In line with the requirements of the General Data Protection Regulation (GDPR), Central Business Equipment Limited (herein CBE) have made every effort to identify the Personally Identifiable Information (PII) we require as a company from our customers in the course of doing business. Below is a list of the PII and the purpose for which we must seek and retain this information, along with the legal grounds on which we do this.

| PII Description | Reason Collected and Maintained | GDPR Classification of CBE | Company Retention Period | Statutory Retention Period | Declared Legal Ground for Processing PII |
| --- | --- | --- | --- | --- | --- |
| Customer and Customer Employees Names | To allow us to contact you and/or the correct people in your organisation and conduct business | Data Controller | Duration of Contract / Supply of Services + 1 Year | None | Necessary in the pursuit of the legitimate interest of the organisation or a third party |
| Customer and Customer Employees Phone Numbers | To allow us to contact you and/or the correct people in your organisation and conduct business | Data Controller | Duration of Contract / Supply of Services + 1 Year | None | Necessary in the pursuit of the legitimate interest of the organisation or a third party |
| Customer and Customer Employees Email Addresses | To allow us to contact you and/or the correct people in your organisation and conduct business | Data Controller | Duration of Contract / Supply of Services + 1 Year | None | Necessary in the pursuit of the legitimate interest of the organisation or a third party |
| Customer and Customer Employees Biometric ID | Used to log into the EPOS system | Data Processor | Duration of Contract / Supply of Services + 1 Year | None | Necessary in the pursuit of the legitimate interest of the organisation or a third party |
| Customer and Customer Employees Photograph | Used to create the Employee Profile in the EPOS software | Data Processor | Duration of Contract / Supply of Services + 1 Year | None | Necessary in the pursuit of the legitimate interest of the organisation or a third party |
| Member of Public PII (aka CBE Customer’s Customer) PII on EPOS systems | To allow us to deliver the services as per the contract with the Customer who is the Data Controller | Data Processor | Duration of Contract / Supply of Services + 90 Days | None | Necessary in the pursuit of the legitimate interest of the organisation or a third party |
| Member of Public PII (aka CBE Customer’s Customer) on Rewards Points Systems | To allow us to deliver the services as per the contract with the Customer who is the Data Controller | Data Processor | Duration of Contract / Supply of Services + 90 Days | None | Necessary in the pursuit of the legitimate interest of the organisation or a third party |

IMPORTANT NOTES

    1. The legal grounds claimed for processing the PII identified above fall under article 6.1 f) of GDPR, which states: ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’.
    2. Where the company has been identified in the above table as the Data Processor, this implies that the customer is the data controller and as such has responsibilities for the methods and legal grounds for gathering, collating and transferring the data, along with defining the intended purposes and any specific terms by which The Company must abide over and above what has been defined in this document.
    3. None of the above affects the rights of the data subjects in each case and we will ensure compliance and deal with all data subject requests as per the requirements detailed in GDPR.
    4. Member of Public PII relates to the customers of CBE’s customers. Such PII may include any or all of the following, depending on the software products used: Name, Email, Phone, Address, Photograph/Video, Loyalty Card Number, Car Registration, Driver’s License Number.