Data controller means the organisation that determines the purposes for which, and the manner in which any personal data are, or are to be, processed. CPL (‘we’) is the data controller of all personal data used in our business for our own commercial purposes.
Processing of data means any set of operations performed on personal data including collection and storage, and contacting. Data means information stored electronically or in certain paper-based filing systems.
Personal data is any data that identifies an individual person, not generic company data.
CPL Processing Statement
CPL collects data on our data subjects (‘you’), and the following statements provide further detail on how this data will be processed.
- We, CPL, are the data controller
- We will process data on our data subjects under one of two legal bases. The legal basis will either be Article 6 1(b), necessary for performance of a contract (for example if a previous sale has taken place) or 6 1(f) legitimate interest (for example if a sale did not take place but the data subject expressed an interest in our services)
- The categories of recipients of that data include our CRM system, hosting providers, our financial systems, our email client, our internal file storage system.
- In some circumstances we may need to transfer that data outside the EU or to an international organisation. If this is the case, we have safeguards in place to ensure that data is transferred securely, and we can provide detail of these safeguards if required.
- The data will be stored in line with our data retention policy for commercial contacts unless we contact you to confirm that you are still interested in our services.
- You have the right to access, edit and erase this data and move it to another provider, you also have the right to object to data processing.
- You have the right to lodge a complaint about processing with the Information Commissioner’s Office.
- We will advise whether processing the data is necessary to perform the contract.
Where personal data has not been obtained from a data subject (e.g. from web searches, a phone call from another contact, a show guide), we will contact that person with the items and rights a) to h) within one month. If the data is being used for communication with the data subject, we will do this, at the latest, at the time of the first communication to that data subject.
Within the markets where we operate, we may hold some personal data on individuals in companies who are not current customers or that we have had conversations with about our products and services in the past. In this situation, the items and rights a) to h) apply, the reason for processing this data is direct marketing with relevant products and services in that market, the legal basis is legitimate interest. The data subject has the right to object and/or to have the data removed permanently from our data categories (as defined above).
We may make marketing emails or calls to existing customers who have bought a product to inform them about similar products and services. In this situation customers are clearly given the opportunity to object or unsubscribe at the time of collection of data and each time an email or phone call is made.
Recruitment or applicant data
We actively encourage speculative applications from potential candidates for employment at CPL. This personal data will be stored on our email system and storage drives for the purpose of future recruitment for five years, unless requested otherwise. Where you have volunteered ‘sensitive’ data (for example racial or ethnic origin; political opinions; religious or philosophical beliefs; or trade union membership; and the processing of genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person's sex life or sexual orientation) we will hold this information on file, but it is not required for the purpose of future recruitment.
The details of unsuccessful candidates in a recruitment process will be held on file for no more than six months, unless we request, and the candidate actively consents, that we may keep these details for future recruitment.
If you are employed by an organisation that is a CPL client or prospective client, it is possible that we might record data about you (in which case, you become the ‘data subject’ in the context of the GDPR).
A list of responses to questions frequently asked by ‘data subjects’ follows:
Where and how will the data about me be recorded?
We will collect and store information about you when you enquire about our services by telephone; when you email us; or when you meet with us.
We may supplement the information we hold about your business (or you as an individual if you are a sole trader or corporate entity of some kind) with information from third parties such as CreditSafe, LinkedIn and other publicly available platforms.
When you visit our website, we will collect electronic ID data such as your Internet Protocol (IP) address. We collect information about your browsing habits on our websites using ‘cookies’.
Your data is likely to be recorded in our Customer Relationship Management (CRM) database system. There may also be emails that you have sent to us (and that we have sent to you) recorded in our CRM system and within our email server database.
If you are a sole trader or consumer client, it is probable that we will hold a record which relates to you within our accounting software database as well.
Our CRM, email and accounting databases are all maintained within a secure location in the European Union.
We may also record your email address, name and company name in our mass email broadcasting system (which is a secure cloud-based database).
What data does CPL hold about me?
Our CRM system is configured to provide for the recording of the following personal information:
- Full name
- Name prefix
- Nickname (AKA)
- Type of role
- Any preference which you have expressed relating to the receipt of marketing materials from us via email or direct mail
- Phone number(s)
- Email address(es)
- Postal address (usually a business address, unless you work from home)
In addition, we may have attached to your record in our CRM system:
- Documents that you have sent us
- Emails that you may have sent to us or we have sent to you
- Notes that we have made as outcomes from interactions with you (telephone conversations and meetings)
- Details of any future planned activities that we have with you
Records held within our accounting system will include a history of transactions (including sales orders, invoices and financial status information that relates specifically to your trading history with us). These may be regarded as ‘personal’ if you are a sole trader or a corporate entity of some kind.
How does CPL ensure data security?
All our database systems are password-protected and access is only afforded to those with a legitimate reason for so doing.
All users are required to have a domain user name and password to authenticate against the security model for access to our databases. A second layer of security, when available, is always used to check the user’s identity – commonly known as two-factor authentication.
Where corporate systems are available to staff via the internet, all web services are secured via SSL/TLS certificate security certificate and all internet data transactions are encrypted as a consequence.
Remote workers are only able to access data services within our corporate network via secure Virtual Private Network (VPN) from trusted devices.
What do you do with my information?
We use your information for the following purposes:
- To communicate with you in relation to the products and services that your employer has contracted with us to provide.
- To monitor our levels of customer service and manage the way in which we support you (if your employer is our customer).
- To understand our customers’ needs and requirements.
- To advise you of other products and services that we offer which we feel may be of benefit to you and/or your employer.
- To alert you to events and news that we feel might be relevant and/or useful to you.
With whom do you share my information?
We will never share your information with a third party without your express permission, unless we are required to do so by law.
Do you process sensitive personal data?
We do not directly process data which the Data Protection Act 1998 defines as ‘sensitive personal data’. As a business to business (B2B) company, most data recorded within our systems is of a corporate nature.
How will you use my information to contact me?
We may contact you by telephone (via a business phone number where it has been provided, and sometimes via a mobile phone), by post (to your business address), by email (via a business email address if you have provided us with one) or by Social Media platform (such as LinkedIn, Facebook or Twitter).
Will you send me marketing information?
We will only send you marketing information about other products and services that we (ourselves) offer. Most of our marketing communications are broadcast via an email marketing platform. This platform includes an ‘unsubscribe’ link. You may use this link to inform us that you no longer wish to receive email marketing messages from us or you may alert us to this via phone on 01223 378000, email to firstname.lastname@example.org or in writing (to our head office address in Cambridge).
Can I see the information that you hold about me?
If you would like a copy of the personal information that we hold about you, simply call us on 01223 378000 or write to us at Cambridge Publishers Limited, 1 Cambridge Technopark, Newmarket Road, Cambridge CB5 8PB. We will acknowledge the request as soon as we receive it and will provide a full response within 40 calendar days of our acknowledgement.