Company Name”.
Hardcopy data will be secured within a locked environment at all times when in transit or storage and access will be granted to authorised persons only.
Electronic data will be stored on laptop hard drives protected by password; the laptops will also be secured within a locked environment when in transit (in vehicle) or in use (office location).
“your company name” will ensure that it maintains appropriate and current software protection on all electronic devices that it utilises.
Authorised Persons and Data Sharing
Only persons authorised by “Company director / you”, the proprietor of “your Company Name” will be granted access to data. “Company director / you” will be the nominated individual responsible for data protection.
Personal Data may be shared with third party financial advisors and statutory bodies (HMRC) as part of the proof of invoicing and income required for accounts generation and tax audit purposes.
Personal and technical data regarding services provided or appliance status data may be shared with the individual commissioning a service (landlord or agent) in the event that the resident is not the recognised owner or their authorised agent. It may also be shared with the Guild of Master Chimney Sweeps as part of its professional monitoring activities.
Data Retention and Deletion
Only the data necessary for the provision of the requested services and/or goods will be collected. It will be retained within the UK for the purposes of administering and managing customer and supplier accounts, and as required under statutory obligations.
The data retention period will be determined by applicable legislation, in particular the requirement to provide evidence for tax audits 7 years after the end of the financial year to which the information applies.
If not determined by legislation, data will be deleted 2 years after the end of the enquiry or service/goods provision to which it applies.
Data will be securely destroyed and/or disposed of after the end of the defined retention period.
Data Breach Monitoring
Under the GDPR there are strict requirements for notification in the event of a data breach. If there are reasonable grounds to believe that any personal data has been lost, the applicable GDPR notifications will be made as required to the ICO and/or the individual data subject.
“your Company Name” will act on any notification that personal data may have been breached, and separately will undertake periodic reviews to ensure all hardcopy data remains secured.
Transparency of Data Processing and Data Subjects’ Rights
Under the GDPR all personal data should be processed lawfully, transparently and fairly. To ensure that data subjects are aware of their rights, “your company name” will provide individuals with Privacy Notices which set out what personal data is processed, for what purposes and why, and who it is shared with. In addition, they will be advised of their rights including their right to see, amend, and have erased their personal data.
In support of this, individuals have the right to make a personal data Subject Access Request that will be responded to within one month as per the GDPR requirements.
Individual consent will be required for any activities that need it, for instance direct marketing, if undertaken.