Construction companies sit at an unusual intersection of GDPR obligations. You process highly sensitive worker health data, operate CCTV across sites, collect biometric access credentials, and manage complex subcontractor chains — all while running client projects that generate their own paper trail of personal information.
## What Personal Data Do Construction Companies Collect?
Most construction companies collect far more personal data than they realise. The main categories include:
### Site worker data
- Names, addresses, national insurance numbers, and date of birth
- Right-to-work documentation (passports, visas, biometric residence permits)
- CSCS card details and trade qualifications
- Emergency contact information
### Health and safety records
- Medical fitness assessments and pre-employment health checks
- Occupational health reports (audiometry, lung function, HAVS assessments)
- Accident and incident reports including injury details and medical treatment
- Drug and alcohol test results
### Subcontractor and supplier data
- Directors' and sole traders' personal details
- Bank account information for payment
- UTR numbers for CIS
- Insurance certificates naming individuals
### Client data
- Client contact names, email addresses, and phone numbers
- Residential addresses for domestic projects
- Financial information including payment history
### Site surveillance data
- CCTV footage capturing workers, visitors, and members of the public
- Vehicle registration plates in site car parks
- Biometric data from fingerprint or facial recognition access control systems
## Health Data Is Special Category Data
Medical fitness assessments, occupational health reports, and accident records involving physical injury all constitute special category data under Article 9 of GDPR. A standard lawful basis such as legitimate interests is not enough on its own: you need both an Article 6 lawful basis and one of the specific Article 9 conditions.
For construction companies, the most relevant conditions are:
- Explicit consent — for voluntary health checks beyond statutory requirements
- Legal obligation — for health surveillance required under COSHH or Control of Noise at Work Regulations
- Employment law obligations — processing necessary to fulfil obligations under employment law
Keep health records strictly separate from general HR files. Limit access to occupational health professionals and those with a genuine need.
## Lawful Basis for Common Construction Data Processing
| Processing Activity | Lawful Basis |
|---|---|
| Paying employees and subcontractors | Contract (Article 6(1)(b)) |
| Right-to-work checks | Legal obligation (Article 6(1)(c)) |
| CIS deductions and tax reporting | Legal obligation (Article 6(1)(c)) |
| Statutory health surveillance | Legal obligation (Article 6(1)(c)) |
| Voluntary occupational health checks | Explicit consent (Article 9(2)(a)) |
| Accident and incident reporting | Legal obligation (Health and Safety at Work Act) |
| CCTV on construction sites | Legitimate interests (Article 6(1)(f)) |
| Marketing to past clients | Legitimate interests or consent |
## Biometric Data: Fingerprint Scanners on Construction Sites
Fingerprint and facial recognition access control systems are increasingly common on larger construction sites. This data is special category biometric data under Article 9 of GDPR.
You cannot use biometric systems on the basis of legitimate interests alone. Requirements include:
- Workers must be offered a non-biometric alternative (swipe card or PIN) with no disadvantage for choosing it
- Consent must be documented individually for each worker
- Biometric templates must be stored securely and deleted when workers leave
- A Data Protection Impact Assessment (DPIA) is required before deployment
- A Data Processing Agreement must be in place with any third-party access control provider
## Construction Management Software as Data Processors
Platforms like Procore, Buildertrend, and Autodesk Construction Cloud become your data processors when you store personal data in them. This means you must have a Data Processing Agreement (DPA) in place with each provider before uploading personal data.
Key things to verify in these DPAs:
- Where is the data stored? (Outside UK/EEA requires Standard Contractual Clauses)
- What sub-processors does the platform use?
- What are the breach notification timelines?
- Does the provider delete your data at contract termination?
## Sharing Worker Data Across Subcontractor Chains
Construction projects routinely involve multiple tiers of contractors. Worker data sharing must be handled lawfully:
- Workers should be informed via privacy notice that their data may be shared with the main contractor
- Only share data necessary for the stated purpose
- When acting as a subcontractor, you remain a controller of worker data you pass upward
- CDM 2015 information requirements should be documented and appropriate to the CDM role
## Accident and Incident Report Data
RIDDOR requires construction companies to report certain accidents to the HSE. Key retention requirements:
- Retain accident records for at least 3 years from the date of the accident
- For injuries to workers under 18, retain until age 21
- For COSHH-related health records, retain for 40 years
## CDM Regulations and Data Retention
Key retention periods for construction documents:
| Document Type | Minimum Retention Period |
|---|---|
| Health surveillance records (COSHH) | 40 years from last entry |
| Audiometry and respiratory records | 40 years |
| Accident records (RIDDOR) | 3 years |
| Right-to-work documentation | 2 years after employment ends |
| CIS records | 3 years after end of tax year |
| CCTV footage (no incident) | 30 days |
| CCTV footage (incident recorded) | Until legal proceedings resolved |
| Biometric access control data | Delete when worker leaves |
## CCTV on Construction Sites
Requirements for construction site CCTV:
- Prominent signage at all site entrances and camera locations
- A written purpose — security, theft prevention, or health and safety monitoring
- A balancing test documenting why surveillance is proportionate
- Restricted access to footage — only authorised personnel
- Clear retention and deletion procedures (30 days for routine footage)
- Subject access procedures for footage requests
## Marketing to Past Clients
For email marketing, you need either prior consent or the soft opt-in exemption. The soft opt-in applies when you collected the email address in the context of a sale of similar services, gave an opt-out opportunity at the time, and give them an opt-out in every subsequent message.
For phone calls, check the Telephone Preference Service (TPS) register before calling.
## GDPR Compliance Checklist for Construction Companies
### Foundations
- [ ] Privacy notice covering all data subjects
- [ ] Records of Processing Activities (RoPA) documented
- [ ] Data retention schedule implemented
- [ ] Designated data protection contact
### Worker and HR Data
- [ ] Separate lawful basis for health data vs standard employment data
- [ ] Explicit consent for any voluntary health checks
- [ ] Health records access restricted
- [ ] Right-to-work documentation stored securely
### Biometric Access Control
- [ ] DPIA completed before deployment
- [ ] Non-biometric alternative available
- [ ] Individual consent documented
- [ ] DPA in place with provider
### Subcontractor and Supply Chain
- [ ] Privacy notice includes supply chain sharing disclosures
- [ ] DPAs in place with construction management software providers
- [ ] Data transfer safeguards verified for non-UK/EEA storage
### CCTV
- [ ] Signage at all entrances and camera locations
- [ ] Written CCTV policy with legitimate interests assessment
- [ ] Footage retention and deletion procedure in place
- [ ] DPA with any third-party security monitoring provider
### Accident and Incident Records
- [ ] RIDDOR records retained minimum 3 years
- [ ] COSHH health records retained 40 years
- [ ] Accident record access restricted
### Marketing
- [ ] Marketing preference records maintained
- [ ] TPS checks before phone marketing
- [ ] Opt-out in all email communications
Not sure where your construction company website stands on data privacy? Scan it free at app.custodia-privacy.com/scan — results in 60 seconds, no signup required.
This guide provides general information about GDPR compliance for construction companies. It does not constitute legal advice. Consult a qualified data protection professional for advice specific to your business.