Customer Policy Statement
Company: CBF Service Centre Limited
Author: Sheryl Basey-Fisher
Date Created: 23/05/2018 Date Revised: dd/mm/yy
Version Number: V1.0 Location: Main Office/online
Change/Verification Frequency: Annual or upon any material change
Below are our policies to comply with GDPR legislation. Our Data Processing Officer is Sheryl Basey-Fisher. All queries and information requests should be forwarded to him/her in writing.
GDPR Policy Statement
Booking Information. We collect details of all garage appointments that are made in our company 12 month diary. We record the name, phone number, vehicle registration number, the purpose of the appointment, the date of the appointment and an estimate of costs where required. The system is paper based and the diaries are destroyed after 5 years.
Work Orders. We collect the vehicle registration number, the customer name and the work we undertake on the vehicle. The system is paper based and the work orders are destroyed after 12 months.
Quotations. The quotation contains the name of the customer, the date the invoice was prepared and the estimate for undertaking the work. The quotations are in paper form [and an electronic form stored on our Quotation system], paper based quotations are stored at our premises. Both formats are stored for 6 years after the customer account becomes dormant.
Invoices. The invoice contains the name of the customer and address, the date the work was completed and the charges. The invoices are in paper form, stored at our premises and in an electronic format at our designated accountants. Both formats are stored for the statutory 6 years after the end our financial year end. Records are then destroyed.
[Customer Records/Quotation System. We use 3rd Party software to maintain a customer file which contains customer name, address, phone number, email address, vehicle details, invoices and work carried out upon the vehicle. Our 3rd Party software supplier is GDPR compliant. Data is stored for 6 years after the end of our financial year end.]
Lawful Basis for Processing Data
All of the data that we store and process is covered under a Contractual Requirement, A legislative Requirement or Legitimate Interest as defined under the provisions of the GDPR.
Privacy, Consent and Individual Rights.
Data Sharing. Data is only shared with other organisations or entities as described above to comply with statutory record keeping.
Marketing. Data may be used to communicate with customers about MOT renewal dates, service reminders and promotional information relevant to the services we offer. These communications are included as they are classified as being of Legitimate Interest to the recipient. We will cease all communications to customers if the customer account is dormant for more than 3 years. Should the recipient wish to be excluded from these communications, they must write to us to confirm their request and we will exclude them for future communications within 40 days of receipt of the request.
In terms of subject access to view the data we hold
Subject Access. In terms of providing copies of the data we hold, we will upon receipt of a written request provide hard copies of any invoices, quotations and work orders within 40 days of receiving the request.
Individual Data Rights. In terms of providing the right to erase data, data portability and the right to object we are obliged to follow the request as determined by the nature of the data and its processing as defined in the table below.
|
Right to erasure |
Right to portability |
Right to object |
| Consent |
|
|
X
but right to withdray consent |
| Contract |
|
|
X
|
| Legal obligation |
X
|
X
|
X
|
| Vital interests |
|
X
|
X
|
| Public task |
X
|
X
|
|
| Legitimate interests |
|
X
|
|
All requests must be submitted in writing and will be actioned within 40 working days of receiving the request. The right to portability only applies to data that is processed electronically.