We treat your data seriously. Below we set out our revised policy, which explains what data we need and how we use that data to supply our goods and services. It details what we do with that data, how we store it and how long we keep it. It sets out your rights to view, amend and remove your data, and it lets you know how to contact us regarding your data.
If you have any queries regarding our Policy contact us at
Centurion Signs UK Ltd is committed to protecting your privacy and maintaining the security of any personal information received from you. We strictly adhere to the requirements of the GDPR legislation in the UK.
Information we need
When you buy goods or services from us we need to know basic personal information, which does not include any special categories of information. This allows us to fulfil your order and manage any ongoing contract. You have the option to withhold personal information that is not required for the order process.
Why we hold personal information
We collect information about you to manage your account for the purposes of providing the goods and services you have ordered. We will not share your information for marketing purposes with any third-party companies.
The following personal data may be collected, held and processed by the Company:
Current and former employees: personal data held is required for administering payroll under HMRC requirements, in line with the employment contract, and for daily staff management; no sensitive personal data is held.
Recruitment data: held for a brief period of time to facilitate the recruitment process.
Customer data: necessary information held for daily administration.
Supplier data: necessary information held for daily administration.
Marketing data: held for direct marketing.
Basic client employee data: necessary data held for the provision of the software.
What we do with your personal information
All the personal data we process is processed by our staff in the UK. We follow strict security procedures in the storage and disclosure of information which you have given us, to prevent unauthorised access in accordance with UK data protection legislation. In order to maintain the accuracy of our database, you can check, update or remove your personal details by emailing us at email@example.com. We do not sell, rent or exchange your personal information with any third party, except to help prevent fraud or if required to do so by law.
How long we hold personal information
We are required under UK tax law to keep your basic personal data (name, address, contact details) for up to 6 years, after which time it will be destroyed. Information we use for marketing purposes will be kept until you notify us that you no longer wish to receive this information.
Introduction to our Data Protection Policy
This policy sets out the obligations of Centurion Signs UK Ltd regarding data protection and the rights of customers regarding their personal data under the General Data Protection Regulation. Personal data means any information relating to an identified or identifiable natural person, the data subject. An identifiable natural person is someone who can be identified directly or indirectly, particularly by their name, identification number, location, online identifier or other factors such as the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This document details the processes which must be followed when personal data is handled by the Company, its employees, agents, contractors or other parties working on its behalf. The Company is committed to the letter and spirit of the law, placing high importance on the correct, lawful and fair handling of all personal data, and respecting the legal rights, privacy and trust of the people with whom it deals.
Data Protection Principles
The Company aims to ensure compliance with the GDPR by following the principles with which any party handling personal data must comply. Under these principles, personal data must be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful, Fair and Transparent Data Processing
GDPR requires that personal data is processed lawfully, fairly and transparently, without adversely affecting the data subject’s rights. Processing will be classed as lawful if one of the following applies:
Consent: the individual has given clear consent for the Company to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract the Company has with the individual, or because they have asked the Company to take specific steps before entering into a contract.
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for the Company’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply to a public authority processing data to perform its official tasks.)
To ensure fair and transparent data processing the Company must be open and honest about its identity. The Company must tell people how it intends to use and handle any personal data it collects about them (unless this is obvious) in ways they would reasonably expect. Above all, the Company must not use information in ways that unjustifiably have a negative effect on data subjects.
Process – Specified, Explicit & Legitimate Purpose
The concept of legitimate interests as a lawful basis for processing is based on three key principles: purpose, necessity and balancing. Processing is necessary for the purposes of the legitimate interests pursued by Centurion Signs UK Ltd or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The personal data collected and processed may be received directly from data subjects or from third parties. The Company only processes personal data for the specific purposes set out in this Policy (or for other purposes expressly permitted by GDPR). Data subjects will be informed of the purposes for which we process their personal data at the time their personal data is collected, where it is collected directly from them, or as soon as possible (not more than one calendar month) after collection where it is obtained from a third party.
Adequate, Relevant and Limited Data Processing
The Company will only collect and process personal data for the specific purpose(s) notified to data subjects. We will not hold any more information than is required.
Accuracy of Data and Keeping Data Up To Date
The Company will take reasonable steps to ensure the accuracy of any personal data held. We will ensure that the source of any personal data is made clear to the data subject and will carefully consider any challenges to the accuracy of information and whether it is necessary to update the information. The accuracy of data shall be checked when it is collected and at intervals.
Personal Data Retention
Centurion Signs UK Ltd shall not keep personal data for any longer than is necessary for the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay. The Company will regularly review the personal data held and delete anything that is no longer needed. Information that does not need to be accessed regularly, but which still needs to be retained, will be safely archived or put offline. Generally, retention periods follow HMRC guidelines and data will be removed after 6 years. However, we take account of any professional rules or regulatory requirements that apply.
The Rights of Individuals
GDPR gives individuals the following rights:
The right of access to a copy of the information comprised in their personal data.
The right to object to processing that is likely to cause or is causing damage or distress.
The right to prevent processing for direct marketing.
The right to object to decisions being taken by automated means.
The right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed.
The right to claim compensation for damages caused by a breach of the Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances. The accountability principle requires the Company to demonstrate compliance with the data protection principles and states explicitly that this is the Company’s responsibility. To demonstrate accountability we will:
Implement appropriate technical and organisational measures to ensure and demonstrate compliance, including internal data protection policies such as staff training, internal audits of processing activities and reviews of internal HR policies.
Maintain relevant documentation on processing activities.
Maintain documentation that meets the principles of data protection by design and data protection by default.
Provide details to the data subject on their personal data and how it is used and shared.
Create and improve security features on an ongoing basis.
Follow approved codes of conduct and/or certification schemes where appropriate.
Data Protection Impact Assessment
Data protection impact assessments will be carried out where appropriate and will be overseen by the DPO. We will ensure they are used when new technologies are introduced and where the processing is likely to result in a high risk to the rights and freedoms of individuals. Processing that is likely to result in a high risk includes (but is not limited to):
Systematic and extensive processing activities, including profiling, where decisions are taken that have legal effects or similarly significant effects on individuals.
Large scale processing of special categories of data or personal data relating to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level, that affects a large number of individuals and involves a high risk to rights and freedoms, e.g. based on the sensitivity of the processing activity.
Large scale, systematic monitoring of public areas (CCTV).
Right to be informed
The information provided to a data subject about the processing of their personal data must be concise, transparent, intelligible and easily accessible. It will be written in clear and plain language, particularly if addressed to a child, and will be provided free of charge. When personal data is collected directly from the data subject we will provide:
The identity and contact details of the controller.
The purpose of the processing and the lawful basis for the processing.
The legitimate interests of the controller or third party, where applicable.
Details of any recipient or categories of recipients of the personal data.
Details of transfers to third countries and the safeguards in place.
The retention period or the criteria used to determine the retention period.
The existence of each of the data subject’s rights.
The right to withdraw consent at any time, where relevant.
The right to lodge a complaint with a supervisory authority.
Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data.
The existence of automated decision making, including profiling, and information about how decisions are made, their significance and their consequences.
Right of Access
Under GDPR individuals have the right to obtain confirmation that their data is being processed, access to their personal data and any other supplementary information; this largely corresponds to the information provided in the privacy notice. This is so that data subjects can confirm the lawfulness of the processing. A charge will only be made if a request is manifestly unfounded or excessive, particularly if it is repetitive, or if requests for further copies of the same information are made; however, this does not mean charges can be made for all subsequent access requests. The fee is based on the administrative cost of providing the information. Information must be provided without delay and at the latest within one month of receipt. The period of compliance can be extended by a further two months where requests are complex or numerous. If this is the case, we must inform the individual within one month of receipt of the request and explain why the extension is necessary. We will verify the identity of the person making the request, using reasonable means. If the request is made electronically, we will reply by email. All subject access requests received must be forwarded to the Company’s data protection officer, Centurion Signs UK Ltd, 36/38 Carron Place, Kelvin Industrial Estate, East Kilbride, G75 0TS or to:
The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.
Right to Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If we have disclosed the personal data in question to third parties, we must inform them of the rectification where possible. We must also inform the individual about the third parties to whom the data has been disclosed, where appropriate. We must respond within one month. This can be extended by two months where the request for rectification is complex. Where we take no action in response to a request for rectification, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to seek a judicial remedy.
Right to Erasure
This is also known as ‘the right to be forgotten’. It does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances. If a data subject requests the right to be forgotten, the Company must comply in the following situations:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
Where the individual withdraws consent.
Where the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
Where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
Where the personal data has to be erased in order to comply with a legal obligation.
Where the personal data is processed in relation to the offer of information society services to a child.
Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger. We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
To exercise the right of freedom of expression and information.
To comply with a legal obligation, for the performance of a public interest task or exercise of official authority, or for the exercise or defence of legal claims.
For public health purposes in the public interest.
For archiving purposes in the public interest, scientific research, historical research or statistical purposes.
If we have disclosed the personal data in question to third parties, we must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Right to Restrict Personal Data Processing
We will restrict processing in the following circumstances:
Where an individual contests the accuracy of the personal data, or has objected to the processing; we will restrict the processing until we have verified the accuracy of the personal data.
Where processing is deemed unlawful and the individual opposes erasure and requests restriction instead.
Where we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Where these requests are made, we will only retain the personal data necessary and no further processing will take place. Any third parties to whom the personal data has been disclosed will be informed about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.
Right to Data Portability
The right to data portability only applies to personal data an individual has provided to a controller, where the processing is based on the individual’s consent or is for the performance of a contract, and when the processing is carried out by automated means. We will provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data. The information will be provided free of charge. If the individual requests it and it is technically feasible, we may be required to transmit the data directly to another organisation. If the personal data concerns more than one individual, we cannot provide the data on other individuals without their prior consent.
We will respond without undue delay, and within one month. This can be extended by two months where the request is complex or we receive a number of requests. We must inform the individual within one month of receipt of the request and explain why the extension is necessary. Where we are not taking action in response to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to seek a judicial remedy, without undue delay and at the latest within one month.
Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the legal right under the Regulation to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organisations).
Right to Object to Data Processing
Individuals must have an objection on grounds relating to their particular situation. If we receive a notification from a data subject we must stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims. We must inform individuals of their right to object at the point of first communication and in our privacy notice. This must be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
Centurion Signs UK Ltd does not intend to transfer personal data; however, there may be occasions where we may legally transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided by:
a legally binding agreement between public authorities or bodies;
binding corporate rules (agreements governing transfers made between organisations within a corporate group);
standard data protection clauses in the form of template transfer clauses adopted by the Commission;
standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
compliance with a code of conduct approved by a supervisory authority;
certification under an approved certification mechanism as provided for in the GDPR;
contractual clauses authorised by the competent supervisory authority; or
provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
A transfer, or set of transfers, may be made where the transfer is:
made with the individual’s informed consent;
necessary for the performance of a contract between the individual and the organisation, or for pre-contractual steps taken at the individual’s request;
necessary for the performance of a contract made in the interests of the individual between the controller and another person;
necessary for important reasons of public interest;
necessary for the establishment, exercise or defence of legal claims;
necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
Data subject: A data subject is a natural person. Examples of a data subject include an individual, a customer, a prospect, an employee, a contact person, etc.
Personal data: Any information relating to an identified or identifiable individual, whether it relates to his or her private, professional or public life. This can be anything from a name, photo, email address, bank details, posts on social networking sites, medical information or IP address, to a combination of data that directly or indirectly identifies the person.
Sensitive personal data: The GDPR refers to sensitive personal data as special categories of personal data. The special categories of data include racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
Data controller: Any organisation, person or body that determines the purposes and means of processing personal data, controls the data and is responsible for it, alone or jointly. Examples where the data controller is an individual include general practitioners, pharmacists and politicians, where these individuals keep personal information about their patients, clients, constituents, etc. Organisations of any kind can be data controllers, for profit or not for profit, private or government-owned, large or small, where those organisations keep personal information about their employees, clients, etc.
Data processor: A data processor processes data on behalf of the data controller. Examples include payroll companies, accountants and market research companies.
DPO: The appointment of a Data Protection Officer is obligatory if: (1) processing is carried out by a public authority; or (2) the core activities of a data controller or data processor either require the regular and systematic monitoring of data subjects on a large scale or consist of processing of special categories of data or data about criminal convictions on a large scale.
Accountability: Accountability is the ability to demonstrate compliance with the GDPR. The Regulation explicitly states that this is the organisation’s responsibility. In order to demonstrate compliance, appropriate technical and organisational measures have to be implemented. Best practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Consent: Consent is any freely given, specific, informed and unambiguous indication of the individual’s wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes. The affirmative action, or positive opt-in, means that consent cannot be inferred from silence, pre-ticked boxes or inactivity. It should also be separate from terms and conditions, and there should be a simple way to withdraw it. Public authorities and employers will need to pay special attention to ensure that consent is freely given. Existing consents do not have to be refreshed automatically in preparation for the GDPR, but they have to meet the GDPR standard for being specific, granular, clear, opt-in, properly documented and easily withdrawn. If not, consent mechanisms must be changed and fresh GDPR-compliant consent sought, or an alternative to consent found.
One-stop-shop concept: If a business is established in more than one Member State, it will have a lead authority, determined by the place of its main establishment in the EU.
A supervisory authority that is not a lead authority may also have a regulatory role, for example where processing impacts data subjects in the country where that supervisory authority is the national authority.
Privacy Impact Assessment (PIA): The GDPR imposes a new obligation on data controllers and data processors to conduct a Data Protection Impact Assessment (also known as a privacy impact assessment, or PIA) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope or purposes.
Processing: Processing is any operation performed on personal data (or sets of personal data), such as creation, collection, storage, viewing, transport, use, modification, transfer, deletion, etc., whether or not by automated means.
Profiling: Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects relating to an individual, or to analyse or predict in particular that person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Subject access: This is the data subject’s right to obtain from the data controller, on request, certain information relating to the processing of his or her personal data.
Territorial scope: The territorial scope of the GDPR includes the European Economic Area (EEA + all 28 EU member states), Iceland, Liechtenstein and Norway, and does not include Switzerland.
Third party: A third party is any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
Transfer: The transfer of personal data to countries outside the EEA or to international organisations is subject to restrictions. As with the Data Protection Directive, data does not need to be physically transported to be transferred. Viewing data hosted in another location would amount to a transfer for GDPR purposes.
Should you wish to stop receiving e-mails or communications from us, or to check what data we hold about you, please write to the following email address with your request and we shall action it within the timescale detailed above: firstname.lastname@example.org.
Data Protection Officer Lorna Queen
Centurion Signs UK Ltd
36/38 Carron Place
Kelvin Industrial Estate
Tel: 01355 265222