RGS Cleaning Ltd Data Policy & Privacy Notice
Last Updated: December 2025
Data Controller Information
This policy covers how RGS Cleaning Ltd collects, uses, and protects your personal data.
- Data Controller: RGS Cleaning Ltd
- Address: 96 Hangingwater Road, Sheffield, S11 7ER
- Data Protection Contact: Oliver Guise-Smith
- Telephone: 0114 263 0303
- Email for Data Requests: info@rgscleaningltd.co.uk (All data subject rights requests must use the subject line: “Data Protection Request”)
- Legal Basis and Purpose of Processing
We process personal data fairly, lawfully, and transparently. We process two main categories of data: Employee/Applicant Data and Customer/Client Contact Data.
| Data Category | Legal Basis (UK GDPR Article 6) | Purpose of Processing |
| Employee/Applicant Data | Performance of Contract, Legal Obligation, Legitimate Interests | Payroll, HR administration, H&S compliance, and workforce management (STAFFCHECK). |
| Customer/Client Contact Data | Performance of Contract, Legitimate Interests | Service delivery, invoicing, contract management, communication, and client support. |
| Special Category Data (e.g., Health) | Employment Law Obligation, Public Interest | Managing sick leave, reasonable adjustments, and H&S compliance. |
- Data Handling and Secure Storage
We employ robust physical and digital security measures to ensure the confidentiality, integrity, and availability of your personal data.
Secure Storage Locations
All personal data is securely stored in one of the following ways:
- Head Office Standalone Devices: Data retained on local, networked, or standalone devices connected to the RGS Cleaning Ltd network at 96 Hangingwater Road, Sheffield, S11 7ER. These devices are protected by multi-factor authentication, firewalls, and encryption.
- GDPR Compliant Cloud Hosting: Data generated by STAFFCHECK and our HR/CRM systems is stored with recognised, GDPR-compliant data hosting services, specifically Digital Ocean and Google Data Hosting Servers. We use Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) to safeguard any data processed outside the UK/EEA.
- Paper Copies: All physical, paper copies are held in locked, fireproof storage cabinets at the Head Office. Paper records required for statutory reasons (e.g., HMRC) are retained for a minimum of 6 years plus the current tax year.
Handling of Customer Information (Incidental Access)
We recognise the risk of incidental access to customer or third-party data left on client premises (e.g., papers on desks, computer screens) as part of cleaning activities.
- Protocol: RGS staff are strictly prohibited from viewing, recording, processing, or removing any customer or third-party data encountered.
- Reporting: Any unsecured data believed to be confidential must be immediately reported to the Site Supervisor or RGS Management.
- Confidentiality: All RGS employees are bound by a Confidentiality Clause in their employment contract regarding client premises and any information encountered there.
- Data Retention Periods
We do not keep personal data for any longer than is necessary.
| Record Type | Retention Policy | Purpose |
| HMRC/PAYE Records (Wages, Tax Codes, NI) | 6 years plus the current tax year. | Statutory compliance and audit requirements. |
| Contracts of Employment/Personnel Files | 6 years after employment ceases. | Reference to employment history and legal litigation defence. |
| Application Forms (Unsuccessful Candidates) | 6 months from notification of outcome. | Reference for future vacancies and defending against discrimination claims. |
| Customer Contracts/Invoices | 6 years after the contract ends. | Accounting requirements and legal liability periods. |
| Time & Attendance Data (STAFFCHECK Logs) | 3 years. | Performance review, H&S compliance, and billing dispute resolution. |
- Recipients and Third-Party Sharing
We only share your data with third parties where necessary for legal, contractual, or operational purposes. All third-party data processors are bound by a Data Processing Agreement (DPA).
| Category of Recipient | Purpose of Sharing | Data Shared (Examples) |
| Government Bodies | Statutory compliance (HMRC, HSE, ICO). | Tax codes, accident reports, NI numbers. |
| Data Processors | HR, hosting, and client relationship management. | Digital Ocean/Google (Hosting), External Payroll Bureau, CRM software. |
| Financial/Benefit Providers | Salary payment and pension management. | Bank details, pension scheme details. |
| Emergency Services | To protect your life in an emergency (Vital Interests). | Next-of-kin details, known medical conditions. |
- Your Data Subject Rights
You have the following rights regarding your personal data under the UK GDPR.
| Your Right | What it Means |
| Right to Access | The right to request a copy of the personal data we hold about you (Subject Access Request). |
| Right to Rectification | The right to have any inaccurate or incomplete personal data corrected without undue delay. |
| Right to Erasure | The right to request the deletion of your personal data where there is no longer a legal reason to keep it (Right to be Forgotten). |
| Right to Restrict Processing | The right to limit the way we use your personal data. |
| Right to Data Portability | The right to receive your data in a structured, commonly used, and machine-readable format. |
| Right to Object | The right to object to processing where the legal basis is Legitimate Interests. |
| Right to Withdraw Consent | The right to withdraw consent at any time (where consent is the legal basis). |
Right to Lodge a Complaint
If you have concerns about the way we have handled your personal data, you have the right to complain to the supervisory authority in the UK:
The Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://ico.org.uk/