Privacy Policy

Data Processing and CDS’s Obligations with respect to Data Protection and Security

Definition of Data

Clients’ Datasets may contain Clients’ own Customer Personal Data. Both CDS and their Clients acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller of the Customer Personal Data, CDS is the Controller of Clients’ Datasets stored on CDS’s own equipment and systems and CDS is the Controller of CDS’s own Customer Personal Data (which may relate to clients of CDS).

With regard to services provided by CDS on CDS’s own systems

The following paragraphs refer to data stored and/or processed on CDS’s equipment and/or on equipment under CDS’s control and not within the scope of the Client’s own Data Control and Processing (e.g. Bulk data sets, email accounts in their entirety, backups, Databases of information and datasets used and transmitted as part of the operation of systems designed, created or implemented by CDS for the purpose of providing a service to the Client.

CDS undertakes:

1. To process the Customer Personal Data and Clients’ Datasets strictly in accordance with any Support Service Agreement agreed with the client and CDS, the client's instructions from time to time and the Data Protection Legislation;
2. To put in place appropriate technical and organisational measures on CDS’s own systems to ensure appropriate security of the Customer Personal Data and Clients’ Datasets and safeguard against a Data Loss Event. Such measures shall include, but are not limited to:
   • Appropriate measures to ensure the ongoing confidentiality, integrity, availability and resilience of the CDS's systems and services;
   • Appropriate measures to restore the availability and access to the Customer Personal Data and Clients’ Datasets in a timely manner in the event of a physical or technical incident;
   • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of Customer Personal Data and Clients’ Datasets;
3. To notify the Client as soon as is reasonably and practically possible of any breach of security measures put in place by the CDS, a Data Loss Event and / or any breach of Data Security by the CDS, its sub-processors or sub-contractors or employees.
4. Not to disclose or allow access to the Customer Personal Data and Clients’ Datasets to any Data Subject or third party other than at the explicit request of the Client;
5. Not to transfer or process the Customer Personal Data and Clients’ Datasets outside the United Kingdom or a Member State of the European Union, without the prior written approval of the Client;
6. To ensure that any of its employees who will have access to the Customer Personal Data and Clients’ Datasets have undergone data protection training and are aware of their obligations under the Data Protection Legislation;
7. To respond to all requests which may be received from the Client in relation to Customer Personal Data and Clients’ Datasets stored by us for our own purposes under Data Protection Legislation;
8. To restrict any processing, return or delete the Customer Personal Data and Clients’ Datasets immediately as directed by the Client.

With regard to systems designed for the customers’ own use, or the use of CDS for the processing of Customers’ Datasets

CDS undertakes:

1. To consider the requirements of Data Protection Legislation at all stages of system development from design through to implementation and operation and shall inform the Client of such procedures as might be necessary or prudent in keeping the systems operating within the data protection framework designed into the system.

Client’s responsibility for their own data

With regard to data stored and/or processed on CDS’s equipment and/or on equipment under CDS’s control that is within the scope of the Client’s own Data Control and Processing:

Legal basis for processing Data

In all cases our basis for processing data is contractual. We will not store or retain data on behalf of customers without contractual agreement.