We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
This notice was last updated on Monday January 4th, 2021 and complies to the UK GDPR, underpinned by the Data Protection Act (2018) and ICO (Information Commissioners Office), and covers all post-BREXIT regulatory compliance.
Scope & Responsibilities
Our scope is all data subjects, whose personal data is collected, in line with the requirements of the UK GDPR.
The Data Protection Officer (DPO) is responsible for ensuring that this notice is made available to data subjects prior to CSRB Limited collecting/processing their personal data.
All Employees/Staff of CSRB Limited who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.
Who we are?
CSRB Limited provide confidential document products & services (e.g., secure destruction of documents, document storage, document scanning & confidential waste bins), data protection consultancy (e.g., reviewing existing compliance) and the provision of privacy notices/policies and other compliance documentation.
CSRB Limited collects, uses and is responsible for certain personal information about you.
When we do so we are regulated under the UK General Data Protection Regulation, which is underpinned by the Data Protection Act (2018)
We are responsible as the ‘data controller’ for all personal information collected for the purposes of those laws. The Data Protection Officer (DPO) is Chris Burn of CSRB Limited, 160 Aztec West, Almondsbury, Bristol, BS32 4TU.
CSRB Limited can be contacted via email [email protected] or by phone on 01173 250830.
The personal information we collect and use.
Legal bases for processing of personal data:
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever CSRB Limited processes your personal data:
- Contract – the processing is necessary for CSRB Limited to fulfil the obligations of an agreement, contract, or service level agreement (SLA) for the provision of confidential document products/services. Both parties would be provided with a signed copy of the contract and a copy of this privacy notice.
- Legal Obligations – the processing is necessary for CSRB Limited to meet the requirements of a UK law and/or regulatory compliance. CSRB Limited will identify the source for obligation (e.g., Data Protection Act 2018) and explain why your personal data is required to meet such obligations.
- Legitimate Interests – the processing is necessary, as CSRB Limited has ascertained the legitimate interest of the individual/organisation and explained why the processing of personal data is required to action the legitimate interest. CSRB Limited reviews our legitimate interest to hold personal data annually via a Legitimate Interests Assessment (LIA)
You can find more about the UK GDPR lawful bases here or by visiting www.ico.org.uk
How we use your personal information
CSRB Limited uses your personal information:
- To pre-qualify which of our products & services are suitable for your requirements (e.g., providing estimates, quotations, proposals, and specification details)
- To provide and maintain our services (e.g., provision of contracts, service level agreements)
- To notify you about changes to our services (e.g., direct communications through secure & trusted CSRB communication channels)
- To allow you to participate in any interactive features of our services when you choose to do so (e.g., feedback surveys, webinars, training events)
- To provide customer care and support (e.g., after sales support and contract renewal)
- To detect, prevent and address technical issues (e.g., secure monitoring of document storage portals)
- To monitor the analysis/usage of the services (e.g., Google Analytics in relation to the CSRB website)
- To produce invoices for our services (e.g., VAT invoices, receipts, Direct Debit mandates)
Information collected by us.
While providing our services CSRB Limited collects the following personal information when you provide it to us:
- Names and, contact details (e.g., company name, job titles, email addresses, contact numbers)
- Financial details (e.g., bank account names, sort codes & account numbers for processing of invoices, customer payments, etc.)
- Addresses (e.g., business invoice addresses & collection/delivery addresses)
- Third Party personal data (e.g., when working with an approved 3rd party contractor/supplier to facilitate the service level agreement agreed between the client and CSRB Limited
Who we share your personal information with?
CSRB Limited may share certain personal details with our approved service contractors & partners, in addition to any required legal bodies. We would always inform you ahead of acting on any instructions to proceed with any of our services, should this be the case.
This data sharing enables CSRB Limited to supply the above documented services to you in a professional and timely manner, whilst undertaking quality control & regulatory compliance procedures. Furthermore, it ensures compliance with all necessary UK GDPR & Data Protection Act (2018) lawful requirements.
CSRB Limited will share personal information with law enforcement or other authorities if required by applicable law. We will not share your personal information with any other third party.
Whether information must be provided by you, and if so why?
The provision of certain personal data including (but not limited to) client contact name, collection/delivery address, invoice address, email address & telephone number is required from you. This enables CSRB Limited to provide our confidential document products & services, data protection consultancy and the provision of privacy notices/policies/compliance documentation to you.
We will inform you at the point of collecting information from you, whether you are required to provide this and any other additional information to us.
How long your personal information will be kept?
- We will hold your personal data, including but not limited to, name, address, and contact details for the duration of your contracted agreement with CSRB Limited plus 3 months after any ‘contract end date’ for aftersales support.
- Bank details are held, and additionally protected by our approved Direct Debit service provider GoCardless only for the duration of your CSRB Limited contract and/or service level agreement.
- All passwords & login details will be securely deactivated & destroyed on termination of any agreement and/or when an agreement reaches its natural end date.
- Financial documents & invoices for a period of 7 years in line with HMRC regulations
- We are required by law to keep certain ‘special category data’ (e.g., personal data for those under the age of 16) for longer periods and this would be advised at the time.
- Any personal data held in hard document form is securely stored pre-destruction and is destroyed with a Certificate of Destruction in line with our ‘UK GDPR Document Destruction & Retention Schedule’.
Reasons we can collect and use your personal information.
CSRB Limited collects your personal data to enable us to provide our confidential document products & services, data protection consultancy and the provision of privacy notices/policies/compliance documentation to you.
CSRB Limited may also contact you by email, phone, video call or letter in line with the service you have paid for. We may occasionally email you or send a letter about something relevant to the service you have paid for.
Furthermore, we may email you to inform of company updates and items of interest via our official channels.
Under the UK GDPR, Data Protection Act (2018) and ICO guidance you have several important rights free of charge. At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the Information Commissioner’s Office (ICO) on individuals rights under the UK General Data Protection Regulation.
If you would like to exercise any of those rights, please:
- Call, email, or write to us in the first instance.
- Let us have enough information to identify you,
- Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- Let us know the information to which your request relates?
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator (e.g., ICO) of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses, and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
CSRB Limited only use essential cookies on this website to track the performance of the website via Google Analytics. This non personal data helps us to understand how to improve the website content for the benefit of all users. If you want to block cookies, then you can do this through your browser via the help function. You can also visit www.aboutcookies.org for further guidance.
How to complain
We hope that we can resolve any query or concern you raise about our use of your personal data.
The UK General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioners Office (ICO) who may be contacted here or by telephone on 0303 123 1113.
Changes to this privacy notice
This privacy notice was last reviewed and published on Monday January 4th, 2021.
CSRB Limited is a UK based company, registered in England & Wales, under company registration number 10647052. We only trade with UK based data subjects.
We may change this privacy notice from time to time, when we do, we will inform you via email and/or our company website.
How to contact us
Please contact us if you have any questions about this privacy notice or the information, we hold about you.
The Data Protection Officer (DPO) is Chris Burn.
If you wish to contact us, please send an email to [email protected] write to CSRB Limited, 160 Aztec West, Almondsbury, Bristol, BS32 4TU or call 01173 250830.