Data Management and You Policy

This Policy sets out the obligations of CPMSregarding data protection and the rights of its data subjects being its customers, staff, business contacts, those on its marketing databasein respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”). We are registered with the Information Commissioner as a data controller under the register held by the Information Commissioner. Our registration reference is ZA749507.

This Policy incorporates our Data Retention Policy, IT Security Policy and Employee Data Protection Policy.CPMS places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals we deal with. We are committed not only to GDPR, but also to the spirit of protecting personal data of our data subjects. ThisPolicy statement sets our obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles in this policy must be followed at all timesby us, our employees, agents, contractors, or other parties working on behalf of us.

CPMS holds personal data that is directlyrelevant to our employees andpersonal data shall be collected, held, and processed in accordance with employee data subjects’ rights and our obligations under the GDPR and this Policy.

Data subjects may make Subject Access Requests (“SARs”) at any time to find out more about the personal data which we hold about them, what we are doing with that personal data, and why.

CPMS will ensure that all personal data is held securely and in compliance with the rulesestablished under the GDPR. This personal data shall only be used for the following business activities:

To ensure Safe Access to the railway (compliance with the Sentinel Regulations)

For the personal development of every individual who wishes to benefit from establishing a Personal Development Plan (PDP)

For the ongoing development and growth of the business through tendering for work using provided technical / academicresumes / CV’s

For the purposes of Insurance cover and provision of Healthcare facilities for both company and personal policies. For the contacting and developing a network of strategic suppliers

For payment and credit requirements.

For compliance with statutory obligations such as the payment of Income tax and National Insurance

A detailed list of all data uses can be found in the CPMS Policy Document PDC001

CPMS commits to regularly reviewing and evaluating its methods of collecting, holding, and processing personal data and that all personal data, held by us shall be reviewed periodically, as set out in our Data Retention Policy document.

CPMS has appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

This Policy shall be deemed effective as of April 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.