1. About Us
CFB Boilers Limited (“CFB Boilers”) operates the website, www.steamboilers.co.uk. Our office address is CFB Boilers Ltd, Brunel Road, Gorse Lane Industrial Estate, Clacton-on-Sea, Essex, CO15 4LU. We are registered in England and Wales under company registration number 02846857.
CFB Boilers manages personal data as a Data Controller, and we recognise and act on our obligations under applicable data protection law. For issues relating to data protection you can contact us by email to email@example.com
2. Policy Statement
CFB Boilers recognises the trust you place in us when you share personal data with us. We are committed to being open, honest and transparent with our use of personal data.
- Policy Acceptance
4. What personal data do we collect?
Personal data is any information relating to an identified or identifiable individual. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you when we engage with you. This may include the following categories:
- Identity Data – title, first name, last name or similar identifiers. If you interact with us through social media, this may include your social media user name;
- Contact Data – billing address, email address and telephone numbers;
- Financial Data – bank account and payment card details;
- Transaction Data – details about services you have purchased from us;
- Technical Data – includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access this website;
- Profile Data – your username and password, purchases or orders made by you, your interests, preferences, images and videos uploaded, feedback and other responses;
- Geographical Data – information setting out your primary address to control the use of location services in most mobile devices and desktop settings;
- Usage Data – information about how you use our website and services;
- Marketing and Communications Data – includes your preferences in receiving marketing from us and our third parties and your communication preferences.
5. How do we collect personal data?
We use different methods to collect data from and about you, through:
Contact / Get In Touch
Personal details provided when contacting us through the website are processed so that we can respond to your communications with details of our services and answer any queries. Data is held on the grounds of being legitimate to our business interests.
Calls to us may be recorded (including notes made on any matter discussed) and any data relating to the call may be retained by us on the basis of being for our legitimate business interests or in order to fulfil our contractual obligations if you are a client of ours.
Other direct interactions
You may give us your data by filling in forms or by corresponding with us by post, or through social media. This includes personal data you provide when you: sign up to receive our services; make enquiries or request information be sent to you; use our services; ask for information to be sent to you; engage with us on social media; submit feedback; contact us direct; or leave comments or reviews on our services.
We may ask for a review of our services and these may be published on our website or social media, if you give your consent for us to do so. You may withdraw your consent at any time.
Visits to our website
When you visit our website, we do not attempt to identify you as an individual user, and we will not collect personal data about you unless you specifically provide this to us.
Special categories of personal data
We do not generally collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
We do not market this website at those under 18 years old. Consistent with the GDPR we will never knowingly request personally identifiable information from anyone under the age of 16 years old.
We will take appropriate steps to delete any personal data of individuals less than 16 years of age that has been collected on our website upon learning of the existence of such data.
6. Information we get from other sources
From time to time, we may need to obtain information from third parties about you. This will only apply where it is necessary to provide our services and as permitted by law.
We may receive personal data relating to your identity and contact data from data partners, data from any third parties who are permitted by law or have your permission to share your personal data with us.
7. How we use your data
UK data protection law requires us to have a “legal basis” for processing personal data. The legal bases we rely on are:
- Performance of a contract we are about to enter into or have entered into with you;
- Compliance with a legal or regulatory obligation;
- Carrying out activities that are legitimate to our business interests;
- However, generally, we shall not rely on consent as a legal basis for processing your personal data other than where the law requires it. Where our legal basis is consent, you have the right to withdraw consent any time.
We may use the personal data we collect from you as outlined in this table:
|Use of personal data||Type of data||Legal basis|
|To register you on our website||(a) Identity
|Performance of a contract or to take steps to enter into a contract|
|To provide, manage and personalise our services to you, respond to communications||(a) Identity
|Where necessary for the perform of our agreement or to take steps to enter into an agreement
It is in our legitimate interests to make sure that our customer accounts are well-managed, and to provide a high standard of service
|To process payments for our services||(a) Identity
|Performance of a contract
Necessary to comply with a legal obligation
|To administer and improve the website||(e) Technical
|It is in our legitimate interests to develop and improve our products and services, so that we can continue to provide products and services that our customers want to use, and to make sure we continue to be competitive|
|To send email notifications which have been specifically requested||(a) Identity
|It is in our legitimate interests to give you information about our products and services that you may be interested in|
|To send marketing communications, where expressly agreed||(a) Identity
(i) Marketing and Communications
|In the case of electronic marketing we have your consent to do so|
|To provide third parties with statistical information about our users||(e) Technical
|It is in our legitimate interests to better understand how our customers use our products and what changes we could make to improve them|
|To ask for feedback, a testimonial or review||(a) Identity
|It is in our legitimate interests to better understand how our customers use our products and what changes we could make to improve them|
|To deal with enquiries and complaints made by or about you relating to the website||(a) Identity
|It is in our legitimate interests to make sure that our customer accounts are well-managed, so that our customers are provided with a high standard of service|
|To recover debt and exercise other rights we have under any agreement with you, as well as to protect ourselves against harm to our rights and interests in property||(a) Identity
|Where necessary to perform a contract or to take steps to enter into an agreement with you
Where the law requires this
It is in our legitimate interests to ensure that we can recover debts owed to us, as well as making sure our assets are protected
Users contacting this website and/or its owners do so at their own discretion and provide any such personal data requested at their own risk. Your personal data is kept private and stored securely until a time it is no longer required or has no use.
Our legitimate interests
When we use our legitimate interests as the legal basis for processing your personal data, we will consider and balance any potential impact on you and your rights before we process your personal data. We will only then proceed where we believe our interests are not overridden by the impact on you. Our legitimate business interests include the management of our business operations.
8. Sharing Information
We may use Data Processors who act on our instruction in relation to the management of your data and they must adhere to all data protection laws and regulations. We will ensure that any Data Processors used only operate on our written instructions and comply with their obligations under the GDPR. You will be informed of any other Data Controllers who have access to your data and who may determine processing activities separately to us, or as a Joint Data Controller.
We may carry out direct marketing by email, phone, text or post, where we have a lawful basis to do so.
We will ask for your consent to receiving marketing communications (including newsletters) when you register on the website and you have the option not to give consent and to withdraw consent given at any time. You may withdraw your consent for us to contact you by email to firstname.lastname@example.org. We may continue to contact you for non-marketing purposes if there is another lawful basis to do so.
Non-personally identifiable information may be provided to third parties for marketing, advertising or other uses.
Social media platforms
Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are subject to our terms and conditions as well as the privacy policies held with each social media platform respectively.
Users are advised to use social media platforms wisely and communicate and/or engage with them with due care and caution in regard to their own privacy and personal details. This website nor its owners will not ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.
CFB Boilers uses social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised that before using such social sharing buttons, that they do so at their own discretion, and should consider that the social media platform may track and save requests to share a web page, through the users’ social media platform account.
We do not process any payment for our services though our website or online. All payment transactions are carried out securely by our accounts staff ensuring data is safeguarded at all times and handled in accordance with recognised industry standards.
9. Data Retention
We keep your personal data in accordance with our Data Retention Policy which reflects our needs to provide contracted services and to meet our legal, statutory and regulatory obligations. The need to retain information is regularly reviewed and data will be disposed of when no longer required.
We will hold your personal information for the following periods:
Name and address kept for 6 years to satisfy UK tax law.
Email address for as long as contact is necessary.
These periods are no longer than necessary in each case.
Reasons we can collect and use your personal information
We rely on the following as the lawful basis on which we collect and use your personal information:
The legitimate interests relied upon are as follows:
The information is used for marketing purposes and the impact on personal data is minimal.
10. Data Security
We have in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such system and are required to keep the information confidential.
We will also use technological and organisation measures to keep your information secure.
We are certified to ISO 27001. This family of standards helps us manage your information and keep it safe and secure.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Indeed, while we will use all reasonable efforts to secure your personal data, in using the site you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that are transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us using the details below.
Transfers of your information out of the EEA
We will not transfer your personal information outside of the EEA at any time.
11. Data Storage and International Transfers
- In the case of US based entities, entering into European Commission approved standard contractual arrangements with them, or ensuring they have signed up to the EU-US Privacy Shield; or
- In the case of entities based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements with them.
12. Rights of Data Subjects
CFB Boilers recognises a data subjects rights and will uphold these in accordance with data protection laws. You are entitled to see the information held about you and you may ask us about any of the following:
Subject access requests (SAR)
Data subjects (i.e. individuals) have the right to access personal data held by us by submitting a subject access request by email to email@example.com. We will endeavour to respond quickly to any such request, which legally requires us to respond within one month of receiving the request and necessary information. In limited circumstances a fee may apply.
Right to rectification
Data subjects have the right to request that personal data is amended or changed if it is inaccurate or incorrect. We will act on any such request without delay.
Right to erasure
Data subjects have the right to ask us to delete personal data from our systems without giving any reason and at any time. We will act on any such request without delay.
Right to restrict processing
Data subjects have the right to rectification or erasure of personal data in the following circumstances:
- Personal data is not accurate;
- The processing of data is unlawful;
- Data is required to exercise legal rights or defend legal claims;
- Data is unlawful, although there may be lawful grounds for processing, which override this right.
Right to data portability
Data subjects have the right to obtain and request the transfer of their data to different service providers.
Right to object
Data subjects have the right to object to the processing of personal data at any time based on their particular situation. This includes objecting to profiling unless it is in the ‘public interest’ or exercised lawfully by an official authority. We will only process data if permitted to do so on a valid legal basis.
Right not to be subject to decisions based on automated processing
We do not use any automated processing that results in any automated decision based on a data subject’s personal data.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individual’s rights under the General Data Protection Regulations (http://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/)
Using your rights
If you wish to invoke any of these rights, you should contact the person responsible for data protection by email to firstname.lastname@example.org
There is usually no fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in limited circumstances.
Do you need extra help?
If you would like this policy in another format (for example: audio, large print, braille) please contact us using the details below.
13. Data Breaches
We will report any unlawful breach of data as required by the GDPR within 72 hours of the breach occurring, if it is considered that there is an actual, or possibility, that data within our control including the control of our data processors, has been compromised. If the breach is classified as ‘high risk’ we will notify all data subjects concerned using an appropriate means of communication. We will report any relevant breaches to the ICO, see below.
15. Reporting Complaints
If you want to raise a concern about the use of your personal data, you can contact us by email to INSERT
Alternatively, you can formally raise a concern or complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.
Address: Information Commissioner’s Office
Telephone: 0303 123 1113
If you have any questions about this policy or the information we hold about you, please contact us by:
CFB Boilers Ltd
Gorse Lane Industrial Estate
telephone: 01255 224500
Calls will be answered at the following times:
Monday- Friday 9am- 5pm
We may record calls for quality and training purposes.
Our data protection officer is Mrs Brenda Hickey.
Copyright © 2019 CFB Boilers Limited