Date effective 16th January 2025
Commtel Ltd GDPR and Privacy Policy
1. Introduction
Commtel Ltd are committed to safeguarding the privacy of our website visitors, our customers, our customers’ customers, and any other service users.
2. Credit
This document was created using a template from SEQ Legal (https://seqlegal.com/free-legal-documents/privacy-policy).
3. How we use your personal data
In this section we have set out:
- a) the general categories of personal data that we may process.
- b) in the case of personal data that we did not obtain directly from customers, the source, and specific categories of that data.
- c) the purposes for which we may process personal data; and
- d) the legal bases of the processing.
The enquiry data may be processed for the purposes of offering, marketing, and selling relevant goods and/or services to a customer. The legal basis for this processing is consent OR our legitimate interests, namely the proper administration of our website and business OR the performance of a contract between customer and Commtel Ltd and/or the taking steps, at your request, to enter such a contract.
Transaction data may include contact details, card details, and the transaction details. The source of the transaction data is you and/or our payment services provider. The transaction data may be processed for the purpose of supplying the purchased goods and/or services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter such a contract; providing that, if you are not the person contracting with us, the legal basis for this processing is our legitimate interests, namely the proper administration of our website and business.
Notification data may be processed for the purpose of sending the relevant notifications and/or newsletters. The legal basis for this processing is consent OR our legitimate interests, namely communications with our website visitors and service users OR the performance of a contract between user and us and/or taking steps, at request, to enter such a contract.
We may process SIM card telephone data. This data may include name, contact telephone number, email address, postal address, site address if different, and intercom SIM card telephone number. This data is provided by either the installer or the customer. This data may be processed for programming the barrier intercom and for billing for SIM cards if the SIM card is provided by TG Telecom. The legal basis for this processing is consent OR our legitimate interests, namely the satisfactory maintenance of the intercom unit OR the performance of a contract between customer and us and/or taking steps, at request, to enter into such a contract.
We may process any personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, user legal rights and the legal rights of others.
We may process any personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
We may process personal data for marketing purposes, including sharing such data with contracted marketing companies. The legal basis for this processing is:
- Consent from the data subject, where required;
- Legitimate interests, namely the proper administration and promotion of our business activities; or
- The performance of a contract between the customer and Commtel Ltd.
Data shared for marketing purposes is processed under strict security measures, including encryption during transfer and storage. Customers are informed of such processing in our privacy notice and may withdraw consent or object to the processing at any time.
In addition to the specific purposes for which we may process personal data set out in this Section 3, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or to protect vital interests or the vital interests of another natural person.
We do not accept any other person’s personal data from a customer unless we have prompted the customer to do so in the interest of full unit operation.
4. Providing Personal data to others
Commtel Ltd may disclose personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
We may disclose personal data to third-party organisations, such as contracted marketing companies, solely for purposes directly related to our business operations, such as marketing activities. These third-party organisations must comply with the following conditions:
- Personal data is transferred and stored only on secure, encrypted servers.
- Access to the data is strictly limited to authorised personnel of the third-party organisation.
- The third party may only process the data for purposes explicitly agreed upon with Commtel Ltd.
- The third party must comply with all applicable UK GDPR regulations, including data protection principles and the rights of data subjects.
The rights of data subjects as outlined in this policy include the right to object to the sharing of personal data with third parties. Customers can exercise this right by contacting us using the details provided in the “Your Rights” section of this policy.
Personal data is held on our encrypted cloud service and cloud backup service.
In addition to the specific disclosures of personal data set out in this Section 4, we may disclose personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or to protect vital interests or the vital interests of another natural person. We may also disclose personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
5. Retaining and deleting personal data
This Section 5 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
We will retain your personal data as follows:
- account data will be retained for a minimum period of 7 years as required by UK tax law. It will then be deleted.
- enquiry data will be retained for a minimum period of 1 year following the date of the enquiry, and for a maximum period of 18 months following that date.
- transaction data will be retained for a minimum period of 7 years as required by UK tax law. It will then be deleted.
- notification data will be retained for a minimum period of one week following the date that we are instructed to cease sending the notifications, and for a maximum period of two weeks following that date (providing that we will retain notification data insofar as necessary to fulfil any request made to actively suppress notifications).
- SIM card data will be retained for a minimum period lasting as long as you have a working intercom unit, and for one month after we have been informed that the intercom unit is no longer in active use.
Notwithstanding the other provisions of this Section 5, we may retain personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or to protect vital interests or the vital interests of another natural person.
6. Your rights
In this section, we have listed the rights held under data protection law.
User/customer principal rights under data protection law are:
- the right to access – requests can be made for copies of personal data.
- the right to rectification – requests to ask us to rectify inaccurate personal data and to complete incomplete personal data.
- the right to erasure – request us to erase personal data.
- the right to restrict processing – request to restrict the processing of personal data;
- the right to object to processing – object to the processing of personal data.
- the right to data portability – request that we transfer personal data to another organisation or to that user/customer.
- the right to complain to a supervisory authority – complaints can be made about our processing of personal data; and
- the right to withdraw consent – to the extent that the legal basis of our processing of personal data is consent, consent can be withdrawn.
These rights are subject to certain limitations and exceptions. More can be learnt about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
The above rights in relation to personal data may be exercised via written notice to us or using the contact details set out below.
7. About cookies
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal data that we store may be linked to the information stored in and obtained from cookies.
8. Cookies that we use
We use cookies for the following purposes:
- authentication and status – we use cookies to identify when our website is visited and as our website is navigated, and to determine if a person is logged into the website.
- We also use cookies solely for the purpose of web page analytics.
9. Cookies used by our service providers
Our service providers use cookies and those cookies may be stored on a user’s computer when our website is visited.
We use Google Analytics. Google Analytics gathers information about the use of our website by means of cookies. The information gathered is used to create reports about the use of our website. More about Google’s use of information can be found by visiting https://www.google.com/policies/privacy/partners/ and Google’s privacy policy can be reviewed at https://policies.google.com/privacy.
10. Managing cookies
Most browsers allow refusal of cookies and the deletion of cookies. The methods for doing so vary from browser to browser, and from version to version. Up-to-date information can be obtained about blocking and deleting cookies via these links:
- https://support.google.com/chrome/answer/95647 (Chrome);
- https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
- https://help.opera.com/en/latest/security-and-privacy/ (Opera);
- https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
- https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac (Safari); and
- https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).
Blocking all cookies will have a negative impact upon the usability of many websites.
If cookies are blocked, not all the features on our website may be usable.
11. Amendments
We may update this policy from time to time by publishing a new version on our website.
We may notify users of significant changes to this policy.
12. Our details
This website is owned and operated by Commtel Ltd.
We are registered in England and Wales under registration number 02772105, and our registered office is at Orchard House, 39 Gatwick Rd, Crawley, West Sussex RH10 9RB.
Our principal place of business is at Orchard House, 39 Gatwick Rd, Crawley, West Sussex RH10 9RB.
Contact Commtel Ltd:
- by post, to Commtel Ltd, Orchard House, 39 Gatwick Rd, Crawley, West Sussex RH10 9RB;
- by telephone, on the contact number published on our website; or
- by email, using the email address published on our website.
13. Data breaches
If we discover that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. The company will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken.
If you become aware of a data breach, you must contact the Directors immediately and retain any evidence in relation to that breach. Under no circumstances should you seek to cover up a breach, or the company may be unable to take action to remedy it promptly and effectively.
If a data breach occurs at a third-party organisation, they are obligated to report it to Commtel Ltd within 24 hours of discovery. Commtel Ltd will assess the breach’s impact and notify the ICO and affected individuals if necessary, as outlined in this policy.
14. Breaches of Policy
Commtel Ltd will take all necessary measures to remedy any breach of this policy including the use of our disciplinary or contractual processes where appropriate.
All Commtel Ltd staff have a responsibility to report security incidents and breaches of this policy as quickly as possible through a member of L10, SLT or via the Commtel Ltd Incident reporting tool.
In the case of third-party vendors, consultants, or a contractor’s non-compliance, Commtel will take appropriate measures to remedy any breach of the policy through the relevant frameworks in place. This may result in the immediate removal of access to the system. Any damage or compromise of Commtel’s ICT systems or network may result in legal action against the third party.
15. Annual Audit of this Policy
The Quality and Compliance Manager will audit this policy annually and report any findings to SLT.