PRIVACY & DATA PROTECTION POLICY – CAPEX MARKETING
If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the end of this policy.
CONTROLLING YOUR PERSONAL INFORMATION
You may choose to restrict the collection or use of your personal information at any time by emailing us at email@example.com.
You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (“the TPS”), the Corporate Telephone Preference Service (“the CTPS”), and the Mailing Preference Service (“the MPS”). These may help to prevent you receiving unsolicited marketing. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receiving.
CAPEX Marketing LTD is registered in England and Wales under company number 10544963. Our registered office is CAPEX Marketing LTD, 20-22 Wenlock Road, London, England, N1 7GU. Our business operations address is CAPEX Marketing LTD, North Warehouse, Gloucester Docks, Gloucester, GL1 2FB.
WHAT DATA WE COLLECT
We only collect data that you provide to us by completing a form on our website, sending us an email, calling via the telephone, or making an enquiry to us via a third party resource online or offline. In some cases, we may also collect data that is available within the public domain where it has a legitimate business use. We only store data that we have a specific and legitimate business purpose for.
As standard, this may include, but is not limited to:
- Email address
- Phone number
- First name
- Last name
- Organisation name
- Details of your enquiry
Where personal data is collected, its purpose will be made explicitly clear to you at the time of collection.
HOW WE USE DATA
We may use the data we collect for a range of reasons, including:
- Responding to your enquiry.
- To enter into a contract with you.
- To communicate with you about your account and provide support.
- To bill and collect money owed to us by you.
- To send you important system alert messages.
- To provide information to representatives and advisors, including accountants, to help us comply with legal, accounting, or security requirements.
- To meet legal requirements, including complying with appropriate legal mechanisms.
- To prosecute and defend a court, arbitration, or similar legal proceeding.
- To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- To carry out other legitimate and lawful business activities, about which we will notify you.
- Analysing your use of www.capexmarketing.com (our website) to enable us me to continually improve your user experience on our website.
- Only with your express permission and where permitted by law, we may also use your personal data to contact you with information and news about services.
We do not share your personal data with any third parties, subject to three exceptions:
- If in the course of managing your account and delivering our services to you, it became necessary to share your data with a third party supplier – such as an advertiser/publisher who is running an advertising campaign for your business – this would only be done so with your express written consent.
- To help us comply with legal and accounting requirements, we may need to provide information access to our advisors. For example: our accountants will require limited access to certain data to provide accounting services to us. In such cases, data access is limited and we will have obtained a statement of GDPR compliance from the third party in question prior to any transaction taking place.
- Under limited circumstances, we may be legally required to share certain personal data, to facilitate legal proceedings or comply with legal obligations, a court order, or the instructions of a government authority.
HOW WE STORE AND PROCESS DATA
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. All data we hold is encrypted and access is limited by password protection.
Any data you submit submitted is held in two places:
- Enquiries via the website are stored on an encrypted and password protected UK-based server.
The Company shall not keep personal data for any longer than is reasonably necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
OTHER STEPS WE TAKE TO PROTECT YOUR DATA DURING STORAGE AND PROCESSING
The Company shall ensure that the following measures are taken with respect to the storage and use of personal data:
- Internally, only team members with a specific and vital need as part of their role within the company will have access to the data we hold. In such cases, employees are trained in privacy and data protection policy and data access is only granted by consent of a company director.
- All hardcopies of personal data, along with any electronic copies stored on physical, removable media is stored securely in a locked box, drawer, cabinet, or similar.
- All personal data stored electronically is encrypted and password protected.
- No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of a Company Director and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and
- No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
IF YOU WANT COPIES OF YOUR DATA – SUBJECT ACCESS REQUEST (SAR)
Under data protection law, you are entitled to make a subject access request (SAR) at any time to find out more about the personal data we hold on you (if any), how we are using it and why.
The response time for a SAR request is one month. However, this may be extended by up to two additional months for complex requests.
There is no fee for the handling of a single SAR request by a data subject (you). However, we do reserve the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
YOUR RIGHT TO BE FORGOTTEN
You have the right to ask us to delete or otherwise dispose of any of your personal data that we have. Should you wish to do so, please contact us using the details at the bottom of this policy.
OUR DATA BREACH PROCEDURES
In the event of a data breach, such as a hack of our systems, or loss of physical documents, our Data Protection Officer (DPO) Joseph Cox, will be immediately notified. The DPO will then make a detailed record of the event and, where applicable and appropriate, notify the data subjects and Information Commissioners Office (ICO) within 72 hours.
Data breach notifications will include the following information:
- The categories and approximate number of data subjects concerned;
- The categories and approximate number of personal data records concerned;
- The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);
- The likely consequences of the breach;
- Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
LINKS TO OTHER WEBSITES
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites as such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
HOW WE CONDUCT DATA PROTECTION ASSESSMENTS FOR NEW PROJECTS OR ENDEAVOURS
CAPEX Marketing Ltd shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data.
Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:
- The type(s) of personal data that will be collected, held, and processed.
- The purpose(s) for which personal data is to be used.
- The Company’s objectives.
- How personal data is to be used.
- The parties (internal and/or external) who are to be consulted.
- The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed.
- Risks posed to data subjects.
- Risks posed both within and to the Company; and
- Proposed measures to minimise and handle identified risks.
FAIR PROCESSING NOTICE
In the event that CAPEX Marketing Ltd is sold, the new owners shall own all company data lawfully collected and stored, and they shall continue to use the data for the same purposes only, in accordance with this policy and the law.
IMPLEMENTATION OF THIS POLICY
This Policy shall be deemed effective as of 19TH May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
CHANGES TO THIS POLICY
HOW TO CONTACT US
To contact us about data protection, please use the following details:
- Email: firstname.lastname@example.org
- Phone: 01452 234115
- Postal address: CAPEX Marketing LTD, North Warehouse, Gloucester Docks, Gloucester, GL1 2FB
MORE INFORMATION ABOUT DATA PROTECTION PRINCIPLES
The above policy aims to be compliant with the General Data Protection Regulation (GDPR). The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.