CTR needs to obtain and process some personal data when entering in to a contract for services with an individual or company.
CTR takes your data privacy very seriously and will only use your Personally Identifiable Information (PII) or Sensitive Personal Identifiable Information (SPII) for the purpose that it was given to us and to be able to communicate with you.
Why we collect and need your personal data?
When you supply your personal details to CTR they are stored and processed for 5 reasons (words in bold are the relevant terms used in the Data protection Act 2018, which includes the General Data Protection Regulation – i.e. the law):
1. CTR needs to obtain and process some personally identifiable information (PII) when entering in to a business relationship with any individual. This is to ensure that every individual will be:
a. Identified correctly
b. Addressed correctly
c. Have their requests or concerns met
d. Able to communicate appropriately by post, phone or email.
2. We have a “Legitimate Interest” in collecting that information, because without it we couldn’t do our job effectively.
3. We also think that it is important that we can contact you to confirm your agreements with us or to update you on matters related to our business/contract. This again constitutes “Legitimate Interest”, but this time it is your legitimate interest.
4. In the course of a contractual agreement for service, we may be requiring to pass a responsible amount of your PII to clients, customers or contractors for the purpose of communication between you and the third-party.
5. Provided we have your “consent”, we may occasionally send you general information in the form of articles, advice or newsletters. You may withdraw this consent at any time – just let us know by any convenient method.
What we do with it?
CTR takes data privacy very seriously and will only use PII or SPII for the purpose that it was given to us and to be able to communicate effectively. We only ever use your personal data with your consent, or where is necessary:
• To enter into, a contract with you
• To comply with legal duty
• To protect your vital interests
• For our own (or third party’s) lawful interests, provided your rights don’t override these
• Be compliant to the European Union General Data Protection Regulations
• Adhere to all the GDPR Principles
• Promote and embrace EU citizens’ Rights
• Protect your PII at all times
• Be compliant to all applicable data protection laws
• Request the minimum of data necessary for our mutual purpose
• Encrypt any data that needs to be retained
• Be transparent and open to you concerning your PII
• Provide you with data access if requested
• Safely delete any PII when no longer required
CTR will not:
• Hold any PII longer than is necessary
• Share your PII without explicit consent (other than stated above)
• Use your PII for any other purpose without explicit consent
Where we keep it?
We are based in the UK and we store our data within the UK. Some organisations which provide services to us may transfer or process personal data outside of the EU, but we will only allow them to do if your data is adequately protected (through our strict diligence process).
Some of our systems such as Microsoft 365 and Dropbox products are US Company’s and as such are compliant to the strict USA’s Privacy Shield Scheme.
How long we keep it?
We will only use and store information for so long as it is required for the purposes it was collected for. How long information will be stored depends on the information in question and what it is being used for.
We continually review what information we hold and delete what is no longer required. We never store payment card information. We will not retain your data for any longer than necessary and the longest time that we will hold your data will be six years or eight years if medical information is collected.
Your records via CCTV will be stored in the following manner:
• For positive Unscheduled events a report will be generated and held for 12 months.
• For positive trespass with intent the video footage and a report will be held for 12 months.
• For all other data obtained our GDPR policy states we only store 14 days of CCTV footage on a re-write principal.
Some data will be held electronically (“in the cloud”) via our office computer. These are password-protected, backed up regularly and kept secure through encryption.
What are your rights?
We want to ensure that you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:
• the right to confirmation as to whether we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as a data subject access request)
• the right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason)
• the right to have inaccurate data rectified
• the right to object to your data being used for marketing or profiling; and
• where technically feasible, you have the right to personal data you have provided to us which we process automatically based on your consent or the performance of a contract. This information will be provided in a common electronic format.
Understanding and contact?
Please keep in mind that there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
If you wish to raise a complaint on how we have handled your personal data, you can contact CTR below who will investigate the matter.
• The CTR Data Controller registered with the DPA is Tremaine Kent and he is contactable by email: firstname.lastname@example.org
• The CTR Data Protection Officer is Doug Cook and he is contactable by email: email@example.com
By Mail or telephone: CTR Secure Services, Beacon Innovation Centre, Gorleston,
Norfolk, NR31 7RA Tel: 0333 370 4999
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.