Internal Data Handling Policy

Business: Drini Facilities Management
 Owner / Data Controller: Shona Campbell
 Last reviewed: 04/02/2026

1. Purpose

This policy sets out how personal and property-related data is handled within Drini Facilities Management. The aim is to ensure that data is managed lawfully, securely, and proportionately, in line with UK GDPR and the Data Protection Act 2018.

Drini Facilities Management operates as a sole trader business and processes only the data necessary to deliver its services.

2. Types of Data Held

The business may process the following types of data:

• Client names and contact details
• Property addresses and access information
• Inspection records and reports
• Communications records (email, phone notes)
• Limited sensitive operational information (e.g. keysafe codes, alarm details, WiFi details)

No special category data is routinely processed.

3. Lawful Basis for Processing

Data is processed on the following lawful bases:

• Contract – to deliver agreed services
• Legitimate interest – to manage properties safely and communicate with clients
• Legal obligation – for tax, insurance, and record-keeping requirements

Data is not used for marketing beyond direct service-related communication.

4. Storage & Systems Used

Data is stored securely using the following systems:

• Airtable – client, property, inspection, and issue records
• ONLYOFFICE – document creation and storage
• Google Workspace (email) – client communications
• Bitwarden – Property access codes & sensitive information

All systems are password protected and use encrypted connections. Sensitive information (e.g. keysafe codes, alarm details) is stored only within secure fields and is not shared.

No client data is stored permanently in personal notes apps or unprotected files.

5. Access Control

Access to all systems is restricted to the business owner only

Strong passwords are used

• Two-factor authentication is enabled where available
• Devices are protected by PIN/password and kept up to date
• Client data is not shared with third parties unless required to support service delivery (e.g. liaising with a contractor at the client’s request).

6. Data Retention

Data is retained only for as long as necessary:

• Active clients: data retained for the duration of the working relationship
• Former clients: records retained for up to 6 years (tax, insurance, and contractual purposes)
• Enquiries that do not proceed: deleted after 12–24 months

Data is securely deleted when no longer required.

7. Data Sharing

Drini Facilities Management does not sell or share personal data for marketing purposes.

8. Data Breach Management

In the event of a suspected data breach (e.g. lost device, accidental disclosure):

• The issue will be contained as quickly as possible
• The risk to individuals will be assessed
• The incident will be recorded internally

The Information Commissioner’s Office (ICO) will be notified only if there is a significant risk to individuals

9. Review

This policy is reviewed periodically and updated if business practices, systems, or legal requirements change.

10. Contact

Any data protection concerns are handled directly by the business owner.