Enlighting Limited, trading as Enlighten Facility Services, is an electrical contracting and facilities services company that has been trading since 2010. Although relatively small as a company, we work with high-profile clients on complex and challenging projects. Because of this, the company aims to operate at the highest level practicable in all areas of its operations, and staff are encouraged to ensure full understanding of the company’s policies and objectives.
1. Purpose and Scope
This Policy sets out how Enlighting Limited (“we”, “us”, “our”) manages personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable privacy legislation.
It applies to all permanent staff, temporary staff, subcontractors, agency workers and any third parties handling personal data on behalf of Enlighting Limited.
2. Data Protection Principles
We commit to processing personal data in line with the following UK GDPR principles:
– Lawfulness, fairness and transparency
– Purpose limitation
– Data minimisation
– Accuracy
– Storage limitation
– Integrity and confidentiality
– Accountability
3. Lawful Bases for Processing
We process personal data based on one or more lawful bases:
– Contract
– Legitimate interests
– Legal obligation
– Consent (only where appropriate and demonstrable)
4. Categories of Personal Data
We process:
– Client and contact details
– Job scheduling and operational records
– Evidence documentation (photos, reports, surveys)
– Supplier and subcontractor data
– Employment data (covered by a separate Staff Privacy Notice)
5. Roles and Responsibilities
Directors have overall responsibility for data protection compliance.
All staff must:
– Follow this policy
– Protect confidential information
– Report any data breach immediately
6. Data Storage and Security
We implement technical and organisational measures including:
– Multi-factor authentication (MFA)
– Encrypted storage (e.g. Microsoft 365)
– Role-based access controls
– Secure device management
– Secure disposal of confidential waste
7. Data Retention
We retain data only for as long as necessary. Typical periods:
– Financial data – 6 years
– Testing and inspection records – 7 years
– Project files – up to 7 years
– CCTV (if used) – 30–90 days
– HR documentation – in accordance with statutory guidance
We maintain a detailed Data Retention Schedule internally.
8. International Transfers
Where personal data is transferred outside the UK, we ensure adequate safeguards including Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
9. Data Sharing
We share data only where necessary with trusted partners, including:
– JobLogic
– Microsoft 365
– Accountants and payroll providers
– Insurers and H&S partners
– Subcontractors working under contract
All partners must meet UK GDPR requirements.
10. Individual Rights
Individuals have the right to:
– Access their data (SAR)
– Rectification
– Erasure
– Restriction of processing
– Data portability
– Object to processing
– Withdraw consent (where applicable)
All requests must be handled within one calendar month.
11. Data Breach Reporting
All suspected breaches must be reported immediately to a Director.
We will assess, record and, where required, notify the Information Commissioner’s Office (ICO) within 72 hours.
12. ICO Contact Information
Information Commissioner’s Office
Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk | 0303 123 1113
13. Staff Training
All staff must receive data protection training at induction and periodically thereafter.
14. Policy Review
This policy will be reviewed annually, or sooner if legislation or business processes change.
