Point One Marketing Limited trading as Community Call Prevention (“Community Call Prevention”)

1.    Background

1.1.          We know how important data protection is to our customers and we have always been committed to ensuring we protect our customers’ data, but with enhanced data protection laws which came into force in May 2018 we have reviewed the systems and procedures which we use to protect your data.

1.2.          Community Call Prevention offers the following types of goods and services:

  • The provision of a call blocker device which attaches to a phone and blocks withheld numbers, 5 area codes, and up to 1,000 numbers in total
  • The provision of services of contacting data controllers around the UK for 1 year removing our customers’ details from their databases

1.3.          Community Call Prevention may collect Personal Data for the following purposes:

  • The provision of the goods and/or services above at 1.2
  • Administrative reasons to enable us to provide our services
  • For our marketing, publications, webinars and events and to understand how visitors to our website interact with it
  • For security reasons, including our system security and at our premises
  • To meet any legal and regulatory duties we may have

1.4.          We will only collect and hold information or disclose it to someone else if we have a lawful basis to process it. We will explain the basis in our Privacy Notice.

2.    Policy statement

2.1.          This policy sets out our approach to data protection and the legal conditions that should be satisfied when we obtain, handle, process, transfer and store Personal Data.

2.2.          Everyone has rights with regard to the way in which their Personal Data is handled. During the course of our activities we collect, store and process Personal Data about our customers and our staff. We recognise the importance of the correct and lawful treatment of Personal Data. It maintains confidence in the organisation and provides for successful operations.

2.3.          We are committed to the principles set out in the Data Protection Legislation, which set out the legal conditions that must be satisfied in the collection, handling, processing, transportation and storage of Personal Data.

2.4.          Our staff and anyone else who processes Personal Data for Community Call Prevention must adhere to this policy and are obliged to comply with this policy when processing Personal Data on our behalf. It is a condition of the employment of our staff that they adhere to this policy and any breach of the policy may result in disciplinary action.

3.    About this policy

3.1.          The types of Personal Data that we may be required to handle include information about current, past and prospective customers and staff. The Personal Data, which may be held on paper or on a computer or other media, is subject to the legal safeguards specified in the Data Protection Legislation and other regulations.

3.2.          This policy and any other documents referred to in it set out the basis on which we will process any Personal Data we collect from Data Subjects, or that is provided to us by Data Subjects or other sources.

3.3.          This policy does not form part of any employee’s contract of employment and may be amended at any time.

3.4.          This policy shall be reviewed at least once a year.

3.5.          The Data Protection Legislation is not intended to prevent the processing of Personal Data but to ensure that it is done lawfully and in accordance with the data protection principles described in this policy.

4.    Responsibility for data protection

4.1.          The board of directors of Point One Marketing Limited and all members of staff of Community Call Prevention are responsible for data protection within the business and for compliance with the policy.

4.2.          Community Call Prevention is the Data Controller and may be contacted at customerservices@communitycallprevention.co.uk.

5.    Definition of data protection terms

Data Controller : a person or company who determines the means and purposes of the processing of Personal Data
Data Processor : a person or company who processes Personal Data on behalf of a data controller
Data Protection Legislation : (a) the Data Protection Act 2018;

(b) Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”) and any national implementing laws, regulations and secondary legislation for so long as GDPR is effective in the United Kingdom;

(c) any successor legislation to the Data Protection Act 2018 and the GDPR.

Data Subject : all living individuals about whom we hold Personal Data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
Personal Data : data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Processing : any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties.
Special Category Data : information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, the processing of biometric data for the purposes of uniquely identifying a person, data concerning health or data concerning a person’s sex life or sexual orientation. Information about criminal convictions must be treated as if it were special category data.

6.    Lawful processing

6.1.          We will only process Personal Data if we have a lawful basis to do so.

6.2.          The lawful bases for data processing are set out in Article 6 of GDPR. In summary the grounds that may be applicable to us are:

6.2.1.        The consent of the Data Subject, which must be freely given, specific, informed and unambiguous.

6.2.2.        The processing is necessary for the performance of a contract with the Data Subject or with a view to entering into a contract.

6.2.3.        The processing is necessary in the legitimate interests of the data controller or a third party, except where those interests are over-ridden by the interests or fundamental rights and freedoms of the Data Subject.

6.3.          If special category data is processed, a further lawful basis set out in Article 9 of GDPR is required. The bases that are most likely to apply to us are:

6.3.1.        The explicit consent of the Data Subject.

6.3.2.        The processing is necessary in relation to employment and social security law.

6.3.3.        The processing is necessary to establish, exercise or defend a legal claim.

7.    Data protection principles

7.1.          We are obliged to comply with the data protection principles set out in Article 6 of the GDPR. Where we provide information, we will do so in a concise, transparent and intelligible manner in plain language and in a form suited to the needs of the Data Subject.

7.2.          The principles are summarised in the next sections together with the way in which we will comply with them:

7.2.1.        All Personal Data must be processed lawfully, fairly and transparently.

We will ensure that there is a lawful basis for the processing and that the processing is not unlawful for any other reason such as a breach of confidence.

If we collect Personal Data directly from Data Subjects, we will provide a Privacy Notice confirming:

a.            the purposes for which we need the data;

b.            the lawful basis for the processing and, if it is based upon our legitimate interests, the nature of our interests;

c.            who we may share the data with and in particular whether it will be shared outside the EEA;

d.            how long we will keep the data;

e.            the Data Subject’s rights and the right to make a complaint to the ICO;

f.             whether the provision of the data is a statutory or contractual requirement and the consequences if it is not provided.

If we receive personal data about a data subject from other sources, we will provide the data subject with this information together with details of the source of the information within 30 days or before we first contact them, whichever is the sooner.

We will also inform Data Subjects whose Personal Data we process that we are the data controller with regard to that data.

7.2.2.        Personal Data must be collected for specified, explicit and legitimate purposes and must not be used for a purpose that is incompatible with those purposes.

In the course of our activities we may collect and process the Personal Data relating to customers and staff. This may include data we receive directly from a Data Subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources.

We will only process Personal Data for the specific purposes set out in the Privacy Notice that we will supply to each Data Subject or for any other purposes specifically permitted by Data Protection Legislation.

7.2.3.        Personal Data must be adequate, relevant and limited to what is necessary for the purposes for which it is held.

We assess whether the information that we request or that we receive is strictly necessary and we will not keep any information that is not required.

7.2.4.        Reasonable steps must be taken to ensure that the Personal Data is accurate and kept up to date.

If any customer, member of staff or anyone about whom we hold Personal Data thinks that any of our records are inaccurate or out of date, they should contact: customerservices@communitycallprevention.co.uk.

We will check the accuracy of information at reasonable intervals and we will take reasonable steps to correct inaccurate data.

7.2.5.           Personal data should be kept for no longer than is necessary for the purposes for which it is processed.

We will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.

7.2.6.        Personal data must be processed in a manner that ensures an appropriate level of security against unlawful or unauthorised processing, loss, damage or destruction.

A description of our data security measures is set out below.

8.    Processing in line with data subject’s rights

8.1.        We will process all Personal Data in line with Data Subjects’ rights, set out in the Data Protection Legislation, which includes the rights to:

8.1.1.           obtain details of the Personal Data held in respect of the Data Subject;

8.1.2.           the rectification of inaccurate data;

8.1.3.           the erasure of Personal Data in certain circumstances;

8.1.4.           restrict the processing;

8.1.5.           require communication of information about rectification, erasure or restriction;

8.1.6.           require a copy of the data to provide it to another data controller in certain circumstances;

8.1.7.           object to the processing of the Personal Data on the basis of the data controller’s legitimate interests;

8.1.8.           object to the use of the data for direct marketing purposes.

8.2.        We will respond to any request by a Data Subject to exercise his rights as a Data Subject without undue delay and in any event within 30 days unless an extension of time has been granted.

9.    Data security

9.1.        We will process all Personal Data we hold in accordance with our information security policies, standards and procedures. Our information security procedures and documentation, which cover how to prevent, detect and respond to information security events and weaknesses and document the consequences of non-compliance, are reviewed and updated annually.

9.2.        We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves and enter into a contract with us containing the safeguards prescribed by the Data Protection Legislation.

9.3.        We will maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

9.3.1.           Confidentiality means that only people who are authorised to use the data can access it.

9.3.2.           Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.

9.3.3.           Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal Data must therefore be stored on our central computer system and not personal devices.

9.4.        Security procedures include:

9.4.1.           Entry controls. Any stranger seen in entry-controlled areas should be reported.

9.4.2.           Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)

9.4.3.           Methods of disposal. Paper documents should be shredded. When they are no longer required, digital storage devices must be returned to the Operations Team to ensure that all data is wiped from them or that they are physically destroyed.

9.4.4.           Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

9.4.5.           Disaster Recovery. A plan is in place to ensure the availability of all Personal Data in the event of a hardware or software failure, cyber attack or physical damage to the devices on which the data is stored.

10.  Transferring personal data to a country outside the EEA

10.1.     We may transfer any Personal Data we hold to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:

10.1.1.        The country to which the Personal Data are transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms.

10.1.2.        The Data Subject has given his consent.

10.1.3.        The transfer is necessary for one of the reasons set out in the Data Protection Legislation, including the performance of a contract between us and the Data Subject, or to protect the vital interests of the Data Subject.

10.1.4.        The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

10.2.     Subject to the requirements in clause 10.1 above, Personal Data we hold may also be processed outside the EEA where computer servers are located outside the EEA. In such cases we will ensure that there is an appropriate data controller/data processor contract in place.

11.  Disclosure and sharing of personal information

11.1.     We may disclose Personal Data we hold to third parties. In some circumstances we may be required to do so by law, but in other circumstances we will tell you in our Privacy Notice.

11.2.     If we do disclose Personal Data we will:

11.2.1.        Ensure that we have a legal basis for doing so;

11.2.2.        Comply with the Data Subject’s rights unless there is an exemption in the Data Protection Legislation.

12.  Changes to this policy

We reserve the right to change this policy at any time. Where appropriate, we will notify Data Subjects of those changes by mail or email.