PRIVACY NOTICE

We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.

This notice was last updated on Monday August 16th, 2021, and complies to the UK GDPR, underpinned by the UK law the Data Protection Act (2018), additional relevant data protection legislation and is regulated by the UK Information Commissioners Office (ICO).

Scope & Responsibilities

Our scope is any data subject, whose personal data is collected, in line with the requirements under The Data Protection Act (2018) and UK GDPR.

CSRB Limited must adhere to the three main data processing principles of processing personal data – lawfully, fairly and in an open and transparent manner. CSRB Limited has further responsibilities with regards to controlling and processing personal data, which fall under the responsibility of our Data Protection Officer (DPO).

All associates and employees of CSRB Limited who interact with data subjects are responsible for ensuring that this privacy notice is drawn to the data subject’s attention.

Who we are?

CSRB Limited provides data protection support to organisations via advice, consultancy, policies, procedures, and training. We demonstrate how effective data protection practices can ensure compliance with data protection legislation, whilst retaining and winning new clients. Furthermore, CSRB Limited has a confidential document management side to the business, which offers secure destruction, archive document storage and digital scanning/storage services.

CSRB Limited, is registered in England and Wales, under company registration number 10647502. CSRB Limited is registered with the ICO under registration number ZA549552.

CSRB Limited collects and processes certain personal information about you, when we do so we are regulated under the UK General Data Protection Regulation, which is underpinned by the Data Protection Act (2018).

We are responsible as the data controller & data processor (UK GDPR Articles 24-30) for all personal information collected for the purposes of those laws. The Data Protection Officer (DPO) is Chris Burn of CSRB Limited, 160 Aztec West, Almondsbury, Bristol, England, BS32 4TU.

CSRB Limited can be contacted via email info@csrb.co.uk or by phone on 01173 250830.

What information we collect about you

The personal data you have provided, or we have collected from you, includes but is not limited to:

  • Names and, contact details (e.g., Contact name, email address, telephone number)
  • Addresses (e.g., collection/delivery and/or invoice addresses)

Lawful bases for processing of personal data:

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever CSRB Limited processes your personal data:

  • Contract – the processing is necessary for CSRB Limited to fulfil the obligations of an agreement, contract, or service level agreement (SLA) for the provision of confidential document management and/or data protection support. Both parties would be provided with a signed copy of the contract and a copy of this privacy notice.
  • Legitimate Interests – the processing is necessary, as CSRB Limited has ascertained the legitimate interest of the individual/organisation and explained why the processing of personal data is required to action the legitimate interest. CSRB Limited reviews our legitimate interest to hold personal data annually via a Legitimate Interests Assessment (LIA)

You can find more about the UK GDPR lawful bases here or by visiting www.ico.org.uk

How we use your personal information

CSRB Limited uses your personal information:

  • To pre-qualify which of our confidential document management or data protection support services are suitable for your requirements (e.g., responding to website contact forms, email requests for information).
  • To provide our confidential document management and data protection support services (e.g., provision of agreements, contracts, duties of care and service level agreements).
  • To communicate with you, via official CSRB communication channels, to fulfil the objectives as outlined in the contracts, duty of care agreements and service level agreements (e.g., email, letter, phone).
  • To facilitate client and prospect meetings, either electronically via video call (e.g., Microsoft Teams and Zoom), or to arrange meetings at client or other nominated premises.
  • To pass instructions to approved third party CSRB Limited contractors, who carry out contracted confidential document management services on behalf of CSRB Limited. For example, for our onsite secure destruction services. Personal data passed to the contractor is for the purposes of fulfilling the original agreed contract between the client and CSRB Limited. A Data Processing Agreement (DPA) will be in place between CSRB Limited and all approved contractors to protect the processing of CSRB client data.
  • To provide client after care and client support (e.g., obtaining feedback, contract renewal)
  • To keep you informed of any CSRB Limited company updates, new services, and new features.
  • To produce invoices and receipts for our confidential document management and data protection support services (e.g., VAT invoices, receipts, Direct Debit mandates).
  • To provide compliance with all legal requirements of England & Wales.

Who we share your personal information with?

Where relevant, given the nature of the confidential document management and data protection services provided to you by CSRB Limited, we may also share your personal data with the following categories of third parties:

  • Trusted partners who work alongside CSRB Limited on contracts. Disclosure of the nominated trusted partner would be provided at the proposal stage and a relevant Data Processing Agreement (DPA) would be put in place to protect all personal data, from a processing perspective.
  • Third party contractors, who carry out confidential document management services, on behalf of CSRB Limited. The relevant disclosure of this contractor would be made prior to accepting an order for CSRB Limited services and the relevant contract/data processing agreement/duty of care put in place.
  • Third party service providers who support the operation of our business, such as IT security suppliers.
  • Fraud prevention agencies and associations.
  • Regulators and law enforcement agencies, including the police, HM Revenue and Customs or any other relevant authority who may have jurisdiction.

We would always inform you ahead of acting on any instructions to proceed with any of our confidential document management and/or data protection support services, should this be the case.

This data sharing enables CSRB Limited to supply the above confidential document management and/or data protection support services to you in a professional and timely manner, whilst undertaking quality control & regulatory compliance procedures. Furthermore, it ensures compliance with all necessary UK GDPR & Data Protection Act (2018) lawful requirements.

CSRB Limited will share personal information with law enforcement or other authorities if required by applicable law.

Whether information must be provided by you, and if so, why?

The provision of certain personal data including (but not limited to) contact name, email address & telephone number is required from you. This enables CSRB Limited to provide our confidential document management and/or data protection support services to you.

We will inform you at the point of collecting information from you, whether you are required to provide this and any other additional information to us.

International Data Transfers

CSRB Limited does not control, process, or transfer personal data outside of the UK.

Should this situation change, CSRB Limited would issue a company update via our official communication channels to all affected parties. If the international data transfer would fall within the European Union/EEA, data would be able to flow freely under the ‘Adequacy Decision’ agreed between the UK and European Parliament on June 27th, 2021. If the international data transfer is outside the EU/EEA/UK then appropriate safeguards would be put in place, such as a data impact assessment and risk assessment.

This Privacy Notice would also be updated.

Further information on International Data Transfers is provided by the Information Commissioners Office.

How long your personal information will be kept?

  • We will retain your personal information for several purposes, as is necessary to allow us to carry out our business in accordance with our contract or legitimate interests and is necessary for compliance with our legal obligations.
  • Any retention of personal data will be carried out in compliance with legal and regulatory obligations and with industry standards. These data retention periods are subject to change without further notice because of changes to associated laws or regulations.
  • Your information will be kept for up to 1 year after the completion of the contract on our main systems, after which time it will be archived, deleted, or anonymised depending on the content of the material and whether there is any continuing need for it to be retained. For example, some of the archived information may be retained for a further period to allow us to process your existing or future instructions.
  • We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
  • To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
  • Details of retention periods for different aspects of your personal data are available in our Document Destruction & Retention Policy which you can request from us by contacting us.
  • Any personal data held in hard document copy is securely stored pre-destruction after use and is destroyed with a Certificate of Destruction in line with our UK GDPR Document Destruction & Retention Policy.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way.

We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator (e.g., ICO) of a suspected data security breach where we are legally required to do so.

If you want detailed information from, Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses, and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

Cookies

We use cookies to collect, store and share bits of information about your activities when you use our website.

Cookies do different things, like letting you navigate between pages quickly and generally improving your experience of a website. If a website does not use cookies, it will think you are a new visitor every time you move to a new page on the website – for example, when you enter your login details and move to another page it will not recognise you and it will not be able to keep you logged in.

CSRB Limited only use non-personal data essential cookies on this website to track the performance of the website via Google Analytics. This non personal data helps us to understand how to improve the website content for the benefit of all users. If you want to block cookies, then you can do this through your browser via the help function. You can also visit www.aboutcookies.org for further guidance.

Your rights

Under the UK GDPR, Data Protection Act (2018) and ICO guidance you have several important rights free of charge. At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the Information Commissioner’s Office (ICO) on individuals rights under the UK General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • call, email, or write to us in the first instance.
  • let us have enough information to identify you,
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
  • let us know the information to which your request relates?

How to complain

We hope that we can resolve any query or concern you raise about our use of your personal data. The UK General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioners Office (ICO) who may be contacted here or by telephone on 0303 123 1113.

Changes to this privacy notice

This privacy notice was last reviewed and published on Monday August 16th, 2021.

CSRB Limited, is registered in England and Wales, under company registration number 10647502. CSRB Limited is registered with the ICO under registration number ZA549552. We may change this privacy notice from time to time, when we do, we will inform you via email and/or our company website.

How to contact us

Please contact us if you have any questions about this privacy notice or the information, we hold about you.
The Data Protection Officer (DPO) is Chris Burn.

If you wish to contact us, please send an email to info@csrb.co.uk or write to Chris Burn of CSRB Limited, 160 Aztec West, Almondsbury, Bristol, England, BS32 4TU or call 01173 250830.