CSM Security Locksmiths will be (hereafter referred to as the ‘Company’) and the client or the representative of a company will be (hereafter referred to as the ‘Customer’).
The new General Data Protection Regulation (GDPR) came into force on 25th May 2018, our ‘Company’ would like to let the ‘Customer’ know what data the ‘Company’ hold, and how it is stored and used.
Data Collection, Storage & Usage
Any data collected by the ‘Company’ is provided by the ‘Customer’ at their request. This is done for the purpose of providing service(s) to the ‘Customer’. The ‘Company’ needs the ‘Customers’ full name and address for the purpose of providing service(s) and related invoice(s). This invoice(s) will also detail the services and materials used/supplied. The invoice(s) are never passed on to any third party unless it is for the purpose of debt collection, in which case the ‘Company’ will inform the ‘Customer’ before instructing any debt collection service to act on behalf of the ‘Company’. If the ‘Customer’ does NOT wish for their details to be passed on to a debt collection agency, the ‘Customer’ must make the invoiced payment in full. Any ‘Customer’ dispute must be made in writing, before being dealt with by the ‘Company’. If the ‘Customer’ is not satisfied with any given outcome, the ‘Customer’ must seek legal advice in order to rectify the dispute.
Invoicing & Job sheets
All data collected by the ‘Company’ will be used for the sole purpose of providing service(s) to the ‘Customer’. This may include an online diary and job sheets, to enable the ‘Company’ to schedule engineer(s). When the service(s) have been completed successfully, the ‘Company’ will generate an electronic invoice(s) for ‘Company’ accounts. A copy of the invoice(s) will be emailed to the ‘Customer’. In order for the ‘Company’ to comply with statutory HMRC, (Her Majesty’s Revenue & Customs) law, the ‘Company’ will securely store these invoice(s) for a period of 7 years. On a weekly basis, the ‘Company’ security deletes all diary entries and job sheets.
All ‘Company’ accounts and invoice(s) are stored on the ‘Company’s’ NAS (Network Attached Storage) device. The ‘Company’s’ NAS is implemented as follows: a. RAID (Redundant Array Inexpensive Disks) – to facilitate data integrity in the event of hardware failure. b. UPS (Uninterruptible Power Supply) – to provide power in the event of power loss. c. A strict admin account policy, which includes strong passwords. d. Real-time virus scanning, which is updated and run on a weekly basis. e. Additionally: the ‘Company’ NAS is only available when it is required and is firewalls making it only accessible via the ‘Company’ LAN (Local Area Network). The ‘Company’ NAS is secured within ‘Company’ premises at all times. ‘Customers of the ‘Company’ do not attend our premises.
Key Duplication of High-Security Keys
The ‘Company’ do not hold any records of any unique key codes that are given to the ‘Company’ in order to duplicate high-security keys. Once the unique code is given by the ‘Customer’, whether verbally, by email or by text. The unique key code will be deleted as soon as the additional key(s) have been duplicated. To promote further understanding here: the unique key code(s) are deleted by the ‘Company’. The ‘Company’ do not keep any records of unique key code(s) given by the ‘Customer’.
The ‘Company’ does not keep any card details for payments that are made over the phone, or via the ‘Company’ PayPal card reader. To promote further understanding here: no details are recorded, besides being taken verbally over the phone and entered directly into the ‘Company’ PayPal card reader and only while the ‘Customer’ is on the phone. The ‘Customer’ will receive a receipt for this transaction, which will either be by SMS or email. No data relating to this transaction is kept by the ‘Company’.
Any other data that is provided to the ‘Company’ by the ‘Customer’ for the purpose of the ‘Company’ providing service(s) will be stored on the ‘Company NAS. Subsequent to this, if the ‘Customer’ then requires any data to be returned, a request must be made in writing, specifically detailing the data details. If the ‘Customer’ requests any data held by the ‘Company’ to be deleted, the ‘Customer’ must also be made in writing, specify exactly what data, if not all data, requires deleting. All costs incurred are chargeable and payable by the ‘Customer’.
This policy is effective as of 1 August 2022.