1.0 OUR USER PRIVACY AND DATA PROTECTION
- We take user privacy and data protection very seriously
- We understand we have a duty of care to the people within our data
- We only collect and process data when absolutely necessary
- We will never spam you
- We will never sell, rent or otherwise distribute or make public your personal information
- This privacy notice will let you know what happens to any personal data you give us or that any we might collect from or about you.
2.0 RELEVANT LEGISLATION
Concept Data Solutions (CDS) LTD complies with the following national and international legislation with regards to data protection and user privacy:
- UK Data Protection Act 1998 (DPA)
- EU Data Protection Directive 1995 (DPD)
- EU General Data Protection Regulation 2018 (GDPR)
Specifically, our website, internal business and IT systems comply to said legislation.
3.0 PERSONAL INFORMATION THAT WE COLLECT AND PROCESS
- Personal details, contact details: Title, full name, date of birth, mother’s maiden name, bank details, contact details including address, mobile and landline.
- Products and services you hold with us, as well as have been interested in and associated payment methods used.
- The usage of our products and services, including landline and mobile numbers you have called with associated minutes.
- Product and service information, including any current and previous packages.
- Personal information obtained from Credit Reference agencies, including public (including defaults and CCJs) and shared credit history, financial situation and financial history.
- Your residency and/or citizenship status, if relevant, such as your nationality, your length of residency in the UK and/or whether you have the permanent right to reside in UK.
- Call recordings, between you and CDS LTD staff for training and quality purposes.
4.0 THE SOURCE OF YOUR PERSONAL INFORMATION
Personal information is collected from the following sources:
- From you directly.
- Information generated about you when you use our products and services.
- We buy information from third parties including name, address, landline and mobile number.
- Data that is provided by verified third party call centres, who are GDPR compliant.
5.0 PERSONAL INFORMATION THAT THIS WEBSITE COLLECTS AND WHY WE COLLECT IT
This website collects and uses personal information for the following reasons:
5.1 Google Analytics
5.2 Contact Forms and email links
If you wish to contact us via our contact us page, your data will not be held on this website or be passed to any third party data processors. The data will be collated into an email and sent to us over the SMTP. The email content is then decrypted by our local computers and devices.
5.3 Email newsletter
If you sign up to our newsletter, the email address you provide will be forwarded to MailChimp who provide us with email marketing services. MailChimp are a third party data processor. The email address supplied will not be stored within our website’s database or on any internal computer system.
Your email address will remain within MailChimp’s database for as long as we continue to use MailChimp’s services for email marketing and if this changes we will inform you. You can also specifically request removal from the list by unsubscribing using the unsubscribe links contained in any email newsletters that we send you or by requesting removal via email. Please send your email to us using the email account that is subscribed to the mailing list.
If you are under 16 years of age you must obtain parental consent before joining our email newsletter. You will receive periodic newsletter emails from us, approximately once a year.
6.0 OUR THIRD PARTY DATA PROCESSORS
This website uses third parties to process personal data on our behalf. All of them comply with the legislation. The following third parties are based in the USA and are EU-U.S Privacy Shield compliant:
7.0 WHAT DO WE USE YOUR PERSONAL DATA FOR?
- For assessing and processing your application including the consideration about whether or not to offer the product or service and associated credit, the price, risk of doing so, availability of payment method and terms.
- Providing the service including collecting direct debit payments, provisioning your line, notifying Openreach engineers and you if an engineer visit is deemed necessary.
- Ensuring your records are kept up to date, tracing your whereabouts and recovering debt.
- To offer you an improved package or service in the future should one become available.
- Managing all aspects of your service.
- To perform and test the performance of your service.
- To improve the operation of our business and business partners.
- To record calls between you and our staff for quality assessments and training purposes.
- For direct marketing communications to help us offer you relevant messages regarding our services or information about the business. We may send you a limited amount of marketing messages to you via SMS, email, phone, post and social media channels.
- To process any donations, where relevant, to any of our chosen charities.
8.0 WHAT ARE THE LEGAL GROUNDS FOR OUR PROCESSING OF YOUR PERSONAL INFORMATION?
If you have ordered or take a service from us, we are entitled to process your information so we can provide you with a service and bill you for this. Our lawful grounds for processing your data is that it is necessary for entering or performing a contract with you, the data subject.
- For assessing your application for our services including whether to offer you the requested service and associated credit.
- Updating your records, tracing your whereabouts and recovering debt if relevant. In some instances, this information will be passed to a third party debt collection agency.
- Managing all aspects of delivering the service to you as detailed in your contract including sharing your information with business partners to be able to service your account.
- To perform and to test our services that we provide to you.
- To carry out credit checks using a third party Credit Reference Agency.
Secondly, if we want to collect and use your information for other purposes, this will be with your consent:
- For some direct marketing messages, either service related or information about the business.
- Consent will be collected using a positive action from you, such as ticking a box, in a clear and unambiguous way. You are also free to remove your permission at any time.
Thirdly, it may be that contacting you falls within a legitimate interest. This may occur for example, that we have met you at an event and exchanged business cards.
9.0 WHEN DO WE SHARE YOUR PERSONAL INFORMATION WITH OTHER ORGANISATIONS?
We share information with companies mentioned above including:
- Debt collection agencies
- Business Partners (including telecoms suppliers, financial institutions)
- Back up and server hosting providers, IT software and maintenance providers
- Credit reference agencies
- External billing providers
- Government and regulatory bodies such as HMRC, Ofcom, The Ombudsman, CICAS.
- External human resource and employment law providers
10.0 CALL RECORDINGS
Call recordings are kept in a secure and encrypted file that is password protected and only accessed by the IT Manager (who is also our Data Protection Officer). Should another Manager require access, a unique password is provided for that file.
Where calls are held on behalf of our business customers and we are acting as a data processor, the call recordings are downloaded onto a secure FTP site. Only the IT Manager (DPO) and Tech Manager have access to these. The customer is provided with a unique password and after they have downloaded their call recordings, they are deleted immediately.
11.0 HOW AND WHEN CAN YOU WITHDRAW YOUR CONSENT?
Where we’re relying upon your consent to process personal data you can withdraw this at any time by contacting us using the following email address: DataProtectionOfficer@conceptdatasolutions.co.uk
12.0 DATA BREACHES
We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen. We have a full internal data breach process which is available upon request.
13.0 KEEPING PERSONAL DATA UP TO DATE
If your personal details change, you should tell us as soon as possible, either by emailing DataProtectionOfficer@conceptdatasolutions.co.uk or using the contact us form on our website www.conceptdatasolutions.co.uk. We will do our upmost to keep our personal records up to date and may contact you to ensure your details are correct.
14.0 DO YOU HAVE TO PROVIDE YOUR PERSONAL INFORMATION TO US?
It is not possible to deliver our services to you if certain information is not provided. If there are instances where providing information is optional, we will make this clear in our marketing preferences.
15.0 ACCESSING YOUR PERSONAL DATA
You have the right to access the personal data we hold on you. You can make a Subject Access Request (SAR) by emailing DataProtectionOfficer@conceptdatasolutions.co.uk or using the contact us form on our website www.conceptdatasolutions.co.uk. We will respond to your request within 28 days however we do reserve the right to take up to two extra months for extensive requests as per the ICO website: ico.org.uk/your-data-matters/your-right-of-access/. You will be informed within 28 days if we need the extra time.
16.0 FOR HOW LONG IS YOUR PERSONAL INFORMATION RETAINED BY US?
- Your personal information is held for as long as it reasonably takes us to fulfil our business commitment to you.
- Once the contract has come to an end, we will keep your data as long as someone could reasonably bring a claim against us.
- Retention periods in line with legal and regulatory requirements or guidance.
17.0 EMAIL MARKETING
B2B email marketing is still acceptable under GDPR. The data for some email campaigns has been bought from a reputable and GDPR compliant data organisation. Consent is generally obtained on all marketing data at point of collection and is renewed by the data company periodically. However, it is important to note that consent is not the only valid ground for processing data under the GDPR. Due to the stringent consent requirements, including the need for granularity (which is difficult to achieve for the data company and its suppliers, due to the size and broadness of our customer bases), the data company is continuing to supply marketing data on “legitimate interests” grounds under GDPR and CDS LTD is legally covered by this legitimate interest.
This is specifically acknowledged in recital 47 of the GDPR as being a plausible ground for marketing (“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”). In our case, we rely on legitimate interests on the basis that a business has made its details available and it is for the benefit of all businesses that marketing is facilitated. For businesses which do not wish to receive marketing, there are legitimate means to prevent it, including not supplying the details for inclusion in business registers, objecting to direct marketing under the GDPR, and/or registering with the TPS/CTPS.
In the case of non-limited businesses, the Privacy of Electronic Communications Regulations apply and dictate that express must be obtained, and the data company complies with this legal requirement.
The data company remains the data controller in all instances, and is wholly responsible for all its processing activities and ensures it only shares personal data when it is lawful to do so.
All emails sent from CDS LTD give a clear, unambiguous opt out and if selected, you will be removed from all future mailings and added to a suppression list to ensure you receive no future contact.
- Using one of our products or services paid for by someone else.
- Taking part in a survey or trial.
- Entering a prize promotion.
- Calling our help desk.
- Enquiring about our product or service.
20.0 DATA CONTROLLER
The data controller of this website is: CDS Ltd, a UK Private Limited Company with company number: 07963138
Whose registered address is:
The Bromley Centre, Bromley Road, Congleton, Cheshire CW12 1PT
Contact details: DataProtectionOfficer@conceptdatasolutions.co.uk