1. About us
1.1. We are CES Quarry Products Limited, a company incorporated in Northern Ireland with its registered address at 124 Crossgar Road, Saintfield, County Down, BT24 7JQ with company registration number: NI005383. We are registered with the Information Commissioner's Office (ICO) as a Data Controller and our registration number is ZA313857.
1.2. We manufacture a range of products including ready mix concrete, screed, masonry units, aggregates, asphalt, bitmac and associated services and niche products (Services).
2. Who do we hold data about
2.1 The nature of our Services means that we may obtain and use Personal Data (that is information relating to an individual who can be identified) which we collect about or from our clients or prospective clients. This can be divided into 3 categories of individuals:
(i) Prospective Clients: that is people in organisations which we think might be interested in becoming a client of ours. Any reference in this notice to Prospective Client Data means Personal Data about Prospective Clients;
(ii) Client Contacts: that is people in our clients’ organisations who have been designated as the relevant party to contact in connection with the provision of our Services. Any reference in this notice to Client Contact Data means Personal Data about Client Contacts;
(iii) Job Applicants, Current & Former Employees: that is the individuals that the company has engaged with during recruitment exercises and those that are / have been employed by the company. Any reference in this notice to Job Applicants, Current & Former Employees Data means Personal Data about those individuals;
(iv) Other Third Parties: that is people in organisations that we interact with during the course of our business that are not a client or a prospective client. Any reference in this notice to Third Party Data means Personal Data about individuals that represent those third parties;
We will hold Personal Data about the categories of individuals listed above (each such individual, a Data Subject) as a Controller, which means that we make decisions about what data we collect and how it should be used to best serve our purposes. The reason for this notice is so that each Data Subject is clear as to what data we collect about them, what we do with that data, how long we store it for and their rights in relation to that data.
2.2. In addition to the above, we may also hold Personal Data about individuals who can be identified from the data our clients want us to help them manage as part of our Services (Managed Data). We will only be handling this data as a Processor, which means that our client is the Controller and makes the decisions about what data it wants to collect and how to use it. This privacy notice does not cover how we use the Managed Data. Any Managed Data will only be processed in accordance with our client’s instructions. As a Processor, we are required to enter into an agreement with our client setting out the terms of processing. If you would like to know more about this, please feel free to contact us at: email@example.com.
3. About this notice
3.1. Under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018, we are required to provide individuals about whom we hold data as a Controller certain information about what we are doing with their data. This notice is intended to do just that. We’ve listed the individuals this notice is addressed to at paragraph 2.1 above.
3.2. This notice only deals with our use of Personal Data. If you click on any links to third party sites or products, you should check their privacy notices before disclosing any Personal Data to them.
3.3. We might need to change this privacy notice from time to time. We will publish our privacy notice on our website (www.cesquarryproducts.com) and do our best to update you directly if we think the changes might affect you. Please do keep an eye on our notice before sending us any Personal Data.
3.4. If you have any questions about this notice feel free to send us an email to firstname.lastname@example.org.
4. What personal data do we collect and where do we collect it from?
4.1 There are a number of ways we might collect information about Prospective Clients:
(i) If you contact us directly (whether by calling us up, sending us an email or if we meet you somewhere in person) and you ask for information about our Services, we may retain information about your request, including your name, where you work and your contact details.
(ii) Our marketing team may also carry out its own research using online sources to try to locate businesses and key contacts within those businesses who we think may be interested in hearing about our Services.
(iii) If you sign up to receive our newsletter or receive marketing information from us, we may retain information about marketing preferences and any contact details you provide us with.
4.2 We may collect Client Information in the following ways:
(i) Primarily we will obtain Client Contact Data from our clients when they instruct us who we should contact in connection with our Services. This is likely to include their name and business contact details as well as their role in our client’s business. We will also need to hold information about our client which we need to set them up as a client and avail of our rights and fulfil our obligations under any services agreement we enter into with them. This is likely to include our clients’ financial data as well as details of any past transactions and payment history with us.
(ii) If our client contacts us directly with a support request or other issue (whether by email, telephone or letter), we may retain details of the request for our records and to make sure that the issue was properly resolved.
(iii) Due to the nature of our service provision, we may need to access personal data relating to our clients’ employees / customers. The purpose of this is to provide evidence (Documented within a report) to certification body auditors to ensure we are compliant. Only the data required will be obtained and stored. If we are required to store this on our own cloud storage, it will be subject to the controls in place as per Section 8 of this privacy notice.
(iv) If our client signs up to receive our newsletter or receive marketing information from us, we may retain information about marketing preferences and any contact details our client provides us with.
Job Applicants, Current & Former Employees
4.3. We collect Data in the following ways:
(i) When individuals apply to work with us, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from a credit or criminal reference agency we will not do so without informing them beforehand unless the disclosure is required by law.
(ii) We may retain anonymised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Other Third Parties
4.4 We collect Data in the following ways:
(i) Primarily through email and letter, we will obtain personal details of the representative of that organisation for us to carry out the agreed / contractual arrangements between our respective organisations. This information will be stored securely as detailed within Section 8.
Website & Social Media
4.7 Website Security - We use a third-party service to help maintain the security and performance of our website. To deliver this service it processes the IP addresses of visitors to our website.
4.8 Social Media – We only use social media platforms / aggregator applications for sharing information about our company, engaging with those that have interacted with us and contributing to news / comments / groups that are relevant to our service offerings.
5. Special Categories of data and criminal offence data
5.1 In the UK some types of Personal Data are afforded special status because they are considered to be more sensitive in nature and could potentially cause more harm to an individual if the data was misused. These are:
- Special Categories of data include details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data; and
- Criminal Offence Data means data relating to an individual’s criminal record.
5.2 We do not require nor request any data of this nature from Prospective Clients or Client Contacts for the provision of our Services.
6. How we use personal data and our lawful basis for doing so
Prospective Client Data
6.1 We may use Personal Data about Prospective Clients as set out in the table below.
| Purpose | Description | Lawful Basis |
| --- | --- | --- |
| To provide you with information about our services | If you have asked us to do so, we may use the details you give us to provide you with a quote for our services. We would usually do this by email. | Consent |
| Marketing | We might use the contact details you have provided us with to send you emails about events we are running or information about our Services which we think might be of interest to you. We will always include an opt-out in any such emails. | Legitimate Interest |
Client Contacts Data
6.2 We may use Personal Data relating to Client Contacts for the following purposes.
| Purpose | Description | Lawful Basis |
| --- | --- | --- |
| To provide our client with services | This includes recording and retaining communications with our clients about their requirements, policies and infrastructure as well as the nature of the data they collect and store, and using that information to fulfil our contractual obligations. | Necessary for the performance of the contract / Legitimate Interest |
| Administration and Dispute Resolution | We might use the contact details you have provided us with to send you emails about events we are running or information about our Services which we think might be of interest to you. We will always include an opt-out in any such emails. | Legitimate Interest |
| Marketing | From time to time we might send you an email about events we are running or other products or services which we think might be of interest to you. We will always include an opt-out in any such emails. | Legitimate Interest |
| Marketing | We might use information about people who have purchased our products / services to carry out a survey to find out if they are happy with the level of service they received and request some feedback. | Legitimate Interest / Consent |
Job Applicant, Current & Former Employee Data
6.3 We may use Personal Data relating to this group as set out in the table below.
| Purpose | Description | Lawful Basis |
| --- | --- | --- |
| To allow us to establish your suitability for the advertised role and to meet our legislative requirements | An applicant will submit their personal data to facilitate the processing of their application. Furthermore, it allows us to ensure that we can monitor recruitment statistics. | Consent |

Administration & Dispute Resolution
We may also need to process Personal Data about you to meet our internal administration requirements and to facilitate payments, as well as for matters such as dispute resolution (HR etc.).
There may be instances where we have to share your personal details with third parties for the purpose of fulfilling our legal / contractual obligations with regard to:
- Providing you with a pension
- Meeting employment law legislation
- Achieving security clearance
- Meeting financial legislation
- Seeking legal advice
Following the termination of employment we will keep records regarding your employment as per our retention policy. This is in order to process any Finance / HR related queries from yourself or regulatory bodies.
Other Third Parties
6.4 We may use Personal Data relating to this group as set out in the table below.
Purpose / Description / Lawful Basis
Administration & Dispute Resolution
We may also need to process Personal Data about your representatives to meet our internal & external administration requirements.
There may be instances where we have to share your representatives' personal details with third parties for the purpose of fulfilling our legal / contractual obligations with regard to:
- Providing a pension
- Meeting employment law legislation
- Achieving security clearance
- Prevention of crime (CCTV)
- Meeting financial legislation
- Seeking legal advice
Following the termination of our engagement we will keep records as per our retention policy.
7. Disclosure of personal data
7.1 We may disclose the Personal Data that we hold to our employees as well as other third parties who we engage to help us provide our Services. For example, we use third parties to provide the following services:
- Email Provider
- Host Server provider
- Marketing Database Provider
- Pension Provider
- Payroll Provider
- Security Clearance Provider/CCTV Provider
- HR Advisor
- H&S Advisor
- Hauliers and specialist contractors
- Certification Bodies
- Occupational Health Provider
- Financial services Provider
Any such parties contracted by us will be acting as our Processors and will be subject to strict contractual requirements only to use Personal Data in accordance with our privacy notice. If you would like more information about third party processors used by us, please contact us at email@example.com.
7.2 We may also disclose Personal Data if:
8. What security measures are in place?
8.1 We are aware how important it is for us to keep the data we hold about Users and other parties secure and have implemented the following processes and procedures:
8.1.1 Our employees are required to hold any data which they handle on our behalf securely and confidentially and are contractually bound to do so.
8.1.2 We make sure that any data processors (such as Microsoft) we use have a strong reputation for data security and are contractually obliged to implement adequate security measures to safeguard the data held.
8.1.3 We have physical and administrative security measures at our offices.
8.1.4 There are individual and company boundary firewalls.
8.1.5 Continuously updated anti-virus programmes minimise the likelihood of a phishing attack.
8.1.6 Encrypted file storage solutions with data access controlled on a ‘need to know’ basis.
8.1.7 On expiry of document retention date paper documentation is securely shredded by accredited professional confidential waste shredding services.
9. Where do you store the personal data you collect?
9.1 We store any Personal Data we hold within the EEA and only use processors with servers in the EEA.
- Secure cloud storage (Microsoft) with data centres in the EEA.
- Secure cloud storage (OneDrive) with data centres in the EEA.
- Both Microsoft and OneDrive are signatories to the Privacy Shield Framework.
- CCTV images are held on an onsite encrypted hard drive by Wilson Security Solutions.
9.2 We will only transfer Personal Data outside the EEA if:
- The territory has been deemed by the European Commission to implement adequate safeguards;
- Appropriate measures (such as model contract clauses) have been put in place;
- The company has registered with an EU recognised framework such as the EU-US Privacy Shield;
- The transfer is necessary for the performance of the contract with the Data Subject in question – for example, if users are based outside the EEA and it is necessary to contact them in connection with our Services to Users; or
- If we have obtained explicit consent from the Data Subject.
10. Our retention policies
| Type of Data | Retention Policy |
| --- | --- |
| Transaction data | For the life of the client contract + 7 years to ensure that we have sufficient records from an accounting and tax perspective |
| Financial data | For the life of the client contract + 5 years in case of renewed contract and/or any payment issues outstanding after the contract is completed. |
| Emails | Retained for life of the contract with automatic archiving after 10 years |
| Marketing lists | Retained until opt out with update and rectification procedure carried out every 5 years |
| Usage data | For the life of the client contract + 6 years in case of any dispute arising. |
| Employee personal data | For the life of the employee’s employment and an additional 6 years in case of any dispute arising. Employee medical records are retained for 40 years. |
| Job applicants personal data | This will be kept for the duration of the recruitment exercise and an additional 2 years in case of any dispute arising. |
| Third party representative personal data | This will be kept for the duration of our engagement with this party and an additional 5 years in case of any dispute arising. |
| CCTV data | The CCTV data is held for approximately 6 weeks from date of recording |
| Integrated management system (IMS) data | IMS related documentation will be retained in accordance with retention periods from the date of issue as specified in Document Register IF 13 |
11. Rights of data subjects
11.1 Data Subjects have the following rights against the Controller in respect of Personal Data held by the Controller which relates to them.
- (a) Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used.
- (b) Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
  - The purposes of the processing;
  - The categories of personal data concerned;
  - The recipients to whom the personal data has/will be disclosed;
  - For how long it will be stored; and
  - If data wasn’t collected directly from you, information about the source.
- (c) Right of rectification: the right to require the Controller to correct any Personal Data held about you which is inaccurate or incomplete.
- (d) Right to be forgotten: in certain circumstances, the right to have the Personal Data held about you erased from the Controller’s records.
- (e) Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to you. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.
- (f) Right of portability: the right to have the Personal Data held by the Controller about you transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
- (g) Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).
- (h) Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on you. We do not carry out any automated decision-making process.
11.2 If you want to avail of any of these rights, you should contact us immediately at firstname.lastname@example.org. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.
11.3 We will confirm to you in writing to acknowledge receipt of any request we receive relating to your rights as a Data Subject, and we will let you know if we have complied with your request. If, having carried out an assessment, we believe we have an overriding reason for retaining the data, we will let you know why we have reached that conclusion.
12. What happens if you ask us to stop processing data about you?
12.1 You may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever. This may have an impact on the services you receive from us.
13. Details for questions or complaints on how we purchase data about you
13.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to email@example.com. If we are processing Personal Data about you on behalf of Users, we will need to pass your complaint to Users – we will only do so with your consent.
13.2 We take any complaints or criticisms we receive very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. When we receive a complaint, we make up a report containing the details of the complaint, which we sometimes term a ‘non-conformance’. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
13.3 We will keep records of complaints for a minimum of 2 years.
13.4 You may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.