Cameron Baum Davis (“CBD”) are committed to adhering to the highest standards of data protection and data security. We have designed, and are progressing with, a comprehensive GDPR implementation program.
The Board of Directors and management of CBD regard compliance with all relevant UK and EU laws relating to personal data as one of their top priorities. We are committed to protecting the rights and freedoms of individuals whose information CBD collects in accordance with the General Data Protection Regulation (GDPR).
We are committed to protecting any information you share with us, including any information that you tell us about yourself, what we learn by having you as a customer and consent you gave us to process your data in a specific way.
Our commitment to privacy of your data
- To keep your data safe and private.
- Not to disclose your data to our partners and affiliates without relevant non-disclosure agreements.
CBD promises that we will never sell your data whether in explicit or pseudonymised form.
The purposes for which personal data may be used by us:
We will use the personal data we collect and process only to perform our business functions. This includes dealing with personnel, administrative, financial, regulatory, payroll and business development purposes. We may use personal information for operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of any sensitive information.
There are instances where we would have to comply with law and deal with your personal data for regulatory, legal and compliance purposes. These may include:
- Compliance with the legal and regulatory requirements
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- When we are investigating complaints
- When we perform functions that are part of our business requirements to deliver best-in-class service to you, e.g. when we are checking references, monitoring and managing staff access to systems and facilities, staff conduct, disciplinary matters etc.
CBD shall comply with the principles of data protection (the Principles) enumerated in the EU General Data Protection Regulation. We will make every effort possible in everything we do to comply with these principles.
The EU GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
CBD data processing is in line with the key principles stated by the EU GDPR. We ensure that your data is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes only;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
CBD has adopted strict controls of dealings with the personal data falling within special “sensitive” data categories. These categories of data, if unlawfully disclosed, could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. The special categories of data include data on:
- Ethnic origin;
- Political views;
- Trade union membership;
- Biometrics (where used for identification purposes)
- Sexual orientation
We also have strict policies on processing data on children and persons with criminal convictions.
At CBD we have set a high standard for consent.
- We will only ask you for a positive opt-in and will not use pre-ticked boxes.
- We will only ask you for a very clear and specific statement of consent.
- You may withdraw your consent for data processing by us partially or in full at any time by filling in the Consent Withdrawal request.
- We will always keep evidence of consent in a form or a register of consent.
- We will ask you to review your consent if we have a material change in data processing activities.
In line with the EU GDPR you may file a subject access request to find out exactly what information CBD holds on you in our files. Our Data Protection Officer will handle such requests promptly.
CBD will not transfer your data outside of the EU, unless the level of protection of your data will be maintained at least at the same level as if it remained in the EU. We will ask for your explicit consent if your dealings with us would require such a transfer (unless stipulated by regulatory authorities).
Security controls of data processing activities at CBD
CBD employ high standards for data security, which include, at a minimum:
- Adhering to information security assets and data security policies and procedures CBD has adopted;
- Maintaining privacy of your data by design;
- Maintaining segregation of access rights for different individuals who are part of CBD;
- Encrypting equipment, wireless networks, data at rest individual files;
- Maintaining strict mobile device policies;
- Strong physical and other controls.
CBD, together with its IT services provider, has established and maintains incident response and business continuity procedures, which allow us to respond to a data incident promptly and inform the ICO, if required, within the 72 hours specified by the EU GDPR documentation.
Data Access Request procedure
All data-related requests from data subjects (including data access, data rectification, data erasure, etc.) must be made in writing using the following contact details: firstname.lastname@example.org. If we receive a data-related request from you in any other way, we will forward it to the above-mentioned electronic address. In that case it may take us longer to process your request, but we will never exceed the 40 days stipulated by the EU GDPR documentation.
Policy review and version control
We have committed to reviewing all our GDPR-related policies at least once a year. The CBD Board of Directors has ultimate control of all our GDPR documentation.