Data Privacy Notice

Child Graddon Lewis Limited understands how important your privacy is and has implemented measures in order to protect it. This policy outlines the basis on which we collect your personal data and how it will be processed.

To better understand the General Data Protection Regulation (GDPR) you may wish to read the guidance produced by the Information Commissioner’s Office –

Who we are:

Child Graddon Lewis Limited is the Data Controller and determines the purposes for which and the method in which personal data is processed.

You may contact us on the following details:

Child Graddon Lewis | Level 2 Irongate House Aldgate London EC3A 7LP

Our dedicated contact for data related matters and/or to exercise any relevant rights, queries or complaints related to data protection is:

You also have the right to log a complaint with the Information Commissioners Office:

  • Commissioner’s Office
  • Wycliffe House
  • Water Lane
  • Wilmslow
  • Cheshire
  • SK9 5AF
  • 0303 123 1113

The lawful basis for processing your data, why we hold your data and the types of data we hold: 

Basis (we may rely on one or more of these conditions)

Example of Activity

Example of Data Required

Consent – where you have given clear consent to process your personal data for a specific purpose.

E.g. Applicable where you have opted in to receive our newsletters, event invitations and general marketing communications  (to inform you of news, our events or activities)

i) Name

ii) Contact details

Contract - where processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.

E.g. In order to deliver projects and tender information for potential projects,

i) Name

ii) Contact details

iii) Financial details


Legal Obligation – where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

E.g. To comply with duties, regulatory and general legal duties in the performance of architectural services

i) Name

ii) Contact details

iii) Financial details


Legitimate interests – where the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides such legitimate interests.

E.g  To manage of business relationships and day to day running of an architectural practice (to hire or purchase your goods, materials and obtain services from you)

i) Name

ii) Contact details

iii) Financial details

iv) Technical information


How we protect your data:

Child Graddon Lewis, taking expert advice from IT Consultants, has implemented security measures to prevent any unauthorised access to your personal data. Access to such personal data is limited to our employees, agents, contractors and other third parties who have a legitimate business reason to access it. Such third parties will only process your personal data on our instruction and are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Sharing your personal data:

Your data is treated as strictly confidential and will only be shared where necessary for project purposes by our design teams. Your data will not be shared with third parties for any marketing purposes.

Data retention:

We will retain your data only as long as required, on the basis for which it was originally collected, or as long as we are required to do so by law – including but not limited to:

Data Subject

Retention Period

Existing Clients

To end of business relationship

Potential Clients

1 year post campaign

Employee Contact Information

5 years post employment

Employee Bank Details

3 years post employment

Employee Pension Information

75 years post employment

Employee Tax Details

6 years post employment

Unsuccessful Candidate Applications

6 months post campaign

Your rights under GDPR

Child Graddon Lewis pledges to uphold your rights and will assist with the following, save for where an exemption under GDPR applies:

  • The right to request a copy of the personal data which we hold about you;
  • The right to request that we correct any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary to retain such data;
  • The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data;
  • The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller (known as the right to data portability), (where applicable, i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).

Transfer of Data Abroad

We do not usually transfer personal data outside the EEA, save for communication purposes to client or supplier companies in which case project information and contact details may be shared for business purposes only.


Data controller – A controller determines the purposes and means of processing personal data.

Data processor – A processor is responsible for processing personal data on behalf of a controller.

Data subject – Natural person

Categories of data: Personal data and special categories of personal data

Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.

Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.

Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Child Graddon Lewis Limited – Last reviewed: May 2018