Who we are
Our website address is: https://www.ceme.co.uk
1.2 “We” and “CEME” refers to CEME (Centre for Engineering and Manufacturing Excellence Ltd), its subsidiaries and other partnerships, corporations undertakings and entities which are authorised to practice using the name CEME and/or Centre for Engineering and Manufacturing Excellence Ltd.
1.3 CEME is a data controller within the meaning of the GDPR and we process personal data. The firm’s contact details are as follows: CEME Campus, Marsh Way, Rainham, London, RM13 8EU. Tel. 020 8596 5400. Data Protection Officer (‘DPO’) can be contacted at: email@example.com.
1.4 We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.
2 What personal information do we collect about you?
2.1 We will collect personal information in the course of our business, including through your use of our website, when you engage our legal or other services, and when you request information from us or contact us.
2.2 The personal information we process includes:
2.2.1 Basic information: such as your name, prefix/ title, the entity you work for, and your position.
2.2.2 Banking and financial information: such as payment information, or to establish the source of funds where a transaction is involved and ensure we have the correct details.
2.2.3 Business information: such as data identifying you in relation to matters on which you instruct us or in which you are involved, or otherwise generated or provided to us in the course of providing services to our clients – which may include special categories of data.
2.2.4 Contact details: such as postal address, email address and phone numbers.
2.2.5 Events data: names for the attendees to events and dietary requirements, which would be regarded as sensitive data.
2.2.6 Photographic identification and other background identification information where relevant.
2.2.7 Social media: such as likes, posts, tweets and other interactions with us online.
2.2.8 Subscription information such as when you subscribe to our newsletters, briefings and updates.
2.2.9 Technical and online information: such as information from your visits to our website (including IP address, browser type and version, time zone setting, browser plug-in types and versions), unique identifiers and mobile information, or applications or in relation to materials and communications sent to you electronically (such as whether you click on certain links or open our emails. Please see our cookies policy for further details).
3 How is your personal data collected?
3.1 We collect personal information from and about you using different methods, for example:
3.1.1 Direct interactions: when you provide us with information or interact directly with us such as by engaging with our staff in any way (including during our business relationship with you, during the provision of legal services to you or where you are involved in a legal matter), when you attend meetings or events hosted by us, or when you sign up or register with us or our website.
3.1.2 Automated technologies or interactions: if you interact with our website or other electronic communications such as emails we may issue to you, we may automatically collect internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions,
3.1.3 Third parties or publicly available sources: we obtain information from public registries, directories and publications, in addition to information from third parties such as other parties involved in any legal proceedings (including other solicitors, other professional services firms (e.g. accountants and tax specialists), credit reference agencies, government agencies and analytics providers such as Google.
4 The purposes for which we intend to process personal data
4.1 We intend to process personal data for the following purposes:
4.1.1 To enable us to supply and improve our professional services to our clients (including handling the personal information of others on behalf of our clients).
4.1.2 To better understand you and your needs, and to determine how these may best be met.
4.1.3 To provide the information requested by you.
4.1.4 To manage our relationship with you and any matter in which you may be involved.
4.1.5 To maintain and manage our client files, internal administrative records, business records about services, payments and business contacts and keep CEME’s records up to date (e.g. automated processing and profiling may be used to process any payments by you and to carry out credit checks whether by CEME or third parties such as credit reference agencies and payment service providers).
4.1.6 To fulfil our obligations under relevant laws in force from time to time (including but not limited to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”)).
4.1.7 To verify identity and establish the source of funding in any transaction.
4.1.8 To seek advice from third parties in connection with your matter such as Counsel or solicitor advocates.
4.1.9 To use in the investigation, process and/or defence of potential or actual complaints, disciplinary proceedings and legal proceedings.
4.1.10 To enable us to invoice you for our services and investigate/address any attendant queries or disputes that may have arisen.
4.1.11 To market and promote our services, including sending updates, publications and details of events.
4.1.12 To contact you about other services we provide which may be of interest to you if you have consented to us doing so.
4.1.13 To provide and improve our website and other technology services, including auditing and monitoring its use (e.g. automated processing and profiling may be used in relation to the assessment of technical and online information).
4.1.14 For statistical and research purposes so we can analyse figures to help us manage our business, plan for the future and review or develop the service we offer (again automated processing and profiling may be used to fulfil these legitimate interests).
5 The legal bases for our intended processing of personal data
5.1 Our intended processing of personal data will have at least one of the following legal bases:
5.1.1 The processing is necessary for compliance with legal and regulatory obligations;
5.1.2 The processing is necessary for the purposes of our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests:
5.1.3 the proper delivery of professional services to our clients;
5.1.4 managing our business and relationship with you or your company or organisation;
5.1.5 understanding and responding to client demands, enquires, requests and feedback;
5.1.6 improving our service;
5.1.7 the proper processing of financial transactions for the purposes of our business including credit control and debt recovery;
5.1.8 to enforce our terms of business and contracts;
5.1.9 to manage our supply chain;
5.1.10 the marketing and promotion of our business services (including the use of suppression lists to exclude you from any direct marketing should you unsubscribe).
6 Marketing and withdrawing consent.
6.1 Where you have given consent. If you agree, CEMEwill send you notifications by post, telephone, e-mail, SMS text or otherwise about such of our services as we believe may be of interest to you.
6.2 Where there is no consent in relation to marketing. Marketing will not happen if you have not given or give but later withdraw your consent (you can contact us at any time to withdraw your consent). CEME do however, reserve the right to contact you by post, telephone, email, SMS text or by other means in connection with any services we are contracted to provide to you, where we rely on the contractual obligation.
7 How we use sensitive personal data
7.1 “Special categories” of personal data (also known as sensitive personal data) include personal information in relation to religious/philosophical beliefs, political opinion, gender or sexual orientation, genetics, identifying biometrics, health, racial or ethnic origin. We may process special categories of personal data where:
7.1.1 we have your explicit consent;
7.1.2 processing is necessary to protect the vital interests of an individual or of another natural person, such as where the individual is physically or legally incapable of giving consent;
7.1.3 processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
7.1.4 processing is needed for reasons of public interest, such as for equal opportunities monitoring or in relation to any employee pension scheme;
7.1.5 processing relates to data which are manifestly made public by the individual data subject; or
7.1.6 such processing is otherwise permitted by applicable law.
8 Persons/organisations to whom we may give personal data
8.1 We may need to share your personal data with some third parties in order to comply with our legal obligations, including our legal obligations to you, and where we have a legitimate interest in doing so and in the course of providing our services.
8.2 The following list includes (but is not limited to) recipients that we may share your personal data with:
8.2.1 our subsidiaries, to provide you with certain services;
8.2.2 courts, tribunals, other dispute resolution bodies or other competent authorities in accordance with our services, legal or regulatory requirements or good practice;
8.2.3 Government bodies (such as HMRC, Registers of Scotland or the Land Registry);
8.2.4 any third parties with whom you require or permit us to correspond;
8.2.5 third parties who help facilitate hosting or events to which you have been invited and indicated you wish to attend;
8.2.6 third parties in relation to any acquisition or transfer of any part of our business or any reorganisation of it;
8.2.7 IT subcontractors and suppliers who provide us with their services, screening service providers (so as to comply with anti-money laundering obligations and checks in relation to sanctions), any outsourced business support, marketing and advertising agencies;
8.2.8 our insurers, professional indemnity insurers, auditors, banks and others who provide services to us;
8.2.9 the police and law enforcement agencies.
8.3 Occasionally we are required to disclose your information to comply with legal or regulatory requirements.
8.4 All third party service providers are required to take appropriate measures to protect your personal information.
9 Transfers of personal data outside the EU
Where your data is processed outside of the EEA, we will ensure that your personal data is protected with appropriate safeguards and that we comply with the conditions for transfer as set out in applicable legislation.
10 Retention of personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different types personal data are contained in our data retention policy which is available on request from our DPO. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a client of CEME we will securely destroy your personal data in accordance with our data retention policy and our retention and disposal schedule. However we may store your data for longer if the law requires us to do so.
11 Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
12 Your rights in connection with personal data
12.1 Under certain circumstances, by law you have the right to:
12.1.1 Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
12.1.2 Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
12.1.3 Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.
12.1.4 Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
12.1.5 Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
12.1.6 Request the transfer of your personal data to another party.
12.2 If you want to exercise any of the above rights, please contact our DPO in writing.
13 No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
14 What we may need from you
We may need to request specific information from you to help us confirm your identity and exercise any of the above rights. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
15 Withdrawal of consent
15.1 Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent.
15.2 Please note:
15.2.1 the withdrawal of consent does not affect the lawfulness of earlier processing;
15.2.2 if you withdraw your consent, we may not be able to continue to provide services to you;
15.2.3 even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g. because we have a legal obligation to continue to process your data).
16 Data protection officer (DPO)
We have appointed a DPO to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal data, please contact the Data Protection Officer.
17 Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
18.1 If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with applicable data protection legislation in some other way, you can complain to us.
18.2 Please send any complaints to The DPO, CEME Business Campus, Marsh Way, Rainham, London, RM13 8EU or alternatively email us at firstname.lastname@example.org. If you are not happy with our response, you also have the right to lodge a complaint with the ICO (www.ico.org.uk).