GDPR Principles we Operate by
Accountability: We are committed to the principles of the GDPR by adopting the concept of ‘data privacy by design’ within our operational model. We remain accountable by having detailed policies and systems in place as well as a Data Protection Officer to oversee our overall compliance to data protection regulations including the management of access rights requests. Our policies are regularly reviewed and updated, and our staff are periodically trained on data protection and security throughout the year.
Transparency, Fairness and Lawfulness: We process data with data subjects’ interests in mind and ensure that we approach processing activities with transparency to maintain fairness in what we do. This way we can be sure that we are processing data lawfully. We have a robust process in place to allow us to deal efficiently with any access requests we may receive.
Data Integrity and Confidentiality: We hold data on secure systems, and we are ISO 27001 and Cyber Essentials Plus certified. We can provide evidence of our certifications on request. Information security and integrity are key to our smooth operation, and we have a dedicated cyber security team who protect our systems. We also have an Incident Response Team on hand to support us in the event that data is compromised.
Data Minimisation and Data Storage: We will not keep data for longer than is necessary and only keep data if there is a lawful basis which allows fair retention. When we do need to remove data from our possession, we do so by using industry approved standards so the disposal or anonymisation is thoroughly compliant.
Data Accuracy: Keeping data accurate is very important to us and we train our staff to ensure they are maintaining data to a high quality and with all the facts available.
Purpose Limitation: We use the data we obtain for a specific purpose. This means that data is not processed for any reason other than the one for which it was originally collected.
The tables below explain our stance on different operational areas of our business, so that you can easily see the standards we work by.
If you have any further queries about any topics raised in this document please contact our Data Protection Officer on GDPR@croner.co.uk for further assistance and clarity.
Physical Security of our Sites
Buildings: Reception areas are staffed 24/7 and door access control systems are in place throughout the building, and all entrances are monitored by CCTV, including the data centre.
Secure areas: Secure access areas are protected by entry controls to ensure only authorised staff can enter via an access control card. Access rights are removed when staff move roles, and access rights are limited to the personnel who require them.
Business Continuity: A BCP/DR policy has been implemented. A full annual DR test is conducted within Salesforce (our CRM provider) and individual components are tested at Croner TaxWise on a regular basis. All necessary remediation has been carried out.
Software and Applications
VPN Access: All remote access by remote working employees is secured by VPN log-on technology, and the networks cannot be accessed unless a secure VPN connection has been established.
Encryption: All databases, software and hardware/devices are protected with high levels of encryption. Encryption keys are managed with strict policies and procedures. The key is stored in a secure location which is only accessible to database admins.
Testing: On our equipment all patches are governed by the change control process, which includes evaluation, testing and deployment.
System Updates: We update systems when the time is appropriate to ensure we are always using the most advanced technical and organisational tools available.
Data Back Ups:
Monitoring and testing:
Third Party Security
Data Retention and Disposal
Data Retention: All data retention is handled in line with our retention policy. We are committed to taking a practical approach in line with legal, contractual and commercial requirements relating to the ownership, retention and disposal of information relating to our business activities within the UK and Ireland. We tend to keep our client data for 7 years until the contract end date.
Queries and Complaints
Our Group Data Protection officer welcomes communication around our policies and practices and they can be directly contacted on the details below, which are also publicly available on the ICO register.
You can also write to them at:
Croner TaxWise Data Protection Officer
GDPR Oversight Team: GDPR@cronertaxwise.com
Data Protection Officer: firstname.lastname@example.org
If you’re not satisfied with our response, or believe we’re not processing your personal data in accordance with the law, you can approach the UK regulator for further guidance at www.ico.org.uk/concerns
This version was last updated and reviewed November 2020.
We regularly review and monitor regulatory guidance for any industry changes which may impact our business operations or your rights and freedoms.
In this privacy notice, “personal data” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
We are legally known as Croner Taxwise Limited, and our address is: Croner House, Wheatfield Way, Hinckley, LE10 1YG
We are registered in England and Wales under company number 03116659. ICO Registration Number: Z1761278
We form part of a larger group of undertakings known as ‘The Peninsula Group’. The other companies that sit within the global group are:
Peninsula Business Services (UK), Croner Group Limited (UK), Croner-i (UK), Bright HR (UK), Health Assured (UK), Peninsula Employment Services (Ireland), Graphite HRM (Ireland), Employsure (Australia), Employsure (New Zealand), Peninsula Business Services (Canada).
Copyright © Croner TaxWise Limited 2020