1. Who is responsible for your personal data?
CCC is responsible for your personal data. “CCC” or “the CCC group of companies” comprises of Sean Louis Investments Ltd, City Centre Commercials Ltd, City Centre Commercials Waste Ltd & Simonswood Properties Ltd. The expression “CCC Entity” means any one of these companies. In circumstances where a CCC Entity is providing services to you, your data will be controlled by the CCC Entity that is providing those services.
2. Which personal data do we collect?
The personal data we collect may include:
Contact information, such as your name, job title, postal address, including your home address, where you have provided this to us, business address, telephone number, mobile phone number, fax number and email address;
Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers, bank account numbers and sort codes and other related billing information;
Further business information necessarily processed in a contractual relationship with CCC or voluntarily provided by you, such as instructions given, payments made, requests etc.
Information collected from publicly available resources, databases and credit reference agencies;
If legally required for compliance purposes, information about relevant and significant litigation or other legal proceedings against you or a third party related to you and interaction with you which may be relevant for antitrust purposes?
3. How do we collect your personal data?
We may collect personal data about you in a number of circumstances, including
When you or your business engages us to provide services;
When you or your business browse, make an enquiry or otherwise interact with us on our website or by telephone;
When we attend your premises to provide services;
When we or the vehicles or plant we operate are in close proximity to you;
When you or your business offer to provide or provide services to us.
4. Are you required to provide personal data?
As a general principle, you will provide us with your personal data entirely voluntarily; there are generally no detrimental effects for you if you choose not to consent or to provide personal data. However, there are circumstances in which CCC cannot take action without certain of your personal data, for example, because this personal data is required to provide you with services, process your requests or deal with queries or complaints connected with our services or provide you with access to web portals or newsletters. In these cases, it will unfortunately not be possible for us to provide you with what you request without the relevant personal data and we will notify you accordingly.
5. For which purposes will we use your personal data?
We may use your personal data for the following purposes (“Permitted Purposes”):
Providing services you may have requested, including on-line services as requested by you or your business;
Managing and administering your or your business’s relationship with CCC, including processing payments, accounting, auditing, billing and collection, support services;
Compliance with our legal obligations (such as record-keeping obligations), compliance screening or recording obligations (e.g. for anti-money laundering, financial and credit check and fraud and crime prevention and detection purposes), which may include automated checks of your contact data or other information you provide about your identity and contacting you to confirm your identity;
To analyse and improve our services and communications to you;
Protecting the security of and managing access to our waste facilities, premises, plant, vehicles and equipment, IT and communication systems, online platforms, websites and other systems, preventing and detecting security threats, fraud or other criminal or malicious activities;
For insurance purposes including dealing with claims made against or by CCC which CCC may pass to its insurers, insurance claims handlers, loss adjusters or legal advisers;
For monitoring and assessing compliance with our policies and standards;
To identify persons authorised to trade on behalf of our customers or suppliers;
To comply with our legal and regulatory obligations including reporting to and/or being audited by regulatory bodies;
To comply with court orders and exercise and/or defend our legal rights;
To investigate and respond to complaints; and
For any purpose related and/or ancillary to any of the above or any other purpose for which your personal data was provided to us.
Where you have expressly given us your consent, we may process your personal data also for the following purposes:
Communicating with you through the channels you have approved to keep you up to date on industry developments, announcements, and other information about CCC and the services CCC provides, (including newsletters and other information) as well as or Customer surveys, marketing campaigns, market analysis, sweepstakes, contests or other promotional activities or events; or
Collecting information about your preferences to create a user profile to personalise and foster the quality of our communication and interaction with you (for example, by way of newsletter tracking or website analytics).
With regard to marketing-related communication, we will – where legally required – only provide you with such information after you have opted in and provide you with the opportunity to opt-out anytime if you do not want to receive further marketing-related communication from us. We will not use your personal data for taking any automated decisions affecting you or creating profiles other than described above.
6. What is the legal basis that permits us to use your personal data?
Depending on which of the above Permitted Purposes we use your personal data for, we may process your personal data on one or more of the following legal grounds:
Because processing is necessary for the performance of a contract with you or your business;
To comply with our legal obligations (e.g. to keep records for tax purposes); or because processing is necessary for purposes of our legitimate interest or those of any third party recipients that receive your personal data, provided that such interests are not overridden by your interests or fundamental rights and freedoms.
In addition, the processing may be based on your consent where you have expressly given that to us.
7. With whom will we share your personal data?
We may share your personal data in the following circumstances:
We may share your personal data between the CCC Entities on a confidential basis where required for the purpose of providing services and for administrative, billing and other business purposes.
If we have collected your personal data in the course of providing services to your business, we may disclose it to that business or others in that business, and where permitted by law to others for the purpose of providing those services;
We may share your personal data with any third party to whom we assign or novate any of our rights or obligations;
We may share your personal data with courts, law enforcement authorities, regulators or legal advisers or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
CCC will retain control over and will remain fully responsible for your personal data and will use appropriate safeguards as required by the applicable law to ensure the integrity and security of your personal data when engaging such service providers;
We may also use aggregated personal data and statistics for the purpose of monitoring website usage in order to help us develop our website and our services.
Otherwise, we will only disclose your personal data when you direct us or give us permission when we are required by applicable law or regulations or judicial or official request to do so, or as required to investigate actual or suspected fraudulent or criminal activities.
8. Personal data about other people which you provide to us
If you provide personal data to us about someone else (such as one of your directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this Privacy Statement. In particular, you must ensure the individual concerned is aware of the various matters detailed in this Privacy Statement, as those matters relate to that individual, including our identity, how to contact us, our purposes of collection, our personal data disclosure practices (including disclosure to overseas recipients), the individual’s right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided (such as our inability to provide services).
9. Keeping personal data about you secure
We will take appropriate technical and organisational measures to keep your personal data confidential and secure in accordance with our internal procedures covering the storage, disclosure of and access to personal data. Personal data may be kept on our personal data technology systems, those of our contractors or in paper files.
10. Updating personal data about you
If any of the personal data that you have provided to us changes, for example, if you change your email address or if you wish to cancel any request you have made of us, or if you become aware we have any inaccurate personal data about you, please let us know by sending an email to email@example.com
We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete Personal Data that you provide to us.
12. For how long do we keep your personal data?
Your personal data will be deleted when it is no longer reasonably required for the Permitted Purposes or you withdraw your consent (where applicable) and we are not legally required or otherwise permitted to continue storing such data. We will, in particular, retain your personal data where required for Biffa to assert or defend against legal claims until the end of the relevant retention period or until the claims in question have been settled.
13. Your rights
Subject to certain legal conditions, you have the right to request a copy of the personal data about you which we hold, to have any inaccurate personal data corrected and to object to or restrict our using your personal data. You may also make a complaint if you have a concern about our handling of your personal data.
If you wish to do any of the above please send an email to firstname.lastname@example.org. We may request that you prove your identity by providing us with a copy of a valid means of identification in order for us to comply with our security obligations and to prevent unauthorised disclosure of data. We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your data, and for any additional copies of the personal data, you request from us.
14. Review of this Statement
This Privacy Statement was last updated in August 2018. We reserve the right to update and change this Privacy Statement from time to time in order to reflect any changes to the way in which we process your personal data or changing legal requirements. In case of any such changes, we will post the changed Privacy Statement on our website or publish it otherwise. The changes will take effect as soon as they are posted on this website.
15. How to get in touch with CCC
If you would like to contact us with any queries or comments regarding this Privacy Statement please send an email to email@example.com or send a letter to The Managing Director, CCC, Tower House, Stopgate Lane, Simonswood Industrial Park, West Lancashire. L33 4XY
GENERAL DATA PROTECTION REGULATION (GDPR)
We issue this privacy notice in the interests of transparency over how we use (“process”) the personal data that we collect from job applicants/employees (“you”).
Personal data for these purposes means any information relating to an identified or identifiable person.
“Sensitive personal data” means personal data consisting of information as to –
a) the racial or ethnic origin of the individual,
b) their political opinions,
c) their religious or philosophical beliefs,
d) their membership of a trade union,
e) their physical or mental health or condition,
f) their sexual life,
g) the commission or alleged commission by them of any offence,
h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings,
i) genetic data; and
j) biometric data where processed to uniquely identify a person (for example a photo in an electronic passport)
For data protection purposes the “data controller” means the person or organisation who determines the purposes for which and the manner in which any personal data are processed.
The data controller is the Director
PURPOSE OF PROCESSING THE DATA
It is necessary for us to process personal data of both job applicants and employees for the following reasons:
1. We will need the information in order to identify the individual for the purposes of recruitment;
2. We will need to maintain that information for the general purposes of the ongoing employment relationship including performing the employment contract and maintaining the health and safety of individuals on our premises.
Our legal basis for processing personal data of applicants and staff is that:
1. Processing the personal data is necessary for the purpose of carrying out the employment contract or to take steps to enter into an employment contract;
2. Processing is necessary to comply with a legal obligation (for example we are obliged under employment law to include in a written statement of employment terms the identity of the parties to the employment contract);
3. Processing the data is necessary to protect the vital interests of an individual (for example we are legally responsible for the health and safety of staff and job applicants (when they are on our premises) and so it is necessary to process data relating to those individuals for that reason); and/or
4. Processing the data is necessary for the purposes of our “legitimate interests” as the data controller (except where such interests are overridden by the interests, rights or freedoms of the individual).
Our “legitimate interests” for these purposes are:
1. the need to process data on applicants and staff for the purposes of assessing suitability for employment and then carrying out the employment contract;
2. the need to gather data for the purposes safeguarding the health and safety of job applicants and employees;
3. the need to transfer employee data intra-group for administrative purposes; and
4. the need to process employee data for the purposes of ensuring network and information security.
We may from time to time need to process sensitive personal data, for example, medical records or other information relating to the health and wellbeing of an individual.
In that case, we will either obtain the explicit consent of the individual to the processing of such data or we may consider the processing of that data as being necessary for carrying out our obligations as an employer. That will be assessed on a case by case basis.
There is no strict statutory or contractual requirement for you to provide data to us but if you do not provide at least that data that is necessary for us to assess suitability for employment and then to conduct the employment relationship then it will not practically be possible for us to employ you.
RECIPIENTS OF PERSONAL DATA
Your personal data may be received by the following categories of people:
1. Our HR department;
2. In the case of job applicants, the interviewer and prospective manager;
3. Any individual authorised by us to maintain personnel files;
4. Our professional advisers; and
5. Appropriate external regulators and authorities (such as HMRC and HSE)
We do not envisage that your data would be transferred to a third country. If we perceive the need to do that we would discuss that with you and explain the legal basis for the transfer of the data at that stage.
DURATION OF STORAGE OF PERSONAL DATA
We will keep personal data for no longer than is strictly necessary, having regard to the original purpose for which the data was processed. In some cases, we will be legally obliged to keep your data for a set period. Examples are below:
Income tax and NI returns, income tax records and correspondence with HMRC: We are obliged to keep these records for not less than 3 years after the end of the financial year to which they relate.
Wage and salary records: We are obliged to keep these records for 6 years.
YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
1. The right to be forgotten
You have the right to request that your personal data is deleted if:
a) it is no longer necessary for us to store that data having regard to the purposes for which it was originally collected; or
b) in circumstances where we rely solely on your consent to process the data (and have no other legal basis for processing the data), you withdraw your consent to the data being processed; or
c) you object to the processing of the data for good reasons which are not overridden by another compelling reason for us to retain the data; or
d) the data was unlawfully processed; or
e) the data needs to be deleted to comply with a legal obligation.
However, we can refuse to comply with a request to delete your personal data where we process that data:
a) to exercise the right of freedom of expression and information;
b) to comply with a legal obligation or the performance of a public interest task or exercise of official authority;
c) for public health purposes in the public interest;
d) for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
e) the exercise or defence of legal claims.
2. The right to data portability
You have the right to receive the personal data which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (us) where:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
Note that this right only applies if the processing is carried out by “automated means” which means it will not apply to most paper-based data.
3. The right to withdraw consent
Where we process your personal data in reliance on your consent to that processing, you have the right to withdraw that consent at any time. You may do this in writing to your line manager.
4. The right to object to processing
Where we process your personal data for the performance of a legal task or in view of our legitimate interests you have the right to object on “grounds relating to your particular situation”. If you wish to object to the processing of your personal data you should do so in writing to your line manager stating the reasons for your objection.
Where you exercise your right to object we must stop processing the personal data unless:
• we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
• the processing is for the establishment, exercise or defence of legal claims.
5. The right of subject access
So that you are aware of the personal data we hold on you, you have the right to request access to that data. This is sometimes referred to as making a “subject access request”.
6. The right to rectification
If any of the personal data we hold on you is inaccurate or incomplete, you have the right to have any errors rectified.
Where we do not take action in response to a request for rectification you have the right to complain about that to the Information Commissioner’s Office.
7. The right to restrict processing
In certain prescribed circumstances, such as where you have contested the accuracy of the personal data we hold on you, you have the right to block or suppress the further processing of your personal data.
8. Rights related to automated decision making and profiling
The GDPR defines “profiling” as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular, to analyse or predict:
• performance at work;
• economic situation;
• personal preferences;
• location; or
You have the right not to be subject to a decision when it is based on automated processing; and it produces a legal effect or a similarly significant effect on you.
However, that right does not apply where the decision is necessary for purposes of the performance of a contract between you and us. We may use data related to your performance or attendance record to make a decision as to whether to take disciplinary action. We consider that to be necessary for the purposes of conducting the employment contract. In any event that is unlikely to be an automated decision in that action will not normally be taken without an appropriate manager discussing the matter with you first and then deciding whether the data reveals information such that formal action needs to be taken. In other words, there will be “human intervention” for the purposes of the GDPR and you will have the chance to express your point of view, have the decision explained to you and an opportunity to challenge it.
Complaints – Where you take the view that your personal data is processed in a way that does not comply with the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then inform you of the progress and outcome of your complaint. The supervisory authority in the UK is the ICO.