Privacy Policy

C&F Millier Privacy Policy

1. Introduction

C&F Millier Ltd is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.

This policy details the expected behaviours of C&F Millier Ltd’s Employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to C&F Millier Ltd’s Customers and Staff (i.e. the Data Subject), irrespective of the media used to store the information.

Personal Data is any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data.

An organisation that handles personal data and makes decisions about its use is known as a Data Controller. C&F Millier Ltd, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy.

Non-compliance may expose C&F Millier Ltd to complaints, regulatory action, fines and/or reputational damage.

C&F Millier Ltd’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all C&F Millier Ltd Employees and Third Parties to share in this commitment.

Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.

2. Scope

2.1. This policy applies to all C&F Millier Ltd Entities where a Data Subject’s personal data is processed:

• in the context of the business activities of the C&F Millier Ltd Entity
• for the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by C&F Millier Ltd
• to actively monitor the behaviour of individuals.

2.2. Monitoring the behaviour of individuals includes using data processing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to:

• taking a decision about them
• analysing or predicting their personal preferences, behaviours and attitudes.

2.3. This policy applies to all processing of personal data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

2.4. This policy has been designed to establish a baseline standard for the processing and protection of personal data by all C&F Millier Ltd Employees. Where national law imposes a requirement that is stricter than that imposed by this policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this policy, the relevant national law must be adhered to.

2.5. The protection of personal data belonging to C&F Millier Ltd Employees is not within the scope of this policy.

2.6. The DPO is responsible for overseeing this Privacy Standard and, as applicable, developing Related Policies and Privacy Guidelines.

2.7. Please contact the DPO with any questions about the operation of this Privacy Standard or the GDPR, or if you have any concerns that this Privacy Standard is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:

• If you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by the Company)
• If you need to rely on Consent and/or need to capture Explicit Consent
• If you need to draft Privacy Notices or Fair Processing Notices
• If you are unsure about the retention period for the Personal Data being Processed
• If you are unsure about what security or other measures you need to implement to protect Personal Data
• If there has been a Personal Data Breach
• If you are unsure on what basis to transfer Personal Data outside the EEA
• If you need any assistance dealing with any rights invoked by a Data Subject
• Whenever you are engaging in a significant new Processing activity, or a change in an existing one, which is likely to require a DPIA, or if you plan to use Personal Data for purposes other than those for which it was collected
• If you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making
• If you need help complying with applicable law when carrying out direct marketing activities; or
• If you need help with any contracts or other areas in relation to sharing Personal Data with Third Parties (including our vendors).

3. Policy

3.1. Governance

3.1.1. Policy Dissemination and Enforcement

The management team of C&F Millier Ltd must ensure that all C&F Millier Ltd Employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy. In addition, C&F Millier Ltd will make sure all Third Parties engaged to Process Personal Data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by C&F Millier Ltd.

3.1.2. Data Protection by Design

To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing. C&F Millier Ltd must ensure that a Data Protection Impact Assessment (DPIA) is conducted for all new and/or revised systems or processes for which it has responsibility. C&F Millier Ltd should consult with a Data Protection subject matter expert during the course of completing the DPIA. The subsequent findings of the DPIA must then be submitted to the senior risk officer for C&F Millier Ltd for review and approval. Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will cooperate with the Data Protection subject matter expert to assess the impact of any new technology uses on the security of Personal Data.

3.1.3. Compliance Monitoring

To confirm that an adequate level of compliance is being achieved by C&F Millier Ltd in relation to this policy, C&F Millier Ltd will carry out an annual Data Protection compliance audit. Each audit will, as a minimum, assess compliance with this policy and the operational practices in relation to the protection of Personal Data, including:

• The assignment of responsibilities
• Raising awareness
• Training of Employees
• Adequacy of organisational and technical controls to protect Personal Data
• Records management procedures (including data minimisation)
• Adherence to the qualified rights of the Data Subject
• Privacy by Design and Default
• Consent for direct marketing
• Personal Data transfers
• Personal Data incident management (including Personal Data breaches)
• Personal Data complaints handling
• The currency of Data Protection policies and Privacy Notices
• The accuracy of Personal Data being stored
• The conformity of Data Processor activities
• The adequacy of procedures for redressing poor compliance.

Any major deficiencies identified will be reported to and monitored by C&F Millier Ltd’s Executive Management team.

3.2. Principles

3.2.1. Data Protection

C&F Millier Ltd has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data.