SIGMA HOMES
PRIVACY POLICY

SIGMA HOMES
CUSTOMER PRIVACY NOTICE

1. WHY DO WE HAVE THIS PRIVACY NOTICE?

We are Sigma Homes Limited and treating individuals and their personal information with respect reflects our core values and the values of our business. So we want you to know as much as possible about what we do with your personal information. Also you and your personal information are protected by various laws and guidance and Sigma Homes is committed to upholding these and respecting your privacy and keeping your information safe. So whilst this privacy notice is quite long, we want you to be fully informed.

In this privacy notice any reference to “Sigma Homes”, "us", "we", "our" or "ourselves" is a reference to Sigma Homes, and the particular part of the Sigma Homes group that you have a relationship with and any reference to "you", "your" and "yourself" is a reference to you as an individual who has a relationship with us or is in contact with us.

This notice applies to our customers who have reserved a new home to be purchased from us through until after completion of the purchase. This notice does not form part of any contract relating to the property you have agreed to purchase.

Please note that we have a separate privacy notice that relates to personal information captured by our CCTV and Access Control systems. A copy can be found at www.sigmahomesgroup.co.uk. We also have a separate Staff Recruitment privacy notice that applies generally to individuals who apply to work for us, a copy of which can be found at www.sigmahomesgroup.co.uk. Finally we have a separate Rest of the World privacy notice that applies to any other individual that may interact with us, a copy of which can be found at www.sigmahomesgroup.co.uk. You should also read these privacy notices to the extent that they will apply to your activities as they may apply to you in addition to this privacy notice.

This privacy notice provides details in accordance with data protection laws about how we collect and use personal information about you during and after your relationship with us.

As this privacy notice covers a range of individuals and different types of relationships and interactions with us, not all aspects of this privacy notice may apply to you depending upon the nature of your relationship and interactions with us. If you are unsure then you can always ask us by contacting privacy@sigmahomesgroup.co.uk.

2. CONTROLLER OF YOUR PERSONAL INFORMATION

For the purposes of data protection laws and this privacy notice, whichever part of the Sigma Homes group is processing your personal information is the controller of your personal information for that processing of your personal information. This will usually be the part of the Sigma Homes group that you interact with or have a relationship with. Being a controller of your personal information means that we are responsible for deciding how we hold and use your personal information. Our main trading entity is Sigma Homes Limited (Registered number 08031459) which is incorporated in England and Wales with its registered office at Ashbourne House, The Guildway, Old Portsmouth Road, Guildford, Surrey, United Kingdom, GU3 1LR. If you are based in the UK then this company will be the controller of your personal information. If you are based outside of the UK then the controller of your personal information may be another part of our group that you interact with, but in most cases for the interactions covered by this privacy notice it will always be Sigma Homes Limited that is the controller of your personal information. Sometimes we may pass personal information to different parts of our group, so this privacy notice covers our whole group and more than one part of our group may be a controller of your personal information. However regardless of where you are based and regardless of which part of our group may be a controller of your personal information, any queries you have regarding your personal information will be dealt with by the DPCM which can be contacted at privacy@sigmahomesgroup.co.uk.

3. YOUR DUTY TO INFORM US OF CHANGES

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period of your interactions with us.

4. WHAT IF YOU DO NOT PROVIDE PERSONAL INFORMATION?

Failing to provide some of the personal information we require may have an adverse impact on our ability to interact with you, for example we may not be able to provide you with products or services you would like to receive. However generally you are not obliged to provide us with any of your personal information.

5. IF YOU HAVE QUERIES OR CONCERNS, JUST ASK!

We are not required to appoint a data protection officer to oversee our compliance with the data protection laws, however, we have appointed a Data Protection Compliance Manager (DPCM) to do this. If you have any questions about this privacy notice or how we handle your personal information, please contact our DPCM on privacy@sigmahomesgroup.co.uk.

6. CHANGES TO THIS NOTICE

We keep our privacy notice under regular review and we may update this privacy notice at any time. The current version of this notice is available on our website at www.sigmahomesgroup.co.uk or by requesting a copy from privacy@sigmahomesgroup.co.uk. If there are any material changes to this privacy notice in the future, we will let you know, usually by updating the version on our website, and we may also email you to let you know.

7. DATA PROTECTION PRINCIPLES

We are committed to being transparent about how we collect and use your personal information and in meeting our data protection obligations. Data protection laws say that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

To make sure this happens we are required under data protection laws to notify you of the information contained in this privacy notice. It is important that you read this document before you begin interacting with us so that you understand how and why we will process your personal information.

8. WHAT PERSONAL INFORMATION DO WE COLLECT?

In connection with your relationship or interactions with us, we may collect and process a wide range of personal information about you. This includes:

• Personal and work contact details and identifiers such as name, title, addresses, telephone numbers, and email addresses, emergency contact details, date of birth, gender, details of availability.
• Family information: any family members who will live with you, guarantors of your commitments.
• Marketing preferences including preferred contact methods, property types, locations of interest, developments of interest, purchase schemes and incentives of interest.
• Tax or governmental identifiers regarding any stamp duty or other relevant property taxes.
• Bank accounts, credit card details, payment and receipt details, financial status, mortgage status and amounts and tax status, sale status of your current property.
• Account information for any of our portals and websites including username, password and other identifying information and other account information (for more details see our separate Cookie Policy at www.sigmahomesgroup.co.uk.
• Details of the property to be purchased, property options selected and payments made, and where you take part in our part exchange scheme, details relating to the property you are selling to us, payments we make to you and other associated information, relevant utilities records, decisions made by you.
• Identification documents and information such as passport, utilities bills, identity cards, signature, etc.
• Advisors appointed by you including mortgage brokers, lawyers, financial advisors, surveyors.
• Property records, searches, documents and files (including our legal files relating to the sale to you, and where you take part in a part exchange, our legal files relating to the property you are selling to us).
• Enquiries, complaints and correspondence and other communications with you.
• Videos and pictures where you feature in our marketing or promotional materials.
• Any terms and conditions relating to your relationship with us.
• Vehicle registration number, make and model and vehicle insurance details.
• CCTV footage and other information obtained through electronic means such as swipe card records and access control systems if you visit our premises or properties (see our separate CCTV and Access Control privacy notice at www.sigmahomesgroup.co.uk.
• Any other personal information you provide to us.

Generally, we do not collect personal information relating to anyone under the age of 18 years old unless for some reason you provide it to us.

However, we may in some cases collect limited personal information related to children if they are connected to someone who is 18 or older whom we have a relationship with, for example if they are a family member of a customer or they attend an event, a property or our premises when accompanied by an adult.

9. SPECIAL CATEGORIES OF PERSONAL INFORMATION

We do not generally collect, store and use any of the following “special categories” of more sensitive personal information regarding you:

• information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
• information about your trade union memberships;
• information about your health, including any medical condition, health and sickness records, medical records and health professional information and disability information; and
• biometric information about you, for example fingerprints, retina scans.

We will generally not collect, store and use any special category personal information in relation to you except to the extent we need to do so to comply with a legal obligation or you have given your consent or it relates to a dispute.

Also we do not generally collect, store and use any criminal records history relating to you except to the extent we are legally required to do so or you have given your consent.

10. WHERE DO WE COLLECT YOUR PERSONAL INFORMATION FROM?

We will collect personal information from a number of sources. These include the following:

• Directly from you: from yourself, when you indicate that you may wish to attend an event, complete forms we provide to you, use our website, enter our competitions and promotions, make a claim, make a complaint, provide money laundering information to us contact us by phone, email or communicate with us directly in some other way.
• Third parties authorised by you: a family member or someone else authorised by you.
• Our website: provides us with information about how you use it and the devices that you use to connect to our website.
• Providers of information: which may include credit reference agencies, money laundering check provider, the Land Registry and other web platforms.
• Portals, social media and other web platforms: for example Rightmove, Zoopla.
• Journalists or other investigators: they may provide us with details or make enquires about you or matters concerning you or ourselves.
• Your professional advisors: such as lawyers, accountants, planning consultants, mortgage brokers, financial advisors and surveyors.
• Our professional advisors: such as lawyers, accountants, planning consultants and surveyors.
• Information technology and communications systems, access control systems and CCTV and suppliers we use in connection with them.
• Government or government related bodies, regulators, the police, law enforcement authorities or the security services.

We will also collect additional personal information throughout the period of you going through the purchase process connected to your dealings and activities connected to the purchase of the property and, if you are utilising our part exchange scheme, the sale of your property to us.

11. WHAT ARE OUR BASES FOR PROCESSING YOUR PERSONAL INFORMATION?

We will only use your personal information when the law allows us to. This means we must have one or more legal bases to use your personal information. Most of these will be self-explanatory. The most common legal bases which will apply to our use of your personal information are set out below:

• Where we need to perform the contract, we have entered with you which covers your relationship with us or to take steps to enter that contract.
• Where we need to comply with a legal obligation which applies to us, for example complying with laws relating to the sale of products to consumers or complying with data protection laws.
• Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests. We have set out in the section below how we use your personal information together with more details on our legitimate interests.
• You have given your consent. Generally we do not rely on or need your consent for most uses we make of your personal information, but we will need your consent to directly market our products and services to you by electronic communications channels such as email or SMS/MMS.

Where we are processing any sensitive special category personal information about you (for example personal information revealing racial or ethnic origin, religious or philosophical beliefs, or data concerning health) we also need to have one or more of the following legal bases for using your personal information.

• Where we have your explicit consent to do so.
• Where it is necessary for us to comply with our obligations and exercising our rights in the field of employment law, social security law and social protection law, for example processing your health information so we can ensure our app is tailored to you or making sure it is safe for you to participate in one of our events or promotions or making any adjustments necessary for you to attend our premises.
• Where we need to protect your vital interests (or someone else's vital interests).
• Where you have already made public the personal information.
• In establishing, exercising or defending legal claims, whether those claims are against us or by us.
• Where it is necessary in the public interest.

In some cases more than one legal bases may apply to our use of your personal information.

12. HOW WILL WE USE YOUR PERSONAL INFORMATION?

There are many ways we will need to use your personal information in the context of your relationship with us. We have set out the main uses below and indicated the main applicable legal bases of processing, but there may be other specific uses which are linked to or covered by the uses below.

• Marketing to your properties and developments of potential interest and our services, products and schemes which may be of potential interest to you. We have a legitimate interest in marketing our properties and developments to you in order to make new sales. You may also have requested that we send to you details of certain properties and/or developments and we may have obtained your explicit consent.
• Carrying out any identity and money laundering checks. We have a legitimate interest in making sure that we have correctly identified you and ensuring that we are likely to be paid. We also have a legal obligation to do this.
• Dealing with and managing the reservation, exchange of contracts and completion of your purchase of a property from us. We need to do this to be able to perform and administer your acquisition of the property and to be able to enter into, manage and perform our contract with you regarding your property purchase and fixtures and fittings options.
• Dealing with and managing our party exchange with you of your property, exchange of contracts and completion of our purchase of your property. This is necessary to be able to perform and administer your acquisition of the property and to enter into and perform the contract with you regarding your sale of your property to us where you utilise our part exchange scheme.
• Dealing with and carrying out any fixtures and fittings options selected by you in relation to the property. This is necessary to enter into and perform the contract with you regarding any fixtures and fittings options selected by you in relation to your property purchase.
• Receiving money from you for your selected options and/or the property or payments from us under our part exchange scheme. This is necessary to be able to manage and perform our contract with you regarding your property purchase and fixtures and fittings options and, where you utilise the part exchange scheme, your property sale to us. We may also have a legal obligation to do this.
• Administering the contract we have entered into with you regarding property transactions and managing our relationship with you including your rights in relation to the property(s). This is necessary to be able to manage and perform our contract with you regarding your property purchase and fixtures and fittings options and, where you utilise the part exchange scheme, your property sale to us. We also have a legitimate interest to do this.
• Managing our relationship with you and to manage and operate our business and internal reporting. We have a legitimate interest to ensure that we operate efficiently and manage our business properly. This is also necessary to be able to manage and perform our contract with you regarding your property purchase and fixtures and fittings options and, where you utilise the part exchange scheme, your property sale to us.
• Dealing with and managing enquiries, defect rectification, complaints and other communications from you or your organisation or a third party and dealing with legal disputes and warranty claims involving you or your organisation or a third party. We have a legitimate interest to ensure that we operate efficiently and deal with any enquiries, complaints or other communications and ensure that all legal claims are managed effectively. We may also need to do this to be able to manage and perform our contract with you regarding your property purchase and fixtures and fittings options and, where you utilise the part exchange scheme, your property sale to us. We may process special category personal information to assess, defend or bring legal claims.
• Providing to you purchaser portal and/or website access and for the purposes of ensuring the security of our systems and our information including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. We have a legitimate business in ensuring our premises and systems are secure and we may also need to this to be able to manage and perform our contract with you regarding your property purchase and fixtures and fittings options and, where you utilise the part exchange scheme, your property sale to us.
• To conduct data analytics studies and customer satisfaction surveys to review, and better understand our customer purchase, retention, attrition and satisfaction levels. We have a legitimate interest to improve as a company.
• Fraud, crime prevention and debt collection. We have a legitimate interest to detect and prevent crime and to collect debts.
• To comply with any legal or regulatory requirements. We may have a legal obligation to comply with regulatory requirements and we have a legitimate interest in complying with regulatory requirements. Where we process special category personal information or criminal records information we will do so to comply with our legal obligations or where you have provided your consent.
• Creating and storing records relating to you or the organisation you represent and records relating to our business. This is necessary to be able to manage and fulfil our contract with you, we may have a legal and/or regulatory obligation to do so and we also have a legitimate interest to keep proper records.

For some of your personal information you will have a legal, contractual or other requirement or obligation for you to provide us with your personal information. If you do not provide us with the requested personal information, we may not be able to sell to you the property you wish to purchase or we may not be able to properly perform our contract with you or comply with legal obligations. For other personal information you may not be under an obligation to provide it to us, but if you do not provide it then we may not be able to properly provide the information you have requested or market our properties and purchase/incentive schemes to you, perform our contract with you regarding sale of the property to you or, where you are utilising our part exchange scheme, purchase of your property by us.

You should be aware that it is not a condition of any contract with us that you agree to any request for consent from us and we do not usually rely on consent as a basis for processing your personal information. However if we have asked you for consent, and you have given us your consent to use your personal information, you have the right to withdraw this consent at any time, which you may do by contacting us as described in the "Contacting us" section below.

Please note however that the withdrawal of your consent will not affect any use of the data made before you withdrew your consent and we may still be entitled to hold and process the relevant personal information to the extent that we are entitled to do so on bases other than your consent. Withdrawing consent may also have the same effects as not providing the information in the first place, for example we may no longer be able to provide carry out certain activities.

13. DIRECT MARKETING

Email, post, telephone and SMS marketing: from time to time, we may contact you by email, post, telephone or SMS with information about products or services we believe you may be interested in.

We shall only send marketing messages to you in accordance with the marketing preferences you set when you create your account or that you tell us afterwards you are happy to receive or where you or the organisation you represent have purchased similar services or goods from us previously.

You have the right to opt out of receiving marketing communications from us at any time by:

• Updating your preferences in your account on our website.
• Informing us that you wish to change your marketing preferences by contacting our customer support team at privacy@sigmahomesgroup.co.uk.
• Making use of the simple “unsubscribe” link in emails or any other electronic marketing materials we send to you.
• Contacting us via email at privacy@sigmahomesgroup.co.uk or by post to Sigma Homes Limited, 44-46 Springfield Road, Horsham, West Sussex, RH12 2PD.

This will not stop non-marketing communications from us. It will also not affect advertising that may appear on our website or other websites. Please see below section entitled 'Automated decision-making' for more information on how we use cookies to advertise to you.

14. CHANGE OF PURPOSE

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you by updating this privacy notice on our website, so please check back regularly for any updates.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. We will rarely need to rely on your consent to process any of your personal information.

15. AUTOMATED DECISION-MAKING

Automated decision-making takes place when an electronic system uses personal information to make a decision about that person without any human intervention which produces legal effects concerning them or similarly significantly affects them. We do not currently use this type of automated decision-making in our business in relation to you.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

However we do use automated processing so that we can show you personalised advertisements whilst browsing our website or those of other companies and to build a customer profile for you. Any advertisements you see may relate to your browsing activity on our website from your computer or other devices.

These advertisements are provided by us via external market leading specialist providers using techniques such as pixels, web beacons, ad tags, mobile identifiers and ‘cookies’ placed on your computer or other devices (see further information on the use of cookies in our Cookie Policy at www.sigmahomesgroup.co.uk. You can remove or disable cookies at any time.

We may analyse your browsing and purchasing activity online and your responses to marketing communications. The results of this analysis, together with other demographic data, allow us to decide what advertisements are suitable for you and to ensure that we draw to your attention products, services, events and offers that are tailored and relevant to you. To do so, we use software and other technology for automated processing. This allows us to provide a more personalised services and experience.

We may review personal information held about you by external social media platform providers, such as the personal information available on social media platforms such as Twitter, Instagram, YouTube, Twitter and Facebook.

We aim to update you about products and services which are of interest and relevance to you as an individual. To help us do this, we process personal data by profiling and segmenting, identifying what our customers like and ensuring advertisements we show you are more relevant based on demographics, interests, purchase behaviour, online web browsing activity and engagement with previous communications.

16. WHO HAS INTERNAL ACCESS TO YOUR PERSONAL INFORMATION?

Your personal information may be shared internally with our staff, including with our customer support, order fulfilment, loyalty and retention, customer relationship management, media, insights, events, campaign, technical and legal teams where access to your personal information is necessary for the performance of their roles. We only provide access to your personal information to those of our staff who need to have access to your personal information.

17. WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH EXTERNALLY?

When using your personal information we may share it with third parties, but we will only do so when it is appropriate and we have a legal basis for doing so. Third parties that we may share your personal information with include:

• Companies in the same group of companies as us: for the purpose of providing a service to you.
• Our commercial partners: where they need to know personal information as part of our business dealings.
• Any party approved by you: for example mortgage brokers, financial advisors, legal advisors, your family.
• Other service providers to our business and advisors: repair and maintenance contractors, banks, professional advisors including legal advisors, and administration and IT services. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information.
• Insurance providers: where relevant to the insurance of the property you purchase and/or the property we purchase from you.
• Managing agents, management company, landlords, the Land Registry: where relevant to the completion of your property transactions.
• Guarantee providers: such as the National House Builders Council or other guarantee or warranty providers in relation to your property and/or the fixtures and fittings in the property.
• Utility providers and council tax authorities: for example water, electric, gas, telephone, internet/broadband and the relevant council tax authority.
• Purchasers of our business: buyers or perspective buyers to whom we sell or negotiate to sell our business.
• Professional bodies and associations: where relevant to our business dealings.
• Government agencies and representatives: where you are taking part in any scheme run by them, for example help to buy.
• The Government, government bodies or our regulators: where we are required to do so by law or to assist with their investigations or initiatives, for example HMRC, the National House Building Council or the Information Commissioner’s Office.
• Police, law enforcement and security services: to assist with the investigation and prevention of crime and the protection of national security.
• Social media and other online platforms where relevant to our relationship with you.

We also use Google Analytics which sets cookies to collect information about how visitors use our website. See our Cookie Policy at www.sigmahomesgroup.co.uk. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

We do not disclose personal information to anyone else except as set out above unless we have your consent or we are legally entitled to do so. We may provide third parties with aggregate statistical information and analytics about users of our products and services but we will make sure no one can be identified from this information before we disclose it.

18. INTERNATIONAL TRANSFERS

It is sometimes necessary to share your personal information outside of the UK and the European Economic Area (the EEA) or it will be collected outside of the UK and the EEA. This will typically occur when service providers to our business are located outside the EEA or if you are based outside the EEA. These transfers are subject to special rules under data protection laws.

The same applies to any transfer of personal information to another part of our group of companies based outside of the UK and the EEA. We also apply the same standards to any transfer of personal information between members of our group, regardless of where the group company is based.

If we transfer your personal information outside of the UK and the EEA, we will ensure that the transfer will be compliant with data protection laws and all personal information will be secure. Our standard practice is to assess the laws and practices of the destination country and relevant service provider and the security measures that are to be taken as regards the personal Information in the overseas location; alternatively, we use standard data protection clauses. This means that when a transfer such as this takes place, you can expect a similar degree of protection in respect of your personal information.

Our directors and other key staff working for us may in limited circumstances access personal information from outside of the UK and EEA if they are on holiday abroad outside of the UK or EEA. If they do so they will be using our security measures and the same legal protections will apply that would apply to accessing personal information from our premises in the UK.

In limited circumstances the people to whom we may disclose personal information may be located outside of the UK and EEA and we will not have an existing relationship with them, for example a foreign police force. In these cases we will impose any legally required protections to the personal information as required by law before it is disclosed.

Also if you are based outside of the UK and EEA, then your personal data may be held and used outside of the UK and EEA anyway, but in most cases as described at the start the controller of your personal information will be Sigma Homes Limited in the UK.

If you would like any more details about how we protect your personal information in relation to international transfers, then please contact our DPCM at privacy@sigmahomesgroup.co.uk.

19. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

We are committed to keeping your personal information safe and secure and so we have numerous security measures in place to protect against the loss, misuse, and alteration of information under our control. Our security measures include:

• Encryption of personal information where appropriate.
• Regular cyber security assessments of all service providers who may handle your personal information.
• Regular planning and assessments to ensure we are ready to respond to cyber security attacks and data security incidents.
• Regular penetration testing of systems.
• Security controls which protect our information technology systems infrastructure and our premises from external attack and unauthorised access.
• Aiming to use security systems implemented across our networks and hardware to ensure access and information are protected.
• Regular backups of information technology systems data with functionality to correct errors or accidental deletion/modification to data.
• Internal policies setting out our information security rules for our staff.
• Regular training for our staff to ensure staff understand the appropriate use and processing of personal information.
• Where we engage third parties to process personal information on our behalf, they do so on the basis of our written instructions, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of personal information.

We take information security very seriously and will use all reasonable endeavours to protect the integrity and security of the personal information we collect about you.

20. HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION FOR?

We will hold your personal information for the duration of your relationship with us and then usually for a further period. The duration for which we retain your personal information will differ depending on the type of information and the reason why we collected it from you. However, in some cases personal information may be retained on a long-term basis: for example, personal information that we need to retain for legal purposes will normally be retained in accordance with usual commercial practice and regulatory requirements. Generally, where there is no legal requirement, we retain all physical and electronic records for a period of approximately 15 years until after you have completed your purchase of a property from us due to this being the limitation period for claims about latent defects. The exceptions to this general rule are:

• Legal property information and legal files will be retained for approximately 12 years after completion because this is the limitation period for claims related to property title claims.
• Information regarding fixtures and fittings will retained for approximately 6 years after completion because this is the limitation period for claims related to breach of contract unless it forms part of a contract executed as a deed when it will be retained for 12 years.
• CCTV images will generally be retained for approximately 30 days and then overwritten, unless required to be retained for any reason (please see our separate privacy notice for more details).
• Audio recordings will generally be retained for approximately 30 days and then overwritten or deleted, unless required for any reason (please see our separate privacy notice for more details).
• If for any reason your property transaction with us does not complete, then we would retain your records for approximately 6 years (instead of 15 years) because this is the limitation period for claims related to breach of contract.

We will not retain your personal information for longer than necessary for the purposes for which it was collected and it is being used. We do not guarantee to retain your personal information for the whole of the periods set out above; they are usually the maximum period, and in some cases, we may keep your personal information for a much shorter period.

It is important to ensure that the personal information we hold about you is accurate and up-to-date, and you should let us know if anything changes, for example if you move home or change your phone number or email address. You may be able to update some of the personal information we hold about you by using the details set out in the "Contacting us" section below.

21. YOUR RIGHTS

As an individual whose personal information we collect and process, you have a number of rights. You may:

• Withdraw any consent you have given to us, although this will only be relevant where we are relying on your consent as a basis to use your personal information, but it is an absolute right. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose or purposes for which you originally gave your consent, unless we have another legal basis for doing so.
• Request details about how your personal information is being used. This right is linked with the right of access mentioned below.
• Request access and obtain details of your personal information that we hold (this is commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This means that you can ask us to delete or stop processing your personal information, for example where we no longer have a reason to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (set out below). The right to have data erased does not apply in all circumstances.
• Object to the processing of your personal information where we are relying on a legitimate interest (ours or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Object to direct marketing where we are processing your personal information for direct marketing purposes, for example contacting you about products that might interest you. This is an absolute right.
• Request the restriction of processing of your personal information. This enables you to ask us to stop processing your personal information for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.
• Request the transfer of your personal information to another party in certain circumstances.
• Object to certain automated decision-making processes using your personal information.

You should note that some of these rights, for example the right to require us to transfer your personal information to another service provider or the right to object to automated decision-making, may not always apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us. Also for example we do not use automated decision-making in relation to your personal information which has legal or other significant effects for you, but we do use automated processing to show you relevant advertisements. However some of your rights have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.

If you would like to exercise any of these rights, please contact our DPCM at privacy@sigmahomesgroup.co.uk.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person or dealt with by a person who has no right to do so.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a complex area of law. More information about your legal rights can be found on the ICO’s website at https://ico.org.uk/for-the-public/.

22. COMPLAINTS

We hope you don’t have any reason to complain, and we will always try to resolve any issues you have, but you always have the right to make a complaint at any time to the ICO if you are based in the UK about how we deal with your personal information or your rights in relation to your personal information. If you are based outside of the UK, you may have the right to complain to your local data protection regulator.

You can make a compliant in writing to the ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom or you can go to https://ico.org.uk/make-a-complaint/.

23. CONTACTING US

If you have any queries regarding our use of your personal information or this privacy notice then please contact our DPCM at privacy@sigmahomesgroup.co.uk or write to DPCM, Sigma Homes Limited, 44-46 Springfield Road, Horsham, West Sussex, RH12 2PD or telephone 0203 019 0741. You can use these details regardless of which of our group companies you are working for or used to work for.

SIGMA HOMES
CCTV AND ACCESS CONTROL PRIVACY NOTICE

CCTV USAGE

A notice of the type below should appear in prominent locations around the perimeter and within the area under CCTV surveillance so that any individual coming into and moving around within the CCTV area has the opportunity to see the signs. The image is an example, only the wording is specific. The notice should be clearly visible and legible bearing in mind the different individuals in the area, e.g. pedestrians or car drivers. Careful consideration will be required if there is also audio recording, in which case the sign and notice would both need to be changed.

The controller of the images and personal information captured using the CCTV covered by this notice is Sigma Homes Limited, 44-46 Springfield Road, Horsham, West Sussex, RH12 2PD.

The images and personal information are captured using our CCTV system for the purpose of security, crime detection, public safety and other legitimate reasons set out in our privacy notice which can be found online at www.sigmahomesgroup.co.uk or copies are available upon request.

Please contact Sigma Homes Limited’s Data Protection Compliance Manager by email at privacy@sigmahomesgroup.co.uk or by post at DPCM, Sigma Homes Limited, 44-46 Springfield Road, Horsham, West Sussex, RH12 2PD or telephone 0203 019 0741 if you would like a copy of this privacy notice sent to you, you have any queries or wish to exercise any of your rights in relation to your personal data. Please see the privacy notice for further details.

1. WHY DO WE HAVE THIS PRIVACY NOTICE?

We are Sigma Homes Limited and treating individuals and their personal information with respect reflects our core values and the values of our business. So we want you to know as much as possible about what we do with your personal information. Also you and your personal information are protected by various laws and guidance and Sigma Homes Limited is committed to upholding these and respecting your privacy and keeping your information safe. So whilst this privacy notice is quite long, we want you to be fully informed. Please note while you read it, that not all parts of this privacy notice may apply to you depending upon whether you are a member of our staff, you do not use our Access Control systems or you manage to visit our premises without being recorded on our CCTV system.

In this privacy notice any reference to “Sigma Homes”, "us", "we", "our" or "ourselves" is a reference to Sigma Homes Limited, and the particular part of the Sigma Homes group whose premises you visit and any reference to "you", "your" and "yourself" is a reference to you as a visitor to our premises.

This privacy notice applies to any visitors to or a member of our staff using Sigma Homes' premises whose images are captured on our CCTV systems and/or who use our Access Control systems at our premises usually a key card, fob or code entry system. You may be applying to work for us, or already work for us as one of our staff as an employee, director, temporary worker or consultant. You may also be a representative of a supplier to us, a customer of ours or on our premises for any other reason. This privacy notice provides details, in accordance with data protection laws, about how we collect and use personal information about you on our CCTV and Access Control systems during and after your visit to or use of our premises. Depending on the reasons for your visit to or use of our premises, you may also be covered by another privacy notice as well as this one.

Please note we have a separate Rest of the World privacy notice that applies generally to individuals when they are external to our business, including users of our website, a copy of which can be found at www.sigmahomesgroup.co.uk. We also have a separate privacy notice that applies to our customers and potential customers, a copy of which can be found at www.sigmahomesgroup.co.uk, so this will apply if you have reserved a new home to be purchased from us through until after completion of the purchase. We also have a separate Staff Recruitment privacy notice that will apply to you if you apply to work for us, a copy of which can be found at www.sigmahomesgroup.co.uk. You should also read these privacy notices to the extent that they will apply to your activities as they may apply to you in addition to this privacy notice.

2. CONTROLLER OF YOUR PERSONAL INFORMATION

For the purposes of data protection laws and this privacy notice, whichever part of the Sigma Homes group is processing your personal information is the controller of your personal information for that processing of your personal information. This will usually be the part of the Sigma Homes group that controls the premises that you are visiting. Being a controller of your personal information means that we are responsible for deciding how we hold and use your personal information. Our main trading entity is Sigma Homes Limited (Registered number 08031459) which is incorporated in England and Wales with its registered office at Ashbourne House, The Guildway, Old Portsmouth Road, Guildford, Surrey, United Kingdom, GU3 1LR. If you are visiting our premises in the UK then this company will be the controller of your personal information. If you are visiting premises outside of the UK then the controller of your personal information will be the part of our group that controls those premises. Details of its identity will also be contained on CCTV warning signs at and around the premises. Sometimes we may pass personal information to different parts of our group, so this privacy notice covers our whole group and more than one part of our group may be a controller of your personal information. Regardless of which premises you visit and regardless of which part of our group may be a controller of your personal information, any queries you have regarding your personal information will be dealt with by the DPCM which can be contacted at privacy@sigmahomesgroup.co.uk.

3. WHAT IF YOU DO NOT PROVIDE PERSONAL INFORMATION?

Failing to provide some of the personal information we require may mean that you are not allowed to access our premises using our Access Control systems or use our commercial vehicles. The only way not to have personal information captured by our CCTV systems is to stay out of the line of vision and range of our CCTV cameras.

4. IF YOU HAVE QUERIES OR CONCERNS, JUST ASK!

We are not required to appoint a data protection officer to oversee our compliance with the data protection laws, however, we have appointed a Data Protection Compliance Manager (DPCM) to do this. If you have any questions about this privacy notice or how we handle your personal information, please contact our DPCM on privacy@sigmahomesgroup.co.uk.

5. CHANGES TO THIS NOTICE

We keep our privacy notice under regular review and we may update this privacy notice at any time. The current version of this notice is available on our website at www.sigmahomesgroup.co.uk or by requesting a copy from privacy@sigmahomesgroup.co.uk. If there are any material changes to this privacy notice in the future, we will let you know, usually by updating the version on our website.

6. DATA PROTECTION PRINCIPLES

We are committed to being transparent about how we collect and use your personal information and in meeting our data protection obligations. Data protection laws say that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

To make sure this happens we are required under data protection laws to notify you of the information contained in this privacy notice. It is important that you read this document before you visit our premises or use our commercial vehicles so that you understand how and why we will process your personal information.

7. WHAT PERSONAL INFORMATION DO WE COLLECT?

As a visitor to our premises or a member of our staff using our premises or as someone using our commercial vehicles or being near to our commercial vehicles we may collect and process certain personal information about you in our CCTV system and our Access Control systems. As a visitor you may not always make use of our Access Control systems, but it will be difficult for you to avoid personal data being captured by our CCTV system. The types of personal information we may collect are:

• CCTV - we may collect video recordings and still pictures which feature you if you are in the field of vision of any of our CCTV systems in and around our premises or you feature in the field of vision of any of CCTV installed in our commercial vehicles. This personal information may include your activities, your face, clothing, possessions, vehicle registration, colour, make and model details and other visual information about you which is recorded on our CCTV system.
• Access Control system - Personal contact details such as name, title, address, email address and telephone number(s) when we issue you with a fob, key card, code or other similar means to use our Access Control system, and then when it is being used it may record times, dates, location and link these to your identity each time the Access Control system is used by you.
• Any communications between ourselves and you relating to our CCTV and Access Control systems.
• Details of any claims or disputes relating to you and our CCTV and Access Control systems.
• Any other personal information provided by you.

8. WHERE DO WE COLLECT YOUR PERSONAL INFORMATION FROM?

We collect your personal information in our CCTV systems and Access Control systems directly from you as you are on and move around our premises or are located inside or outside our commercial vehicles. We do not generally use these systems to collect your personal information from third parties, though in some cases we may collect the personal information from a third-party provider of CCTV and/or Access Control systems to us.

9. WHAT ARE OUR BASES FOR PROCESSING YOUR PERSONAL INFORMATION?

We will only use your personal information when the law allows us to. This means we must have one or more legal bases to use your personal information. Most of these will be self-explanatory. The most common legal bases which will apply to our use of your personal information are set out below:

• Where we need to perform the contract, we have entered with you which covers your working relationship with us or to take steps to enter into that contract.
• Where we need to comply with a legal obligation which applies to us, for example complying with health and safety laws.
• Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests. We have set out in the section below how we use your personal information together with more details on our legitimate interests.

Whilst this is almost always not the case with our CCTV systems and Access Control systems, if we are processing any sensitive special category personal information about you (which covers personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation) then we also need to have one or more of the following bases for using your personal information.

• Where it is necessary for us to comply with our obligations and exercising our rights in the field of employment law, social security law and social protection law.
• Where we need to protect your vital interests (or someone else's vital interests).
• Where you have already made public the personal information.
• In establishing, exercising or defending legal claims, whether those claims are against us or by us.
• Where it is necessary in the public interest.

We will not usually process any of these types of special category personal information about you, and in cases where we do process special category personal information about you it will generally be to comply with legal obligations, where you have given your consent or to establish, exercising or defending legal claims. In some cases more than one legal basis may apply to our use of your personal information, so for example it may be in our legitimate interests to use an Access Control system and it may also be to comply with legal obligations, for example health and safety obligations to keep our premises and staff safe.

10. HOW WILL WE USE YOUR PERSONAL INFORMATION?

There are many ways we will need to use your personal information and we have set out the main uses below and indicated the main applicable legal bases of processing, but there may be other specific uses which are linked to or covered by the uses below.

• For the prevention, detection and prosecution of crime, which is in our legitimate interests, in the public interest, and in some cases may also be a legal obligation.
• For evidence in any civil or criminal legal proceedings, and if you work for us, in any disciplinary or grievance proceedings and taking decisions in relation to any such proceedings. This may relate to the entry into or performance of an existing contract with you either directly or indirectly and if not, this will also be in our or a third party’s legitimate interests. We may also have a legal obligation to do so, be exercising a legal right to do this and in relation to special category personal information, it may also be needed to establish, bring or defend legal claims.
• To assist in investigations, which is in our or a third party’s legitimate interests, in the public interest, and also in some cases may be a legal obligation.
• For safety and security, for example to comply with health and safety laws and this is also in our or a third party’s legitimate interests.
• Dealing with any claims, queries, complaints or enquiries and to manage our relationship with you, which may relate to the entry into or performance of an existing contract with you either directly or indirectly or be in our or a third party’s legitimate interests. We may also have a legal obligation to do so or be exercising a legal right to do this and in relation to special category personal information, it may also be needed to establish, bring or defend legal claims.
• We may need to process your personal information to help train our staff, and make sure they deliver the high standards expected in relation to our brand. This will be in our legitimate interests.
• Retaining records, which will be in our legitimate interests, may be in the public interest and in some cases, we may have a legal obligation to do so.
• To manage our CCTV and Access Control systems to ensure compliance with our information technology policies, ensure network and information security, including preventing unauthorised access. This will also be in our legitimate interests and we may also have legal obligations or be exercising a legal right to do this.

We may anonymise any of the personal information we hold on our CCTV system or Access Control system (so that it does not directly identify you, for example by obscuring your face) and it therefore ceases to be your personal information. We may use this anonymised information for any other purposes.

11. CHANGE OF PURPOSE

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. We will rarely need to rely on your consent to process any of your personal information in our CCTV and Access Control systems.

12. AUTOMATED DECISION-MAKING

Automated decision-making takes place when an electronic system uses personal information to make a decision about that person without any human intervention which produces legal effects concerning them or similarly significantly affects them. We do not currently use this type of automated decision-making in our business in relation to our CCTV and Access Control systems.

13. WHO HAS INTERNAL ACCESS TO YOUR PERSONAL INFORMATION?

Your personal information may be shared internally with our staff, including with members of our security team, recruitment team, managers and senior staff, the technical and legal teams where access to your personal information is necessary for the performance of their roles. We only provide access to your personal information to those of our staff who need to have access to your personal information.

14. WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH EXTERNALLY?

When using your personal information we may share it with third parties, but we will only do so when it is appropriate and we have a legal basis for doing so. Third parties that we may share your personal information with include:

• Any third party approved by you.
• An organisation you work for or that represents you if that organisation has a relationship with us.
• Service or product providers to our business, for example information technology services suppliers, CCTV or Access Control suppliers and third parties that process personal information on our behalf and in accordance with our instructions.
• People who have been injured, attacked or had property damaged or stolen and their insurance providers to assist them with any criminal or civil investigations or legal proceedings.
• People who have been involved in road traffic accidents and their insurance providers: to assist with insurance claims, legal claims and investigations.
• Private and other investigators to aid their investigations.
• Another company within our group of companies, especially if we are dealing with any enquiry, claim, complaint, disciplinary or grievance proceedings and it is relevant to do so.
• Purchasers, investors, funders and their advisers if we sell all or part of our business, assets or shares or restructure whether by merger, re-organisation or in another way.
• Our legal and other professional advisers, or any professional advisors appointed by you, for example a legal advisor.
• Governmental bodies, regulators, police, law enforcement agencies, security services, courts/tribunals.

15. INTERNATIONAL TRANSFERS

It is sometimes necessary to share your personal information outside of the UK and the European Economic Area (the EEA) or it will be collected outside of the UK and the EEA. This will typically occur when service providers to our business are located outside the EEA or if you are based outside the EEA. These transfers are subject to special rules under data protection laws.

The same applies to any transfer of personal information to another part of our group of companies based outside of the UK and the EEA. We also apply the same standards to any transfer of personal information between members of our group, regardless of where the group company is based.

If we transfer your personal information outside of the UK and the EEA, we will ensure that the transfer will be compliant with data protection laws and all personal information will be secure. Our standard practice is to assess the laws and practices of the destination country and relevant service provider and the security measures that are to be taken as regards the personal information in the overseas location; alternatively, we use standard data protection clauses. This means that when a transfer such as this takes place you can expect a similar degree of protection in respect of your personal information.

Our directors and other key staff working for us may in limited circumstances access personal information from outside of the UK and EEA if they are on holiday abroad outside of the UK or EEA. If they do so they will be using our security measures and the same legal protections will apply that would apply to accessing personal information from our premises in the UK.

Depending on the circumstances the people to whom we may disclose your personal information may be located outside of the UK and EEA and we will not have an existing relationship with them, for example a police force in a country where we have premises outside of the UK and EEA. In these cases, we will impose any legally required protections to the personal information as required by law before it is disclosed.

If you would like any more details about how we protect your personal information in relation to international transfers, then please contact our DPCM at privacy@sigmahomesgroup.co.uk.

16. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

We are committed to keeping your personal information safe and secure and so we have numerous security measures in place to protect against the loss, misuse, and alteration of information under our control. Our security measures include:

• Encryption of personal information where appropriate.
• Regular cyber security assessments of all service providers who may handle your personal information.
• Regular planning and assessments to ensure we are ready to respond to cyber security attacks and data security incidents.
• Regular penetration testing of systems.
• Security controls which protect our information technology systems infrastructure and our premises from external attack and unauthorised access.
• Aiming to use security systems implemented across our networks and hardware to ensure access and information are protected.
• Regular backups of information technology systems data with functionality to correct errors or accidental deletion/modification to data.
• Internal policies setting out our information security rules for our staff.
• Regular training for our staff to ensure staff understand the appropriate use and processing of personal information.
• Where we engage third parties to process personal information on our behalf, they do so on the basis of our written instructions, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of personal information.

We take information security very seriously and will use all reasonable endeavours to protect the integrity and security of the personal information we collect about you.

17. HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?

We will hold your personal information on our CCTV system until it is overwritten on the storage media we use, which is generally between [14–30] days depending on the CCTV system.

We will hold your personal information on our Access Control system for up to 30 days.

In either case if your personal information becomes or is thought to be relevant to any matters we may extract or copy it from our CCTV or Access Control system and retain it separately. In this case it will be retained for as long as it remains relevant to that matter. For example, if the personal information is relevant for a dispute or legal claim, it may be retained for the duration of that process, which might take a number of years.

We will not retain your personal information for longer than necessary for the purposes for which it was collected and for which it is being used. We do not guarantee to retain your personal information for the whole of the periods set out above, they are usually the maximum period.

18. YOUR RIGHTS

As an individual whose personal information we collect and process, you have a number of rights. You may:

• Withdraw any consent you have given to us, although this will only be relevant where we are relying on your consent as a basis to use your personal information, but it is an absolute right. This is not usually relevant to personal information in our CCTV and Access Control systems.
• Request details about how your personal information is being used. This right is linked with the right of access mentioned below.
• Request access and obtain details of your personal information that we hold (this is commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This means that you can ask us to delete or stop processing your personal information, for example where we no longer have a reason to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (set out below). The right to have data erased does not apply in all circumstances.
• Object to the processing of your personal information where we are relying on a legitimate interest (ours or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Object to direct marketing where we are processing your personal information for direct marketing purposes. This is an absolute right, although not relevant to our CCTV and Access Control systems.
• Request the restriction of processing of your personal information. This enables you to ask us to stop processing your personal information for a period if it is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing your personal information.
• Request the transfer of your personal information to another party in certain circumstances.
• Object to certain automated decision-making processes using your personal information.

You should note that some of these rights, for example the right to require us to transfer your personal information to another service provider or the right to object to automated decision-making, may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us. Also some of the rights will not apply to personal information in our CCTV and Access Control systems, for example we do not rely on consent in most cases and the personal information is not used for marketing, so whilst your right to withdraw your consent or object to processing for direct marketing are absolute rights, they will not be relevant to the personal information in our CCTV and Access Control systems. Also we do not use automated decision-making which has legal or other significant effects for you in relation to your personal information in our CCTV and Access Control systems.

If you would like to exercise any of these rights, please contact our DPCM at privacy@sigmahomesgroup.co.uk.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person or dealt with by a person who has no right to do so. We may also need you to provide details of specific times, dates and locations to allow us to locate any relevant personal information relating to you.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a complex area of law. More information about your legal rights can be found on the ICO’s website at https://ico.org.uk/for-the-public/.

19. COMPLAINTS

We hope you don’t have any reason to complain, and we will always try to resolve any issues you have, but you always have the right to make a complaint at any time to the ICO about how we deal with your personal information or your rights in relation to your personal information. If you are based outside of the UK, you may have the right to complain to your local data protection regulator.

You can make a compliant in writing to the ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom or you can go to https://ico.org.uk/make-a-complaint/.

20. CONTACTING US

If you have any queries regarding our use of your personal information or this privacy notice then please contact our DPCM at privacy@sigmahomesgroup.co.uk or write to DPCM, Sigma Homes Limited, 44-46 Springfield Road, Horsham, West Sussex, RH12 2PD or telephone 0203 019 0741.

SIGMA HOMES
RECRUITMENT OF STAFF (INCLUDING CONSULTANTS) PRIVACY NOTICE

1. WHY DO WE HAVE THIS PRIVACY NOTICE?

We are Sigma Homes Limited and treating individuals and their personal information with respect reflects our core values and the values of our business. So, we want you to know as much as possible about what we do with your personal information. Also, you and your personal information are protected by various laws and guidance and Sigma Homes Limited is committed to upholding these and respecting your privacy and keeping your information safe. So, whilst this privacy notice is quite long, we want you to be fully informed. Please note while you read it, that not all parts of this privacy notice may apply to you depending upon the nature of your role with us that you are applying for.

In this privacy notice any reference to “Sigma Homes”, "us", "we", "our" or "ourselves" is a reference to Sigma Homes Limited, and the particular part of the Sigma Homes group that you work for and any reference to “Sigma Homes”, "you", "your" and "yourself" is a reference to you as an applicant to become one of our staff or to start working for us.

This privacy notice applies to all current and past applicants for positions to work for Sigma Homes. You may be applying to work for us as one of our staff as an employee, director, temporary worker, or consultant. This privacy notice provides details in accordance with data protection laws about how we collect and use personal information about you during and after our recruitment process.

Please note that we have a separate privacy notice that relates to personal information captured by our CCTV and Access Control systems. A copy can be found at www.sigmahomesgroup.co.uk. We have a separate privacy notice that applies to our customers and potential customers, a copy of which can be found at www.sigmahomesgroup.co.uk, so, this will apply if you have reserved a new home to be purchased from us through until after completion of the purchase. Finally, we have a separate Rest of the World privacy notice that applies to any other individual that may interact with us, a copy of which can be found at www.sigmahomesgroup.co.uk and this covers everyone else including people who have a business relationship with us. You should also read these privacy notices to the extent that they will apply to your activities as they may apply to you in addition to this privacy notice.

We also have a separate privacy notice that will apply to you if you are successful in your application to work for us, and we will provide that to you once you are successful in your application as part of your joining process.

2. CONTROLLER OF YOUR PERSONAL INFORMATION

For the purposes of data protection laws and this privacy notice, whichever part of the Sigma Homes group is processing your personal information is the controller of your personal information for that processing of your personal information. This will usually be the part of the Sigma Homes group that you interact with or have a relationship with. Being a controller of your personal information means that we are responsible for deciding how we hold and use your personal information. Our main trading entity is Sigma Homes Limited (Registered number 08031459) which is incorporated in England and Wales with its registered office at Ashbourne House, The Guildway, Old Portsmouth Road, Guildford, Surrey, United Kingdom, GU3 1LR. If you are based in the UK then this company will be the controller of your personal information. If you are based outside of the UK then the controller of your personal information will be the part of our group that you interact with. Sometimes we may pass personal information to different parts of our group, so this privacy notice covers our whole group, and more than one part of our group may be a controller of your personal information. However regardless of where you are based and regardless of which part of our group may be a controller of your personal information, any queries you have regarding your personal information will be dealt with by the DPCM which can be contacted at privacy@sigmahomesgroup.co.uk.

3. YOUR DUTY TO INFORM US OF CHANGES

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period of your application to work for us. We may also hold your records on file for future positions even if you are unsuccessful in your initial application to join us, so again ideally please update us with any changes.

4. WHAT IF YOU DO NOT PROVIDE PERSONAL INFORMATION?

Failing to provide some of the personal information we require may mean that your application to join us will not be successful and we are unable to consider you for the position you are applying for.

Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable us to enter a working relationship with you.

5. IF YOU HAVE QUERIES OR CONCERNS JUST ASK!

We are not required to appoint a data protection officer to oversee our compliance with the data protection laws, however, we have appointed a Data Protection Compliance Manager (DPCM) to do this. If you have any questions about this privacy notice or how we handle your personal information, please contact our DPCM on privacy@sigmahomesgroup.co.uk.

6. CHANGES TO THIS NOTICE

We keep our privacy notice under regular review, and we may update this privacy notice at any time. The current version of this notice is available on our website at www.sigmahomesgroup.co.uk or by requesting a copy from privacy@sigmahomesgroup.co.uk. If there are any material changes to this privacy notice in the future, we will let you know, usually by updating the version on our website.

7. DATA PROTECTION PRINCIPLES

We are committed to being transparent about how we collect and use your personal information and in meeting our data protection obligations. Data protection laws say that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

To make sure this happens we are required under data protection laws to notify you of the information contained in this privacy notice. It is important that you read this document before you make your application to join us so that you understand how and why we will process your personal information.

8. WHAT PERSONAL INFORMATION DO WE COLLECT?

In connection with your application to work with us, we may collect and process a wide range of personal information about you. This includes:

• Personal contact details such as name, title, address, email address and telephone number(s).
• Information about your date of birth, age, gender, marital status, referees, next of kin, beneficiaries, dependants, family members and emergency contacts.
• Bank account details, payroll records, national insurance number, tax records/status information and other tax or governmental identifiers.
• Information about your remuneration, including bonuses, entitlement to benefits such as pensions or insurance cover.
• The terms and conditions relating to you coming to work for us.
• Any communications between ourselves and you.
• Details of your previous schedule (days of work and working hours) and attendance at work.
• Details of previous periods of leave taken by you, including holiday, family leave and sabbaticals, and the reasons for the leave.
• Your usage of the IT systems we make available to visitors to our premises such as any visitor internet facilities at our premises.
• Identification information including your driving license and/or passport and background checks.
• Recruitment information including information about your nationality and entitlement to work in the UK, references, CVs, application information, experience, reasons for leaving previous positions.
• Past work records including your qualifications, skills, experience, working hours, location of workplace, promotions, work titles, performance information, performance reviews, performance improvement plans, training records and start and end dates.
• Vehicle registration number make, model and vehicle insurance details.
• Details of any past disciplinary or grievance or performance related procedures in which you have been involved, including any warnings issued to you and related communications.
• CCTV footage and other information obtained through electronic means such as swipe card records and access control systems if you visit our premises or if you pass or use our commercial vehicles (see our separate CCTV and Access Control privacy notice at www.sigmahomesgroup.co.uk.
• Photographs, video footage and audio recordings, for example any created as part of our assessment process.
• Results of HMRC employment status check, details of your interest in and connection with any intermediary through which your services are supplied.
• Information from Companies House.
• Shareholding, options, stock appreciation rights, dividend entitlements and investments you hold where relevant.
• Any other personal information you provide to us.

If you are providing us with details of referees, they have a right to know and to be aware of what personal information we hold about them, how we collect it and how we use and may share that information. Please share this privacy notice with them. They also have the same rights as set out in this privacy notice in relation to their personal information that we collect.

9. SPECIAL CATEGORIES OF PERSONAL INFORMATION

We may also collect and process more sensitive special category personal information including:

• Information about your health including any medical condition, health, and sickness records, including:
  • where you have a disability or medical condition for which we need to make reasonable adjustments.
  • where you stop working for a previous organisation and the reason for leaving is determined to be ill-health, injury, or disability including any records relating to that decision.
  • details of any past absences (other than holidays from work) including time on statutory parental leave and sick leave and the reasons for those absences.
  • information about your health in the context of providing you with benefits as part of your proposed remuneration, for example health insurance.
• Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or beliefs.
• In cases where it is relevant, we may also collect criminal records information about you, for example points on a driving licence where we need to ensure you are insured to drive any of our vehicles if this is relevant to the role you are being considered for, or an offence committed by you or alleged to have been committed by you impacts on your application to work for us.

10. WHERE DO WE COLLECT YOUR PERSONAL INFORMATION FROM?

We collect your personal information in a variety of ways and from a variety of sources as set out below:

• Most of your personal information is collected directly from you, for example through application forms, CVs or resumes; from your passport or other identity documents such as your driving licence; from correspondence with you; or through interviews, meetings, or other assessments, when you visit our premises or other personal information you provide to us.
• If you are applying for a position with us through a third party, then instead we may collect a lot of your personal information from the relevant recruitment agencies, temporary worker agencies, recruitment websites or platforms that have your personal information and which supply it to us or make it available to us.
• Third parties such as organisations you have worked for in the past or referees whose details you provide to us, Companies House, professional or trade organisations.
• From our information technology and communications systems, access control systems and CCTV and suppliers we use in connection with them.
• From the internet and social media and other public sources.
• From third parties appointed by you, for example any financial or legal advisors.
• From third parties appointed by us, for example a legal advisor appointed by us or a background check provider that we use.
• From government or government related bodies, regulators, the police, law enforcement authorities or the security services.

We store personal information relating to you in a range of different places, but mainly in our people management systems and in other information technology systems (including our email system).

11. WHAT ARE OUR BASES FOR PROCESSING YOUR PERSONAL INFORMATION?

We will only use your personal information when the law allows us to. This means we must have one or more legal bases to use your personal information. Most of these will be self-explanatory. The most common legal bases which will apply to our use of your personal information are set out below:

• Where we need to perform the contract, we have entered into with you which covers your working relationship with us or to take steps to enter into that contract.
• Where we need to comply with a legal obligation which applies to us, for example complying with health and safety laws.
• Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests. We have set out in the section below how we use your personal information together with more details on our legitimate interests.
• You have given your consent. Generally, we do not rely on or need your consent for almost all uses we make of your personal information.

Where we are processing any sensitive special category personal information about you (for example personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation) we also need to have one or more of the following legal bases for using your personal information.

• Where we have your explicit consent to do so, for example to process your medical information to check we can provide you with health insurance as a benefit as part of your proposed remuneration.
• Where it is necessary for us to comply with our obligations and exercising our rights in the field of employment law, social security law and social protection law.
• Where we need to protect your vital interests (or someone else's vital interests).
• Where you have already made public the personal information.
• In establishing, exercising, or defending legal claims, whether those claims are against us or by us.
• Where it is necessary in the public interest.

We will not process all types of special category personal information about you, and in cases where we do process special category personal information about you it will generally be to comply with legal obligations, where you have given your consent or to establish, exercising or defending legal claims. In some cases, more than one legal basis may apply to our use of your personal information.

12. HOW WILL WE USE YOUR PERSONAL INFORMATION?

There are many ways we will need to use your personal information during the application process with us. We have set out the main uses below, and indicated the main applicable legal bases of processing, but there may be other specific uses which are linked to or covered by the uses below.

• We will process your personal information to decide whether to enter into a working relationship with you. For example, we need to process your personal information to provide you with a contract and decide what terms will apply to any offer made to you. As well as relating to the entry into of a contract with you either directly or indirectly, this will also be in our legitimate interests. We may also in some limited cases rely on your consent or be complying with a legal obligation.
• We also need to manage our relationship with you, which may involve interviews, assessments, communications with you, decisions regarding your application and agreeing the terms which will apply to you. As well as relating to the entry into of a contract with you either directly or indirectly, this will also be in our legitimate interests.
• As a business we have many legal obligations connected to your application to work for us or connected to visiting our premises which we need to comply with, for example, checking entitlement to work in the UK, to comply with health and safety laws, to comply with data protection laws, to ensure equality and equal opportunities in our business or to invoke other legal rights or comply with other legal obligations.
• We will also need to keep and maintain proper records relating to your application to work with us and information about you which is relevant to the role you have applied for. As well as relating to the entry into of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations to do this.
• In some cases, we may need to process your personal information to prevent, detect or prosecute criminal activity. This will also be in our legitimate interests; we may also have legal obligations or be exercising a legal right to do this, and it will also be in the public interest.
• We may need to gather evidence for and be involved in disputes and possible legal cases. As well as relating to the entry into of a contract with you either directly or indirectly, this will also be in our legitimate interests, we may also have legal obligations or be exercising a legal right to do this and it may also be needed to establish, bring, or defend legal claims.
• To keep records of your application, any interviews or assessments and our decisions. As well as relating to the entry into of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
• Ensure effective general human resources and business administration and to manage our business. As well as relating to the entry into of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
• Obtain references from other organisations you have worked for or from referees whose details you provide. As well as relating to the entry into of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
• Monitor any use you make of our information and communication systems to ensure compliance with our information technology policies, ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution and use of social media. This will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this. In relation to social media, you may also have already made the personal information public.
• We may need to process your personal information to help train our staff, and make sure they deliver the high standards expected in relation to our brand. This will be in our legitimate interests.
• Conduct data analytics studies to review and better understand staff recruitment and other trends in applications to join our workforce. This will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this. We may anonymise and aggregate personal information for insight and research purposes, but this information will not identify you.

13. CHANGE OF PURPOSE

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Our main purpose is to collect personal information about you to decide whether to recruit you now or in the future to join our workforce. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. We will rarely need to rely on your consent to process any of your personal information.

14. AUTOMATED DECISION-MAKING

Automated decision-making takes place when an electronic system uses personal information to make a decision about that person without any human intervention. We do not currently use automated decision-making in our business in relation to applications to join our workforce.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

15. WHO HAS INTERNAL ACCESS TO YOUR PERSONAL INFORMATION?

Your personal information may be shared internally, including with members of the recruitment team, managers and senior staff in the business area involved in your recruitment, the technology, or legal teams where access to your personal information is necessary for the performance of their roles. We only provide access to your personal information to those of our staff who need to have access to your personal information.

16. WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH EXTERNALLY?

When using your personal information, we may share it with third parties, but we will only do so when it is appropriate, and we have a legal basis for doing so. Third parties that we may share your personal information with include:

• Any third party approved by you.
• Your past employers or referees to obtain references.
• Service or product providers to our business, for example information technology services suppliers, background check providers.
• Third parties that process personal information on our behalf and in accordance with our instructions.
• Another company within our group of companies, especially if you may be working for that part of our group.
• Purchasers, investors, funders, and their advisers if we sell all or part of our business, assets or shares or restructure whether by merger, re-organisation or in another way.
• Our legal and other professional advisers, including our auditors or any professional advisors appointed by you, for example a pensions advisor or legal advisor.
• Governmental bodies, HMRC, regulators, police, law enforcement agencies, security services, courts/tribunals.

We may also disclose your personal information to other third parties where permitted to do so by law, and in such cases, we will impose any legally required protections before providing your personal information.

17. INTERNATIONAL TRANSFERS

It is sometimes necessary to share your personal information outside of the UK and the European Economic Area (the EEA) or it will be collected outside of the UK and the EEA. This will typically occur when service providers to our business are located outside the EEA or if you are based outside the EEA. These transfers are subject to special rules under data protection laws.

The same applies to any transfer of personal information to another part of our group of companies based outside of the UK and the EEA. We also apply the same standards to any transfer of personal information between members of our group, regardless of where the group company is based.

If we transfer your personal information outside of the UK and the EEA, we will ensure that the transfer will be compliant with data protection laws and all personal information will be secure. Our standard practice is to assess the laws and practices of the destination country and relevant service provider and the security measures that are to be taken as regards the personal Information in the overseas location; alternatively, we use standard data protection clauses. This means that when a transfer such as this takes place, you can expect a similar degree of protection in respect of your personal information.

Our directors and other key staff working for us may in limited circumstances access personal information from outside of the UK and EEA if they are on holiday abroad outside of the UK or EEA. If they do so they will be using our security measures and the same legal protections will apply that would apply to accessing personal information from our premises in the UK.

In limited circumstances the people to whom we may disclose personal information may be located outside of the UK and EEA and we will not have an existing relationship with them, for example a foreign police force. In these cases, we will impose any legally required protections to the personal information as required by law before it is disclosed. If you would like any more details about how we protect your personal information in relation to international transfers, then please contact our DPCM at privacy@sigmahomesgroup.co.uk.

18. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

We are committed to keeping your personal information safe and secure and so we have numerous security measures in place to protect against the loss, misuse, and alteration of information under our control. Our security measures include:

• Encryption of personal information where appropriate.
• Regular cyber security assessments of all service providers who may handle your personal information.
• Regular planning and assessments to ensure we are ready to respond to cyber security attacks and data security incidents.
• Regular penetration testing of systems.
• Security controls which protect our information technology systems infrastructure and our premises from external attack and unauthorised access.
• Aiming to use security systems implemented across our networks and hardware to ensure access and information are protected.
• Regular backups of information technology systems data with functionality to correct errors or accidental deletion/modification to data.
• Internal policies setting out our information security rules for our staff.
• Regular training for our staff to ensure staff understand the appropriate use and processing of personal information.
• Where we engage third parties to process personal information on our behalf, they do so on the basis of our written instructions, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of personal information.

We take information security very seriously and will use all reasonable endeavours to protect the integrity and security of the personal information we collect about you.

19. HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?

We will hold your personal information for the duration of your application process to join us and, if your application is unfortunately unsuccessful, for a further period of up to 10 years after our decision not to take you on. We may, during that period, contact you again to check whether you would still like us to keep you on file for any future positions that may become available and contact you about them if we think you may be suitable for the role. However, in some cases we may need to keep your personal information for longer, for example if it is still relevant to a dispute or legal case or claim.

We will not retain your personal information for longer than necessary for the purposes for which it was collected and for which it is being used. We do not guarantee to retain your personal information for the whole of the periods set out above; they are usually the maximum period and, in some cases, we may keep your personal information for a shorter period.

For more information please contact our DPCM at privacy@sigmahomesgroup.co.uk.

20. YOUR RIGHTS

As an individual whose personal information we collect and process, you have a number of rights. You may:

• Withdraw any consent you have given to us, although this will only be relevant where we are relying on your consent as a basis to use your personal information, but it is an absolute right. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose or purposes for which you originally gave your consent, unless we have another legal basis for doing so.
• Request details about how your personal information is being used. This right is linked with the right of access mentioned below.
• Request access and obtain details of your personal information that we hold (this is commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This means that you can ask us to delete or stop processing your personal information, for example where we no longer have a reason to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (set out below). The right to have data erased does not apply in all circumstances.
• Object to the processing of your personal information where we are relying on a legitimate interest (ours or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Object to direct marketing where we are processing your personal information for direct marketing purposes, for example contacting you about other positions that might suit you. This is an absolute right.
• Request the restriction of processing of your personal information. This enables you to ask us to stop processing your personal information for a period if it is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing your personal information.
• Request the transfer of your personal information to another party in certain circumstances.
• Object to certain automated decision-making processes using your personal information.

You should note that some of these rights, for example the right to require us to transfer your personal information to another service provider or the right to object to automated decision-making, may not always apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us. For example, we do not use automated decision-making in relation to your personal information. However, some have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.

If you would like to exercise any of these rights, please contact our DPCM at privacy@sigmahomesgroup.co.uk.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person or dealt with by a person who has no right to do so.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a complex area of law. More information about your legal rights can be found on the ICO’s website at https://ico.org.uk/for-the-public/.

21. COMPLAINTS

We hope you don’t have any reason to complain, and we will always try to resolve any issues you have, but you always have the right to make a complaint at any time to the ICO if you are based in the UK about how we deal with your personal information or your rights in relation to your personal information. If you are based outside of the UK, you may have the right to complain to your local data protection regulator.

You can make a compliant in writing to the ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom or you can go to https://ico.org.uk/make-a-complaint/.

22. CONTACTING US

If you have any queries regarding our use of your personal information or this privacy notice then please contact our DPCM at privacy@sigmahomesgroup.co.uk or write to DPCM, Sigma Homes Limited, 44-46 Springfield Road, Horsham, West Sussex, RH12 2PD or telephone 0203 019 0741.