Data protection policy

How AdaptScot meets its obligations as a data controller under UK GDPR and the Data Protection Act 2018.

Roles and responsibilities

AdaptScot Limited (in formation) is the data controller for the personal information you share with us. Where a council or NHS board instructs us under a framework, we act as data processor on their behalf for the duration of that engagement.

Lawful bases

  • Contract — to deliver an adaptation we've been engaged for.
  • Legal obligation — CDM 2015 records, HMRC retention, building control.
  • Legitimate interests — responding to enquiries, fraud prevention.
  • Consent — optional marketing, photography of completed works.
  • Vital interests — in rare safeguarding situations.

Special category data

Where we hold information about a person's health, disability or care needs, we rely on Article 9(2)(h) UK GDPR (provision of health or social care) and process it under strict access controls. We do not process this data for marketing.

Data Protection Impact Assessments (DPIAs)

We complete a DPIA before any new processing involving special category data, automated decision-making, or large-scale referrals from a public body. DPIAs are reviewed annually.

International transfers

All personal data is held within the UK or EEA. Where a sub-processor is outside the UK, we rely on UK International Data Transfer Agreements (IDTAs) or adequacy decisions.

Breach notification

We will notify the ICO within 72 hours of becoming aware of a personal data breach that poses a risk to individuals, and notify affected individuals without undue delay where the risk is high. Email dpo@adaptscot.co.uk.

Your rights

  • Access — request a copy of the data we hold.
  • Rectification — correct inaccurate data.
  • Erasure — ask us to delete data (subject to legal retention).
  • Restriction and objection — limit how we use data.
  • Portability — receive your data in a portable format.
  • Withdraw consent at any time, where consent is the lawful basis.

Exercise any right by emailing dpo@adaptscot.co.uk. We respond within one calendar month. You can also complain to the ICO.

Last reviewed: incorporation date. Next review: 12 months.