Privacy policy — a guide and template for small construction companies
A privacy policy is mandatory for every company that processes personal data — including small construction companies. This guide explains what a privacy policy should contain, why it is needed, and how to prepare one.
What is a privacy policy?
A privacy policy is a document that explains how an organisation processes personal data. It is based on the EU General Data Protection Regulation (GDPR), whose articles 13 and 14 require that data subjects be informed about the processing of their personal data in a transparent and understandable way.
In practice, the privacy policy tells employees, customers, and business partners, for example: what data is collected about them, why the data is collected, how it is stored, and what rights they have regarding their data.
A privacy policy is not the same as a register description. The old register description under the Finnish Personal Data Act was replaced under the GDPR by the privacy policy, which is broader in scope and written from the data subject's point of view.
For a small construction company, a privacy policy can feel like unnecessary bureaucracy, but it is a statutory obligation. The good news is that a small company's privacy policy is simple to put together once you know what to include.
Does a small construction company need a privacy policy?
Yes, it does. Every company that processes personal data needs a privacy policy — regardless of size. A small construction company processes personal data at least in the following contexts:
Employee register. An employer always processes their employees' personal data: names, personal identity codes, addresses, salaries, tax card information, sickness absence information. Even a single employee is enough to trigger the obligation.
Customer register. Customer contact details, billing information, and project-specific data are personal data whenever the customer is a private individual or the information relates to identifiable persons.
Site access register. Construction sites maintain an access card list containing people's names, tax numbers, and employer information. This is a personal data register.
Subcontractor register. Records required under the Contractor's Obligations and Liability Act contain personal data — for example, the names of responsible persons from extracts of the trade register.
Camera surveillance. If there is camera surveillance on the site, the recordings are personal data and their processing requires its own privacy notice.
In practice, every construction company — including a one-person sole trader — processes personal data in a way that requires a privacy policy.
What does a privacy policy contain?
Under GDPR articles 13 and 14, a privacy policy must cover at least the following:
1. Data controller's details. The company's name, business ID, address, and contact person's details. In a small company, the contact person is usually the entrepreneur themselves.
2. Purpose of processing and legal basis. Why personal data is collected (e.g. managing the employment relationship, maintaining the customer relationship, legal obligation) and the legal basis for the processing (contract, legal obligation, legitimate interest, or consent).
3. Categories of data processed. What data is collected: name, contact details, personal identity code, tax number, payroll data, photo, etc. Data is listed register by register.
4. Sources of the data. Where the data comes from: the data subject themselves, public authority registers, the employer, partners.
5. Retention period. How long the data is kept. For example, payroll accounting must be kept for 10 years and accounting vouchers for 6 years (ledgers and financial statements for 10), while customer data used for marketing is only kept as long as the customer relationship lasts.
6. Disclosures of data. To whom the data is disclosed: the Finnish Tax Administration, pension insurance company, other insurance companies, the accountant, the payroll service provider.
7. Rights of the data subject. The right to access one's own data, the right to rectification, the right to erasure ("the right to be forgotten"), the right to restriction of processing and to object, the right to data portability, and the right to lodge a complaint with the Data Protection Ombudsman.
8. Security measures. How the data is protected: locked cabinets for physical documents, password-protected systems, and restricted access rights.
Typical personal data registers in a construction company
A small construction company typically has 3–5 personal data registers. Each can have its own privacy policy, or all of them can be covered by a single comprehensive one. Here are the most common:
Employee register
Employees' names, personal identity codes, addresses, bank accounts, tax card information, payroll data, employment contracts, sickness absence records, and training records (e.g. Hot Work Card, Occupational Safety Card).
Customer register
Customers' names, contact details, billing information, and project-specific data. For private customers also the personal identity code for invoicing.
Site access register
Names, dates of birth, tax numbers, employer information, and access card validity of people working on the site.
Subcontractor register
Subcontractors' contact persons, records required by the Contractor's Obligations and Liability Act, and contract information.
Camera surveillance register
If there is camera surveillance at the site or warehouse: the recordings, the purpose of the surveillance, and the retention period for recordings (usually at most 1 year).
For each register, you need to go through the privacy policy requirements: what data is collected, why, how long it is stored, and to whom it is disclosed. In practice, a small construction company can produce a single privacy policy that covers all registers.
How is a privacy policy prepared? Step by step
Preparing a privacy policy does not require a lawyer. For a small construction company, a simple, plain-language document is enough. Here are the steps:
1. Map your personal data registers. List all situations in which your company processes personal data: employee information, customer data, access cards, subcontractor information.
2. Define the purpose of processing. For each register, you must define why the data is being collected. For example: the purpose of the employee register is managing the employment relationship and paying salaries; the purpose of the access card register is filing the construction report and ensuring site safety.
3. Identify the legal basis. The GDPR requires a legal basis for every processing activity. In a construction company the most common are: employment contract (employee data), legal obligation (tax data, construction report), and legitimate interest (managing the customer relationship).
4. Define retention periods. Decide how long each type of data is stored and from which event the period is counted. Payroll accounting: 10 years after the end of the employment. Accounting vouchers: 6 years after the end of the financial year. Access card data: duration of the project + 2 years. Camera recordings: at most 1 year.
5. Write the policy. Put the information together in a clear document. Use plain language — the privacy policy should be understandable to an ordinary person, not to a lawyer.
6. Publish and keep it updated. Put the privacy policy on your website and provide it to employees at the start of their employment. Update the policy whenever there are material changes in the processing.
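The retention schedule in step 4 only protects anyone if something actually checks it. Below is an added example (not code from this article or from Massoi) of a small erasure check: it encodes the periods the article states, counts each from an anchor event that is an assumption of the example (end of employment, end of financial year, project end, recording date), and lists the records whose period has expired. The sample records are constructed, not real data; the leap-day handling shows the one date edge case such a job has to get right.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods in years, as stated in the article. The anchor event each
# period counts from is an assumption of this example, not a rule from the text.
RETENTION = {
    "payroll": 10,       # after the end of the employment
    "accounting": 6,     # after the end of the financial year (vouchers)
    "access_card": 2,    # after the project ends
    "camera": 1,         # after the recording date, the article's upper bound
}


@dataclass(frozen=True)
class Record:
    register: str   # key into RETENTION
    subject: str    # who or what the record concerns (constructed labels)
    anchor: date    # the event the retention period is counted from


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anchor rolls to 28 February
    when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due(record: Record) -> date:
    """Date after which the record must no longer be kept.
    Refuses records of a register with no rule, rather than keeping them forever."""
    if record.register not in RETENTION:
        raise ValueError(f"no retention rule for register {record.register!r}")
    return add_years(record.anchor, RETENTION[record.register])


def overdue(records, today: date):
    """Records whose retention period has already expired on `today`."""
    return [r for r in records if deletion_due(r) < today]


# Constructed sample records for the demonstration, not real personal data.
SAMPLE = [
    Record("payroll", "employee A", date(2013, 6, 30)),       # employment ended 2013
    Record("payroll", "employee B", date(2020, 2, 29)),       # leap-day anchor
    Record("access_card", "worker C", date(2021, 12, 31)),    # project ended 2021
    Record("camera", "site 1 recording", date(2024, 3, 1)),
    Record("accounting", "vouchers 2018", date(2018, 12, 31)),
]

if __name__ == "__main__":
    for r in overdue(SAMPLE, date(2024, 9, 1)):
        print(f"erase: {r.register:12} {r.subject:18} due {deletion_due(r)}")
```

Run against the sample on 1 September 2024, the check reports the 2013 payroll record and the 2021 access card data as due for erasure; the leap-day payroll record is due on 28 February 2030. A register with no rule in the schedule raises an error instead of silently being kept, which is the failure mode to avoid: data that nobody has assigned a retention period to is the data that never gets deleted.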
Penalties and GDPR in practice
Breaches of the GDPR can result in an administrative fine of up to €20 million or 4% of the company's worldwide annual turnover, whichever is higher. These are the upper-tier maximums; the amount actually imposed is scaled to the seriousness of the breach and the size of the company.
In practice, the Finnish Data Protection Ombudsman usually first gives small companies a reminder and an order to correct the issues. Administrative fines are rare for small companies, but they are possible especially if:
- The company does not respond to the Data Protection Ombudsman's order
- A data breach occurs and the company has not met the basic obligations
- A data subject's complaint shows systematic disregard
Data breach notification: If personal data leaks (e.g. a computer is stolen or an email is sent to the wrong address), the company must notify the Data Protection Ombudsman within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. If the breach poses a high risk to data subjects, they must also be informed without undue delay.
GDPR and electronic access control. Construction sites increasingly use electronic access control, which gathers precise information about people's movements. This is processing of personal data and must be explained in the privacy policy. In particular, access control data must not be used to monitor employees beyond what is needed for occupational safety.
GDPR and the construction report. The construction report submitted to the Finnish Tax Administration requires processing of personal data (employees' names, tax numbers, working hours). This is a statutory obligation, so the legal basis is clear, but the processing must still be described in the privacy policy.
How does Massoi look after data protection?
When you use Massoi for bid calculation, you are processing project and customer data in an electronic system. It is important that the software you use complies with the GDPR.
Massoi takes care of data protection in the following ways:
- Data in the EU: All data is stored in the EU in accordance with the GDPR
- Encrypted connection: All traffic is encrypted (HTTPS/TLS)
- Access control: You can manage who in your company has access to which data
- Data deletion: You can request the deletion of your data at any time
When you choose construction industry software, data protection should be one of your selection criteria. Always make sure that the software provider has its own privacy policy and a Data Processing Agreement (DPA) that meets the GDPR requirements for processors (Article 28): processing only on your instructions, confidentiality, security measures, and deletion or return of the data at the end of the contract.
Frequently asked questions about the privacy policy
What is a privacy policy?
A privacy policy is a document that explains how an organisation processes personal data. Articles 13 and 14 of the GDPR require that data subjects be informed about data processing in a transparent way. A privacy policy is the practical way to meet this obligation.
Does a small construction company need a privacy policy?
Yes. Every company that processes personal data needs a privacy policy — including a small construction firm. An employer always processes at least their employees' personal data, and on top of that the customer register and site access card information are personal data.
What does a privacy policy contain?
A privacy policy contains the data controller's contact details, the purpose and legal basis of processing, the categories of data processed, the sources of the data, the retention period, the rights of the data subject, and any disclosures of data.
Where does the privacy policy need to be published?
The privacy policy must be easily available. In practice, it is published on the company website and provided on request. Employees receive it at the start of their employment. An electronic version is sufficient.
What are the consequences of not having a privacy policy?
Not having a privacy policy is a breach of the GDPR. The Finnish Data Protection Ombudsman can issue a reminder, a warning, or an administrative fine. In practice, small companies usually receive a reminder first and an order to correct the situation.
See also
Contractor's Obligations and Liability Act →
Due diligence obligation and checklist for construction contractors.
Construction Report →
Filing the construction report with the Finnish Tax Administration — obligations and instructions.
Construction Software →
A comparison of construction software and digital tools.