Data Privacy Notice

Last updated: 17th May 2018.

CELLXION LTD (registered number 04780952, address Hallmark House CR3 6LD).

Our Data Protection Lead can be contacted at dpl@cellxion.net.

We have produced this privacy notice to keep you informed of how we handle your personal data.

All handling of your personal data is done in compliance with the General Data Protection Regulation (EU) 2016/679 (“Data Protection Legislation”).

The terms “Personal Data”, “Special Categories of Personal Data”, “Personal Data Breach”, “Data Protection Officer”, “Data Controller”, “Data Processor”, “Data Subject” and “process” (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation.

“Data Protection Lead” is the title given to the member of staff leading our data protection compliance programme in lieu of a requirement for a Data Protection Officer.

What are your rights?

When reading this notice, it might be helpful to understand that your rights arising under Data Protection Legislation include:

You can exercise your right to access personal data held about you by emailing dpl@cellxion.net with the subject line: “Subject Access Request”. When you submit a ‘subject access request’, you will need to provide confirmation of your identity by attaching a photocopy of your driver's license or passport or including your phone number for us to contact you to confirm your identity. This is provided free of charge and our response will be made within thirty (30) days unless our Data Protection Lead deems your request as being excessive or unfounded. If this is the case, we will inform you of our reasonable administration costs in advance and/or any associated delays, giving you the opportunity to choose whether you would like to pursue your request. If you believe we have made a mistake in evaluating your request, please see the section ‘Who can you complain to?’.

If you have questions about any of the rights mentioned in this section, please contact our Data Protection Lead at dpl@cellxion.net.

Who is the Data Controller?

If we have collected your personal data directly from you for our own purposes, we are the Data Controller. If we have been passed your personal data from a third-party for a joint purpose that we both influence, we are the joint Data Controller. We will contact you to let you know before we first start to use your data, or, at the latest, within one month of acquiring it. If we have received your personal data as part of a direct administrative relationship between our business and yours, we are the Data Controller.

What are the lawful bases for processing personal data?

Under Data Protection Legislation, there must be a ‘lawful basis’ for the use of personal data. The lawful bases are outlined in Article 6, Section 1 of the GDPR. They are sub-sections:

  1. ‘your consent’;
  2. 'performance of a contract';
  3. 'compliance with a legal obligation';
  4. 'protection of your, or another’s vital interests';
  5. ‘public interest/official authority’; and
  6. 'our legitimate interests'.

What are CELLXION LTD’s ‘legitimate interests’?

Legitimate interests are a flexible basis upon which the law permits the processing of an individual’s personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Lead. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest. If you would like to find out more about our legitimate interests, please contact dpl@cellxion.net.

About our processing of your data

We might collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:

Reference | What categories of information about you do we process? | Why are we processing your data? | Where did we get your personal data from?

Client Order Fulfilment
  • Identity Data
  • Contact Data
  • Financial Data
  • Transaction Data
  • Technical Data
  • Usage Data

We use the personal data of our clients' staff in order to communicate with clients and provide our goods to our clients. This processing is conducted lawfully on the basis of 'performance of a contract'.

Directly obtained from you or referred to us by one of your or our partners.

B2B Marketing
  • Identity Data
  • Contact Data
  • Transaction Data
  • Marketing and Communications Data

We use the business contact information of staff at our current and prospective clients in order to market to them products and services that we believe they will benefit from. This processing is conducted lawfully on the basis of 'our legitimate interests'.

Directly obtained from you or referred to us by one of your or our partners.

Export Control
  • Identity Data
  • Contact Data

We process the information of contacts at overseas clients in cooperation with the UK government in order to abide by national export controls. This processing is conducted lawfully on the basis of 'compliance with a legal obligation'.

Directly obtained.

Client Support Contracts
  • Identity Data
  • Contact Data
  • Financial Data
  • Transaction Data
  • Technical Data
  • Usage Data

We use the personal data of our clients' staff in order to communicate with clients and provide our support services. This processing is conducted lawfully on the basis of 'performance of a contract'.

Directly obtained from you or referred to us by one of your or our partners.

CCTV
  • Identity Data
  • Special Categories of Data

We make use of CCTV security for monitoring and helping secure our premises. This processing is conducted lawfully on the basis of 'our legitimate interests'.

Directly obtained.

Web Enquiries
  • Identity Data
  • Contact Data
  • Technical Data

We use the contact information sent to us through web forms, by phone or by email in order to respond to enquiries from existing and potential clients. This processing is conducted lawfully on the basis of 'our legitimate interests'.

Directly obtained.

What happens if I refuse to give CELLXION LTD my personal data?

If your personal data is used for Export Control, your personal information has been collected as part of a statutory obligation arising under Export Control Order 2008. Failure to process your data could result in us being unable to fulfil your orders.

If your personal data is used for Client Order Fulfilment or Client Support Contracts, your personal information has been collected as part of a statutory obligation arising under Companies Act 2006. Failure to process your data could result in us being unable to fulfil orders or offer support.

The information about you that we have collected for the performance of our contracts is required in order for us to successfully fulfil our obligations to you. If you choose not to provide the personal data requested, we will not be able to enter into a contract with you to provide the goods and services we offer.

What profiling or automated decision making does CELLXION LTD perform?

CELLXION LTD does not perform any profiling or automated decision making based on your personal data.

How long will your personal data be kept?

CELLXION LTD holds different categories of personal data for different periods of time. Wherever possible, we will endeavour to minimise the amount of personal data that we hold and the length of time for which it is held.

Who else will receive your personal data?

CELLXION LTD passes your data to the third parties listed in the section ‘Third Party Interests’ below.

Does your data leave the EU?

Yes. Details are included in the section ‘Third Party Interests’ below.

Third Party Interests

Data Controllers

Name or Category of Third Party Controller | What processing are we performing for them? | If applicable - who is their representative within the EU?
HMRC, regulatory authorities or other authorities | We are joint Controller with these authorities who require reporting of processing in some situations. | N/A
Postal/courier providers | We are joint Controller with these providers for the purposes of order fulfilment. | N/A

Our Data Processors

Name or Category of Third Party Processor | Purposes for carrying out processing | If applicable – where does data leaving the EEA go and what safeguards are in place?

Internal technology providers
  • ERP software providers, whose services we use in order to manage our business with you.
  • Telephony providers.
  • Office software providers, such as email clients.
In the interests of providing a quality service, we use providers located in the United States. These providers are either Privacy Shield certified or bound by the contractual provisions of the EU Commission's model clauses.

Payment Services Providers
We use these processors so that we can take electronic or card payments securely and without the requirement for you to disclose this data to us.
In the interests of providing a quality service, we use providers located in the United States. These providers are either Privacy Shield certified or bound by the contractual provisions of the EU Commission's model clauses.

Who can you complain to?

In addition to sending us your complaints directly to dpl@cellxion.net, you can send complaints to our supervisory authority. As CELLXION LTD predominantly handles the personal data of UK nationals, our supervisory authority is the Information Commissioner’s Office. If you believe that we have failed in our compliance with data protection legislation, complaints to this authority can be made by visiting https://ico.org.uk/concerns/.