This Privacy Notice is v1.1 and is valid from 0001hrs on 27 April 2021. It replaces and supersedes all other Privacy Notices associated with CSS Platinum Limited.

CSS Platinum takes your privacy very seriously. This Privacy Notice details what personal data we collect and how we shall use it. Please take time to read this Privacy Notice and ensure that you understand its contents.

Changes to this Privacy Notice.

We continually review our Privacy Notice and update it where necessary. We advise that you regularly check our Privacy Notice for updates. CSS Platinum does not wish to inconvenience their clients with lots of minor amendments, but where we make significant changes to our policy, we shall contact you to inform you.

Your personal data – what is it?

Personal data relates to information about a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession, or likely to come into such possession. From 25 May 2018, the processing of personal data is governed by the EU General Data Protection Regulation (GDPR). From the 1 January 2021 the processing of Personal Data shall be governed by the IoM / UK General Data Protection Regulation.

Our Name & Contact Details.

The Data Controller of your personal data is CSS Platinum. This means that CSS Platinum decides how your personal data is processed and for what purposes. Our contact details are:

CSS Platinum Limited Burleigh Manor

Peel Road Douglas Isle of Man IM1 5EP

Data Protection Officer Contact Details.

In observance of the IoM / UK General Data Protection Regulation, the EU General Data Protection Regulation and other International Data Protection Regulation, CSS Platinum have chosen to establish a Data Protection Officer. Should you wish to contact our Data Protection Officer regarding a data protection matter you can do so by emailing [email protected] or writing to:

Data Protection Officer CSS Platinum Limited Burleigh Manor

Peel Road Douglas Isle of Man IM1 5EP

 

Personal data categories we collect.

We collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:

• Identity Data: This includes first name, maiden name, last name, title, date of birth and gender.

• Contact Data: This includes email address and telephone

• Financial Data: This includes bank account information and payment 

• Compliance Data: This includes recorded calls for quality checks and staff training. Such recordings may also be used to help us combat

• Technical Data: This includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this

• Usage Data: This includes information about how you use our website, products and

• Marketing and Communications Data: This includes your preferences in receiving marketing from us and your communication

• Aggregated Data: This includes statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy

• Special Categories of Personal Data: This includes health and vulnerability related data that you may voluntarily share with us during the fulfilment of our services to you. We will always ask for your explicit consent to record and share Special Category

For what purposes do we process personal data, and what are the lawful basis’ by which we process data?

CSS Platinum processes your Personal Data for the following purposes:

For What Purposes Do We Process Personal Data? “CSS Platinum processes your personal data to…”	What is the lawful basis by which we process data?
Communicate with our clients to fulfil, administer or enforce contractual obligations via email, telephone, SMS text, postal mail and push notifications;	Contract
Communicate with clients where we have their consent to do so via email, telephone, SMS text, postal mail and push notifications;	Consent

 

For What Purposes Do We Process Personal Data? “CSS Platinum processes your personal data to…”	What is the lawful basis by which we process data?
Communicate with clients on matters where we have a legal obligation to do so via email, telephone, SMS text, postal mail and push notifications;	Legal Obligation
Communicate with clients on matters where we have a legitimate Interest to do so (see legitimate interest section below), via email, telephone, SMS text, postal mail and push notifications;	Legitimate Interest
Communicate news, events, activities, and services provided by CSS Platinum to those who have consented;	Consent
Inform existing clients about CSS Platinum’s new products and services;	Legitimate Interest
Request specific consent to share information about specific aligned/similar products/services with specific fulfilment partners;	Legitimate Interest
Conduct background checks on our staff, associates,
partners, clients and suppliers, and on behalf of our clients	Legitimate Interest
as part of our “Crew Check,” “Check,” and “Background	Contract
Checking” products.
Verify the identity of individuals where necessary including for Subject Access Requests (SAR);	Legitimate Interest
Update clients about significant changes to our Privacy Notice via email, telephone, SMS text, postal mail;	Legal Obligation
Update clients about changes to how we process their personal data and/or new processing activities via email, telephone, SMS text, postal mail;	Legal Obligation
Gather feedback for service and product improvement via email, telephone, SMS text, postal mail;	Legitimate Interest
Share testimonials, case studies and feedback on CSS Platinum website and in future marketing;	Consent
Manage our staff	Contract
Resolve complaints and/or disputes;	Legitimate Interest
Request continuation of Consent prior to consent expiry;	Consent
Collect payments or arrears should we have the need to do so;	Legitimate Interest
Protect our organisation, staff, associates, suppliers, partners and clients;	Legitimate Interest
Prevent, detect and investigate fraud;	Legal Obligation Legitimate Interest
Prevent, detect and investigate crime;	Legal Obligation Legitimate Interest

 

 

For What Purposes Do We Process Personal Data? “CSS Platinum processes your personal data to…”	What is the lawful basis by which we process data?
Comply with the law;	Legal Obligation
Fulfil our statutory or regulatory obligations;	Legal Obligation
Conduct due diligence checks;	Legitimate Interest
Maintain our own accounts and records;	Legal Obligation
For reporting, analytics and product/service improvement (including training);	Legitimate Interest
Improve and maintain data accuracy or completeness;	Legal Obligation Legitimate Interest
Track your email engagement;	Legitimate Interest
Personalise your online experience;	Legitimate Interest
Conduct market research.	Legitimate Interest

 

What are our legitimate interests for processing your data?

Where we have used legitimate interest as the lawful basis for processing your personal data, we may use your personal data to:

• Direct market products and services to you via post, emails, telephone, SMS text and push notifications where they are similar/aligned to our current products and services, a soft opt- in exists, and it conforms with the UK’s Privacy and E-Communication Regulation (PECR) and EU’s ePrivacy Regulation;
• Request specific consent via telephone to share customer personal data with specific fulfilment partners so that they may direct market similar or aligned new products and services to our existing customers;
• Maintain our own accounts and records, including recording any contact we have with you via post, emails, telephone, SMS text and push notifications;
• Prevent, detect and investigate fraud;
• Prevent, detect and investigate crime;
• Resolve complaints and/or disputes;
• Collect payments or arrears should we have the need to do so;
• Protect our organisation, staff, associates, suppliers, partners, clients and client’s clients;
• Reporting, analytics and product/service improvement, (including internal training);
• Improve data accuracy or completeness;
• Track your email engagement;
• Personalise your online experience. This could include customising the content and/or layout of our pages for individual users, for both visitors and contributors;
• Conduct market research. Including research on the demographics, interests and behaviour of our customers in order to help us gain a better understanding of different audiences and enable us to improve our service. This research may be carried out internally by our employees or we may ask another company to do this work for us. Data will be anonymised to protect your data rights for research
• Verify staff suitability and experience for
• Sell your personal data;

Sharing your personal data.

CSS Platinum may choose to share your personal data internally and/or externally to the business. Where we choose to share your information, we shall do so for the following reasons:

• Where we have your “Consent” to do so. Where we process your data under the consent lawful basis you have the right to withdraw consent. Please refer to “Your Right to Withdraw Consent” section below;
• Where necessary to fulfil the services and/or products we are “Contracted” to provide to you or our client;
• Where we have a “Legal Obligation” and are required by law and to law enforcement agencies, judicial bodies, government entities, tax authorities or regulating bodies around the world, this includes communicating with you to update you about our privacy notice and changes to how we process your personal data;
• Where we have “Legitimate Interest” to do so, including;
  • For the purposes listed in the “What are our legitimate interests for processing your data?” section
  • For reporting, analytics and service improvement purposes across our trading styles and/or within any future group construct should CSS Platinum establish or become part of a
  • Where one of our registered trading styles and/or current associated businesses provides a product or service similar/aligned with our organisation’s aim to help clients protect their data, develop cyber resilience, develop their financial crime resilience and maximise the potential of their data in a fair, lawful and transparent manner that we do not currently provide ourselves. Presently these include:

• Cyber Security Strategies Ltd;
• CSS Assure (A trading style of Cyber Security Strategies Limited);
• Crew Check (A trading style of CSS Platinum Ltd);
• ACrew;
• Churchill Sloan Limited;
• Where an external 3rd Party, with whom we are yet to have a relationship, provides a product or service that we do not currently provide ourselves, and:

• Which we reasonably believe would be of benefit to you, and you would reasonably expect to receive;
• Is similar/aligned to our organisation and the services we provide;
• It conforms with the UK’s Privacy and E-Communication Regulation or the EU’s ePrivacy

In this case we would contact you by telephone using Legitimate Interest to request specific Consent to share your personal information.

• Where we believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites;
• Where required for a proposed sale; reorganisation; merger; transfer; financial arrangement; asset disposal; or any other transaction relating to our business and/or assets held by our

• Where we outsource support functions of our organisations to trusted partners. The categories of these recipients include:

 

Categories	Who do we use	Link to their Privacy Notice
Customer
Relationship	Hubspot	https://legal.hubspot.com/privacy-policy
Management
System
Customer
Relationship	Pipedrive	https://www.pipedrive.com/en/privacy
Management
System
E-Mail support provider	Hubspot	https://legal.hubspot.com/privacy-policy
Cookie Provider	Cookiebot	https://www.cookiebot.com/en/privacy-policy/
Web analytics service providers	Google Analytics	https://policies.google.com/privacy?hl=en-US

 

Categories	Who do we use	Link to their Privacy Notice
Social Media	LinkedIn	https://www.linkedin.com/legal/privacy-policy
Social Media	Facebook	https://en-gb.facebook.com/privacy/explanation
Social Media	Twitter	https://twitter.com/en/privacy
Social Media	Instagram	https://help.instagram.com/519522125107875
Legal support providers;	Keystone Law	https://www.keystonelaw.com/privacy-policy
Consultant Time Tracking Service	Clockify	https://clockify.me/privacy
Call centre support providers;	Moneypenny	https://www.moneypenny.com/uk/privacy/
Expenses Management	Expensify	https://use.expensify.com/privacy
Collaboration Tools	Microsoft 365	https://privacy.microsoft.com/en- gb/privacystatement
Human resources support providers (staff only);	Mr Finch Legal Services	https://www.trustmrfinch.com/privacy-policy/
eSigning Service Provider	Adobe	https://www.adobe.com/uk/privacy.html
Payment service providers	Stripe	https://stripe.com/gb/privacy
Online order fulfilment service providers	Woo Commerce	https://automattic.com/privacy/
Training & Learning Management System	Articulate	https://articulate.com/privacy

Where we choose and/or have your permission to share your personal data with 3rd Parties we will, where appropriate, ensure that they have signed data sharing agreement and/or a contract that requires them to:

• Abide by the requirements of all relevant data protection and privacy legislation;
• Treat your information as carefully as we would;
• Only use the information for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation); and
• Allow us to carry out checks to ensure they are doing all these

If your data is provided through a third party, we may share data with that provider in order to assist with the management of the services and to streamline client contact.

 

We may have to disclose your personal data with other third parties as set out below. These organisations or bodies will not use your information to contact you. These third parties will be subject to obligations to process your personal information in compliance with the same safeguards that we deploy.

• HM Revenue & Customs: We’re required to disclose certain data with the

• There may be other regulators and authorities such as Solicitors and Accountants, acting as processors based in the United Kingdom who require reporting of processing activities in certain

Selling your personal data.

CSS Platinum may choose to sell your personal data.

You have the Right to Object to us selling your personal data at any time and can do so by informing us by telephone, email or post.

Where we choose to sell your information, we shall do so in the following circumstances:

• Where we have your “Consent” to do so;

• Where we have a “Legitimate Interest” to do so, including;

o   Where required for a proposed sale; reorganisation; transfer; financial arrangement; asset disposal; merger; or any other transaction relating to our business and/or assets held by our organisation.

International Personal Data Transfer – Countries & Organisations.

CSS Platinum may transfer personal data to countries outside of the IoM / UK. Specifically, we use data processors based in the United States of America, South Africa, Denmark, France, Monaco, Portugal and the Ukraine.

If data is transferred outside of the IoM/UK, to a third country without a current ‘adequacy decision’ in place, CSS Platinum will put in place Standard Contractual Clauses with the Data Controller or Data Processor which contractually obliges them to protect your information to the same standard required by the IoM/UK General Data Protection Regulation.

Personal Data Retention Period.

CSS Platinum has the following data retention policies:

• Where a Regulating Body directs a statutory retention period, we shall retain the relevant data for the statutory period. For example, your financial transactions data shall be retained for 7 years;
• Where you have contracted CSS Platinum’s services, we shall retain any personal details (name, email, telephone, postal address) applicable to the contract delivery for a period of 7 years after the contract has ceased. During this time, we may contact you using legitimate interest to market our additional services and products.

• Where you have signed up to receive information emails from CSS Platinum, we shall retain your contact details (name, email, mobile telephone number, company, job title) for 3 years, or until you withdraw your
• Where you have downloaded free content from our site, we shall retain your contact details (name, email, mobile telephone number, company, job title) for a period of 3 years from your last download. During this time, we may contact you using legitimate interest to market similar free content that may be of interest to

When we no longer need this information, we will erase or anonymise your data and/or dispose of it securely.

The rights available to individuals in respect of the processing.

Unless subject to an exemption under legislation, you have the following rights with respect to your personal data:

• Your right to be informed. You have the right to be informed about how we shall process your information. We use this Privacy Notice as means to inform you about how we process your information. You can read more information about your Right to be Informed here.

• Your right of access. You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about your Right to Access here. In most cases CSS Platinum will not charge for this service however we do have the right to charge an administrative cost should we feel the request is excessive (excessive means that you submit a subject access request multiple times for the same or similar information). Fees will not exceed £50. Information will be provided within 30 calendar days from the day you request it. We will take all reasonable steps to verify your identity before providing you with details of any personal information we may hold about
• Your right to rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about your Right to Rectification here.
• Your right to erasure. You have the right to ask us to erase your personal information in certain circumstances. You can read more about your Right to Erasure

• Your right to the restriction of processing. You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about your Right to the Restriction of Processing

• Your right to object to processing. You have the right to object to processing if we are able to process your information because the process forms part of our public task, or it is in our legitimate interests. You can read more about your Right to Object to Processing here.

• Your right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about your Right to Data Portability

If you wish to exercise any of your individual Rights, you can do so by informing a member of our team or by contacting our Data Protection Officer by emailing [email protected], or writing to:

Data Protection Officer CSS Platinum Limited Burleigh Manor

Peel Road Douglas Isle of Man IM1 5EP

Your Right to Withdraw Consent.

You have the right to withdraw your consent to CSS Platinum processing your data at any time. Please note that this only applies for personal data processed under the Consent Lawful Basis. To determine what of your personal data is processed under the Consent Lawful Basis, please refer to the “What are the lawful basis’ by which we process data?” section above.

If you decide you wish to withdraw your Consent from a processing activity that uses the lawful basis of Consent you can do so by informing a member of our team or by contacting our Data Protection Officer by emailing [email protected] or writing to:

Data Protection Officer CSS Platinum Limited Burleigh Manor

Peel Road Douglas Isle of Man IM1 5EP

Automated decision-making, including profiling.

CSS Platinum does not use currently use automated decision-making tools or profiling in the processing of your personal data.

Your Right to Lodge a Complaint with the ICO.

You have the right to lodge a complaint with the Isle of Man’s Supervising Authority: The Information Commissioners Office. Prior to lodging a complaint, CSS Platinum Assure would like the opportunity to address any complaint you may have.

Should you have a complaint please in the first instance contact our Data Protection Officer by emailing [email protected] or writing to:

Data Protection Officer CSS Platinum Limited Burleigh Manor

Peel Road Douglas Isle of Man IM1 5EP

If your complaint has not been resolved, you can lodge a complaint with the Information Commissioner’s Office by completing this complaints form and emailing it to [email protected] or by writing to:

Information Commissioner’s Office First Floor, Prospect House Prospect Hill

Douglas, Isle of Man IM1 1ET

Or by Phone on +44 (0)330 133 0797