Data Protection and GDPR Overview

Entrustor is an operational management system for site safety, compliance, workforce administration, gatehouse activity, visitors, vehicles, checks, SOPs and stock control. This page explains the type of data Entrustor may process and the safeguards expected around that data.

Limited operational data

Entrustor stores information needed to run site processes, prove compliance and support authorised management tasks. It is not designed as a broad personal profile or HR master-data system.

Controlled access

Access is controlled through user login, role permissions and account or site separation so users only access information relevant to their authorised site or account.

SQL Server storage

Operational records are held in a SQL Server environment and are accessed through the Entrustor application rather than being made directly available to general users.

What Entrustor May Store

  • Staff names, usernames, payroll or employee identifiers and work contact details where required.
  • Role, access and permission information used to control what users can see and do.
  • Attendance, staff sign-in, scan history and staff-on-site records.
  • Visitor records, visitor card/badge information and site access activity.
  • Vehicle registrations, gatehouse activity, ANPR-related events where configured, and trailer movements.
  • Training, equipment, licence, SOP acknowledgement and compliance records.
  • Holiday, sickness, HR note or workforce administration records where those modules are enabled.
  • Consumables, cleaning supplies, purchasing, stock, maintenance and operational reporting records.

Controller and Processor Roles

For most deployments, the organisation operating the site is the data controller. That organisation decides why the data is processed, which modules are enabled, how long records are kept and how rights requests are handled.

A J RICHARDS HOLDINGS LIMITED, Suite A, 82 James Carter Road, Mildenhall, Bury St. Edmunds, IP28 7DE, United Kingdom, with contact email admin@entrustor.co.uk, will usually act as a processor or sub-processor when Entrustor is hosted, supported or maintained on the controller's behalf.

Data Sources

Personal data may come directly from individuals, from authorised users entering operational records, from customer imports such as payroll or staff lists, or from configured workflows such as scanners, badge systems, gatehouse logs, ANPR-related processes or uploaded evidence.

What Entrustor Is Not Intended To Store

  • Home addresses.
  • Dates of birth.
  • Bank details or personal financial information.
  • National Insurance numbers unless a customer separately configures or imports them.
  • Broad personal profile information not needed for site operations.

Special Category Data

Where sickness or health-related records are used, that information should be treated as special category data under UK GDPR. Access should be restricted to authorised management, HR or other appropriate users with a genuine need to view it.

Security and Separation

Entrustor is built around account and site separation. Each client or site account should only be able to access its own records. Permissions should be reviewed regularly, especially for administrator, manager, HR and security/gatehouse users.

Retention and Responsibilities

Based on the current stated approach, the intended retention period is 5 years for visitors, attendance, training, SOP acknowledgements, fire and truck checks, holidays, sickness records and audit logs, unless a shorter or longer period is required by law or by the controller's documented policy.

The controller should keep a retention schedule, ensure rights requests are routed properly, review user permissions regularly and document the lawful basis for each material processing activity.

Sharing and International Transfers

Data should only be shared with authorised users, hosting and infrastructure providers, support providers, auditors, insurers, professional advisers or regulators where there is a lawful reason. The current stated hosting location is a UK data centre and no suppliers outside the UK or EEA are intended to receive personal data. If that changes, the controller should ensure suitable transfer safeguards are put in place.

Automated Decisions

Entrustor is designed as an operational workflow and record system. It is not intended to make solely automated decisions with legal or similarly significant effects on individuals. Alerts, flags and workflow rules should still be subject to human oversight.

Typical Entrustor Functions

  • Staff sign-in, staff-on-site visibility, scan history and late-today reporting.
  • User management, permissions, payroll/user imports, shifts, crews and roster management.
  • Holiday, sickness and HR workflow support where enabled.
  • Visitor management, badge/card printing, allowed-on-site controls and gatehouse checks.
  • Vehicle, truck, trailer, yard, fleet, MOT and service management.
  • Fire, emergency lighting, equipment, forklift and training compliance checks.
  • SOP document management, SOP viewing and acknowledgement reporting.
  • Consumables, cleaning supplies, purchasing analysis, stock control and email notifications.

UK and EU Data Protection Expectations

  • Provide a privacy notice that identifies the controller, contact details, purposes, lawful bases, recipients, retention and rights.
  • Identify any special category processing and the additional Article 9 condition relied upon.
  • Tell people where their data came from if it was not collected directly from them.
  • Explain whether providing data is required and what happens if it is not provided.
  • Explain any international transfers and safeguards.
  • Tell people whether any solely automated decisions are made.
  • Provide a route for access, correction, restriction, objection, deletion and complaint requests.