We will never buy or sell your data. We obtain your data through a variety of means, predominantly from yourself directly, either via written correspondence, web entries, face-to-face or by means of email or telephone contact. Certain data may be supplied to us by other customers, for example if we are asked to ship an item to a third-party address.
When you register and use this site you will be asked to provide certain information such as your contact details. We will use this data to fulfil our agreement with you. The data and information we hold and process about you consists of the following, if applicable:
We may use information that you provide or that is obtained by us, and may share this information with our third-party service partners:
If we process any ‘special categories’ of personal data (for example any information relating to your health, religious beliefs, sexual orientation, etc), we will usually rely on receiving your specific consent at the time, unless there is otherwise a legal requirement for us to process such information.
The Company has in place appropriate security measures which ensures that hard copy personal data is kept in lockable storage and filing areas with controlled access. These measures include:
We endeavour to take all reasonable steps to protect your personal information. However, we cannot guarantee the security of any data you disclose online. Due to the inherent security risks of providing information and dealing online, you will not hold us responsible for any breach of security unless due to our negligence or wilful default.
Please be aware that our website may link to other websites which may be viewed through our website. We are not responsible for the data policies or procedures and content of these linked websites.
In addition, the Company has put in place appropriate measures for the deletion of personal data where it is held by the Company; manual records will be shredded or disposed of as ‘confidential waste’ and appropriate contract terms have been put in place with any third parties undertaking this work. Hard drives of redundant PCs will be wiped clean before disposal or if that is not possible, destroyed physically. A log will be kept of the records destroyed. This information will be held by the Company for as long as we both are parties to a contract or transaction, or until such a time as you withdraw your consent for us to hold it. Accounting information will be retained for the suggested time period as recommended by government legislation following the termination of the contract or transaction for record-keeping purposes in relation to tax.
If you have reason to believe that a child under the age of 16 has provided personal information to the Company, please contact us and we will delete that information from our databases.
As part of our security services within common areas and external perimeters at a number of our sites, we and/or our service partner may collect personal images through CCTV or through ANPR technology (Automatic Number Plate Recognition), and signs will be displayed notifying you of these arrangements. This live feed and stored footage can only be viewed by appropriate Company employees and may be shared with essential third parties with legitimate cause (for example, police or insurers in the instance of crime or injury).
Stored footage may be shared with any individual depicted in such footage, by request. We will only share footage with relevant individuals if theirs is the sole image depicted. Any request to view footage should be made in writing to the Company at their registered address. Each request will be responded to in writing within 30 days of receipt.The Company has retention policies which govern how long this information should be kept, generally for no longer than 30 days unless an incident has been logged. Any data stored in relation to any logged incident is held for as long as is required to perform these functions.
The Company may provide an access control system that allows secure entry to a relevant building or property, and/or details of visitors to the premises. We deliver these services pursuant to prevent and identify crime. These systems hold personal data – typically an individual’s name and access data as they enter various parts of the building or property in question.
To ensure compliance with data protection laws, the Company will review personal data within any access control and visitor systems, and any historic personal data will be permanently deleted at appropriate intervals. If you require any accounts to be subject to alternative treatment please provide written instructions to the Company at their registered address.
We and our third-party service providers normally store and process your data in the United Kingdom. However, we and third-party service providers may from time to time store and process your data elsewhere, including outside the European Economic Area. This may be because our contractor or supplier who carries out any order fulfilment or payment processing, for instance, may be based elsewhere.
If your data is to be stored or processed outside the European Economic Area, we will comply with, and take all reasonable steps to ensure our contractors and suppliers comply with, the rules under the Data Protection Act 1998 and General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for processing personal data outside the European Economic Area.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You can also lodge a complaint with the Information Commissioner’s Office.
Where the Company is the Data Controller in respect of personal data processing, our details are as follows:
CCA Galleries Ltd (company number 02710748) whose registered office is at Estate Management Office, Greenhills Estate, Tilford Road, Tilford, Surrey, GU10 2DZ The Company is registered with the Information Commissioner’s Office.
This policy was last updated in May 2018.