At Company Bureau our policy is simple – we understand the importance of trust in our business. We take great care with personal information that is provided to us online or otherwise, taking steps to keep it secure and ensure it is used only for legitimate purposes. This information will not be disclosed to any third party, other than the Companies Registration Office, without your full consent. We are fully compliant with the EU General Data Protection Regulation (GDPR). The only possible exception to this is in the unlikely event of a police or Revenue investigation for money laundering, terrorist financing, etc., in which case we are legally obliged to disclose our files. We may, from time to time, send you an e-mail to remind you that you have an Annual Return coming up or to inform you of services that we feel may be of interest to you, but you may opt out of these e-mails at any time.
Any information which is provided by you will be treated in accordance with the terms of the EU General Data Protection Regulation (GDPR), Data Protection Act 1988, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, and any implementing and/or amending legislation as may be adopted in Ireland from time to time.
When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.
These pieces of information are used to improve services for you through, for example:
- enabling a service to recognise your device so you don’t have to give the same information several times during one task
- recognising that you may already have given a username and password so you don’t need to do it for every web page requested
- measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast

If you wish to restrict or block the cookies which are set by our website, or indeed any other website, you can do this through your browser settings (please be aware that restricting cookies may impact on the functionality of our website). By continuing to use this website you consent to us using cookies to enhance your experience.
Data Protection Notice
Company Bureau Formations Limited as the Data Controller in compliance with Data Protection regulation and as a Trust and Company Service Provider (TCSP) is required to gather and use a variety of information about individuals and businesses through the course of our business.
Information gathered includes customers, suppliers, employees and any other person deemed necessary throughout the course of conducting business.
This policy exists to further strengthen the compliance displayed by CBF, showing good practice and process with regard to data protection legislation. It will protect the rights of staff, customers and all other connected parties while being transparent about how individuals’ data is processed and maintained. This policy should also protect CBF from risk of data breach.
The organisation should comply with the requirements of the relevant Irish legislation, namely the Irish Data Protection Act (1988), and the Irish Data Protection (Amendment) Act (2003). Along with GDPR regulations being implemented by the EU Data Protection Commission on the 25th May 2018, CBF will adhere to the below broad points throughout with regard to data processing:
- Fair and Lawful Processing
- Obtained only for specific lawful purposes
- To be relevant, adequate and not excessive
- Be kept up to date and accurate
- Retained no longer than is necessary
- Maintained and managed in accordance with data protection rights and regulations
- To be protected appropriately
- Not to be transferred outside of the European Economic Area (EEA), unless the country or territory can be confirmed as having an adequate level of protection
2. Policy Scope
References to “Company Bureau Formations Limited”, “CBF”, “us”, “the company”, “we” or “CBF Group” within the body of this policy document encompass all trading names, subsidiaries and direct affiliates including but not limited to – Company Bureau Formations Limited (CBF).
All staff associated with any of the above entities or trading names, volunteers, contractors, suppliers or anyone else acting on behalf of Company Bureau Formations Limited will be covered by this policy.
This policy encompasses the Subject Access Request procedure, the Data Retention and Destruction Policy, the Data Retention Periods List and the Data Loss Notification procedure all detailed within.
It will cover any and all information or other data held on any identifiable individuals. This includes:
Names, Dates of Birth, Addresses, Email Addresses, Telephone Numbers, Passport Copies, Proof of Address Copies and any other information relating to any individual.
3. Data Protection Risks
This policy exists to provide wider protection against the direct risks to which the company is exposed, which can be generally classified as below:
- Breaches in Confidentiality
- Failing to offer choice
- Reputational Damage
4. Data Collection
CBF collects an amount of personal data either through direct means, requested as part of providing any kind of service within the company or through standard business procedures. We will also collect data through our websites, social media platforms, market research, discussion forums and CCTV footage if applicable. Our websites use cookie technology, which is a section of text our servers place on your device to help make our sites perform better for our clients and visitors. Any changes to the above methods of data collection will be fully explained in advance of their use.
To meet our legal obligation as a TCSP and to comply with up to date data protection regulation (GDPR), we collect some personal information and verify it. This information will also be kept up to date and maintained but will be deleted/appropriately disposed of once the information is no longer required. In some cases, third parties may be used to obtain further information about individuals if required. If the appropriate level of information is not received, we may not be able to provide services to an individual.
No collected data is to be written down unnecessarily or passed informally between employees.
Through the course of business, the CBF Group collects data from a variety of sources and types which can change based on the specific requirements of the service being ordered/enquired about.
When data is collected/obtained, the individual should be made aware of the below:
- The CBF in any of the above listed forms is the overall Data Controller in all cases.
- Why data is being obtained/collected.
- What parties, internal or external the data will be processed by.
- All or any other relevant information that can be provided to add to the information surrounding the same should be provided.
In all cases, the individual has the right to a full and transparent explanation as to the reason data is being collected and the intended use of the data in question.
Data should only be used within the purposes it was acquired for.
The company will have high standards in all cases when it comes to the protection of data. In tandem with requirements as a TCSP, appropriate protection should be put in place to prevent unauthorised access to information from taking place in any way.
In all cases, access to data should only be granted to the employees who require the same for the completion of their role.
CBF will also ensure:
- All departments conduct regular reviews of admin and IT processes to ensure data security.
- Reviews of this nature should apply to the personal data of both clients/individuals and employees; sample data should be taken by the DPO and updated where appropriate every year.
- Review the amount of data being obtained relevant to each service/job under the same time period.
All staff and the company as a whole will ensure that data collected is fit for purpose and relevant to the service being provided to individuals. Where data is not applicable it should not be collected or if inadvertently provided by an individual be destroyed.
As a Trust and Company Service Provider, we are legally obliged to retain files and personal information throughout an on-going service period and for five years after a client has cancelled services with the company.
As soon as the appropriate retention period has expired, all data should be destroyed and/or put beyond use.
In line with legislation, the CBF Group has established a Subject Data Request process, with further details below. Requests can be directed to the DPO at email@example.com.
5. Employee and Potential Employee Data
As part of the standard recruitment process, the CBF Group may collect CVs, personal information from online and social media sources, Proof of Identity/Address and Proof of Qualifications where appropriate. When a role has been filled, personal information gathered on an unsuccessful candidate is destroyed using external shredding facilities.
As a direct employee, all of the above is gathered where required and stored within the company in the safe located in the head office of the CBF Group. As with all information, the company is required to retain data for five years after it becomes inactive, e.g. ceases employment. Once this information is no longer required it will be destroyed as above.
6. Internal Processes
While a general overview of staff responsibilities will be discussed below, there are some key relevant positions:
The Board of Directors
Ultimately responsible for ensuring that CBF complies with its legal obligations. All of the sitting directors are to be considered Representatives for the purposes of Data Protection Legislation.
Data Protection Officer
Tasked with keeping the board up to date with data protection regulation and renewing data protection procedures and related policies. Arranging training and handling queries in this regard from staff. To deal with requests from individuals to see data held by CBF on them – called ‘subject access requests’. Review of contracts, agreements in place with any third party that maintains or handles any sensitive data associated with CBF.
Ensuring systems, services and equipment meet acceptable data storage standards. To perform regular checks and updates to confirm all security software and hardware is functioning correctly. Evaluation of any third-party data storage provider.
Review of any data protection statements attached to any communications. Addressing any data protection queries from media sources, etc. Aid with the implementation of marketing initiatives where needed, working with other staff to ensure compliance.
In all cases, staff are required to undergo full training in compliance with this policy and their assigned role. Staff will not be allowed to handle any information subject to Data Regulation policy prior to undergoing full training.
Once personal information has been provided to the CBF Group through a means of communication or website with the appropriate consent, marketing materials of a legitimate interest including related products or services in line with those originally requested may be sent.
If a client does not wish to receive these materials, then they can simply click the ‘unsubscribe’ link in any email or communication. Note, we do not consider unsubscribing the same as the cancellation of services – this must be communicated separately.
When appropriate consent has not been obtained through a web portal, clients may be asked over the phone if they wish to receive marketing materials, offers and other content from the CBF Group prior to the same being sent.
In all cases, a client or potential client will not be contacted with marketing materials, etc. where consent through them being classified as an on-going or professional client, legitimate interest in services or direct permission cannot be established.
In some situations, the company may have obtained sensitive personal information from a client directly as part of providing a service. This information will not be shared with any party unless the express agreement of the client has been obtained.
8. Data Storage
Questions about storing data safely can be directed to the DPO or IT Manager where applicable.
- Data collected in hard copy, paper format, will be stored in a secured location where access is restricted to those employees that require access as part of their role only and the room shall be locked when access is not required.
- When documents/files are not required they are stored in locked/secured areas.
- Where appropriate, documents containing any kind of personal information or client communications should be disposed of using approved shredding services.
Register Post, Mail Forwarding Services
A specific set of protocols exists for clients who use our mail forwarding and scanning services.
- Mail is not to be opened for a client unless expressly requested to do so.
- The exception to the above is if the post is subject to an internal AML review on the basis of suspicious activity brought to light – this is compliant under our role as a TCSP.
- All mail is to be stored in a secure location where access by unauthorised persons can be easily prevented.
- Post is sent out unopened in weekly batches where required.
- As per our terms and conditions for this service, post may not be sent on if payment for the service has not been confirmed and all items will be sent to the relevant address once the service is deemed cancelled.
- Where appropriate or requested directly, mail shall be destroyed using paper shredding services.
- Electronic data is secured and maintained by our external IT partners and further information with regards to how this data is managed is available on request.
- Internal policies are also in place to ensure security is maintained once handled by all employees.
9. Data Use
For computers with access to any personal data, each employee should ensure that screens are locked appropriately before leaving machines unattended.
Personal Data should not be shared informally. Where appropriate data should be encrypted before being transferred electronically.
No data should be transferred outside of the European Economic Area. The only exception would be when the transfer is specifically requested by the client.
10. Data Accuracy
In all cases, data should be held in as few places as possible. Hard copy files are stored in a secured location, and CRM data and soft copies of files are held on the secure server.
In tandem with the CBF’s regulation as a Trust and Company Service Provider, an on-going review of all company files takes place based on a risk-based scoring system. Based on risk, files should be reviewed on a staggered basis to ensure data is updated and inaccuracies are discovered and corrected.
Facilities are in place, through the website general contact section and an appointed account manager to easily communicate any alterations in personal data of a client in a secure way.
11. Data Retention & Destruction
In all cases, personal data will not be held longer than is necessary and when appropriate destroyed in a secure manner.
As a Trust and Company Service Provider, we are legally obliged to retain files and personal information throughout an on-going service period and for five years after a client has cancelled services with the company. Files no longer considered on-going clients are transferred to the archive section of our secure file storage area, retained and appropriately disposed of when no longer required. Once a client has left, remaining documents, where appropriate are securely sent to the client. Documents held securely by CBF following the cancellation of services are destroyed using shredding facilities, as below once the tracked time period has expired.
Data is, in all cases, to be destroyed in an appropriate manner. All elements of the CBF Group use approved shredding facilities to ensure data integrity. These bins are located throughout the offices, are locked at all times with access restricted and cleared for on-site shredding once a month.
Unless otherwise specified in this policy, data will be retained by the CBF Group for a period of five years following the data being classed as inactive. This is represented by a client or enquiry no longer being considered live or on-going. This will be indicated by the cancellation of services either by the client or by any element of the CBF Group, or if an enquiry received is deemed to be inactive – more than one year old.
12. Data Loss Notification Procedure
In the event of a breach or any data suspected of being compromised, any member of staff is to inform both the Data Protection Officer and both company Directors at the earliest possible opportunity.
Where appropriate, the relevant authorities should be informed of the breach at the earliest possible instance. The earliest possible timeframe for this report should be as soon as the extent and nature of the data loss has been confirmed or no more than seven days after the breach. This should include the nature of the breach, the amount of personal information compromised, and the action being taken to rectify the issue.
Any individual that has been subject to the breach should be informed as soon as the extent and nature of the data loss has been confirmed or no more than seven days after the breach, detailing the steps being taken to rectify the issue and the steps, if any that the individual should take directly to further secure their information.
In all cases, the relevant authorities and any affected individuals should be kept informed of the progress of dealing with any breach until a time when the issue is considered closed. A report should be maintained and made available when required by any affected party.
13. Subject Access Requests
All individuals who have personal data stored by CBF and its sister companies are entitled to know what information the company holds about them, why it is retained and how to obtain access to the data.
Each individual should be informed how their personal data is kept up to date and how the CBF Group meets its data obligations.
Requests for any such information can be submitted to the Data Protection Officer at firstname.lastname@example.org. The aim is to provide information on all requests within 14 days; however, in exceptional circumstances, this will not be beyond 30 days. Note that appropriate measures will be taken to confirm the identity of the requester prior to providing any information.
Once a request has been made it is the responsibility of the Data Protection Officer (or when unavailable a Company Director), to prepare the Subject Access report.
The report should review all email communication and information held on the server in relation to an individual. In addition, any hard copy documentation or files should be listed, and the subject made aware of the data contained within.
A report should be presented within the above timeframes, which should include a listing of all information held by the company on an individual and any relevant third party that information has been shared with.
The report should be reviewed, verified and signed off on by the DPO and at least one Director of the company.
In all cases, an individual will have the right for their personal information to be removed (forgotten) from our system. The sole caveat to this being when it impacts CBF in providing or completing any service which the entity has been contracted to provide.
14. Personal Information and Third Parties
The CBF Group does not share personal information with third parties in any ancillary way. Information may, however, be shared with a third party in direct connection with a service being provided by a division of the company. In a number of cases, pre-approved agents in various jurisdictions are used to complete company formations, secretarial services and other related activities.
In providing personal information in relation to a service, clients should be aware this information may be shared with a third party in direct support of a service being provided by the relevant third party.
We are also required to share information with third parties to meet any applicable law, regulation or lawful request. When we believe we have been given false or misleading information, or we suspect criminal activity we must record this and inform appropriate law enforcement agencies which may be either within or outside of Ireland.
The CBF Group uses several verified third parties for services not managed internally. These services include payment processing, IT support services, data transfer and storage.
A full itemised list of the providers that apply to an individual’s data is available on request from the Data Protection Officer.
15. Internal Communication
All staff communicate internally through email services provided by our IT support services. Where avoidable, personal information on clients should not be shared through email, and under no circumstances should information of a sensitive nature be sent in this way.
16. Making a Complaint
Should any person have a concern with regards to the use of their personal information, a member of staff can be informed in person and via phone or email. All complaints or concerns will be fully investigated and reviewed. We would simply ask that as much information is provided as possible to enable us to resolve the complaint as quickly as possible.
17. Update to Data Policy
From time to time, particularly when how we are required to use information changes or when our systems are upgraded and in line with future legislation on data protection, changes will be made to this policy. An up to date version of this policy can be found on our website at all times.