Digital Data Policy

What types of personal information does CMC collect?
CMC may collect personal details which enable us to identify that person as an individual. We request that all clients and users of CMC Flow provide their professional workplace details in preference to any personal details. Those individuals who supply personal details do so with the understanding that this information will be used as detailed below. The information held is as follows:

  • first name;
  • surname;
  • login credentials (including username and password);
  • postal address (including billing/shipping addresses);
  • telephone number (including home and mobile telephone numbers);
  • email address;
  • photographs;
  • device information (such as MAC address, IP address, operating system and browser type);
  • location information (GPS location of images uploaded to CMC Flow).

In accordance with GDPR, CMC endeavours to collect personal information directly from the subject and will use all such information solely for the predefined purpose(s) for which that information has been provided.

CMC does not collect information from third-party or external sources.


How does CMC collect personal information?
CMC will directly collect only the data necessary for us to assist you with your business and/or query. This may also require minimal data (name, email address) to facilitate secure login to CMC Flow.

The personal information collected may be stored in electronic and/or hard copy formats.


How does CMC use personal information?
CMC only uses personal information for internal business dealings with our clients.

We do not release data to third-party or external agencies.

Additionally, we maintain secure records:

  • to enable the data subject to participate in and/or use our services (CMC Flow);
  • to respond to, action and/or deal with the data subject’s feedback, requests and enquiries;
  • to ensure that our services are provided in the most effective manner for the data subject and the device that he/she is using;
  • to manage and improve services;
  • to review and analyse the data subject’s use of our services in order to develop and improve the quality of our offering and strengthen our relationship with him/her;
  • to personalise our services and present the data subject with content and information which are tailored to his/her needs;
  • to provide the data subject with administrative information and/or service announcements and updates (including changes to our policies and terms);
  • to ensure our records are accurate and up to date;
  • to fulfil any contractual obligations assumed by CMC;
  • to comply with our legal obligations;
  • to administer our legitimate internal management analysis, audit, forecasts and business plans and transactions;
  • to establish, defend or exercise our legal rights;
  • to comply with orders and requests received from public, regulatory, governmental and judicial bodies;
  • to comply with our legal, regulatory and internal governance obligations (e.g. record retention policies).

Personal information will, however, be processed if and only if one or more of the following conditions has been satisfied:

  • The data subject has provided informed, unambiguous consent for his/her information to be used for a specified purpose(s);
  • It is necessary for CMC’s fulfilment of a contract with you;
  • It is necessary for the purposes of CMC’s legitimate interests;
  • CMC is under a legal obligation to do so (e.g. for equality monitoring, employment or health and safety purposes).


How does CMC keep personal information safe?
CMC takes all possible steps to protect the security of personal information in accordance with our legal obligations, with information being stored either in secure storage or electronically on a secure server and/or databases which are password protected and made accessible to staff on a need-to-know basis only.


What rights do data subjects have in relation to personal information?
Data subjects are entitled to request:

  • If and how their personal data is being collected and processed;
  • A description of the nature of the personal data that is being collected and processed;
  • Copies of, and/or to access their own personal information (see How do I make a subject access request? below);
  • That their personal information be corrected and/or amended where inaccurate or incomplete;
  • That their personal data be deleted or that CMC stop using their personal data where there is no longer a need to do so.


How do I make a subject access request?
A subject access request should be submitted in writing to CMC’s Data Protection Officer via or to The Data Protection Officer, CMC Associates Ltd. Bank House, Penicuik, EH26 9DR.

CMC may require an individual to verify his/her identity and/or to provide further details in order to locate the required information but will endeavour to respond to all such enquiries within one calendar month once the necessary information has been provided.

In instances where a subject access request is likely to result in the disclosure of personal information relating to a third party, CMC will require that third party to consent to the disclosure. If consent from that person cannot be obtained, the subject access request may be denied.


What action(s) will CMC take in response to a personal data breach?
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In instances where a data breach is likely to endanger the data subject’s rights or freedoms, CMC will notify the ICO within 72 hours of becoming aware of the breach by completing and submitting a Data Protection Breach Notification Form and will record the breach in CMC’s Data Protection Breach Log. Both documents will state:

  • The date and time of the breach (or an estimate);
  • The date and time that the breach was detected;
  • Basic information about the nature of the breach;
  • Basic information about the personal data concerned;
  • The effects of the breach; and
  • Any remedial action taken.

Whenever possible, they will also include:

  • Full details of the incident,
  • The number of individuals affected and its possible effect(s) on them,
  • The measure(s) taken to mitigate those effects, and
  • Details of CMC’s notification of the breach to affected data subjects.

If these details are not yet available, CMC will provide them or an indication of the likely timescale required to provide them to the Information Commissioner’s Office (ICO) by completing and submitting a second notification form within three days of the initial notification.

If a personal data breach is likely to affect the personal data or privacy of CMC’s data subjects adversely, CMC will notify them of the breach without unnecessary delay, detailing:

  • Name and contact details;
  • The estimated time and date of the breach;
  • A summary of the incident;
  • The possible effect(s) that the breach could have on the individual;
  • The measures taken by CMC to address the breach;
  • How the affected individuals can mitigate any possible adverse impact of the breach.


Who should I contact for further information?
For further information relating to CMC, CMC Flow and data protection, please contact CMC’s Data Protection Officer via