Privacy Policy

CRIS.UK.COM PRIVACY NOTICE AND POLICY

Introduction

This document refers to personal data, this is defined as information concerning any living person (a natural person who hereafter will be called the Data Subject) that is not already in the public domain.

The Data Protection Act (DPA), Privacy and Electronic Communications Regulations (PECR) and The General Data Protection Regulations (GDPR) which is EU wide and far more extensive, seek to protect and enhance the rights of data subjects. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data and the unrestricted movement of personal data within the EU. It should be noted that GDPR does not apply to information already in the public domain such as Companies House data.

Who we are

CRIS.UK.COM is a software company specialising in the management of client data. We provide a business to business service allowing users to refer and manage data in a secure and compliant manner.

CRIS.UK.COM is the legal owner of the Client Referral Information System CRIS which the trade name of the data management software.

You agree that we are entitled to obtain, use and process the information you provide to us to enable us to discharge our services to you.

In the main CRIS works with businesses. For Business to Business Clients and Contacts our lawful reason for processing your personal information will be “legitimate interests”.  Under “legitimate interests” we can process your personal information if: we have a genuine and legitimate reason and we are not harming any of your rights and interest

Personal Data

CRIS utilises a secure environment to allow users to refer manage and update client data in a secure and compliant manner. In you making initial contact you consent to CRIS maintaining a marketing dialogue with you until you either optout (which you can do at any stage) or we decide to desist in promoting our services. CRIS may also act on behalf of its clients in the capacity of data processor. When working exclusively as a data processor, CRIS will be acting on the instruction of its client and will work hard to ensure that the client is fully GDPR compliant.

Personal data is collected about you from information entered on our forms, from records of our correspondence and phone calls and details of your visits to our website, including but not limited to personally-identifying information like Internet Protocol (IP) addresses. CRIS may from time to time use such information to identify its visitors. CRIS may also collect statistics about the behaviour of visitors to its website.

CRIS website uses cookies, which is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. CRIS website visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using CRIS website.

When you give us personal information, we take steps to make sure that it’s treated securely. Any sensitive information is encrypted and protected with 128 Bit encryption using SSL. When you are on a secure page, a lock icon will appear on the bottom of web browsers such as Microsoft Internet Explorer.

Any information CRIS holds about you and your business encompasses all the details we hold about you and any sales transactions including any third-party information we have obtain about you from public sources and our own suppliers such as credit referencing agencies.

CRIS will only collect the information needed so that it can provide you with data management services.  We do not sell or broker your data.

Our work for you may require us to pass your information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing the Services to you on our behalf.  However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the Services and we have contracts in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.

By using CRIS you agree that you are responsible for all data compliance and breaches if data is downloaded from CRIS and used on another platform.

As part of the services offered to you through this website, the information which you give to us may be transferred to countries outside the European Union (“EU”). For example, some of our third-party providers may be located outside of the EU.  Where this is the case we will take steps to make sure the right security measures are taken so that your privacy rights continue to be protected as outlined in this policy.  By submitting your personal data, you’re agreeing to this transfer, storing or processing.  Where our third-party supplies are in the US we have ensured that their services fall under the “Privacy Shield” whereby participating companies are deemed to have adequate protection and therefore facilitate the transfer of information from the EU to the US.  Is this applicable to us?

You also agree to notify us at:-  datacontroller@cris.uk.com  immediately you become aware of a breach.

CRIS will not send any client data that is not secure.

Legal basis for processing any personal data

To meet CRIS’s contractual agreements to securely manage data on behalf of clients and their customers

Legitimate interests pursued by CRIS

To effectively and compliantly manage business to business referral data

User status

It is the users responsibility to determine their status under DPA and GDPR legislation and to determine if CRIS meets the users requirements in complying with the legislation

Consent

Through agreeing to this privacy notice you are consenting to CRIS processing your personal data for the purposes outlined. You can withdraw consent at any time by emailing datacontroller@cris.uk.com   or in writing to the following address:- The Data Controller, CRIS.UK.COM, 2, Neptune House, Nelson Quay, Milford Haven, Pembrokeshire, SA73 3BH

Disclosure

CRIS may on occasions pass your Personal Information to third parties exclusively to process work on its behalf. CRIS requires these parties to agree to process this information based on our instructions and requirements consistent with this Privacy Notice and GDPR. CRIS do not broker or pass on information gained from your engagement without your consent. However, CRIS may disclose your Personal Information to meet legal obligations, regulations or valid governmental request. CRIS may also enforce its Terms and Conditions, including investigating potential violations of its Terms and Conditions to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of CRIS, its clients and/or the wider community.

Retention Policy

CRIS will process personal data during the duration of any contract and will continue to store only the personal data needed for seven years after the contract has expired to meet any legal obligations. After seven years any personal data not needed will be deleted.

Data storage

Data is held in the United Kingdom using different (multiple) servers. Some data is backed-up. CRIS does not store personal data outside the EEA. We secure your personally identifiable information on computer servers in a controlled, secure environment, protected from unauthorised access, use or disclosure. All of our servers run in an enterprise-grade clustered cloud computing environment ensuring maximum uptime. We use private networks, firewalls and VPN features to defend your data and applications from malicious attack. 

Your rights as a data subject

At any point whilst CRIS is in possession of or processing your data you have the following rights:

• Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Right to object – you have the right to object to certain types of processing such as direct marketing.
• Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.

In the event that CRIS refuses your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge. 

Transfer of data

You have a right under GDPR to receive your data in structured, commonly used and machine- readable format and to transfer your data to another service provider or data controller. This right applies where your data is being processed on the basis of consent or in line with a contract.

CRIS.UK.COM at your request can confirm what information it holds about you and your clients and how it is processed. Any request to transfer data to another data controller should be sent to:- datacontroller@cris.uk.com  or in writing to the following address The Data Controller, CRIS.UK.COM, 2, Neptune House, Nelson Quay, Milford Haven, Pembrokeshire, SA73 3BH

Data access requests – You can request the following information:

• Identity and the contact details of the person or organisation that has determined how and why to process your data.
• The purpose of the processing as well as the legal basis for processing.
• If the processing is based on the legitimate interests of CRIS or a third party such as one of its clients, information about those interests.
• The categories of personal data collected, stored and processed.
• Recipient(s) or categories of recipients that the data is/will be disclosed to.
• How long the data will be stored.
• Details of your rights to correct, erase, restrict or object to such processing.
• Information about your right to withdraw consent at any time.
• How to lodge a complaint with the supervisory authority (ICO).
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
• The source of personal data if it wasn’t collected directly from you.
• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
• The process to allow you to view the data we hold

All requests should be made to:- datacontroller@cris.uk.com or in writing to the following address:- The Data Controller, CRIS.UK.COM, 2, Neptune House, Nelson Quay, Milford Haven, Pembrokeshire, SA73 3BH.

The data controller will confirm the information that will be required to allow us to disclose data.

Complaints

In the event that you wish to make a compliant about how your personal data is being processed by CRIS or its partners, you have the right to complain to the CRIS.UK.COM at the above address

ICO

Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Telephone 0303 123 1113 or email: https://ico.org.uk/global/contact-us/email/

Glossary

What is personal data? Personal data relates to any information about a natural person that makes a person identifiable

What is sensitive personal data? Sensitive personal data refers to the above but includes genetic data and biometric data. 

What is a Data Controller? For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.

What is a Data Processor? A “data processor” is a person or organisation which processes personal data for the controller.

What is Data Processing? Data processing is any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.

What are Cookies? are text files put on your computer to collect standard internet log information and visitor behaviour information.  This information is then used to track visitor use of the website and to create statistical reports on website activity.  For more information visit www.aboutcookies.or g or www.allaboutcookies.org

What is an IP Address? An IP or Internet Protocol Address is a unique numerical address assigned to a computer as it logs on to the internet.

Last updated May 2018