CTSI and Data Protection - Product compliance
1. Data protection registration
The Trading Standards Institute, itsa Limited and Chartered Trading Standards Institute (Institute) are notified and registered with The Information Commissioner’s Office (ICO) under data protection legislation as a Data Controller.
2. Data protection legislation compliance
The Institute complies with data protection legislation and personal data terms as defined by the General Data Protection Regulation (GDPR) and any national implementing laws, regulations and secondary legislation in the UK, and then any successor legislation to the GDPR.
3. Processing of personal data
The Institute will use any personal data supplied by the customer solely for the purpose of providing the product and its services, and in fulfilling the Institute’s obligations under the product agreement and in complying with any financial and regulatory requirements.
Personal data will only be retained and shared within the Institute and with any of our suppliers as appropriate to fulfilling the Institute’s obligations in providing the product.
Personal data supplied by the customer will be used by the Institute for the purposes of:
• managing the contract, invoicing and processing payments;
• creating any administrator or user login accounts; and
• supplying the Help Desk Service as detailed in the product agreement.
The Institute will process personal data and support the customer in respect of compliance with data protection legislation as set out in the Institute’s Data Protection Policy document. A copy of this policy can be made available upon request.
4. Roles and Responsibilities
4.1 Under data protection legislation, the customer shall be the Data Controller and the Institute shall be the Data Processor in relation to the processing of Personal Data in the course of the product and services ordered by the customer and being provided by the Institute.
4.2 To the extent within the customer’s control having regard to the Institute's obligations, the customer shall be solely responsible for the accuracy and quality of the Personal Data it provides to the Institute for processing under the product agreement.
4.3 Both the Institute and the customer, to the extent each processes or controls any personal data, have in place appropriate technical and organisational security measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, Personal Data. Each has taken all such measures as may be necessary to ensure that it complies with its obligations under all applicable data protection legislation in its performance of its obligations under the product agreement.