Home GDPR in construction

GDPR in construction

GDPR in construction

In 25 May 2018, the European Union adopted the General Data Protection Regulation (GDPR) to replace the data protection guidelines. Covid-19 instigated a gigantic digital shift, and the construction industry is no exception. Still, those working in the construction industry remain a bit unclear as to what needs to be done to comply with GDPR legislation. That is why we wrote the comprehensive article below.


Basic principles of the GDPR

The GDPR revolves around a number of basic principles including transparency and security. Transparency is a very broad term. Firstly, it refers to transparent behaviour regarding the data owner. In addition, it involves mapping the data processed by an organisation in order to create a transparent overview.

Personal data must be treated transparently as well as sufficiently secured. This involves the IT infrastructure of an organisation as well as physical access to personal data. Personal data must be protected from third party access. Leaving documents in a desk drawer that unauthorised individuals may gain access to, must be avoided.

Practical implementation of the GDPR

How to implement the GDPR in the construction industry? Start at the beginning: determine whose personal data your organisation possesses. This includes staff, clients, suppliers, subcontractors, etc. Where this personal data is being kept is of great importance as well.

Access to such data must be restricted to persons who need it in order to do their job. It is up to you to determine the best way of organising this within your company. Methods include drafting a privacy policy containing the regulations that govern your company, concluding contracts with suppliers and subcontractors who process the personal data of your staff or clients, and adjusting the work regulations in view of handling sensitive data. As well as keeping documents in an access-restricted cabinet and a password for a PC that gives access to such data. You may even want to get a programme with specific codes to monitor what data is accessed when and by whom. There are various options and it is important to find out what option is best for your company and your way of working.

In addition, you will need to implement a processing registry of all personal data that is processed by your organisation. This involves a registry that keeps track of the personal data that is being processed. Whether you are a data processor or controller determines what data the registry needs to contain. You will find a list below, but we can certainly help you with this.

  1. Is your organisation a data controller? This means your organisation determines the personal data processing objective and means. In this case, your registry must contain the following:
    1. Name and contact details of
      • The organisation or the representative of the organisation
      • Any other organisation that co-decides on the objectives and means of data processing together with you
    2. The processing objectives. (e.g. for recruiting staff, delivering products or marketing)
    3. A description of data subject categories and categories of personal data (e.g. telephone numbers, CCTV footage, IP addresses)
    4. Categories of personal data recipients.
    5. Storage term
    6. Security
      • This may be a description of the technical and organisational measures implemented to protect the data
  2. If your organisation is a personal data processor, your registry must include the following:If your
    1. Name and contact details of
      • The organisation or the representative of the organisation
      • The data protection officer, if appointed
    2. The categories of data processed on behalf of each data controller
    3. International companies with whom data is being exchanged, including those outside the EU.
    4. Security
      • This may be a description of the technical and organisational measures implemented to protect the data


In addition to maintaining this registry, you also need to inform all data owners about how you handle their data as well as about their rights. Your company must have a “Privacy Statement” that explains whose data is being collected and how they can gain access to it, have it deleted, etc. It is best to include this Privacy Statement on your website. Does your website install cookies? This is yet another way of processing personal data. Consequently, you are required to include a Cookie Statement on your website. Do not forget to refer to your Privacy Statement in each contact form and ask prospects and (in some cases) clients for their permission to send them newsletters.

If you have any further questions after reading this blog post or are seeking specific legal support for GDPR-related issues or documentation, Please feel free to get in touch!