Privacy Notice

CSRB Limited has a responsibility to document how your personal data will be protected.

This is a legal requirement of the UK GDPR under the ‘Right to be Informed’.

This privacy notice will outline our responsibilities to you. This privacy notice was last updated in July 2023.

1.0 Key Terms

1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy-to-understand a manner as possible, we do need to use certain terms throughout this privacy notice.

1.2 We will now provide an easy-to-understand definition of each term:

  • Client: The data subject whose personal data CSRB Limited is processing.
  • Data Controller: A data controller has the responsibility of deciding how personal data is processed, the purpose for the data processing, and how to protect the personal data from harm. CSRB Limited is the sole data controller.
  • Data Processor: In a similar way to data controllers, data processors must protect people’s personal data. However, they only process it in the first place on behalf of the data controller. They would not have any reason to have the personal data if the data controller had not asked them to do something with it.
  • Data Protection Act (DPA 2018): The DPA 2018 sets out the legal data protection framework in the UK, including the UK GDPR. It contains three separate data protection regimes:
    • Part 2: sets out a general processing regime (the UK GDPR);
    • Part 3: sets out a separate regime for law enforcement authorities; and
    • Part 4: sets out a separate regime for the three intelligence services.
  • Data Subject: A data subject is a living person who can be identified from personal data, and will often be the client of CSRB Limited.
  • GDPR: This stands for General Data Protection Regulation (GDPR), the UK’s agreed standards for data protection that are also written into UK privacy law through the Data Protection Act 2018 (DPA 2018).
  • Individual Rights: In UK data privacy law, individuals have rights over their personal data. These rights allow the individual to ask the data controller to do something, or stop doing something with their personal data. There are eight individual rights.
  • Information Commissioner’s Office (ICO): The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights.
  • Lawful Basis: A lawful basis is the legal reason or legal grounds relied upon for the processing of an individual’s personal data. There are six lawful bases to choose from: consent, contract, legal obligation, legitimate interest, public task, and vital interests.
  • Personal Data: Personal data is information about who you are, where you live, what you do, and much more. It is all information that identifies you as a data subject.
  • Privacy and Electronic Communications Regulations 2003 (PECR): PECR sits alongside the DPA 2018 and the UK GDPR. This legislation gives people specific privacy rights in relation to electronic communications, and electronic processing of their personal data.
  • Processing: Processing means taking any action with someone’s personal data, including storing that data, and archiving personal data.

2.0 Scope

2.1 The scope for CSRB Limited is any data subject whose personal data is processed upon instruction in line with UK privacy legislation including the DPA 2018, PECR (2003), and UK GDPR.

2.2 We also acknowledge any additional responsibilities requested by the industry regulator in the UK, the Information Commissioner’s Office (ICO).

2.3 The DPA 2018 and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as part of a physical paper filing system.

2.4 CSRB Limited will adhere to the seven UK GDPR data processing principles when handling personal data:

  • Lawfulness, Fairness, and Transparency;
  • Purpose Limitation;
  • Data Minimisation;
  • Accuracy;
  • Storage Limitation;
  • Integrity and Confidentiality (Security); and
  • Accountability.

2.5 All associates of CSRB Limited who interact with clients and data subjects are responsible for ensuring that this privacy notice is drawn to their attention, at the earliest available opportunity.

3.0 Lawfulness

3.1 CSRB Limited is a private limited company, based in England, under company registration number 10647502, complying with the laws of England and Wales.

3.2 CSRB Limited is registered with the ICO under registration number ZA549552.

3.3 CSRB Limited acts as a data controller and data processor. We are responsible for the personal data that we process (on behalf of the data subject), and have our own measures for ensuring compliance with the UK data controller regulations (personal data we own).

3.4 CSRB Limited provides certified and professional data protection, GDPR, and privacy support services to organisations in the United Kingdom. CSRB Limited also determines the scope of the personal data processing, the categories of personal data we process, and for what specified purpose.

3.5 From time to time we may appoint data processors on behalf of CSRB Limited. We will always ensure that a written agreement is in place with each of our data processors documenting how personal data will be processed, safeguarded, and stored. CSRB Limited has the overall responsibility for all data processors.

3.6 CSRB Limited has voluntarily decided to appoint a Data Protection Officer (DPO). We have a legal obligation to notify the ICO of their name and contact details. Our appointed Data Protection Officer (DPO) is Chris Burn of CSRB Limited. The DPO can be contacted by telephone on 0117 325 0830 or via email at dpo@csrb.co.uk.

3.7 CSRB Limited uses the lawful bases set out in UK GDPR Article 6 when we process your personal data:

  • Contract – the processing is necessary for CSRB Limited to fulfil the obligations of an agreement or contract for the provision of our personal data protection services;

  • Legal Obligation – personal data is processed by us to meet a requirement set out in UK law or statute. For example, certain personal data is required when retaining financial records for HMRC; and

  • Legitimate Interests – the processing is necessary, as CSRB has ascertained the legitimate interest of the individual and explained why the processing of personal data is required to action the legitimate interest.

3.8 CSRB Limited does not transfer any personal data we collect about you to countries outside the UK. All data processing is carried out within the UK, adhering to UK data privacy legislation.

3.9 CSRB Limited undertakes additional online security and information governance activities each year, in order to ensure maximum security of personal data processing for our clients and data subjects. Additionally, we are awarded the Cyber Essentials certification each year. This standard demonstrates that our ICT systems, at the time of testing, are satisfactory against commodity-level cyber-attack. Our certificate can be viewed here. Our certification body is Indelible Data.

4.0 Fairness

4.1 CSRB Limited processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing with regards to personal data. There are eight individual rights:

  • Right to be informed – data subjects have the right to know why we are collecting and processing personal data; this right is met by the provision of this privacy notice and any subsequent privacy documentation;

  • Right of access – you have the right to know what personal data we have on record and request a copy;

  • Right of rectification – you have the right to correct personal data that we hold about you that is inaccurate or incomplete;

  • Right to be forgotten – in certain circumstances you can ask for the personal data we hold about you to be erased from our records;

  • Right to restriction of processing – where certain conditions apply you have a right to ask us to only process your personal data for certain processing activities;

  • Right of portability – you have the right to have the personal data we hold about you transferred to another data controller;

  • Right to object – you have the right to object to certain types of data processing such as marketing; and

  • Right to object to automated processing, including profiling – you also have the right to object to the legal effects of automated processing or profiling.

4.2 CSRB Limited will only handle personal data in ways that individuals would reasonably expect and not use it in ways that have unjustified adverse effects on them.

4.3 CSRB Limited will obtain personal data in a fair way. We will underpin all personal data processing with a lawful basis and ensure any personal data transfers are carried out in a secure manner.

4.4 CSRB Limited always considers the rights and freedoms of data subjects when processing personal data, whether they are individuals or part of a wider group.

4.5 CSRB Limited will have a written agreement with each client setting out the contract terms and will ensure a copy of this privacy notice is available.

5.0 Transparency

5.1 Transparency is fundamentally linked to fairness. CSRB Limited will always be clear, open, and honest with people from the start about who we are, and how and why we need to use your personal data.

5.2 CSRB Limited will inform clients and data subjects from the outset regarding the types of personal data we need to process, usually within our business terms, contract documentation, this privacy notice, and other privacy documentation.

5.3 CSRB Limited may process the following personal data types:

  • Identity Data (e.g., contact name, company name, email addresses, telephone numbers); and
  • Location Data (e.g., addresses).

5.4 CSRB Limited informs individuals about all personal data processing in a way that is easily accessible and easy to understand, using clear and plain language. We do this by ensuring all CSRB Limited’s associates receive annual data protection and UK GDPR training, whilst maintaining a company information governance framework with up-to-date policies, procedures, and processes.

5.5 CSRB Limited hopes we can resolve any query or concern you raise about our use of your personal data. You can contact CSRB Limited in the first instance at any time by telephone on 0117 325 0830 or via email at dpo@csrb.co.uk.

5.6 CSRB Limited has appointed a certified Data Protection Officer (DPO) to act in the interests of all parties. Should you require further information with regards to personal data processing and the protection of your personal data, please contact Chris Burn, Data Protection Officer (DPO), at CSRB Limited. Chris can be contacted by telephone on 0117 325 0830 or via email at dpo@csrb.co.uk.

5.7 Should we not be able to resolve the complaint, you have the right to lodge a complaint with the lead authority. The lead authority in the UK is the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting www.ico.org.uk.

6.0 Purpose Limitation

6.1 CSRB Limited will always be clear about what our purposes for processing are from the start. For example, recording identity and location data to facilitate a contract.

6.2 CSRB Limited will record our purposes for data processing as part of our contract and proposal documentation obligations. We will also specify them in any additional privacy documentation provided.

6.3 CSRB Limited specifically processes your personal data for the following purposes:

  • Administering our data protection services;

  • Delivering and supplying our data protection services;

  • Managing payments for our data protection services;

  • Personalising and tailoring our data protection services to you;

  • Communicating with you regarding the management of the contracted data protection service;

  • Communicating with you regarding CSRB Limited’s supplementary data protection services;

  • Supplying you with service communications regarding the contracted data protection service;

  • Supplying you with our quarterly e-newsletter which you can opt-out of at any time; and

  • Supplying you with company communications required by law, such as updates to this privacy notice.

6.4 CSRB Limited will only use personal data for a new purpose if this is compatible with the original purpose, or we obtain your consent, or we have a clear obligation or function set out in law.

6.5 Where relevant, CSRB Limited may also share your personal data with the following categories of third parties:

  • Trusted third party partners who we work alongside and process personal data on behalf of, with regards to agreements and contracts, or for the provision of supplementary support services. Disclosure of the nominated trusted third-party partner would be provided at the agreement/contract stage and a relevant Data Processing Agreement (DPA) would be put in place to protect all personal data, from a data controller, data processor, and data subject perspective.

  • Fraud prevention agencies, money laundering agencies and associations.

  • Regulators and law enforcement agencies, including the police, HM Revenue and Customs, or any other relevant authority who may have jurisdiction. We would always inform you ahead of acting on any instructions to proceed.

6.6 CSRB Limited will share personal information with law enforcement or other authorities if required by law.

7.0 Data Minimisation

7.1 CSRB Limited always ensures the personal data we are processing is:

  • adequate – sufficient to properly fulfil our stated purpose;

  • relevant – has a rational link to that purpose; and is

  • limited to what is necessary – we do not hold more than we need for that purpose.

The UK GDPR does not define these terms. As this is the case, CSRB Limited accepts that these terms may have a differing definition from one individual to another, as the processing will depend on the specified purpose for collecting and using the personal data.

7.2 In order to assess whether we are holding the right amount of personal data, we demonstrate clearly why we need it before any data processing activities take place.

7.3 CSRB Limited undertakes an annual data protection audit to review our personal data processing, and to check that the personal data we hold is still relevant and adequate for the stated purposes.

8.0 Accuracy

8.1 CSRB Limited will take all reasonable steps to ensure the personal data we hold is accurate and up to date.

8.2 CSRB Limited will take reasonable steps to ensure that personal data we hold is not incorrect. This may involve contacting you via our official communication channels, to ensure all personal data held is accurate.

8.3 CSRB Limited will always record the source of where personal data came from and ensure the source is compliant with UK privacy laws, including the UK GDPR.

8.4 If we need to keep a record of a mistake, we clearly identify it as a mistake, and add this to our records of processing for audit purposes and continuous improvement.

8.5 All of CSRB Limited’s records clearly identify any matters of opinion, and where appropriate whose opinion it is, and any relevant changes to the underlying facts.

8.6 CSRB Limited will comply with the individual’s right to rectification, and carefully consider any challenges to the accuracy of the personal data.

8.7 As a matter of good practice, we keep records of processing of any challenges to the accuracy of the personal data.

9.0 Storage Limitation and Deletion

9.1 CSRB Limited will not keep personal data for any longer than is necessary to fulfil the original stated purpose for the processing of such personal data.

9.2 CSRB Limited will only keep personal data for the period outlined to meet the requirements of the contract, legal obligation, or legitimate interest identified.

9.3 Any retention of personal data will be carried out in compliance with legal, professional body, and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation, regulations, or requirements.

9.4 CSRB Limited acknowledges that UK privacy legislation does not determine how long personal data needs to be kept. This is up to the data controller to determine and document accordingly at the earliest possible opportunity.

9.5 CSRB Limited has a personal data retention policy in place, which documents the types of record or information we hold, what we use it for and how long we intend to keep it.

9.6 CSRB Limited periodically reviews the personal data we hold, and erases or anonymises it, when we no longer need to process it for the original purpose.

9.7 CSRB Limited also considers any challenges to the retention of personal data. We understand that individuals have a right to erasure if we no longer need the personal data.

9.8 CSRB Limited acknowledges there are exceptions to retention periods. Here we can keep personal data for longer if we are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. We would always inform you if this was the case, along with our lawful basis for retention.

9.9 When CSRB Limited is provided with an instruction to destroy data it must be destroyed irretrievably either in paper or electronic formats. Paper records will be destroyed by an approved contractor who can provide evidence of destruction and a certificate of destruction. CSRB Limited will retain this certificate.

9.10 CSRB Limited also has secure destruction procedures and processes for any of the devices it has used for the storage of personal data. CSRB Limited will retain evidence of any equipment destruction and will confirm that the destruction is beyond any prospect of retrieving data stored within the device.

10.0 Data Transfer and Confidentiality (Security)

10.1 CSRB Limited will undertake an analysis of the risks presented by our personal data processing and use this to assess the appropriate level of security we need to put in place. We review our Business Continuity Plan (BCP) annually.

10.2 CSRB Limited will make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.

10.3 CSRB Limited conducts regular testing and reviews of our measures to ensure they remain effective, and acts upon the results of those tests where they highlight areas for improvement.

10.4 Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism, such as the Cyber Essentials certification, and additional quality standards.

10.5 We ensure that any data processor we use also implements appropriate technical and organisational measures.

10.6 CSRB Limited does not use tracking cookies on our website to track user behaviour and/or improve site experience. The UK GDPR and PECR interpret data collected by cookies as personal. They prohibit the collection of personal data without consent, which means a website is only allowed to collect information that the user voluntarily inputs. This includes name, email address, phone number, or any other information that the user shares with the website. The cookie consent must be freely given, specific, informed, and unambiguous.

11.0 Accountability

11.1 Accountability is one of the UK GDPR data processing principles. CSRB Limited takes our responsibility for complying with the UK GDPR very seriously, as documented by this privacy notice.

11.2 CSRB Limited has put in place several measures that we can, and in some cases must take, including:

  • adopting and implementing data protection policies and procedures;

  • taking a ‘data protection by design and default’ approach;

  • putting written contracts in place with those whose personal data we control and process;

  • maintaining documentation of our processing activities;

  • implementing appropriate online security measures;

  • recording and, where necessary, reporting personal data breaches;

  • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;

  • ensuring all CSRB Limited associates receive annual UK GDPR and privacy legislation training;

  • appointing a data protection officer; and

  • adhering to relevant codes of conduct and signing up to certification schemes (where applicable).

11.3 CSRB Limited understands that accountability obligations are ongoing. We review and, where necessary, update the measures we have put in place. For example, we continually enhance our privacy management framework, as this can help embed our accountability measures and create a culture of privacy across our organisation.

11.4 CSRB Limited understands that being accountable can help build trust with individuals and may help mitigate any gaps in compliance, and thus any potential regulatory enforcement action.

11.5 If you have any questions or concerns about how we process and protect your personal data that are not covered in this privacy notice, please contact CSRB Limited by telephone on 0117 325 0830 or via email at dpo@csrb.co.uk.