Castledene is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you in accordance with the General Data Protection Regulation (GDPR).
Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail or otherwise. Please check back frequently to see any updates or changes to our privacy notice.
2. Your rights
The GDPR says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
3. What personal information do we collect and how do we collect it?
We may collect the following information at the start of the contract when you complete an account application form: – Business name, contact names, email addresses, telephone numbers, bank account details.
- Personal data, or personal information, means any information about an individual who can be identified. It does not include data where an individual cannot be identified (anonymous data). We collect personal information from you in the following ways.
- We may periodically send promotional emails about new services or other information which we think you may find interesting using the email address which you have provided.
- We may collect information about visitors to our premises. We may record information on your visit, including the date and time, who you are visiting, your name, employer, contact details and vehicle registration number. If you have an accident at our premises, this may include an account of your accident.
- We may collect caller information such as details of phone numbers used to call our company and the date and time of any calls. We do not record calls.
- We operate CCTV at our premises which may record you and your activities.
- If you work for us or one of our customers, suppliers or business partners, the information we collect about you may include your contact information, details of your employment and our relationship with you.
- We may obtain information from the following publicly available sources: LinkedIn and other social media, e.g. Twitter and Facebook; freely available online resources and websites; Companies House.
- We may also collect credit information on you from third party reference agencies.
- Information about your health, including any medical condition, health and sickness records. This may be collected from you via a Medical Questionnaire prior to becoming a Castledene employee.
- Information about criminal convictions and offences. This may be collected as part of a criminal records check prior to becoming a Castledene employee.
- In limited and necessary circumstances, your information may be transferred outside of the EEA (European Economic Area) to comply with our legal or contractual requirements. We are committed to ensuring the information is secure. We have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect in order to prevent unauthorised access or disclosure.
4. How and Why Do We Use Your Information?
We will only use your personal information when the law allows us to do so. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform a contract we have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- To protect your interests (or someone else’s interests) or where it is needed in the public interest although these circumstances are likely to be rare.
Specific examples of ways in which we may use your personal information include:
- Customer Administration. We may use information about you including form information, content and other information you provide to us or which we collect about you as necessary to carry out our contracts with you, and for our legitimate interests in administering your account.
- Direct Marketing. We may send direct postal or electronic marketing to you using your contact details and information you have provided us. We use this as necessary for our legitimate interests in marketing to you and maintain a list of potential customers. If you are not acting as a business and have not provided your contact details directly to us in relation to our products, we will only send electronic marketing to you if you have consented to that marketing. We will always provide an “opt-out” option on any marketing messages we send you.
- Third Party Personnel Administration. If you work for one of our customers or suppliers, we may hold information on you. This includes information you provide when you correspond with us, as well as details of your employment, contact details, and our relationship with you. We use this as necessary for our legitimate interests in managing our relationship with your employer.
- CCTV Information and Visitor Information. We use CCTV information and visitor information as necessary for our legitimate interests in administering your visit, ensuring site security and visitor safety, and administering parking.
- Job Applications. If you apply for a position with us, we hold and use information on you. This will include information you provide to us in your application, as well as opinion information on you from any referees you provide. We may also obtain criminal record and identity verification information from reference agencies. We use this as necessary to enter into an employment contract with you, and for our legitimate interests in evaluating candidates and recording our recruitment activities, and as necessary to exercise and perform our employment law obligations and rights.
- Former Employees. If you used to work for us, your information will be used in accordance with our employee privacy notice. If you are a former employee or contractor and require a copy of this, please contact us.
We will only use your personal information for the purposes for which we collected it as set out in this notice, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Controlling of your personal data
You may choose to restrict the collection or use of your personal information in the following ways:
We will not sell, distribute or pass your information to third parties unless we are required to do so by law. You may request details of the personal information which we hold about you under the GDPR.
If you believe that any information we are holding on you is incorrect or incomplete, please email or write to us as soon as possible, stating the details in question. We will promptly correct any information found to be in correct.
Castledene, Mill Hall Depot, Mill Hall, Aylesford, Kent, ME20 7JN
6. How long we store data
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of our typical retention periods for different aspects of your personal information are set out below. If you would like details of our retention periods for a particular aspect of your personal information which is not detailed below, please contact us:
- Order information including information about you such as your name, address, email address, telephone number, services used, order date, delivery date and other correspondence with us are kept for a period of up to 7 years after the date of order to enable us to deal with any after sales enquiries or claims.
- Business contact information such as your name, email address and telephone number may be kept for marketing purposes. All marketing data is reviewed annually and erased where no longer relevant.
- Visitor information which is collected about visitors to our premises is kept for a period of up to 3 years. If you have an accident on our premises, our accident records are also retained for a period of up to 3 years.
- CCTV recordings may be kept for a period of up to 60 days (unless there an incident occurs and it is necessary for us to keep recordings for longer to properly deal with it).
- Special categories of data are typically kept for a maximum period of 6 years after employment with Castledene has ended but may vary dependent on applicable employment law.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
If you have any concerns or would like to know what data we hold on your company you can contact us on the details below:
Castledene, Mill Hall Depot, Mill Hall, Aylesford, Kent, ME20 7JN
7. Your Rights
The GDPR gives you a number of rights when it comes to personal information we hold about you. The key rights are set out below. More information about your rights can be obtained from the Information Commissioner’s Office (ICO). Under certain circumstances, by law you have the right to:
- Be informed in a clear, transparent and easily understandable way about how we use your personal information and about your rights. This is why we are providing you with the information in this notice. If you require any further information about how we use your personal information, please let us know.
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it (for instance, we may need to continue using your personal data to comply with our legal obligations). You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to us using your information on this basis and we do not have a compelling legitimate basis for doing so which overrides your rights, interests and freedoms (for instance, we may need it to defend a legal claim). You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party where you provided it to us and we are using it based on your consent, or to carry out a contract with us, and we process it using automated means.
- Withdraw consent. In the limited circumstances where we are relying on your consent (as opposed to the other bases set out above) to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate interest in doing so.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, withdraw your consent to the processing of your personal information or request that we transfer a copy of your personal information to another party, please contact us in writing.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Please consider your request responsibly before submitting it. We will respond to your request as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will let you know.
8. Data security
The Company takes the security of data seriously. The Company has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
We have put in place measures to protect the security of your information. Details of these measures are available upon request.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
9. Data breaches
It is the policy of Castledene to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours.
The Company will record all data breaches regardless of their effect.