Who are we?
We at XPO IT Services are registered with the Information Commissioner's Office as a Data Controller, registration number Z135569X. We are specialists in IT Asset Disposal, Asset Management, Data Sanitisation and IT Projects, and operate from Tech Point, Halesfield 9, Halesfield Industrial Estate, Telford, Shropshire, TF7 4QW.
Your privacy matters to us and we are committed to the highest data privacy standards and client confidentiality. To disclose this to you, our Privacy Notice includes the following:
- What data we collect from you.
- How and why we process it.
- Who we share it with and why.
We adopt the six core principles of data protection which are:
- Lawfulness, fairness and transparency – we process personal data lawfully, fairly and in a transparent manner in relation to you, the data subject.
- Purpose limitation – we only collect personal data for a specific, explicit and legitimate purpose. We clearly state what this purpose is in this Privacy Notice, and we only collect data for as long as necessary to complete that purpose.
- Data minimisation – we ensure that personal data we process is adequate, relevant and limited to what is necessary in relation to the processing purpose.
- Accuracy – we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous data that relates to you, and we will complete this task as soon as possible but guarantee to do so within a month.
- Storage limitation – we delete personal data when we no longer need it. Whilst the timescales in most cases aren’t set, we outline our retention strategy within this Privacy Notice.
- Integrity and confidentiality – we keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Collection of your Personal Data
We collect personal data directly from you to be able to supply any products or services which you have requested from us. We will only ask for and keep the data needed to provide you with an efficient level of service and support and to meet any legal commitments we have as a business.
We will use personal data we have gathered to contact and inform you of products and services which we believe will be of genuine interest to you and/or your organisation.
Categories and Type of Personal Data Collected and processed.
We collect contact details from you including:
- Telephone number(s)
- email addresses
- Date of Birth
In addition to this contact information we collect:
- All types of IT hard drives which could contain any type of personal data
- Banking details and other personal financial data
- Information and photographs of family members or friends
We treat all personal data as sensitive but acknowledge that we also process special category data.
Reason for Data collection and processing activities.
Contact information is captured to enable us to provide you with the services we offer and to maintain customer support. Payment information is collected to facilitate the payment of our services.
Sharing of Personal Data
During the delivery of our service to you, we will share your data with other companies who are critical for the provision of our service to you and will be viewed as Data Processors. They are under contract with us and have provided sufficient guarantees that they will process your data only as per the terms of that contract and that, throughout processing activities, they will ensure your data is protected using appropriate technical and organisational measures.
A full list of processors is available from our Data Protection Officer.
Securing and Processing of your Personal Data
We have a responsibility to protect data we hold about you and ensure that access to it is limited to only those who need it to provide you with the services you have requested or consented to receiving, or have legal authority to request access to it.
We also have a responsibility to ensure that your data is accurate, retrievable and is not kept any longer than is necessary or legally required.
Your data is stored mainly within our software system, which has appropriate security processes in place. Electronic data is erased to recognised standards from these servers when it is no longer required. Paper records are held securely until no longer required and then destroyed by secure shredding.
We have assessed the risks to the security of your data and implemented high levels of physical security and operational rigour to keep it protected. These controls are updated regularly to ensure that any new risks or threats can be countered.
In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we have a duty to inform you immediately. If the loss or unauthorised access of your data has potential to cause you harm, we will also report this to the Information Commissioner's Office, which is responsible for regulating data protection legislation in the UK: https://ico.org.uk/
Our legal basis for processing your personal data?
We are required to identify one of six possible legal grounds for processing. These are:
- legitimate interests
- vital interests
- public task
- legal obligation
As all of our processing activities are crucial to the provision of the service which we enter into a contract with you to provide, we process your data based on that contractual relationship.
We could also process your data under our legitimate interests as all processing activities are essential for the provision of our service to you.
How long do we keep your personal data for?
We process the following categories of personal data and retain this data for different periods of time.
Contact information is retained as long as the data subject is a customer of ours. Where the data subject has not used our services recently, and in the absence of a direct data subject request, we hold contact information for a period of 7 years from the last appointment.
Payment information is held by us only as long as is necessary to process the payment or to set up the direct debit mandate.
Your rights in relation to personal data
Under the GDPR, you have rights to access and control your personal data. These rights include:
- access to personal information
- correction and deletion
- withdrawal of consent (if processing data on condition of consent)
- data portability
- restriction of processing and objection
- lodging a complaint with the Information Commissioner’s Office
You can exercise your rights by emailing our Data Protection Officer on XPOITservices@ClinicalDPO.com
If you are unhappy with anything we have done with your data, you have the right to complain to the Information Commissioner's Office. To make a complaint to the Information Commissioner's Office, use the link below or call their hotline on Tel No.: 0303 123 1113.
https://ico.org.uk/concerns/
How to contact us?
For all data protection matters or questions relating to how we manage your data, you can contact our Data Protection Officer via these means:
Data Protection Officer: Clinical DPO.
Phone Number: 0203 411 2848