1. Who We Are
MY Group (“we”, “us”, “our”) is the data controller responsible for personal data collected through this subcontractor management system. If you have any questions about how we handle your data, contact us at admin@mycgroup.co.uk.
2. What Data We Collect
We collect the following categories of personal data from subcontractors:
- Full name, date of birth, nationality
- Home address, phone number, email address
- National Insurance (NI) number and Unique Taxpayer Reference (UTR)
- Bank account details (account name, sort code, account number)
- Right to work documentation (passport, BRP/VISA, HMRC Share Code)
- Proof of address (utility bill or bank statement)
- Accreditation documents (CSCS card, CITB certificate, etc.)
- Emergency contact details
- Health information (pre-existing injuries or medical conditions relevant to site safety)
- Electronic signature, IP address, and submission timestamp
3. Why We Collect It (Lawful Basis)
Contract performance — Most data is necessary to fulfil our contractual obligations to you, including processing CIS payments, issuing payslips, and complying with HMRC reporting requirements.
Legal obligation — We are required by law to verify your right to work in the UK and to maintain accurate HMRC records under the Construction Industry Scheme (CIS).
Legitimate interests — Emergency contact information and health declarations are collected to protect worker safety on site.
4. How We Store and Protect Your Data
Your data is stored securely on Supabase (hosted within the EU). Access is restricted to authorised MY Group personnel only. Files uploaded through this system (passport, proof of address, etc.) are stored in encrypted, private cloud storage and are not publicly accessible. All access is logged and audited.
5. How Long We Keep Your Data
Financial and payroll records (NI, UTR, bank details, signed contracts) — retained for 6 years after the end of your engagement, as required by HMRC.
Right to work documents — retained for 2 years after the end of employment, in line with Home Office guidance.
Health and safety records — retained for the duration of the engagement and up to 3 years thereafter.
After these periods, your data will be securely deleted.
6. Who We Share Your Data With
We do not sell or share your personal data with third parties for marketing purposes. We may share limited data with:
- HMRC — as required under CIS regulations
- Our accountant or payroll provider — for payment processing only
- Site clients — limited to name, trade, and accreditation status for site access
7. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate or incomplete data
- Erasure — request deletion of your data where we have no legal obligation to retain it
- Restriction — ask us to restrict processing while a dispute is resolved
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email admin@mycgroup.co.uk. We will respond within 30 days.
8. Complaints
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Changes to This Policy
We may update this policy from time to time. The latest version will always be available at this page. Where changes are significant, we will notify active subcontractors directly.
MY Group — Registered in England and Wales | UK GDPR compliant