The purpose of this privacy notice is to explain how CTR Secure Services (“CTRS”) processes personal data to fulfil our data protection responsibilities for anyone making enquiries either through the website contact page or by direct contact, and/or whose images are captured by the CCTV system that covers our premises in Gorleston.

The role of CTRS in data protection terms is that of a data controller where we determine the purpose and use of the personal data being processed. It is the responsibility of our Privacy Manager (PM) to ensure the processing of your personal data is in accordance with the UK’s data protection legislation. The PM is contactable using privacy@ctrservices.co.uk 

Please note that when CTRS is providing CCTV monitoring services on behalf of our clients, it does so in our role as a data processor. This is because we are only processing personal data on behalf of, and in accordance with our clients’ instructions. This means our clients are the data controllers in this role.

The sort of personal data collected by CTRS will be basic contact details sufficient to be able to respond to your general enquiries and for sales purposes. In addition, we will capture your image using CCTV, but only if you are visiting our Gorleston office.

CTRS’s duty of confidentiality means that our staff will treat your personal data with due respect and confidence. It is only disclosed to others when absolutely required. We use reasonable organisational and technical measures to ensure personal data is kept secure. We also expect the same duty of confidentiality of all third parties with whom we share your personal data. All processing takes place on-site and/or agreed off-site locations, all within the UK, with routine backups performed on UK and EU based servers.

The processing of personal data by CTRS is processed in accordance with the principles of data protection and always against a lawful basis such as those below:

• We will pursue our legitimate interests:
  • to respond to your general enquiries and stay in touch with you for marketing purposes
  • to operate a CCTV system around our offices that will capture the image of anyone visiting or working at our offices
• To comply with our legal obligations
• When processing for a pre-defined purpose for which your consent will be sought prior to the processing commencing – please note that consent can be withdrawn at any time by contacting the PM

CTRS will share your personal data but only when necessary, with some or all of the following:

• Administrative support where personnel are bound by a data processing agreement and/or contractual arrangements
• Appointed contractors for specific outsourced services who are subject to a data processing agreement or equivalent as bound by their contracts
• Law enforcement agencies
• Public authorities

These organisations are reviewed regularly, and the number is kept to a minimum.

CTRS follows a retention schedule to determine the length of time we hold different types of personal data. The key retention periods are as follows:

• Routine correspondence for casual enquiries in hard copy or in emails will be stored for 7 years after the last interaction with CTRS
• Images captured by the CCTV system that covers our Gorleston office, will only be retained for 30 days although extracts may be retained for longer but only if required to support an ongoing enquiry or investigation
• Contact data is stored indefinitely unless a valid request to erasure has been received, in which case it will be given due consideration

At the end of the retention period CTRS will destroy or delete your personal data and any associated emails or relevant documentation for which CTRS has no lawful basis to justify retention. If it is technically impractical to delete electronic copies of personal data, it will be put beyond operational use. It should be noted that CTRS allows up to 3 months after the retention period has ended to complete this action.

The UK General Data Protection Regulation defines the rights that you have (although these do not apply in all situations) and these are summarised below:

• Right to be informed as to how your personal data are being processed – this is done through this notice
• Right to access personal data held by us; this is done by submitting a ‘Subject Access Request’ (SAR) to the privacy manager
• Right to rectification of personal data if we have collected it incorrectly or it needs to be updated
• Right to erasure of your personal data for which we no longer have a legitimate purpose to process
• Right to restrict processing under certain circumstances, during which your personal data will be taken out of operational use until the matter is resolved
• Right to data portability of your personal data in a machine-readable version, but this only applies to data provided with your consent or under contract
• Right to object to processing personal data for which we do not have a legal or contractual obligation
• Rights related to automated decision making and profiling, however, CTRS does not use these techniques in its decision making

Further details of all these rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.

Raising concerns, exercising rights, or making queries about our processing of your personal data can be done by contacting the PM. Please be aware that CTRS will need to verify a requesters/ enquirer’s identity before responding fully. For that reason, you may be asked for proof of identification that, in context, will enable CTRS to confirm your identity. Alternatively, you may contact the ICO directly, using the details provided above.