In order to provide our contracted services to the customer, we need to collect, store and use some personal data about the customer.
This document also sets out the main requirements of the General Data Protection Regulation (GDPR) and the customer's rights under the regulation.
Data Controller: City Cabs Buses and Coaches Ltd.
Data Processor: AutoCab and/or City Cabs Buses and Coaches Ltd.
Contact details: email@example.com
Date operational from: 25th May 2018
Date of next review: 31st May 2020
At City Cabs Buses and Coaches Ltd. (The Company) we take the security of the data you provide to us extremely seriously and will always do our utmost to protect this data and maintain your trust in us.
We also recognise that we have a responsibility to protect our customers, staff, the Company and other individuals from the consequences of insecure data being released either accidentally or by means of intrusion.
Requirements under GDPR
The Company is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
LAWFUL BASIS FOR COLLECTION OF DATA
The Company must have a recognisable lawful basis to collect, use and store customers' data and have explicit consent from the customer to retain this information.
The Company does not collect personal data from its customers through our website.
Type of information collected and used
The information we collect and hold during normal browsing of the site is information about your computer and about your visits to, and use of, the website (including your IP address, approximate geographical location, browser type, referral source, length of visit and number of page views).
Why do we need this information?
This information is required to analyse the performance and popularity of our website and, other than the IP address, no other personal information is collected.
How long does the Company keep your data?
Email data - We will keep your email data, including your email address, until the transaction with you is completed and the data is deemed to be no longer required for a lawful purpose.
Using cookies or other on-device storage
Cookies are information files stored on your computer, tablet or smartphone that help websites remember who you are and information
Tracking how the website is used
As mentioned previously, information is collected about activity on the website by Google Analytics.
This information is used to:
a. analyse statistics;
b. track pages and paths used by visitors to, or users of, the website;
c. target the adverts or offers, such as banners on the website;
d. track the use of our banner adverts.
Who has access to your data?
Our third party service providers are Google and Basehound Media. Both have been checked by the Company and found, to the best of our knowledge, to be GDPR compliant.
Google and Basehound Media have access to your Google Analytics information about your computer and about your visits to, and use of, the website (including your IP address, approximate geographical location, browser type, referral source, length of visit and number of page views).
DAILY ADMINISTRATIVE OPERATIONS
When the customer contacts the Company to contract our services, we need to collect personal data to enable us to perform the requested service.
Type of information collected and used
The data we collect is the customer's full name, contact telephone number, address and email address.
The customer gives explicit consent for retention of the collected data when booking the service required, as without this data the Company would not be able to provide the service.
Why do we need this information?
We need this information specifically to provide the service the customer has contracted us to provide. We would not be able to efficiently provide the service without the data collected.
Additionally, as a registered and licensed private hire company, we are required to collect and retain records of every service request for a minimum period of five years. The data stored is accessed only when a customer calls to request a service.
The customer gives consent when the service is booked, by willingly providing the necessary information which enables us to provide the service requested.
How does the Company store and how long does it keep your data?
The data is stored for a minimum of five years to enable the Company to provide the best possible service to the customer, but also to adhere to the regulations required by local licensing authorities.
Data is stored using Autocab on Microsoft Azure Datacentres in an encrypted form and is password protected by a required login system.
Azure is compliant with, and regularly audited against, the international security standard ISO27001 and the international security standard for protecting personally identifiable information (PII) ISO 27018.
Who has access to your data?
The Data Controller and Data Processor have access to the database and Company staff have access limited to that deemed necessary to perform the service in hand.
We never share data with any third parties other than those noted in this document; however, we would have to share data with legal entities such as the police or local council licensing authorities if required to do so. See our disclosure statement below.
In this case Autocab have some responsibilities as a Data Processor and as such have been investigated by the Company and found to be compliant with GDPR.
Rights of the subscriber under the General Data Protection Regulation
1. The right to be informed:
Organisations need to tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
2. The right to access:
Individuals can submit subject access requests, which oblige organisations to provide a copy of any personal data concerning the individual. Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.
3. The right to rectification:
If the individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right to access, organisations have one month to do this, and the same exceptions apply.
4. The right to erasure (also known as ‘the right to be forgotten’):
Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.
5. The right to restrict processing:
Individuals can request that organisations limit the way an organisation uses personal data. It’s an alternative to requesting the erasure of data, and might be used when the individual contests the accuracy of their personal data or when the individual no longer needs the information but the organisation requires it to establish, exercise or defend a legal claim.
6. The right to data portability:
Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.
7. The right to object:
Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority. Organisations must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or if the processing is for the establishment, exercise or defence of legal claims.
8. Rights related to automated decision making including profiling:
The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.
Exercising your rights
If you wish to contact the Company to exercise any of the above rights, we require a written request either by letter or email. When making a request, please include your full name and email address. If you inform the Company via email, we'll initially send a verification email to make sure it really is you before we act upon your request. Any request will be actioned within 30 days and you will be informed when the action has been completed.
We reserve the right to check your identity before releasing any data under any of the above rights, if deemed necessary.
Contacting by letter.
Please write to:
The Data Controller,
City Cabs Buses & Coaches Ltd.,
91 London Road, Stoke on Trent. ST4 7QE.
Contacting by email.
Please send your email to:
We will provide the data as requested under any of the above rights free of charge for the first request. Subsequent requests for the same data and under the same legal right may be charged for at a fee of £20 per duplicate request to cover administrative costs.
Disclosure of your information to Third Parties
Your information will not be passed to any third party other than Google and Autocab but may be shared within the Company.
Exceptions to this rule are government and enforcement agencies and the police.
Every now and again, requests are received for information from government departments, the police and other enforcement agencies.
If this happens, and there is a proper legal basis for providing your information, it will be provided to the organisation asking for it.
Last updated May 2018
Next review May 2020 by the Data Controller.