Customer Privacy Notice

Effective from: 06-04-26
Last updated: 06-04-26

At a glance

This section explains how Chelton Limited uses personal data about individuals who deal with Chelton in a commercial context, including customer contacts, vendor and supplier personnel, contractors, consultants and other third parties.

1-Who does this Notice apply to?

This Notice applies to personal data about individuals who deal with Chelton in a commercial or business context. This includes customer contacts, service providers, suppliers, vendors, partners, professional services firms, visitors and other third parties who interact with Chelton in the course of its business. It doesn’t apply to Chelton employees, workers or other members of Chelton’s workforce, who are covered by a separate Data Privacy Notice.

2-Who controls your personal data?

Chelton Limited is the data controller for the personal data covered by this Notice. Chelton’s Data Privacy Office oversees compliance, provides advice and is a point of contact for privacy questions, rights requests, complaints and escalation.

3-How does Chelton get your personal data?

Chelton may collect personal data directly from you, from the organisation you work for or represent, from business communications and meetings, during due diligence, onboarding, contracting, delivery of products or services, site visits, visitor management, security processes and from lawful public or professional sources where appropriate. Chelton may also create records during the relationship itself, for example records of communications, contract management, support, incidents, audits and off-boarding.

4-What personal data does Chelton collect and use?

The personal data Chelton uses will depend on the relationship and circumstances. It may include your name, role, business contact details, the organisation you work for, business correspondence, contract and order records linked to named individuals, due diligence and assurance records, visitor and access records, CCTV images used on Chelton sites, and records relating to complaints, incidents, investigations or disputes. Chelton will only collect personal data that is relevant and proportionate to the purpose.

5-Why does Chelton use your personal data?

Chelton uses personal data to manage commercial relationships, respond to enquiries, carry out due diligence, onboard and manage suppliers and service providers, negotiate and perform contracts, manage orders, deliveries, invoicing and support, protect its people, premises, systems, information and operations, investigate concerns, and meet legal, regulatory, audit, security and governance requirements.

6-What legal basis does Chelton rely on?

Chelton doesn’t rely on one single legal basis for all processing of personal data. Depending on the purpose, Chelton will usually rely on contract, legal obligation or legitimate interests. In limited situations, Chelton may rely on vital interests. Chelton will normally rely on contract rather than consent for ordinary business-to-business relationship management.

7-Who does Chelton share your personal data with?

Chelton shares personal data only where there’s a proper reason to do so. Depending on the circumstances, this may include relevant teams within Chelton on a need-to-know basis, service providers acting on Chelton’s instructions, auditors, advisers, insurers, regulators, Health, Safety & Environment Inspectors, courts, law enforcement or government bodies where required or permitted by law, and customers, prime contractors or public sector bodies where this is necessary, lawful and proportionate. Where Chelton uses a third party to process personal data on its behalf, Chelton requires appropriate technical, organisational, contractual, privacy and physical security controls to be in place.

8-Where is your personal data processed and protected?

Chelton processes personal data in secure systems and approved business environments in the UK. Personal data may be held electronically and, where necessary, in paper records. Chelton uses appropriate technical, organisational and physical security measures to protect personal data. These include access controls, role-based permissions, secure storage, monitoring, records management controls, incident response processes and supplier assurance measures.

9-How long does Chelton keep your personal data?

Chelton keeps personal data only for as long as it’s needed for the purpose it was collected, and then for any legal, regulatory, contractual, audit, security, quality, safety, evidential or claims period that applies. Different records are kept for different lengths of time. This Notice aligns with Chelton’s Records Retention and Deletion Policy & Schedule. Chelton may also suspend deletion where a legal hold, investigation, audit, complaint, incident or regulatory enquiry means records must be preserved.

10-What rights do you have over your personal data?

Under data protection law, you have rights including the right to be informed, to ask for access to your personal data, to ask for inaccurate data to be corrected, and in some cases to ask for erasure, restriction, objection or portability. These rights aren’t absolute. Chelton may still need to retain or continue using personal data where there’s a lawful, regulatory, contractual, audit, security, quality, evidential or other legitimate basis for doing so.

11-Does Chelton transfer personal data internationally?

Some Chelton systems or service providers may store or access personal data in the United States. If Chelton transfers personal data internationally, it will do so only where there is a lawful transfer mechanism and appropriate safeguards in place.

12-Any questions or complaints?

If you have a question about this Notice, want to exercise your rights, or think Chelton has handled your personal data incorrectly and want to make a complaint, please contact the Data Protection Officer in the first instance.

Data Privacy Office:
The Chelton Centre, Fourth Avenue,
Marlow, Buckinghamshire, SL7 1TF, UK
E: [email protected]
Telephone: 44 (0)1628 472072

Chelton would appreciate the opportunity to put things right first, but you also have the right to complain to the Information Commissioner’s Office (ICO).

1. Who this Notice applies to

This Data Privacy Notice applies to personal data about individuals who deal with Chelton in a commercial or business context.

This may include personal data about:

  • customers and prospective customers;
  • customer contacts and representatives;
  • supplier, vendor and contractor personnel;
  • consultants, advisers and service provider contacts;
  • visitors to Chelton sites; and
  • other third parties who interact with Chelton in the course of its business.

This Notice applies to personal data used before a commercial relationship begins, during that relationship, and after it ends where Chelton still needs to keep or use information for lawful business, legal, regulatory, contractual, audit, security, quality, evidential or claims-related reasons.

This Notice doesn’t apply to prospective, current and former Chelton employees, apprentices, agency workers, contractors, consultants and temporary workers, who are covered by a separate Data Privacy Notice.

Chelton Limited is the data controller for the personal data covered by this Notice. That means Chelton decides why your personal data is used and how it’s handled for the purposes described in this Notice.

Chelton Limited
The Chelton Centre
Fourth Avenue
Marlow
Buckinghamshire
SL7 1TF
United Kingdom

Chelton’s Data Privacy Office (DPO) helps oversee compliance with data protection law, provides guidance and advice and is a point of contact for privacy questions, rights requests, complaints and escalation.

Data Privacy Office
Chelton Limited
The Chelton Centre
Fourth Avenue
Marlow
Buckinghamshire
SL7 1TF
United Kingdom
E: [email protected]
Telephone: 44 (0)1628 472072

Where Chelton and another organisation each process personal data for their own purposes in the context of a commercial relationship, each organisation will normally act as a separate data controller for its own processing. Chelton doesn’t intend this Notice to create a joint controller relationship unless this is expressly stated elsewhere in writing.

Where Chelton appoints a service provider to process personal data solely on Chelton’s behalf and under Chelton’s instructions, that service provider will act as a data processor.

Chelton doesn’t rely on one single legal basis for all processing of personal data covered by this Notice. The legal basis depends on what Chelton is doing and why.

Chelton will usually rely on one or more of the following legal bases:

Contract

This applies where Chelton needs to use personal data to take steps before entering into a contract, to enter into a contract, or to perform, manage, support, review, renew or end a contract.

Legal obligation

This applies where Chelton must use personal data to comply with the law or a regulatory requirement. This may include obligations relating to accounting, tax, fraud prevention, health and safety, audit, sanctions, export control, record-keeping, reporting, security or regulatory cooperation.

Legitimate interests

This applies where Chelton has a genuine and proportionate business reason to process personal data and where that reason doesn’t override your rights and freedoms under UK law. This may include relationship management, business communications, due diligence, supplier assurance, contract management, customer support, information security, physical security, governance, audit, investigations, records management, business continuity and protecting Chelton’s people, premises, systems and operations.

Vital interests

In limited circumstances, Chelton may use personal data to protect someone’s life or physical safety without the need to obtain their consent.

Chelton won’t normally rely on consent as the legal basis for processing personal data in the course of ordinary business-to-business relationship management. Where consent is used as the legal basis for processing personal data, Chelton will make this clear.

Chelton may collect personal data about you in a number of ways.

Chelton may receive personal data directly from you, for example, when you contact Chelton, attend meetings, exchange business cards, visit a Chelton site, submit information during due diligence, negotiate a contract, place or receive an order, or correspond with Chelton by email, telephone or other business communication channels.

Chelton may also receive personal data from the organisation you work for or represent, from your colleagues, from customers, suppliers, vendors, advisers and other third parties involved in the commercial relationship.

In some cases, Chelton may collect personal data from lawful public sources or professional sources, such as company websites, professional networking platforms, tender documentation, public registers, sanctions screening sources, or other sources used for legitimate business, compliance, due diligence or assurance purposes.

Some personal data is also created during the relationship itself. This may include records of communications, meeting notes, visitor records, onboarding and due diligence records, contract management records, support records, incident records, audit findings, complaints, disputes, off-boarding records and records relating to the return, retention or secure deletion/destruction of information.

The personal data Chelton uses will depend on the relationship and circumstances. It may include your name, role, business contact details, the organisation you work for, business correspondence, contract and order records linked to named individuals, due diligence and assurance records, visitor and access records, CCTV images used on Chelton sites, and records relating to complaints, incidents, investigations or disputes. Chelton will only collect personal data that is relevant and proportionate to the purpose.

Depending on the circumstances, Chelton may also process:

  • Information relating to meetings, site visits and attendance;
  • Records of communications and contact history;
  • Records linked to products, services, projects, deliveries, support or invoicing;
  • Identity and verification information where needed for due diligence, access or security purposes; and
  • Records needed for legal, regulatory, audit, export-control, quality, safety or contractual compliance.

Chelton doesn’t seek to collect more personal data than it needs for the relevant purpose.

In limited cases, Chelton may also process more sensitive personal data where the law allows this and where appropriate safeguards apply. This may arise, for example, in the context of health and safety, incident handling, site access, legal claims, complaints, investigations or security-related requirements.

Chelton processes personal data in secure systems and approved business environments in the UK. Personal data may be held electronically and, where necessary, in paper records.

Chelton uses appropriate technical, organisational and physical security measures to protect personal data. These measures may include encryption, access controls, role-based permissions, secure storage, monitoring, records management controls, incident response processes and supplier assurance measures.

Chelton also limits access to personal data to those who need it for their role and expects staff, contractors and relevant third parties to follow applicable confidentiality, privacy, data protection, information security and records management requirements.

Where Chelton uses third-party service providers, Chelton expects them to keep personal data secure, act only on documented instructions where they are acting as data processors, and meet applicable technical, organisational, legal, privacy, contractual and physical security requirements.

If you’d like more information about how we protect your personal data or want to know more about the safeguards used for relevant international data transfers, please contact the Data Protection Office.

Chelton shares personal data only where there’s a proper and lawful reason to do so.

Depending on the circumstances, Chelton may share personal data with:

  • relevant teams within Chelton on a need-to-know basis, including commercial, procurement, operations, quality, finance, IT, security, legal, compliance and management teams;
  • service providers acting on Chelton’s instructions and under appropriate contractual controls;
  • professional advisers, auditors, insurers and certification bodies;
  • customers, prime contractors or public sector bodies where this is necessary, lawful and proportionate in the context of the relevant relationship;
  • regulators, courts, law enforcement bodies, government authorities or other official bodies where required or permitted by law; and
  • counterparties involved in a transaction, reorganisation, merger, sale or transfer of business, where appropriate safeguards are in place.

Where Chelton uses a third party to process personal data on its behalf, Chelton requires appropriate technical, organisational, contractual, legal, privacy and physical security controls to be in place.

Chelton will never offer personal data for sale.

Chelton keeps personal data only for as long as it’s needed for the purpose it was collected, and then for any legal, regulatory, contractual, audit, security, quality, safety, evidential or claims period that applies.

Different records are kept for different lengths of time. Retention will depend on factors such as:

  • the nature of the relationship;
  • the purpose for which the information was collected;
  • contractual requirements;
  • legal and regulatory obligations;
  • audit and assurance requirements;
  • quality, safety and traceability requirements;
  • security and incident management needs; and
  • complaint, dispute or claims risk.

Chelton’s Records Retention and Deletion Policy & Schedule set out the broader framework used to manage retention, review, archiving and secure deletion/destruction.

Chelton may also suspend deletion/destruction where a legal hold, investigation, audit, complaint, incident, dispute, regulatory enquiry or legal claim means records must be preserved.

Where third parties hold records on Chelton’s behalf, Chelton requires appropriate controls covering retention, return and secure deletion/destruction.

If you want to know the retention period for a particular type of record or need more information on the legal hold notice, please contact the Data Protection Office.

Under UK data protection law, you have rights over your personal data. These may include:

  • the right to be informed about how your personal data is used;
  • the right to ask for access to your personal data;
  • the right to ask for inaccurate personal data to be corrected;
  • the right to ask for erasure in some circumstances;
  • the right to ask for restriction of processing in some circumstances;
  • the right to object to certain processing, including some processing based on legitimate interests;
  • the right to data portability where that right applies; and
  • the right to withdraw consent where Chelton is relying on consent.

These rights are not absolute. In other words, there may be circumstances in which a request can be denied or only partially complied with, such as compliance with a court order, dealing with legal claims, carrying out investigations, meeting regulatory requirements or protecting the privacy rights of others.

If you would like to exercise your rights, please contact the Data Protection Officer in the first instance.

Chelton would appreciate the opportunity to put things right first, but you also have the right to complain to the Information Commissioner’s Office (ICO) if you feel that your complaint hasn’t been satisfactorily dealt with.

The Information Commissioner’s Office (ICO) can be contacted at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
Website: ico.org.uk
Telephone: 0303 123 1113

Some Chelton systems or service providers may store or access personal data outside the United Kingdom, for example, in the US.

If Chelton transfers personal data internationally, it will do so only where there’s a lawful transfer mechanism and appropriate safeguards in place. This may include a UK adequacy decision, the UK International Data Transfer Agreement, approved contractual clauses, or another safeguard permitted by law.

If you would like more information about relevant international transfer safeguards, please contact the Data Protection Officer.

If you have a question about this Notice, want to exercise your rights, or think Chelton has handled your personal data incorrectly, please contact the Data Protection Officer.

Data Privacy Office
Chelton Limited
The Chelton Centre
Fourth Avenue
Marlow
Buckinghamshire
SL7 1TF
United Kingdom

E: [email protected]
Telephone: 44 (0)1628 472072

Chelton would appreciate the opportunity to put things right first, but you also have the right to complain to the Information Commissioner’s Office.

All enquiries about your personal data are handled by the DPO on a strictly confidential basis.