CSL Group Holdings Limited

Third Party Data Protection Policy

1. ABOUT THIS POLICY

  1.1 During the course of our activities we shall collect and process personal data about our customers and other third parties. This Policy explains the way in which this information is required to be collected, handled, processed and transferred by CSL Group Holdings Limited (“CSL”) employees.

  1.2 This Data Protection Policy should be read together with our Data Retention and Data Breach Policy, which explains how certain information must be stored and for how long it must be retained, and also explains the way in which any data breaches must be identified, documented and responded to.

  1.3 If you have any questions about the operation of this Policy, the processing of personal data in general or any concerns that the Policy has not been followed, in particular if you are unsure about what to do in a particular situation, please immediately consult the Directors’ PA (“Key Individual”).

2. OVERVIEW

  2.1 “Personal data” means any information relating to an identified or identifiable natural person (i.e. a “data subject”). Everyone has rights under the law with regard to the way in which their personal data is handled. This applies to data which may be held on paper, a computer or any other structured set of information.

  2.2 The correct and lawful treatment of this data will maintain confidence in the organisation and will assist in the successful running of our business. You are obliged to comply with this Policy when processing personal data on our behalf. Any breach of this Policy may result in disciplinary action.

  2.3 In particular, we are legally obliged to ensure the following:

    2.3.1 that we process personal data in a fair, lawful and transparent manner;

    2.3.2 that we collect personal data for specified, explicit and legitimate purposes;

    2.3.3 that we ensure that personal data is adequate, relevant and limited to what is necessary; and

    2.3.4 that personal data is only transferred to a third-party processor if it agrees to comply with our procedures and policies, or if it puts in place adequate measures itself in accordance with the relevant data protection legislation in the UK.

  2.4 Please note that specific rules apply to “special categories” of personal data, namely data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data (for the purpose of uniquely identifying a person), or data concerning health, a person's sex life or sexual orientation. Special categories of personal data can only be processed under strict conditions, including with the explicit permission of the person concerned. You must not process this data in any way without first obtaining authorisation from the Key Individual, and if you receive such data you must notify the Key Individual immediately.

3. FAIR, LAWFUL AND TRANSPARENT PROCESSING

  3.1 For personal data to be processed lawfully, it must be processed on the basis of one of a number of specified legal grounds, which may be summarised as follows:

    3.1.1 the data subject has provided their consent to the processing for a specified purpose (please note that the data subject can only normally opt in to provide their consent to the processing of their data, not opt out), for example, if we wish to pass on the customer’s details to a third party for marketing purposes;

    3.1.2 the processing is necessary for the performance of a contract, or entering into a contract (at the data subject’s request), for example where we send the customer a quotation or an invoice;

    3.1.3 the compliance with a legal obligation to which we are subject;

    3.1.4 the processing is necessary to protect the vital interests of the data subject or another natural person;

    3.1.5 the processing is necessary for the performance of a task carried out in the public interest; or

    3.1.6 in the pursuit of our legitimate interests, where we have told the data subject what these interests are, for example to help us monitor or improve the products or services we offer. This does not apply where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  3.2 Please note that any consent given for the purpose of data processing must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. This could include ticking a box, expressly giving consent, conduct which clearly indicates in this context the data subject's acceptance of the proposed processing, or providing consent verbally over the telephone. Silence, pre-ticked boxes or inactivity will not therefore constitute consent. When the processing has multiple purposes, consent should be given for each purpose. It is however of vital importance that, however the affirmative consent is obtained, the time, date and method of obtaining such consent is clearly recorded on a system established for this purpose.

4. PROCESSING FOR LIMITED PURPOSES

  4.1 In the course of our business, we may collect and process personal data as set out in Schedule 1. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).

  4.2 We shall only process personal data for the specific respective purposes set out in Schedule 1 or for any other purposes specifically permitted by the relevant data protection legislation. We shall notify those purposes to the data subject when we first collect the data.

5. NOTIFYING DATA SUBJECTS

  5.1 If we collect personal data directly from data subjects, we must inform them, at the point at which we collect the data, of:

    5.1.1 our identity and contact details;

    5.1.2 the purposes for which we intend to process the personal data as well as the grounds for processing (by reference to paragraphs 3.1.1 to 3.1.6 above);

    5.1.3 if the processing is in the pursuit of our legitimate interests, what these interests are;

    5.1.4 the recipients or categories of recipients of the personal data, if any;

    5.1.5 if applicable, the fact that we intend to transfer personal data to a third country;

    5.1.6 the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

    5.1.7 the existence of the right to request access to and rectification or erasure of personal data and the right to data portability, as well as the ability to request the restriction of processing concerning the data subject or to object to processing;

    5.1.8 where the processing is based on the customer’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

    5.1.9 the right to lodge a complaint with a supervisory authority;

    5.1.10 whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data; and

    5.1.11 if applicable, the existence of any automated decision-making process which we intend to use in connection with the personal data, including profiling (including the logic, significance and consequences of any profiling).

  5.2 We can inform the customer of the above matters by directing the customer to our Privacy Policy, which will appear on our website; however, we must ensure that the Privacy Policy covers the specific data we will be collecting and the specific purpose for which we shall be processing it. If the Privacy Policy does not cover our intended use of the data, we must supplement it with additional information by way of a written privacy notice covering the above matters. The ultimate purpose is to ensure that all the information set out in paragraphs 5.1.1 to 5.1.11 above is in some way fully and accurately communicated to the data subject.

  5.3 If we receive personal data about a data subject from other sources, we should provide the data subject with the above information as soon as possible after we have received it, and in any event no later than one month from when we first received the data, or the date on which the data is first used for communication purposes or disclosed to another recipient (whichever occurs first).

6. PROCESSING IN ACCORDANCE WITH DATA SUBJECTS' RIGHTS

  6.1 We shall process all personal data in accordance with data subjects' rights, in particular their right to:

    6.1.1 request a copy of the information we hold about them (“Access Request”);

    6.1.2 request that we rectify any information we hold about them (“Right to Rectification”);

    6.1.3 request that we erase any information we hold about them (“Right to be Forgotten”);

    6.1.4 restrict the level of processing we carry out with the information (“Restriction of Processing”);

    6.1.5 obtain from us all personal data we hold about them, in a structured, machine-readable form, and have this information transmitted to another organisation (“Data Portability”);

    6.1.6 object to processing their personal data in certain ways (“Right to Object”); and

    6.1.7 withdraw their consent at any time to receiving marketing communications from us (“Right to Withdraw Consent”).

  6.2 Employees who receive a written request of any of the kinds mentioned in Section 6.1 must forward it to the Key Individual immediately. We must not refuse to act on any request of the data subject to exercise his or her rights unless we can clearly demonstrate that we are not in a position to identify the data subject.

  6.3 Where the data subject makes a request under this section by electronic means, such as by email, the information should be provided electronically where possible, unless otherwise requested by the data subject.

  6.4 We must comply with any request made under this section as soon as possible and, under normal circumstances, within one month from the date of the request. However, if necessary, for example if the request is particularly complex or we receive a number of similar requests, we may extend this period by an additional two months. If we extend this period, we must notify the data subject within one month of the date of the request that we are going to do this and the reasons for the delay. We must also inform them that they can lodge a complaint with the Information Commissioner’s Office and seek a judicial remedy if they wish to do so.

  6.5 Please note that where we receive requests which are manifestly unfounded or excessive (which we must be able to demonstrate), for example because they are repetitive in nature, we may:

    6.5.1 charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or

    6.5.2 refuse to act on the request.

  6.6 When receiving telephone enquiries, we must only disclose any personal data that we hold on our systems if we do the following things:

    6.6.1 check the caller's identity and ensure that we are satisfied that the caller is entitled to receive the information requested; and

    6.6.2 suggest that the caller put their request in writing if we are not sure about their identity or where their identity cannot be verified.

  6.7 Employees must refer a request to their line manager or the Key Individual for assistance in difficult situations. Employees should not be pressured into disclosing personal information. If in doubt, we must inform the person making the request that we shall consider it and come back to them.

7. ACCESS REQUEST

  7.1 We should not, under normal circumstances, charge the data subject in respect of responding to an Access Request. If the data subject requests further copies of their information after their initial request, we may only charge a reasonable fee which reflects the administrative costs incurred in meeting this further request.

8. RIGHT TO RECTIFICATION

  8.1 If we have disclosed any incorrect or incomplete data to any third parties, we must inform them of any necessary amendments or corrections made in accordance with the Right to Rectification.

9. RIGHT TO BE FORGOTTEN

  9.1 Upon request, we must erase the personal data we hold about a data subject in circumstances where:

    9.1.1 it is no longer necessary for us to handle the personal data for the purpose for which it was originally collected;

    9.1.2 the data subject has withdrawn their permission for us to hold the personal data (where this was the basis on which it was collected or used);

    9.1.3 the data subject objects to the processing of the data and there is no lawful overriding reason for us to continue processing the personal data;

    9.1.4 the personal data was unlawfully processed; or

    9.1.5 we have to erase the personal data in order to comply with a legal obligation.

  9.2 Please promptly refer any data subject request regarding the Right to be Forgotten to the Key Individual, who will assist you in complying with the request.

10. RESTRICTION OF PROCESSING

  10.1 The data subject can ask us to restrict how we use their personal data in the following circumstances:

    10.1.1 where the data subject believes that the information we hold about them is inaccurate, they can ask that we refrain from using their data until we can verify its accuracy;

    10.1.2 where we have unlawfully processed data, the data subject can ask that we restrict our usage of it rather than erase it completely; or

    10.1.3 where we no longer need to hold the information, but the data subject wishes us to retain the information for the purpose of establishing, exercising or defending a legal claim.

  10.2 Please promptly refer any data subject request regarding the Restriction of Processing to the Key Individual, who will assist you in complying with such a request.

11. DATA PORTABILITY

  11.1 The data subject has the right to obtain from us all personal data which they have provided to us in a structured, commonly used and machine-readable form, provided that such data was processed based on their consent, or for the purpose of a contract between us and the data subject, and the processing was carried out by automated means. This will allow the data subject to move, copy or transfer personal data easily from one IT environment to another or, if the data subject asks us to do so, we can transmit such data directly to another organisation. However, we must not comply with a request for data portability if this will affect the rights and freedoms of others.

12. RIGHT TO OBJECT

  12.1 If the data subject has withdrawn their consent to the processing of their personal data, we must keep a record of this to ensure that we can comply with their request. For example, if a customer does not wish to receive any further marketing communications, we must ensure that we keep a record of this so that no further communications are sent to this individual.

  12.2 The data subject has the right to object, on grounds relating to their particular situation, to us processing their personal data where we are doing this for the performance of a task carried out in the public interest (which we shall have told the data subject about, if applicable), or where we are carrying out processing for the purposes of legitimate interests pursued by us.

  12.3 The data subject also has the right at any time to ask us not to process their personal data for direct marketing or profiling purposes (to the extent that such profiling is related to such direct marketing). We must inform the data subject at the time we obtain their personal data whether we intend to process their personal data for this purpose, or if we intend to disclose their information to any third party for such purposes, and obtain consent from them in order to do so.

  12.4 If we process personal data for automatic decision-making or profiling purposes (i.e. to analyse or predict personal preferences and purchase behaviour, where such profiling is automated) we must tell the data subject about this beforehand, and must only do this where it is a necessary condition of entering into a contract between the data subject and us, or where they have given us their explicit consent to do this.

13. DISCLOSURE OF PERSONAL INFORMATION

  13.1 We must only share and disclose personal information in the manner set out in this Policy, in particular Schedule 1, unless we are under a duty to disclose or share a data subject's personal data in order to comply with any legal obligation; in order to enforce or apply any contract with the data subject or other agreements; or to protect the vital rights of the data subject, our employees, customers or others. We are therefore entitled to exchange information with other companies and organisations for the purposes of fraud protection and credit risk reduction, provided that we have informed the data subject that we are going to do so before they have provided us with their personal information.

14. TRANSFERRING PERSONAL DATA TO A THIRD COUNTRY OUTSIDE THE EEA

  14.1 We may only transfer any personal data we hold to a country outside the European Economic Area (“EEA”) if one of the following conditions applies:

    14.1.1 the country or international organisation to which the personal data are transferred has been certified by the European Commission as ensuring an adequate level of protection for data subjects' rights and freedoms, or authorised by the Information Commissioner’s Office by way of a set of binding corporate rules;

    14.1.2 we or the data processor have provided appropriate safeguards, on the condition that enforceable data subject rights and effective legal remedies for data subjects are available in accordance with the relevant data protection legislation;

    14.1.3 the data subject has given his or her explicit consent;

    14.1.4 the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between us and another natural or legal person;

    14.1.5 the transfer is necessary for important reasons of public interest, or the transfer is necessary for the establishment, exercise or defence of legal claims;

    14.1.6 the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or

    14.1.7 the transfer is made from a register which according to UK law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.

15. CHANGES TO THIS POLICY

  15.1 We reserve the right to change this Policy at any time.