Terms and Conditions of Use and Data Processing Agreement

Welcome to our website. If you continue to browse and use this website you are agreeing to comply with and be bound by the following terms and conditions of use, which together with our privacy policy govern Construct UK's relationship with you in relation to this website.

The term "Construct UK" or "us" or "we" refers to the owner of the website whose registered (in England) number is 4402883. The term "you" refers to the user or viewer of our website.

The use of this website is subject to the following terms of use:

  • The content of the pages of this website is for your general information and use only. It is subject to change without notice.
  • Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. You acknowledge that such information and materials may contain inaccuracies or errors and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law.
  • Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements.
  • This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
  • All trademarks reproduced in this website, which are not the property of, or licensed to the operator, are acknowledged on the website.
  • Unauthorised use of this website may give to a claim for damages and/or be a criminal offence.
  • From time to time this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s).
  • You may not create a link to this website from another website or document without Construct UK's prior written consent.
  • Your use of this website and any dispute arising out of such use of the website is subject to the laws of England and Wales.

Data Processing Agreement

1. Definitions

"Data" shall mean all names of construction related businesses, publications, events, service providers and individuals referenced on this website and within its downloadable databases.

“Data Subject” shall have the same meaning as set out in Article 4 (1) of the GDPR and means an identified or identifiable natural person

“EEA” means the European Economic Area – the 28 Member states of the European Union plus Iceland, Lichtenstein and Norway

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and the Council

“Incident” has the same meaning as a personal data breach in Article 4 (12) of the GDPR and means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data , transmitted, stored or otherwise processed under the terms of this Agreement

“Processing” shall mean any operation or set of operations which is/are performed upon Data , (whether or not by automatic means) including collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Such processing may be wholly or partly by automatic means or processing otherwise than by automatic means of Data which form part of a filing system or one intended to form part of a filing system. A filing system shall mean any structured set of Data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis."

“Processor” shall mean any user of the information provided by Construct UK Ltd, the “Controller” via this website.

2. Purpose of Processing

a) The Processor shall process the Data it processes on behalf of the Controller, solely for the purposes of providing information on construction industry related businesses, publications, events, service providers and individuals in accordance with the written instructions of the Controller (including when making a transfer of personal data to countries outside the EEA) unless required to do by law. The Processor must inform the Controller of what processing the Processor is required to do so by law unless the Processor is prohibited under the relevant law from notifying the Controller of such processing. The Processor shall not process the Data for any other purpose except with the express written consent of the Controller.

b) The Controller confirms and warrants that the Processing of the Data, including the transfer of the Data to the Processor, has been and will continue to be carried out in accordance with the relevant provisions of the GDPR and does not violate the relevant provisions of the EEA country in which the Controller is established

3. Type of Personal Data

The Processor will process the following types of construction-related personal information

• individual contact names
• job titles
• email addresses
• business and trade names
• postal addresses
• event, publication and service names
• social media information

4. Categories of Data Subjects

The Processor will process information about the following categories of data subjects:

• construction professionals, including contractors, architects and other specifiers
• construction events and publications
• construction service providers, including agencies, PR, marketing and media organisations
• construction trade associations and bodies
• construction journalists and the media]
• construction product manufacturers and suppliers
• other providers or business services and materials
• consultants and advisers
• survey respondents

5. Security and Confidentiality of Data

a) The Processor and the Controller shall implement appropriate technical and organisational measures to ensure a level appropriate to the risks that are presented by the data processing in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal transmitted, stored or otherwise processed.

b) Both the Controller and Processor shall take into account the following when determining the measures:

i) the state of the art, and
ii) the cost of implementation of the measures, and
iii) the nature, scope context and purposes of processing, and
iv) the risk of varying likelihood and severity for the rights and freedoms of individual Data Subjects

c) The Controller and Processor agree that the security measures taken in accordance with Clause 6 (a) of this Agreement after assessment with the requirements of the GDPR are appropriate to protect Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of Data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Data to be protected having regard to the state of the art and the cost of their implementation; shall ensure a level of security appropriate to the risk,

d) The measures taken shall include amongst others the following items, where appropriate, from the non- exhaustive list below:

i) the pseudonymisation and encryption of Data
ii) the ability to ensure the ongoing confidentiality, integrity and availability and resilience of processing systems and services
iii) the ability to restore the availability and access to Data in a timely manner in the event of a physical or technical Incident
iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

e) The Controller and the Processor may use adherence to an approved code of conduct as referred to by Article 40 of the GDPR or an approved certification mechanism as referred to in Article 42 as an element by which to demonstrate compliance with the requirements set out above in clause 6 ) (b) (c) and (d) of this Agreement

f) The Processor shall ensure that each of its employees, agents or subcontractors are made aware of its obligations with regard to the security and protection of the Data and shall require that they enter into binding obligations with the Processor in order to maintain the levels of security, protection and confidentiality provided for in this Agreement.

g) The Processor shall not divulge the Data whether directly or indirectly to any person, firm or company without the express consent of the Controller except to those of its employees, agents and subcontractors who are engaged in the processing of the Data and are subject to the binding obligations referred to in Clause 6 (e) of this Agreement above).

6. Incident Reporting

a) The Processor must have effective processes for the identification, management and reporting of Incidents. Any Incident, suspected or actual, involving the Controller’s Data must be reported immediately to the Controller. An Incident may include but not be limited to:

• Security breach or fraud
• Misuse of relevant system storing Controller’s Data
• Misuse, loss or corruption of the Controller’s Data
• Unauthorised access to, use of, alteration, amendment or deletion of Controller’s Data
• Physical security incident
• Any unapproved requirement to disclose Controller’s Data to a third party

b) The Processor will be expected to promptly investigate any such Incident, provide status updates throughout the Incident, where appropriate cooperate with reasonable Controller requests during the management of the Incident or permit the Controller to support the management of the Incident, and send a written report to the Controller, describing the nature of the Incident, stating any control weaknesses discovered, and any actions taken/planned. A plan to agree any reasonable additional controls, either identified by the Processor or the Controller, to prevent or reduce the likelihood of a similar Incident must be agreed and monitored.

c) The Processor will assist the Controller in informing Data Subjects if there has been an Incident involving the Processor.

d) The Processor will assist the Controller in informing any relevant supervisory authority of an Incident.

7. Processor’s Appointment of a Sub-Processor

a) The Processor will not engage a Sub-Processor to process the Controller’s Data, without the prior specific or general or written authorisation of the Controller.

b) If the Processor employs a Sub-Processor under the Controller’s prior general written authorisation the Processor will inform the Controller in writing of any intended additions to or replacement of Sub-Processor(s) the Processor uses to carry out processing of the Controller’s personal data at least 20 days before the date of any intended additions or changes to the sub processors.

c) If the Controller objects to any such additions to or replacement the Controller shall inform the Processor within 10 days of receiving the notice in Clause 8 (b) of this Agreement. Upon receipt of such a notice of objection the Processor shall not make the intended addition or replacement of [a] Sub-Processor(s)

d) The Processor, upon receipt of a notice under Clause 8 (c) of this Agreement above may choose another Sub-Processor(s) it wishes to add to or act as a replacement to the existing Sub-Processor(s) it uses to carry out the processing. The Processor will then inform the Controller in accordance with clause 8 (b) of this Agreement and the Controller will have the right to object in accordance with clause 8 (c) of this Agreement

e) The Processor shall ensure by written contract that any agent or Sub-Processor employed by the Processor to process Data to which this Agreement relates:

i) imposes the same contract terms as listed in Clause 6 – Security and Confidentiality of Data and Clause 7 Incident reporting of this Agreement on any agent or sub- processor
ii) makes it clear that the Processor and not any agent or sub-processor will be liable to the Controller for the compliance of the agent or Sub-Processor with data protection law

f) The Processor will immediately inform the Controller of any Incident involving any of its’ permitted sub-contractors or sub-processors in accordance with Clause 7 Incident reporting of this Agreement.

g) The Processor will assist the Controller in informing Data Subjects if there has been an Incident involving any of its’ permitted sub-contractors or sub-processors in accordance with Clause 7 Incident reporting of this Agreement.

h) The Processor will assist the Controller in informing any relevant supervisory authority of an Incident.

8. Data Subjects Rights

a) The Processor shall have appropriate technical and organisational means taking account of the nature of the Processing in so far as this is possible for the fulfilment of the Controller‘s obligation to respond to requests for exercising the following Data Subject’s rights :

i) information rights under Articles 13 and 14 of the GDPR
ii) right of access by the Data Subject under Article 15 of the GDPR
iii) right to rectification under Article 16 of the GDOR
iv) right to erasure under Article 17 of the GDPR
v) right to restriction of processing under Article 18 of the GDPR
vi) notification regarding the right of rectification and/or erasure of personal data and/or restriction of processing under Article 19 of the GDPR
vii) right to data portability under Article 20 of the GDPR

9. Assisting the Controller

a) The Processor will assist the Controller, taking into account the nature of the Processing and the information available to the Processor, to meet the Controller’s obligations

i) to keep Data secure in accordance with Article 32 of the GDPR
ii) to notify Incidents in accordance with Article 33 of the GDPR
iii) to advise Data Subjects when there has been an Incident in accordance with Article 34 of the GDPR
iv) to carry out data protection impact assessments (DPIAs) in accordance with Article 35 GDPR
v) to consult with the Controller’s supervisory authority where a DPIA indicates there is an unmitigated high risk in accordance with Article 36 of the GDPR

b) The Processor will immediately pass on any notices, requests or other communications from a Data Subject. The Processor will not act on any request from a Data Subject, without the full written authority of the Controller.

c) If a privacy impact assessment indicates that there is an unmitigated high risk to the rights and freedoms of the Data Subject, the Processor will assist the Controller in consulting with the relevant supervisory authority or authorities

10. Audit, Inspections and Legal Processing

a) The Processor must provide the Controller with all the information that is needed to show that both the Processor and the Controller have met their obligations under Article 28 of the GDPR

b) The Processor must submit and contribute to audits and inspections conducted by the Controller or another auditor mandated by the Controller.

c) The Processor shall allow the Controller and/or its auditors, or their representatives, to have access to and audit relevant processes, procedures, documentation, and/or any premises of the Processor. Such access may take place on 30 days’ prior written notice to the Data Processor. The Controller agrees to reimburse the Processor any reasonable charge for the audit, at the hourly rates agreed within the Controller’s contract with the Processor.

d) If the Controller reasonably believes that the Processor is in breach of any of its obligations under this Agreement or in which case the Controller shall not be obliged to give such prior notice and the Processor shall ensure that a Processor appointed representative shall provide full co-operation and assistance to the Controller and/or its representatives, auditors at no additional charge to the Controller.

e) The Processor shall inform the Controller if any instruction that the Controller gives, infringes the GDPR or other EU, or EEA member state data protection provisions.

11. Processor’s Responsibilities and Liabilities Under the GDPR

a) The Processor is aware that it may be subject to enforcement action by any relevant data protection supervisory authority to which the Controller is subject under Article 58 (Powers of the supervisory authority) of the GDPR.

b) The Processor is aware that if it fails to meet its obligations as set out in this Agreement and under Article 83 (General conditions for imposing administrative fines) of the GDPR, it may be subject to an administrative fine.

c) The Processor is aware that if it fails to meet its obligations under GDPR, it may be subject to a penalty under Article 84 (Penalties) of the GDPR.

d) The Processor is aware that if it fails to meet its obligations under GDPR, it may have to pay compensation to individual Data Subjects under Article 82 (right to compensation and liability) of the GDPR.

e) The Processor will appoint a data protection officer, if required in accordance with Article 37 (designation of the data protection officer) of the GDPR.

f) The Processor will appoint (in writing) a representative within the European Union if required because it is not established in the European Union and the provisions of Article 3 (2) apply in accordance with Article 27 (representatives of controllers or processors not established in the Union) of the GDPR .

12. Liability

The Processor's liability to the Controller for any loss or damage of whatsoever nature suffered or incurred by the Controller or for any liability of the Controller to any other person for any loss or damage of whatsoever nature suffered or incurred by that person shall to the extent permitted by law not exceed £10 million

13. Termination

a) Subject to Clause 14 (b) either Party may terminate this Agreement upon giving one months prior written notice to the other. Upon the date of termination of this Agreement, the Processor shall return or delete at the Controller’s choice any Data received from the Controller to the Controller should the Controller request it.

The Processor shall not be obliged to return or delete any Data received from the Controller which has:

a) already been deleted in the normal course of events or
b) the Processor is required to retain by law.
b) Notwithstanding termination of this contract, the provisions of this Agreement shall survive the termination of this Agreement and shall continue in full force and effect for a period of 2 years from the date of termination of the Agreement. The obligations contained in Clause 6 of this Agreement – Security and Confidentiality of Data – and Clause 7of this Agreement- Incident Reporting shall continue indefinitely.

14. Assignment

This Agreement shall not be transferred or assigned by either party except with the prior written consent of the other.

15. Jurisdiction

This Agreement shall be governed by and construed in accordance with the law of England and Wales and the parties shall submit to the exclusive jurisdiction of the Courts of England and Wales.