Construction companies sit at an unusual intersection of GDPR obligations. You process highly sensitive worker health data, operate CCTV across sites, collect biometric access credentials, and manage complex subcontractor chains — all while running client projects that generate their own paper trail of personal information. This guide covers what you need to know.
What Personal Data Do Construction Companies Collect?
Most construction companies collect far more personal data than they realise. The main categories include:
Site worker data
- Names, addresses, national insurance numbers, and date of birth
- Right-to-work documentation (passports, visas, biometric residence permits)
- CSCS card details and trade qualifications
- Emergency contact information
Health and safety records
- Medical fitness assessments and pre-employment health checks
- Occupational health reports (audiometry tests, lung function tests, HAVS assessments)
- Accident and incident reports including injury details and medical treatment received
- Drug and alcohol test results
Subcontractor and supplier data
- Company directors' and sole traders' personal details
- Bank account information for payment purposes
- Insurance certificates naming individuals
- Tax registration numbers (UTR numbers for CIS)
Client data
- Client contact names, email addresses, and phone numbers
- Residential addresses for domestic projects
- Financial information including payment history and credit checks
- Meeting notes and correspondence containing personal opinions or sensitive context
Site surveillance data
- CCTV footage capturing workers, visitors, and members of the public
- Vehicle registration plates in site car parks
- Biometric data from fingerprint or facial recognition access control systems
Health Data Is Special Category Data — Treat It Accordingly
Medical fitness assessments, occupational health reports, drug and alcohol test results, and accident records describing an injury all constitute health data, which is special category data under Article 9 of the UK GDPR (and the EU GDPR). This is the most sensitive tier of personal data, carrying heightened obligations.
Standard lawful bases (like legitimate interests) are not enough on their own for special category data. You need an Article 6 lawful basis and, in addition, one of the specific Article 9(2) conditions. Note that "legal obligation" is an Article 6 basis, not an Article 9 condition: a statutory duty to carry out health surveillance gives you Article 6(1)(c), but you still need an Article 9 condition alongside it. For construction companies, the most relevant conditions are:
- Explicit consent (Article 9(2)(a)): for voluntary health checks beyond statutory requirements. Consent from a worker only counts as freely given if declining carries no detriment.
- Employment, social security and social protection law (Article 9(2)(b)): for statutory health surveillance and accident reporting required under health and safety legislation, paired with legal obligation under Article 6(1)(c). In the UK this condition also requires an appropriate policy document under Schedule 1 of the Data Protection Act 2018.
- Vital interests (Article 9(2)(c)): if processing is necessary to protect someone's life and they are physically or legally incapable of consenting, for example passing medical details to paramedics after a serious site accident.
- Occupational medicine and assessment of working capacity (Article 9(2)(h)): for fitness-for-work assessments carried out by, or under the responsibility of, an occupational health professional bound by professional confidentiality.
Practical implication: Keep health records strictly separate from general HR files, in a separate system or a separately permissioned store rather than a folder in the same HR share. Limit access to occupational health professionals, HR personnel with a genuine need, and site management where safety-critical decisions depend on that data, and log who accessed what. A site manager needs the fitness-for-work outcome ("fit", "fit with restrictions"), not the underlying medical report.
Lawful Basis for Common Construction Data Processing Activities
| Processing Activity | Lawful Basis (and Article 9 condition where special category data is involved) |
|---|---|
| Paying employees and subcontractors | Contract (Article 6(1)(b)) |
| Right-to-work checks | Legal obligation (Article 6(1)(c)) |
| CIS deductions and tax reporting | Legal obligation (Article 6(1)(c)) |
| Statutory health surveillance | Legal obligation (Article 6(1)(c)) plus employment law condition (Article 9(2)(b)) |
| Voluntary occupational health checks | Consent (Article 6(1)(a)) plus explicit consent (Article 9(2)(a)) |
| Accident and incident reporting | Legal obligation (Article 6(1)(c), RIDDOR and the Health and Safety at Work Act) plus Article 9(2)(b) where injury details are recorded |
| CCTV on construction sites | Legitimate interests (Article 6(1)(f)), documented in a legitimate interests assessment |
| Biometric site access control | Consent (Article 6(1)(a)) plus explicit consent (Article 9(2)(a)), with a non-biometric alternative offered |
| Marketing to past clients | Legitimate interests or consent depending on channel (see the PECR section below) |
| Client contact management | Contract or legitimate interests |
Biometric Data: Fingerprint Scanners on Construction Sites
Fingerprint and facial recognition access control systems are increasingly common on larger construction sites. Biometric data processed to uniquely identify a person is special category data under Article 9 of the UK GDPR.
The legal position is strict: legitimate interests is an Article 6 basis and can never satisfy Article 9 on its own, and none of the other Article 9 conditions fits routine site access. In practice that leaves explicit consent (Article 9(2)(a)) from each worker, and because of the power imbalance between a site and the people who need to get onto it, that consent is only freely given if workers have a genuine alternative way to access the site if they decline.
Requirements if you use biometric access control:
- Workers must be offered a non-biometric alternative (such as a swipe card or PIN) with no disadvantage for choosing it, and the alternative must actually be available on site, not just on paper
- Consent must be documented individually for each worker and be withdrawable at any time
- Store only the vendor's biometric template, not raw fingerprint images or face photographs; the template is still personal data, so encrypt it at rest and restrict access to the access control system itself
- Templates must be deleted when workers leave the site, including from the vendor's cloud and any local cache on the reader, and you need a clear retention period so biometric data is not retained longer than necessary for site access
- Complete a Data Protection Impact Assessment (DPIA) before deployment; biometric identification of workers is high-risk processing under Article 35 and the ICO expects a DPIA for it
Construction Management Software as Data Processors
Platforms like Procore, Buildertrend, and Autodesk Construction Cloud are widely used to manage projects and subcontractor information. Under GDPR, when you store personal data about workers, subcontractors, or clients in these platforms, you remain the controller and the software provider becomes your data processor.
This triggers a specific legal requirement under Article 28: you must have a written contract containing the Article 28(3) terms, usually called a Data Processing Agreement (DPA), in place with each provider before you upload personal data. Most large vendors publish a standard DPA; the point is to check it covers what you actually need.
Key things to verify in these DPAs:
- Where is the data stored and supported from? If outside the UK (or the EEA for EU data), you need a transfer mechanism: adequacy regulations, or the UK International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses together with a transfer risk assessment
- What sub-processors does the platform use, and does the DPA give you notice of changes and a right to object (Article 28(2))?
- What are the breach notification timelines? Article 33(2) only says a processor must notify you "without undue delay", but you have 72 hours to notify the ICO, so the DPA should commit the provider to a short fixed deadline
- Does the provider delete or return your data on request and at contract termination, and confirm deletion from backups?
Custodia can help you identify which third-party tools on your website and project management stack are processing personal data, giving you a clear starting point for DPA compliance.
Sharing Worker Data Across Main Contractor and Subcontractor Chains
Construction projects routinely involve multiple tiers of contractors. Main contractors typically require subcontractors to provide worker details for site induction records, health and safety documentation, and access control — but this sharing must be handled lawfully.
Key principles:
- Workers should be informed (via a privacy notice) that their data may be shared with the main contractor or principal designer, and for what purposes
- Only share data that is necessary for the stated purpose: an induction record needs a name, employer and qualification, not a copy of the worker's passport
- When acting as a subcontractor passing worker data to a main contractor, you remain a controller of that data; the main contractor becomes a separate controller for the copy it holds, not your processor, so a DPA is the wrong instrument and a data sharing agreement (as described in the ICO's data sharing code) is the right one
- CDM 2015 places specific information requirements on dutyholders, which supply the purpose for most of this sharing
CCTV on Construction Sites
Construction sites are among the most common environments for CCTV deployment. Under GDPR and the ICO's video surveillance guidance, operating a CCTV system means you are processing personal data, including data about members of the public passing the site boundary.
Requirements for construction site CCTV:
- Prominent signage at all site entrances and camera locations, stating who operates the system and how to contact them
- A written purpose for each camera: security and theft prevention, health and safety monitoring, or access control. Do not repurpose security footage for monitoring worker productivity without a separate assessment
- A legitimate interests assessment (the balancing test) documenting why the surveillance is proportionate, where cameras point, and why less intrusive options were not enough
- Restricted access to footage: only named, authorised personnel should be able to review recordings, and exports should be logged
- Clear retention and deletion procedures: most footage should be deleted automatically within 30 days unless needed for an incident, in which case the relevant clip is placed on hold rather than the whole archive being kept
- Subject access procedures: workers or members of the public can request footage of themselves, you have one month to respond, and other people in the footage usually need to be blurred before release
Accident and Incident Report Data
RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013) requires construction companies to report certain accidents, occupational diseases, and specified dangerous occurrences (near-misses) to the Health and Safety Executive.
Data protection considerations for accident records:
- Retain accident records for at least three years from the date of the accident
- For injuries to workers under 18, retain records until the injured person reaches age 21, since the limitation period for a personal injury claim does not start until they are 18
- For COSHH-related health records, retain for 40 years from the date of the last entry
- Accident reports may be disclosable in personal injury litigation, so record facts rather than speculation about blame, and apply appropriate access controls
CDM Regulations and Data Retention
Retention periods for key construction documents:
| Document Type | Minimum Retention Period |
|---|---|
| Health surveillance records (COSHH) | 40 years from last entry |
| Audiometry and respiratory records | 40 years |
| Accident records (RIDDOR) | 3 years from date of accident |
| Right-to-work documentation | 2 years after employment ends |
| CIS records | 3 years after the end of the tax year |
| CCTV footage (no incident) | 30 days (industry guidance) |
| CCTV footage (incident recorded) | Until legal proceedings are resolved |
| Biometric access control data | Delete when worker leaves site |
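The schedule above can be enforced by a purge job rather than by someone remembering anniversaries. The following Python is an added example, not code from this article or from any product it mentions: it encodes the periods in the table, including the under-18 accident rule, the CIS tax-year end and a legal-hold flag that blocks deletion while an incident is open, and reports which records may be deleted on a given day. The record fields, the choice to clamp a 29 February start date to 28 February when adding years, and the sample records are this example's own constructions.

```python
"""Retention-schedule calculator: added example, not code from the article.

Encodes the minimum periods in the retention table (assumptions noted
inline) and decides which records a purge job may delete today.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Category(Enum):
    COSHH_HEALTH = "coshh_health"    # COSHH health surveillance record: 40y from last entry
    ACCIDENT = "accident"            # accident book / RIDDOR record: 3y, or age 21 if under 18
    RIGHT_TO_WORK = "right_to_work"  # right-to-work document copies: 2y after employment ends
    CIS = "cis"                      # CIS deduction record: 3y after end of tax year
    CCTV = "cctv"                    # footage with no incident: 30 days
    BIOMETRIC = "biometric"          # access-control template: delete when worker leaves


@dataclass(frozen=True)
class Record:
    category: Category
    trigger_date: date                  # last entry / accident / employment end / payment / recording / leaving date
    subject_dob: Optional[date] = None  # only needed for ACCIDENT records
    legal_hold: bool = False            # open incident or litigation: never purge while set
    ref: str = ""                       # free-text identifier for reporting (assumed field)


def add_years(d: date, years: int) -> date:
    """Add whole calendar years. A 29 February start clamps to 28 February
    when the target year is not a leap year (this example's assumption)."""
    year = d.year + years
    day = min(d.day, calendar.monthrange(year, d.month)[1])
    return date(year, d.month, day)


def uk_tax_year_end(d: date) -> date:
    """The 5 April that ends the UK tax year containing d."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)


def retain_until(r: Record) -> date:
    """Last day on which the record must still be kept."""
    c, t = r.category, r.trigger_date
    if c is Category.COSHH_HEALTH:
        return add_years(t, 40)
    if c is Category.ACCIDENT:
        until = add_years(t, 3)
        # Injured worker under 18 on the accident date: keep until their 21st birthday if later.
        if r.subject_dob is not None and add_years(r.subject_dob, 18) > t:
            until = max(until, add_years(r.subject_dob, 21))
        return until
    if c is Category.RIGHT_TO_WORK:
        return add_years(t, 2)
    if c is Category.CIS:
        return add_years(uk_tax_year_end(t), 3)
    if c is Category.CCTV:
        return t + timedelta(days=30)
    if c is Category.BIOMETRIC:
        return t  # leaving date: nothing to retain beyond that day
    raise ValueError(f"no retention rule for {c}")


def is_purgeable(r: Record, today: date) -> bool:
    """True once the retention date has passed and no legal hold applies."""
    return not r.legal_hold and today > retain_until(r)


def purge_candidates(records: List[Record], today: date) -> List[Record]:
    """Records the nightly purge job may delete on `today`."""
    return [r for r in records if is_purgeable(r, today)]


# Constructed sample data for demonstration only.
SAMPLE_RECORDS = [
    Record(Category.COSHH_HEALTH, date(2020, 3, 15), ref="audiometry-0042"),
    Record(Category.ACCIDENT, date(2023, 6, 10), subject_dob=date(2006, 9, 1), ref="acc-2023-017"),
    Record(Category.ACCIDENT, date(2024, 2, 29), subject_dob=date(1990, 1, 1), ref="acc-2024-003"),
    Record(Category.RIGHT_TO_WORK, date(2024, 1, 31), ref="rtw-jsmith"),
    Record(Category.CIS, date(2024, 4, 10), ref="cis-pay-8813"),
    Record(Category.CCTV, date(2024, 5, 1), ref="cam3-20240501"),
    Record(Category.CCTV, date(2024, 5, 2), legal_hold=True, ref="cam3-20240502-incident"),
    Record(Category.BIOMETRIC, date(2024, 6, 14), ref="tpl-jsmith"),
]

if __name__ == "__main__":
    today = date(2024, 7, 1)
    for r in SAMPLE_RECORDS:
        status = "PURGE" if is_purgeable(r, today) else "keep "
        hold = " [legal hold]" if r.legal_hold else ""
        print(f"{status} {r.ref:<26} until {retain_until(r)}{hold}")
```

Run as a script it lists, for the constructed sample set on 1 July 2024, only the 30-day-old CCTV clip and the departed worker's biometric template as deletable; the clip on legal hold stays regardless of age. The calculator decides eligibility only: the actual deletion has to reach every copy (the access control vendor's cloud, CCTV exports, backups), and the legal-hold flag should be set by whoever logs an incident, not left to the purge job.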
Marketing to Past Clients
Construction companies often rely on repeat business and referrals. Under GDPR (and the UK's Privacy and Electronic Communications Regulations, PECR, for electronic marketing), contacting past clients requires a lawful basis, and PECR adds its own rules on top.
Email marketing: To individuals you need either prior consent or the "soft opt-in" exemption, which only applies if you collected the address during a sale or negotiations for a sale, you are marketing your own similar services, and you offered an opt-out both when collecting the address and in every message. For corporate subscribers (limited companies, LLPs) PECR's consent rule does not apply and legitimate interests under GDPR can support the email, but you should still offer an easy opt-out. Be careful with the "B2B" label in construction: sole traders and partnerships count as individual subscribers under PECR, so a one-person subcontractor is treated like a consumer.
Direct mail and phone calls: Legitimate interests can apply for postal marketing to past clients. For live phone calls, screen numbers against the Telephone Preference Service (TPS) register, and the Corporate TPS (CTPS) for business numbers, before calling, unless the person has told you they are happy to receive your calls.
GDPR Compliance Checklist for Construction Companies
Foundations
- [ ] Privacy notice in place covering all data subjects (workers, subcontractors, clients, site visitors)
- [ ] Records of Processing Activities (RoPA) documented for all key processing activities
- [ ] Data retention schedule documented and implemented, with automated deletion where the system allows it
- [ ] DPIA completed for high-risk processing (biometric access control, site-wide CCTV)
Worker and HR data
- [ ] Separate lawful basis documented for health data vs. standard employment data
- [ ] Explicit consent obtained for any voluntary health checks
- [ ] Health records access restricted to authorised personnel
CCTV
- [ ] Signage at all entrances and camera locations
- [ ] Written CCTV policy with legitimate interests assessment
- [ ] Footage retention and deletion procedure in place
Subcontractor and supply chain
- [ ] Worker privacy notice includes supply chain sharing disclosures
- [ ] DPAs in place with all construction management software providers
Get a Free Privacy Compliance Scan
Not sure where your construction company stands on data privacy? Custodia scans your website in under 60 seconds, identifying trackers, compliance gaps, and actionable fixes — no signup required.
Scan your website free at app.custodia-privacy.com/scan
This guide provides general information about GDPR compliance for construction companies operating under UK and EU law. It does not constitute legal advice. Consult a qualified data protection professional for advice specific to your business.