Centred Solutions Limited (CSL) understands that your privacy is important to you and that you care about how your personal data or that of your clients is used by us when we provide our services to you. We respect and value the privacy of all of our data subjects whoever they are, and thus we will only collect and use personal data in ways that are described below; specifically in a manner that is consistent with our obligations for transparency and accountability; plus incorporating privacy by design and honouring your rights under the data protection law. We are very aware that in the pharmacy sector where we operate, privacy, security and confidentiality are everything, thus we hope the information provided below confirms our commitment to the highest standards in this regard.
1) Information About Us
Centred Solutions Ltd (CSL), incorporated and registered in England and Wales with company number 10723808 whose registered office is 43 Castle Chambers, Castle Street, Liverpool, L2 9TL.
VAT number: 270 4305 32
Data Protection Officer: Colin Hardy
Email address: firstname.lastname@example.org
Telephone number: Mobile +44 (0)7943404246; Landline 0333 335 5023
Postal address: 43 Castle Chambers, Castle Street, Liverpool L2 9TL
We are registered with and regulated by the Information Commissioner’s Office (ICO); our registration number is ZA563447.
2) What Does This Notice Cover?
This Privacy Notice explains how we use your personal data: how it is collected and when; how it is held; what our legal basis is for its collection; how it will be processed; how long it is retained; and whether and with whom we may share it. It also explains whether we allow any information under our control to leave the UK or EEA and, if so, what mechanisms we employ to safeguard your rights under the law. Lastly, we detail your rights as a data subject relating to your personal data and how you can go about requesting access to these rights. We have tried to keep the information clear and concise so it allows easy access to the sections of interest to you.
3) What Is Personal Data?
Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers if captured. The law also details personal information that is special or sensitive, such as biometric data, health data, political or religious beliefs or affiliations etc., for which special conditions must exist to store and process the data. In section 5 below we detail what data we collect and when, depending on how you interact with us.
It is important to note that CSL are the data controllers for the information we detail below. This data is collected for the purpose and by the means as defined by CSL and thus requires us to provide your data subject rights.
When dealing with our clients who utilise our automation solutions for prescription processing we act as a data “Processor” for any patient data temporarily parsed within the on-site automation systems for this purpose. In this scenario we are under a data processing agreement that defines our data processing actions, and this data by default never resides with us.
4) What Are Your Rights under the Legislation?
Under the Data Protection Legislation, you have a substantive number of rights afforded to you, which we will always work to uphold. When you ask us for access to any of these rights, we call this request a Data Subject Access Request (DSAR). You can ask us in any way that is easiest for you: email, phone call, letter or personal meeting. Your rights are listed below:
- The right to be informed about our collection and use of your personal data. This Privacy Notice should advise you regarding everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 12. You should always be provided with a clear understanding of what we are doing at the point of data collection however you interact with us.
- The right to access or be given sight of the personal data we hold about you. Part 12 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete or simply changes. Please contact us using the details in Part 12 to find out more.
- The right to be forgotten is available to you, but it does depend on certain circumstances, i.e. the legal basis used for processing can have an effect, as can a reason to retain the data under law that overrides privacy legislation. If you wish to make use of this right to ask us to delete or otherwise dispose of any of your personal data that we hold then please contact us using the details in Part 12 to find out more.
- The right to restrict (i.e. prevent) the processing of your personal data is another right afforded to you but, like (d) above, does have some caveats. If you feel this option is something you wish to pursue then please make contact as per Part 12.
- The right to object to us using your personal data for a particular purpose or purposes again is dependent on the legal basis for processing and what the processing is actually being used for, i.e. if we were profiling you for instance. Similarly, please use the contact details in Part 12 if you wish to request this right.
- The right to withdraw consent at any time and for any reason is a fundamental right that must be made clear to you at the point you gave consent initially. This means that, if we are relying on your consent as the legal basis for processing your personal data and you withdraw your consent, we must stop all processing activities relying on this legal basis. This usually means that things like emails, newsletters or other marketing activities will be withdrawn with immediate effect. Similarly you can withdraw from a job application. You can usually withdraw consent via unsubscribe or similar links in emails etc., or you can contact us at any time using the details in Part 12.
- The right to data portability. This means that, if you have provided personal data to us directly, and we are using it with either (a) your consent or (b) for the performance of a contract, and that data is being processed using automated means, you can ask us for a copy of that personal data in a common electronic form to re-use with another service or business in many cases.
- Rights relating to automated decision-making and profiling. You have the right to object to this type of processing particularly if the legal basis is legitimate interest or a purpose carried out for the public interest. However, we currently do not process any of your personal data in this way for any of our company processing so currently you have no need for recourse for this right as it simply does not happen.
If you feel you still require more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 12.
It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed; as long as we have a legal basis to process that data, we will update it with immediate effect.
Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
It is important that we advise you that, in the event we do not satisfy your requests for access to any of the rights listed above, you always have access to our regulator the ICO and can use their web site to raise a complaint about our lack of compliance. This is free and easy to do; just use this link: https://ico.org.uk/make-a-complaint/ . However, if you do have any cause for complaint about our use of your personal data, or how we failed to provide satisfactory answers to your requests, we would welcome the opportunity to resolve your concerns ourselves, so we can learn from our mistakes for the benefit of all our clients. Please contact us using the details in Part 12.
5) What Personal Data Do We Collect, Why We Collect It, How Long We Retain It?
How you interact with us dictates what data we collect and the legal basis for processing it. To make this section as easy and concise as possible we have put the most common interactions into a table and explain what we capture and why. Please note we do not collect any ‘special category’ or ‘sensitive’ personal data from you, with one exception: if you are an employee, we are required under law to collect this information.

| Personal Data Collected and Retention | Why We Collect the Data |
| --- | --- |
| Name, address, post code, DOB, passport number, NI number, gender, qualifications; work experience, partner details for insurance etc. visa status; work status; criminal convictions; disabilities; ethnicity etc. Retention period: 7 years post-employment termination. | You are an employee and we are required to collect all relevant information to comply with employment law, HMRC, Payroll, Health and Safety, Equalities legislation etc. Our legal basis is 6 1 (c) processing is necessary for compliance with a legal obligation …… If your employment is such that you visit pharmacy locations and installations etc. then criminal checks must be carried out. |
| Name, contact details, qualifications and work experience only. Retention period: 3 months post interview. | Job/ Vacancy Applicant. Legal basis is consent for application process. |
| Business Name, address, post code, contact details, email, phone, B2B contact staff, bank account details, purchase ledger details. VAT details, credit reference etc. pharmacy location. Retention period is 7 years past contract end. | To enter into a service supply contract as our client. Legal basis 6 1 (b) processing is necessary for the performance of a contract. There will also be the setting up of a data processing agreement (DPA) between the parties to process prescription data for the pharmacy client (we act as processor for this aspect). |
| No personal data just essential cookies plus cookie banner cookie. Retention period is 3 months. | Anonymous web site visitor to company web site. If you decide to allow analytics cookies then legal basis is 6 1(a) Consent. We do not place any marketing or third party cookies at all; we do not use forms or gather any personal data from you. We do not allow our web site to host any first or third party adverts. Please see our Cookie Notice for more details. |
| Company name, address, contact details, email, phone number, B2B contact names, bank details, VAT number, Company number, Credit rating, etc. Retention period 7 years post contract termination. | Company Supplier/Contractor if you supply a service to the company you will be entered into our purchase ledger and CRM system. Legal basis is 6 1 (b) processing is necessary for the performance of a contract…… |
| Name, email address phone number. | Marketing Activities if you receive any emails or phone calls from us, our legal basis for processing this data is 6 1 (a)consent. We do not collect data via forms or cookies from our web site in this regard. You must have attended one of our trade stands at a show/exhibition and provided the necessary info. Opt out is available at any time. |

Any other sources of data collection
6) Do We Process Your Data Using Legitimate Interest Legal Basis?
Under the Data Protection Legislation, we are required to bring to your attention if we process any of your data under Legitimate Interest, as you have a right to object if we do. As noted above in the table we do not rely on this legal basis at all thus we have not provided a Legitimate Interest Assessment record to justify this basis.
7) Do We Carry Out Any Profiling Activities
We do not carry out any automated or manual profiling activities using your personal data.
8) How Long Do We Keep Your Personal Data?
As we have detailed above in section 5 we retain your data depending on the circumstances we collected it. For the majority of purposes we retain for 7 years, but in most cases this is a legal requirement under statute applied to the company. Where we have a genuine choice we use the principle of data minimisation thus collect only what we must collect and keep it no longer than required. Thus applicant data is deleted after 3 months. Marketing data is deleted immediately on consent withdrawal and we refresh consent every 13 months.
9) How and Where We Store Your Personal Data?
We store your data in secure web hosted applications, which are only available to our employees, using secure authentication methods, and configured on a role based access model (if you don’t need access, you don’t have access). Data is encrypted in flight (secure HTTPS protocols) and at rest (disk encryption) within UK or EEA data centres.
The security of your personal data is essential to us, and to protect your data, over and above that mentioned above we take a number of important measures, including the following:
- As well as limiting access to your personal data to those employees, agents, contractors, and other third parties with a legitimate need to know, we also require all employees etc. to comply with our strict company policies and undergo annual data protection training to ensure the culture of compliance and confidentiality is embedded within the company;
- Policies and procedures for dealing with data breach incidents (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the Information Commissioner’s Office where we are required to do so;
- We keep a breach report log where all accidental or attempted unauthorised data access incidents are listed; many of these are used for training purposes to highlight where minor issues have occurred to further enhance our transparency and accountability duties in this regard.
10) Do We Share Your Personal Data?
By default we do not share any of your personal data with any third parties for any purposes whatsoever, subject to the following exceptions:
- In the event that a service contract requires support 24/7 we allow access to our on-site hardware and software solution by our affiliated group company Centred Solutions LLP, their level 3 support team based in the US (Florida), as this allows a better working hours coverage spread within the UK time zone. They have the support contract details only and VPN access to hardware. This access is certified secure and has been specifically agreed to by the client within the data processing agreement before access is allowed. See safeguarding section below for third party transfers.
- In the event the company is sold, transferred, or merged, parts of our business or assets, which may include your personal data, may be transferred to a new third party owner. Any new owner of our business will continue to use your personal data in the same way(s) that we have used it, as specified in this Privacy Notice.
- In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
If any of your personal data is shared with a third party (above), we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above in Part 9. In particular your rights are afforded and protected as described within the UK data protection legislation and the legal jurisdiction is UK Law.
11) Third Party Transfers Outside the UK Or EEA Area
By default there are no transfers allowed outside the areas deemed adequate by the EU Commission. However as mentioned above, there is one specific case where we support, via our affiliated group company, Centred Solutions LLP (Florida) our hardware and software solution (based on clients’ premises). We allow remote VPN access as agreed within the data processing agreement to fix and support P1 reported issues. To ensure all data subject rights are protected and compliance with the UK law we have put in place the EU Standard Contractual Clauses (2010) between the group companies assuring complete compliance as if the company was based within UK and subject to UK Law and jurisdiction.
12) How Can I Access My Personal Data Rights?
As mentioned above in section 4 you are afforded a number of data protection rights. If you wish to ask for, or access, any of these rights, all you have to do is ask us in the most convenient way for yourself: phone, email, letter or personal meeting. To enable us to action your data subject access request (DSAR) as efficiently as possible please use the template provided at the end of this notice. Simply copy and paste it into Word or a similar text application, type in the required data fields and send it to us, or phone us and complete the form whilst on the line with our staff. Either way, once this form has been received we will usually complete your request within 30 days and free of charge.
All subject access requests we process will be stored and logged as per our policy and will be in writing and usually sent to the email or postal addresses as per the request. We will always make sure the request is genuine; we will make contact with you to confirm your identity or confirm any nominated representative you have advised in the request. If we cannot confirm the identity we will not process the request until we can.
If the DSAR request is particularly complex we may need more time; in such cases we will inform you before the 30 day period has expired of the additional time required. However, if your request is repetitive or manifestly unfounded we reserve the right to charge you or refuse to answer, but we will always advise you accordingly in due course of this action.
The most efficient contact mechanisms are shown below:
Email: email@example.com Please use “DSAR Request” in subject field
Phone: Mobile: +44 (0)7943404246
Phone: Landline 0333 335 5023
When calling please advise that you are calling to request a DSAR request.
Letter: Centred Solutions Limited, 43 Castle Chambers, Castle Street, Liverpool, L2 9TL.
Please provide a RE: DSAR Request on the letter.
13) Changes to this Privacy Notice
We will make changes to this Privacy Notice from time to time as business processes change or new data collection processes are designed. This may also be necessary, for example, if the law changes, or if we change our business sector in a way that affects personal data protection.
Any changes will be made available on our company web site. This Privacy Notice was last updated on 5th December 2019.
DPO Centred Solutions Ltd
DSAR request: (what right under the regulation are you requesting, you can request more than 1 at a time)
Background Information: (can you please explain the nature of your request, what specifically you are looking for or information you require, the reason why the request is being made; have we done something wrong etc. etc.)
Do you want to appoint a representative if so please provide their name and details and a signed letter of authority for us to release the information to them.
Any specific request as to how you want the answers to be provided to you? (email, letter etc.)
What identification information will you provide (passport, driving license, other photographic ID, etc.).