Skip to content
CSP Connect Learning Materials
Changelog v[1.2.0]

Employee Privacy Notice

Who Are We?

Section titled “Who Are We?”

We are Combined Services Provider (CSP), of Unit 1, Abloy House, Hatters Lane, Croxley Park, Watford, WD18 8AJ. Telephone: +44 (0)20 8900 2405.

We manage event car parking and traffic management of every scale and complexity, with a focus on enhancing the experience of visitors, delivering a professional service and being sensitive to the wider impact of our operations on the venue’s local residents and business community.

We use your information as further explained in this Privacy Notice. We will be the data controllers of the information you provide to us.

Our representative under the GDPR is kanta.hirani@gotocsp.com.

What Does This Privacy Notice Cover?

Section titled “What Does This Privacy Notice Cover?”

We at CSP take your personal data seriously. This policy:

  • Details the types of personal data that we collect about you
  • Explains how and why we collect and use your personal data
  • Explains how long we retain your personal data for
  • Explains when, why and with whom we may share your personal data
  • Sets out the legal basis we have for collecting and using your personal data
  • Explains the effect of refusing to provide the personal data when requested
  • Explains where we store your personal data and whether we transfer any of your data outside of the European Economic Area (EEA)
  • Explains the different rights and choices you have as the data subject
  • Explains how you can contact us

What Personal Data Do We Collect About You?

Section titled “What Personal Data Do We Collect About You?”

Identification & Contact Information

Section titled “Identification & Contact Information”
  • Full name
  • Email address
  • Phone number
  • Address
  • Date of birth
  • Gender, marital status
  • Country of residence
  • Nationality
  • Passport number
  • Driver’s licence number

Employment & Work-Related Information

Section titled “Employment & Work-Related Information”
  • Job title
  • Salary
  • Employment status

Educational & Professional Information

Section titled “Educational & Professional Information”
  • Education history
  • Professional certifications and licences
  • Previous work experience
  • References

Financial / Payroll Information

Section titled “Financial / Payroll Information”
  • Bank details
  • Tax information
  • Pension contributions
  • National insurance number
  • Payroll number

Health Information

Section titled “Health Information”
  • Name and address of doctor
  • Medical records
  • Health insurance details

We will process personal data collected during your job interview process, at the start of your employment, and in the course of your employment. We will process personal data only where it is lawful for us to do so - for example, in order to fulfil a legal obligation to which we are subject or in order to pursue our legitimate interests.

We may also collect sensitive personal data (ethnic origin, criminal records, health) where it is necessary for compliance with Employment, Social Security, and Social Protection Law.

How and Why Do We Use Your Personal Data?

Section titled “How and Why Do We Use Your Personal Data?”

Disclosure of Personal Data to Third Parties

Section titled “Disclosure of Personal Data to Third Parties”
Human Resources & Payroll
  • Banks
  • Insurance companies
  • Healthcare providers
  • Payroll providers
  • Employee benefit providers
Information Technology Support
  • Software maintenance
  • Data hosting
Human Resources Support
  • Compensation administration
  • Benefits management
  • Human capital management administration and consulting
Corporate Transactions

Mergers and acquisitions, joint ventures, strategic opportunities, and other corporate transactions involving lawyers, accountants, and auditors.

Safeguards for Third-Party Service Providers

Third-party service providers are selected diligently and bound by contracts ensuring:

  • Adequate technical and organisational security measures
  • Processing of personal data only as instructed by the Company
  • Compliance with applicable law
  • Restriction to specified purposes only
Governmental & Regulatory Authorities

Courts of law, tax authorities, and social services organisations, as required for:

  • Compliance with applicable law or regulations
  • Investigating potential law infringements
  • Addressing disciplinary and grievance matters
  • Establishing, exercising, or defending legal rights
  • Litigation, arbitration, or similar proceedings

All involved data processors adhere to the obligations outlined in Article 28 of the General Data Protection Regulation. We will not use your information for any other purposes unless specifically required to do so by law.

How Long Do We Keep Your Personal Data?

Section titled “How Long Do We Keep Your Personal Data?”

CSP retains personal data for as long as necessary to provide services and fulfil the transactions you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Actual retention periods can vary depending on the data type and service context.

Contact us at privacy@gotocsp.com if you have concerns about our retention periods.

Where Do We Collect Your Personal Data From?

Section titled “Where Do We Collect Your Personal Data From?”
  • Directly from you - information you provide to us
  • Agents or third parties acting on your behalf (e.g. recruitment agencies)
  • Job applications - your CV including employment history, educational referees, right to work, convictions, and any other information required to process your application
  • Job boards, our website, or social media platforms including LinkedIn, Facebook, Twitter, and Instagram
  • CCTV cameras - images and movements recorded while on our sites or premises
  • Body-worn video cameras - carried by uniformed CSP staff during events
  • Vehicle audio / video recordings - cameras and microphones in CSP vehicles
  • Vehicle tracking devices - fitted to company vehicles to monitor location, speed, and usage for operational, security, and fleet management purposes

Third-Party Platforms Powering CSP Connect

Section titled “Third-Party Platforms Powering CSP Connect”

Below are the principal third parties used to power the CSP Connect platform.

MongoDB Atlas - Database Platform

Purpose: Managed database storage for operational data.

User data shared:

  • Identity and contact data: name, email, phone
  • Authentication metadata: OTP status, session identifiers, device identifiers
  • Attendance data: check-in/out statuses, breaks, late-checkout reasons, acknowledgements, liveness results
  • Payroll identifiers where configured: national insurance number, payroll number
  • Equipment records if enabled
  • Audit entries and event timestamps
Render - Application Hosting

Purpose: Hosting and running the CSP Connect application services.

Data handled: Runtime request metadata (IP address, user agent, timestamps) and application logs. No deliberate storage of user content beyond the application’s own datastore.

  • Region: Frankfurt, Germany (EU)
  • Transfer mechanism: EU/EEA adequacy
GitHub - Source Control & CI/CD

Purpose: Source control and CI/CD pipelines. No production user data is stored as repository content.

Data handled: Build logs may include generic identifiers such as commit IDs, job IDs, and developer metadata.

  • Region: United Kingdom
  • Transfer mechanism: UK domestic
Pusher by MessageBird - Realtime Notifications

Purpose: Realtime event signalling for notifications and in-app updates.

User data shared: Channel or topic identifiers, minimal notification payloads (type, status, timestamps, targeted user or session identifier), delivery and acknowledgement metadata.

  • Region: United States and European Union (depending on routing)
  • Transfer mechanism: UK International Data Transfer Agreement or UK Addendum to EU SCCs
Mapbox - Maps & Geofencing

Purpose: Map tiles, geocoding, and geofence visualisation for location-aware features.

User data shared: Coordinates for map rendering or geocoding, request telemetry (IP address, SDK/app version, timestamps), session or feature flags.

  • Region: United States
  • Transfer mechanism: UK International Data Transfer Agreement or UK Addendum to EU SCCs
SMTP2GO - Email & SMS Delivery

Purpose: Delivering OTP and operational email or SMS notifications.

User data shared: Recipient addresses or numbers, sender identity, subject or template identifiers, OTP codes, delivery events (sent, bounced, opened).

  • Region: New Zealand, United States, and European Union (depending on routing)
  • Transfer mechanism: UK International Data Transfer Agreement or UK Addendum to EU SCCs

As we continue to develop as a business, we may sell or purchase assets. If another company acquires or merges with us, your personal data will be disclosed to that entity. If any bankruptcy or reorganisation proceeding is brought by or against us, all such information will be considered an asset and may be sold or transferred to third parties. We may also need to disclose your personal information to meet legal requirements, at the request of government agencies, for fraud detection and security purposes, during emergencies, or to safeguard the rights, property, safety, or security of others.

Section titled “What Legal Basis Do We Have for Using Your Personal Data?”

We process your information:

  • To fulfil contractual obligations with you or to prepare for entering into a contract upon your request
  • To meet legal requirements that apply to us
  • To safeguard your vital interests or those of others
  • To carry out our official functions or tasks in the public interest, including any related profiling activities
  • In accordance with our legitimate interests - we acknowledge inherent risks, but are confident the benefits outweigh them and have measures in place to safeguard your rights
  • Where you disclose health, disability, or other special category data, we may process this with your consent, which you may withdraw at any time

If you have objections to processing based on legitimate interests, or wish to withdraw consent for special category data, you have the right to do so. See your rights below.

What Happens If You Do Not Provide the Information We Request?

Section titled “What Happens If You Do Not Provide the Information We Request?”

If you do not provide the requested information or ask us to stop processing your information, we may be unable to offer services, enter into agreements, or fulfil our obligations to you.

Where Do We Store Your Personal Data?

Section titled “Where Do We Store Your Personal Data?”

Personal data may be stored and processed in any country where CSP or its affiliates, subsidiaries, or service providers maintain facilities. CSP uses the Office 365 EU (London) Region to store and maintain data.

CSP uses approved Standard Contractual Clauses for international transfers of personal information collected in the EEA and Switzerland.

How Do We Keep Your Personal Data Secure?

Section titled “How Do We Keep Your Personal Data Secure?”

We implement robust hardware and software measures across our infrastructure including:

  • Firewalls and encryption software
  • User access controls and protected data networks
  • Security software and encryption on end-user devices
  • Multi-factor authentication (MFA) where available
  • Cyber Essentials and Cyber Essentials Plus certification

We also take steps to ensure all our subsidiaries, agents, affiliates, and suppliers employ adequate levels of security.

Do We Make Automated Decisions About You?

Section titled “Do We Make Automated Decisions About You?”

No. We do not carry out automated decision-making or automated profiling.

Your Rights

Section titled “Your Rights”

By law, you have a number of rights when it comes to your personal data.

RightWhat It Means
Right to be InformedClear, transparent information about how we use your data - as set out in this notice.
Right of AccessObtain access to your information and verify it is being used in accordance with data protection law.
Right to RectificationHave inaccurate or incomplete information corrected.
Right to ErasureRequest deletion or removal of your information where there is no compelling reason to keep it (subject to exceptions). Also known as the ‘right to be forgotten’.
Right to Restrict ProcessingBlock further use of your information while it remains stored.
Right to Data PortabilityObtain and reuse your personal data across different services.
Right to ObjectObject to processing based on legitimate interests or for direct marketing purposes.
Right to Lodge a ComplaintComplain to the data protection regulator about how we handle your data.
Right to Withdraw ConsentWithdraw consent at any time where processing is based on consent (this does not affect the lawfulness of processing carried out before withdrawal).

How to Exercise Your Rights

Section titled “How to Exercise Your Rights”

To exercise any of the rights above, or to ask a question, contact us at:

Email: privacy@gotocsp.com

We will respond within one month of receiving your request. We usually act free of charge, but may charge a reasonable fee for baseless, excessive, or repeated requests, or further copies of the same information.

Complaints

Section titled “Complaints”

If you are not satisfied with our response, or believe our processing does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office (ICO):

https://ico.org.uk/make-a-complaint/

Contact Us

Section titled “Contact Us”

Address: Unit 1, Abloy House, Hatters Lane, Croxley Business Park, Watford, Hertfordshire WD18 8AJ
Telephone: +44 (0)20 8900 2405
Email: privacy@gotocsp.com

Data Protection Representative: Kanta Hirani
Email: kanta.hirani@gotocsp.com

Our Vision

Section titled “Our Vision”

To be the 1st choice supplier to our partners and the 1st choice employer to our team by ensuring a caring, safe and professional approach is adopted in all that we do.

  • Policy Updated: April 2025
  • Review Due: March 2026