This Privacy Notice is v2.1 and is valid from 00:01hrs on 26 May 2019. It replaces and supersedes all other Privacy Notices associated with CSS Assure.
Changes to this Privacy Notice.
We continually review our Privacy Notice and update it where necessary. We advise that you regularly check our Privacy Notice for updates. We do not wish to bother you with lots of minor amendments, but where we make significant changes to our policy, we shall contact you to inform you.
Our Name & Contact Details.
The Data Controller of your personal data is CSS Assure. CSS Assure is a trading style of Cyber Security Strategies Limited. This means that CSS Assure decides how your personal data is processed and for what purposes. Our contact details are:
Data Protection Officer Contact Details.
In observance of the General Data Protection Regulation and the Data Protection Act 2018, CSS Assure have chosen to establish a Data Protection Officer. Should you wish to contact our Data Protection Officer regarding a data protection matter you can do so by emailing [email protected] or writing to:
Data Protection Officer
For what purposes do we process personal data, and what are the lawful bases by which we process data?
CSS Assure processes your Personal Data for the following purposes:
|For What Purposes Do We Process Personal Data? “CSS Assure processes your data to…”||What is the lawful basis by which we process the data?|
|Communicate with clients to fulfil, administer or enforce contractual obligations via email, telephone, SMS text, postal mail and push notifications;||Contract|
|Communicate with customers where we have your consent to do so via email, telephone, SMS text, postal mail and push notifications;||Consent|
|Communicate with clients on matters where we have a legal obligation to do so via email, telephone, SMS text, postal mail and push notifications;||Legal Obligation|
|Communicate with clients on matters where we have a legitimate Interest to do so (see legitimate interest section below), via email, telephone, SMS text, postal mail and push notifications;||Legitimate Interest|
|Inform existing clients about CSS Assure’s new products and services;||Legitimate Interest|
|Request specific consent to share information about specific aligned/similar products/services with specific fulfilment partners;||Legitimate Interest|
|Broker commercial relationships between database owners with aligned/similar product providers or vice-versa;||Consent|
|Verify the identity of individuals where necessary including for Subject Access Requests (SAR);||Legitimate Interest|
|Fulfil our SAR as a Service (SARaaS) service;||Legitimate Interest|
|Update clients about significant changes to our Privacy Notice via email, telephone, SMS text, postal mail;||Legal Obligation|
|Update clients about changes to how we process their personal data and/or new processing activities via email, telephone, SMS text, postal mail;||Legal Obligation|
|Gather feedback for service and product improvement via email, telephone, SMS text, postal mail;||Legitimate Interest|
|Share testimonials, case studies and feedback on CSS Assure on website and future marketing;||Consent|
|Resolve complaints and/or disputes;||Legitimate Interest|
|Request continuation of Consent prior to consent expiry;||Consent|
|Collect payments or arrears should we have the need to do so;||Legitimate Interest|
|Protect our organisation, staff, associates, suppliers, partners and clients;||Legitimate Interest|
|Prevent, detect and investigate fraud;||Legal Obligation|
|Prevent, detect and investigate crime;||Legal Obligation|
|Comply with the law;||Legal Obligation|
|Fulfil our statutory or regulatory obligations;||Legal Obligation|
|Maintain our own accounts and records;||Legal Obligation|
|For reporting, analytics and product/service improvement (including training);||Legitimate Interest|
|Improve and maintain data accuracy or completeness;||Legitimate Interest|
|Track your email engagement;||Legitimate Interest|
|Personalise your online experience;||Legitimate Interest|
|Conduct market research.||Legitimate Interest|
What are our legitimate interests for processing your data?
Where we have used legitimate interest as the lawful basis for processing your personal data, we may use your personal data to:
- Direct market products and services to you via post, emails, telephone, SMS text and push notifications where they are similar/aligned to our current products and services;
- Maintain our own accounts and records, including recording any contact we have with you via post, emails, telephone, SMS text and push notifications;
- Prevent, detect and investigate fraud;
- Prevent, detect and investigate crime;
- Fulfil our statutory or regulatory obligations;
- Reporting, analytics and product/service improvement (including internal training);
- Resolve complaints and/or disputes;
- Improve data accuracy or completeness;
- Track your email engagement;
- Personalise your online experience. This could include customising the content and/or layout of our pages for individual users, for both visitors and contributors;
- Conduct market research. Including research on the demographics, interests and behaviour of our customers in order to help us gain a better understanding of different audiences and enable us to improve our service. This research may be carried out internally by our employees or we may ask another company to do this work for us. Data will be anonymised to protect your data rights for research purposes.
- Verify staff suitability and experience for employment.
- Verify eligibility to work in the UK.
Sharing your personal data
CSS Assure may choose to share your personal data internally and/or share/sell your personal data externally to the business. Where we choose to share/sell your information, we shall do so for the following reasons:
- Where we have your “Consent” to do so. Where we process your data under the consent lawful basis you have the right to withdraw consent. Please refer to “Your Right to Withdraw Consent” section below;
- Where necessary to fulfil the services and/or products we are “Contracted” to provide to you;
- Where we have a “Legal Obligation” and are required by law to do so, including to law enforcement agencies, judicial bodies, government entities, tax authorities or regulating bodies around the world; this includes communicating with you to update you about our privacy notice and changes to how we process your personal data;
- Where we have “Legitimate Interest” to do so, including:
- For the purposes listed in the “What are our legitimate interests for processing your data?” section above.
- For reporting, analytics and service improvement purposes across our trading styles and/or within any future group construct should CSS Assure establish or become part of a group.
- Where one of our registered trading styles and/or current associated businesses provides a product or service similar/aligned with our organisation’s aim to help clients maximise the potential of their data in a fair, lawful and transparent manner that we do not currently provide ourselves. Presently these include:
- Churchill Sloan Ltd;
- White Collar Management Ltd;
- Red Star Financial Management Ltd;
- Lead the Way (UK) Ltd.
- Where an external 3rd Party, with whom we are yet to have a relationship, provides a product or service that we do not currently provide ourselves, and which we reasonably believe would be of benefit to you and you would reasonably expect to receive and is similar/aligned to our organisation. In this case we would contact you using Legitimate Interest to request specific Consent to share your personal data.
- Where we believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites;
- Where required for a proposed sale; reorganisation; transfer; financial arrangement; asset disposal; or any other transaction relating to our business and/or assets held by our organisation.
- Where we outsource support functions of our organisations to trusted partners. The categories of these recipients include:
|Categories||Who we use||What is the lawful basis by which we process the data?|
|Payment service providers||Stripe||https://stripe.com/gb/privacy|
|Order fulfilment service providers||Woo Commerce||https://automattic.com/privacy/|
|Website chat support providers||Drift||https://www.drift.com/privacy-policy/|
|Web analytics service providers||Google Analytics||https://policies.google.com/technologies/partnersites?hl=en-US|
|Social Media Provider||https://www.linkedin.com/legal/privacy-policy|
|Customer Relationship Management System||PipeDrive||https://www.pipedrive.com/en/privacy|
|Legal support providers;||Tozers Solicitors LLP||https://www.tozers.co.uk/privacy/|
|Associate Time Tracking Service||Harvest||https://www.getharvest.com/privacy-policy|
|Human resources support providers (staff only);||Trust Mr Finch||https://www.trustmrfinch.com/privacy-policy/|
|Data Accuracy Support Provider||UK Search||TBC|
|Debt collection support providers;||UK Search||TBC|
|Medical and health providers (staff only);||TBC||TBC|
|IT support providers;||Not presently used; although, we may choose to do so in the future||N/A|
|Mail support providers||Not presently used; although, we may choose to do so in the future||N/A|
|Call centre support providers;||Not presently used; although, we may choose to do so in the future||N/A|
|Feedback/review service providers;||Not presently used; although, we may choose to do so in the future||N/A|
|Research agencies;||Not presently used; although, we may choose to do so in the future||N/A|
|Auditing firms;||Not presently used; although, we may choose to do so in the future||N/A|
|Credit reference agencies;||Not presently used; although, we may choose to do so in the future||N/A|
|Travel management support providers (staff only);||Not presently used; although, we may choose to do so in the future||N/A|
|Training and learning providers (staff only);||Not presently used; although, we may choose to do so in the future||N/A|
|Perk providers (staff only)||Not presently used; although, we may choose to do so in the future||N/A|
Where we choose and/or have your permission to share/sell your personal data with 3rd Parties we will, where appropriate, ensure that they have signed a contract that requires them to:
- Abide by the requirements of all relevant data protection and privacy legislation;
- Treat your information as carefully as we would;
- Only use the information for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation); and
- Allow us to carry out checks to ensure they are doing all these things.
International Personal Data Transfer – Countries & Organisations.
CSS Assure does transfer personal data to countries outside of the UK. These countries include the Isle of Man, France, Spain, Macedonia and South Africa.
The Isle of Man, France and Spain are covered by the GDPR. Macedonia and South Africa do not currently have an EU or UK Adequacy Agreement. CSS Assure has put in place an ICO endorsed Safeguard contract with the Data Controller or Data Processor within the Country which contractually obliges them to protect your information to the same standard required by the General Data Protection Regulation.
Personal Data Retention Period
CSS Assure has the following data retention policies:
- Where a Regulating Body directs a statutory retention period, we shall retain the relevant data for the statutory period. For example, your financial transactions data shall be retained for 7 years;
- Where you have purchased, or enquired about purchasing, a CSS Assure product or services, we shall retain any personal details applicable to the contract delivery for a period of 7 years (name, email, telephone, postal address). During this time, we may contact you using legitimate interest to market additional products or services.
- Where you have downloaded free content from our site, we shall retain your contact details (name, email, mobile telephone number, company, job title) for a period of 7 years. During this time, we may contact you using legitimate interest to market similar free content that may be of interest to you;
- Where you have signed up to receive information emails from CSS Assure, we shall retain your contact details (name, email, mobile telephone number, company, job title) for 7 years, or until you withdraw your consent.
When we no longer need this information, we will erase or anonymise your data and/or dispose of it securely.
The rights available to individuals in respect of the processing
Unless subject to an exemption under legislation, you have the following rights with respect to your personal data:
- Your right of access. You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about your Right to Access here. In most cases CSS Assure will not charge for this service; however, we do have the right to charge an administrative cost should we feel the request is excessive (excessive means that you submit a subject access request multiple times for the same or similar information). Fees will not exceed £50. Information will be provided within 30 calendar days from the day you request it. We will take all reasonable steps to verify your identity before providing you with details of any personal information we may hold about you.
- Your right to rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about your Right to Rectification here.
- Your right to erasure. You have the right to ask us to erase your personal information in certain circumstances. You can read more about your Right to Erasure here.
- Your right to the restriction of processing. You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about your Right to the Restriction of Processing here.
- Your right to object to processing. You have the right to object to processing if we are able to process your information because the process forms part of our public task, or is in our legitimate interests. You can read more about your Right to Object to Processing here.
- Your right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about your Right to Data Portability here.
If you wish to exercise any of your individual rights, you can do so by informing a member of our team or by contacting our Data Protection Officer by emailing [email protected], or writing to:
Data Protection Officer
Automated decision-making, including profiling.
CSS Assure does not currently use automated decision-making tools or profiling in the processing of your personal data.
Your Right to Lodge a Complaint with the ICO
You have the right to lodge a complaint with the UK’s Supervising Authority: The Information Commissioner’s Office. Prior to lodging a complaint, CSS Assure would like the opportunity to address any complaint you may have.
Should you have a complaint, please in the first instance contact our Data Protection Officer by emailing [email protected], or writing to:
Data Protection Officer
If your complaint has not been resolved, you can lodge a complaint with the Information Commissioner’s Office via email https://ico.org.uk/global/contact-us/email/ or by writing to:
Information Commissioner’s Office
Or by telephone on 0303 123 1113.