This is a statement of the General Data Protection Regulation (GDPR) compliance policy that is adopted by CPS (Midlands) Ltd for delivering our services, which include the enforcement of Parking Charge Notices, Notice to keeper/Driver/Hirer.  Where a Parking Charge remains unpaid, it may be passed to  Debt collection companies and or Solicitors.

CPS (Midlands) Ltd will, when delivering these services, collect and use personal Data only which is relevant to the work that we are undertaking and which will be controlled, stored and processed in accordance with the General Data Protection Regulations (GDPR), howsoever it is collected, recorded and used; whether it be on paper, in electronic media form (e.g. in a computer system), or recorded by other means.

We consider the lawful and correct treatment of personal data by the company as critical in maintaining the confidence of our clients; we therefore manage and process personal information lawfully and correctly.

Information is defined under the GDPR as being Personal Information if any of the following criteria are met:
• Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?
• Does the data “relate to” the identifiable living individual, whether in their personal or family life, business or profession?
• Is the data “obviously about” a particular individual?
• Is the data “linked to” an individual so that it provides particular information about that individual?
• Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
• Does the data have any biographical significance in relation to the individual?
• Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
• Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

We adhere to the Principles of Data Protection, as set out in the Data Protection Act 1998 (the Act) and the General Data Protection Regulations (GDPR), which come into force in May 2018.

Specifically, these Principles require that personal information:
• Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
• Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
• Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
• Shall be accurate and, where necessary, kept up to date
• Shall not be kept for longer than is necessary for that purpose or those purposes
• Shall be processed in accordance with the rights of data subjects under the Act
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to,    personal data
• Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data    subjects in relation to the processing of personal data.

CPS will, through appropriate management and by strict application of criteria and controls:
• Observe fully the conditions regarding fair collection and use of information
• Meet its legal obligations to specify the purposes for which information is used
• Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
• Ensure that the quality and accuracy of information used is adequate and is maintained
• Apply strict checks to determine the length of time information is held and that it is stored for no longer than is necessary
• Ensure that the rights of people about whom information is held are able to be fully exercised under the Act and Regulations
• These include: the right to be informed that processing is being undertaken, the right of access to one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information.
• Take appropriate technical and organisational security measures to safeguard personal information
• Ensure that personal information is not transferred abroad to countries to which transfers are not permitted under GDPR

The information storage and processing systems used by CPS are certified as compliant.

These are designed to ensure that:

• Everyone handling, managing and working with personal information understands that they are contractually and legally responsible for following GDPR and good data protection practice
• Everyone handling, managing and working with personal information is appropriately trained to do so
• Everyone handling, managing and working with personal information is appropriately supervised
• Anyone wanting to make enquiries about personal information knows how to do so
• Queries about personal information are promptly and courteously dealt with, in accordance with GDPR
• Methods of handling, managing and working with personal information are clearly described
• A regular review and audit is made of the way personal information is managed
• Methods of handling, managing and working with personal information are regularly reviewed, assessed and evaluated.

The performance of the methods and process is regularly reviewed, assessed and evaluated.

Information processing – general

We do not undertake automated decision making about, or profiling of personal data.

Data subjects have a right, as set out in GDPR, to obtain the personal information which is stored and used by us, and can obtain this information by contacting the Data Protection Officer if one is assigned. The data comprising the personal information will be delivered to the data subject in a secure manner and in a format which is readily accessible using common proprietary data access tools (such as word processor document or spreadsheet viewer programs).

GDPR compliant policy for Enforcement information
What information we obtain, process and/or store

We receive basic personal information relating to the Driver/Owner/Hirer of the vehicle.

The personal information which is obtained consists of name, address(es), details and pictures of the vehicle

What we use the data we collect for

The information which we obtain, store and process is necessary and is used to enable us to enforce the Parking Charge Notice

We comply with DVLA requirements on data release and only retain/process information for the purpose for which it was obtained and in accordance with data protection laws.
At all stages of the enforcement process we act as a data controller and as such we will fully comply with GDPR and with the Data Protection Act and its guiding principles.

GDPR compliant policy for Tracing Services information
What information we obtain, process and/or store

The personal information which is obtained when enforcement action is necessary to trace individuals and companies consists of name, address and registration number, phone number,email address and photographs.

In cases where it is appropriate and reasonable, we will search for tracing subjects’ names in various databases to which we are granted lawful access. In some circumstances, depending on the nature of the enquiry, this may leave a “footprint” under the search purpose that clients have provided to us on the subject’s credit history file.

Depending on the information we obtain from these databases, we may then determine that further enquiries may be made, such as obtaining telephone numbers for addresses at which we believe the subject may be found. We may also utilise other public databases and/or Registries that we think would be of value to this enquiry (e.g. the Insolvency Register, Land Registry, London Gazette, etc.).
Once this research has been completed, we may then conduct enquiries by telephone at and around the locations identified. At no stage will we divulge to a third party any personal data relating to the data subject.

What we use the data we collect for

We use the data collected relating to the tracing subject’s address to apprise our client of the subject’s current residential and/or commercial address and/or telephone number and/or e-mail address.
Once the tracing operation has been completed, we normally retain the detailed information recording the tracing activity for 6 years, in accordance with the Limitation Act 1980. We are able, upon request of the data subject, to securely erase all personal data stored for the purpose of tracing. At no stage will we divulge to a third party any personal data.

We confirm that no information concerning the data subject obtained by us or during the course of a trace enquiry will be used for any other purpose.
At all stages of enquiries we will fully comply with GDPR and with the Data Protection Act and its guiding principles.

GDPR compliant policy for marketing and general information
What information we collect

CPS does not use any general information for marketing purposes.

The information that we obtain may be dependent upon the nature and context of your enquiry or instruction. The information that we collect can include the following:
Name and contact data: We collect your first and last name, postal address, phone number and e-mail address.

Payment data: Where it is necessary to process your payment if you make a payment the sensitive information such as your credit card number and security code are not collected by us: the payment is processed using external secure processing websites operated by our bank and the information is not processed or stored by our systems or personnel.

Contacts and relationships: We may collect such information that you provide us relating to your contacts and business relationships.

Location data: Our on-line services may obtain imprecise location data: e.g. a location derived from your IP address or data that indicates where you are located with low precision, such as at a city or postcode level.

Content: We may collect the content of any data files and communications that you may send us in the course of an instruction, together with any physical documents that you may give us where is necessary to hold these for our enquires and in accordance with time frames listed in this policy.

Data we collect may include:
• the address, subject line and body of an email
• text or other content of an instant message
• audio and video recording of a video message or attachment, and
• audio recording and transcript of a telephone call or voice message you send to us or receive from us.

What we use the data we collect for

We use the data that we collect to operate our business and to deliver the services that we provide.

We use information which we collect to provide and to improve the services which we offer and to undertake essential business operations. This includes service delivery and monitoring, maintaining and improving the quality standards, security and performance of our services, developing new services, conducting research and providing focused advice to our clients. Examples of such uses include the following:

For information about how to manage, edit or to delete contact data which contains your personal information, please contact us in writing.

Data Retention
Data will be stored up to a maximum of 6 years.

How to Access & Control Personal Data:
Individuals can submit a request to view, edit or delete any personal data that we hold and which is not retained for the purpose of enforcement.
They may do so by submitting a request in writing or by email. We will respond to requests to access or delete personal data within 30 days.

Our Use of Cookies and Similar Technologies
We use cookies and similar technologies for several purposes, including:

• Sign-in and authentication: When you sign into a website using your account credentials, we store a unique ID number, and the time you signed in, in an encrypted cookie on your device. This cookie allows you to move from page to page within the site without having to sign in again on each page. You can also save your sign-in information so you do not have to sign in each time you return to the site.
• Security: We use cookies to detect fraud and abuse of our websites and services.
• Storing information you provide to a website: When you provide information on our websites, we store the data in a cookie to remember the information you have added.
• Analytics: In order to provide our products, we may use cookies and other identifiers to gather usage and performance data. For example, we use cookies to count the number of unique visitors to a web page or service and to develop other statistics about the operations of our services. This includes cookies from us and from third-party analytics providers.
• Performance: We use cookies for load balancing to ensure that websites remain up and running.

How to Control Cookies

Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. Most browsers allow you to refuse to accept cookies. However, blocking cookies will have a negative impact upon the usability of some websites.

Certain features of our websites depend upon cookies. Please be aware that if you choose to block cookies, you may not be able to sign in or use those features and preferences that are dependent on cookies may be lost. If you choose to delete cookies, the settings and preferences controlled by those cookies will be deleted and may need to be recreated.

Changes to This Privacy Statement

We will update this privacy statement when necessary; we encourage you to periodically review this privacy statement to learn how we are protecting your information.

How to Contact Us

If you have privacy concern, complaint or questions please write to us at the follow address:

CPS (Midlands)Ltd, PO Box 11363, Nottingham, NG2 9AS.