# Worker Privacy Notice

## Who Are We?

We are **Combined Services Provider (CSP)**, of Unit 1, Abloy House, Hatters Lane, Croxley Park, Watford, WD18 8AJ. Telephone: +44 (0)20 8900 2405.

We manage event car parking and traffic management of every scale and complexity, with a focus on enhancing the experience of visitors, delivering a professional service and being sensitive to the wider impact of our operations on the venue's local residents and business community.

We use your information as further explained in this Privacy Notice. We will be the **data controllers** of the information you provide to us.

Our representative under the GDPR is [kanta.hirani@gotocsp.com](mailto:kanta.hirani@gotocsp.com).

---

## What Does This Privacy Notice Cover?

We at CSP take your personal data seriously. This policy:

- Details the types of personal data that we collect about you
- Explains how and why we collect and use your personal data
- Explains how long we retain your personal data for
- Explains when, why and with whom we may share your personal data
- Sets out the legal basis we have for collecting and using your personal data
- Explains the effect of refusing to provide the personal data when requested
- Explains where we store your personal data and whether we transfer any of your data outside of the European Economic Area (EEA)
- Explains the different rights and choices you have as the data subject
- Explains how you can contact us

---

## What Personal Data Do We Collect About You?

### Identification & Contact Information
- Full name
- Email address
- Phone number
- Address
- Date of birth
- Gender, marital status
- Country of residence
- Nationality
- Passport number
- Driver's licence number

### Employment & Work-Related Information
- Job title
- Salary
- Employment status

### Educational & Professional Information
- Education history
- Professional certifications and licences
- Previous work experience
- References

### Financial / Payroll Information
- Bank details
- Tax information
- Pension contributions
- National insurance number
- Payroll number

### Health Information
- Name and address of doctor
- Medical records
- Health insurance details

---

## App-Specific Data Collection

### Location Usage

We process location only during active session periods for the following:

| Scenario | Purpose |
|---|---|
| **During an Event Session** | To determine inside or outside status relative to the event's geofence boundary, and to support attendance accuracy and safety alerts. |
| **Taking or Returning from Break** | To suppress boundary alerts during an active break and resume them on return. |
| **Responding to a Liveness Check** | To confirm the response occurs within the permitted zone if liveness is enabled. |

Location points are timestamped. If the device is offline, CSP Connect temporarily stores points on the device and synchronises them when connection returns. Synchronised historical points are used for audit and reporting only - no retroactive alerts fire on past points.

### Camera Usage

| Scenario | Purpose |
|---|---|
| **Submitting Face Verification** | Where a session requires identity verification before checking in. |
| **Responding to a Liveness Check** | Where a session requires liveness verification during the shift. |

Camera usage is limited to the verification process. CSP Connect does not store biometric templates or facial recognition models - images are used for momentary verification and then processed according to policy.

---

## How and Why Do We Use Your Personal Data?

We will process personal data only where it is lawful for us to do so - for example, in order to fulfil a legal obligation to which we are subject or in order to pursue our legitimate interests.

We may also collect **sensitive personal data** (ethnic origin, criminal records, health) where it is necessary for compliance with Employment, Social Security, and Social Protection Law.

### Disclosure of Personal Data to Third Parties

<details>
<summary>Human Resources & Payroll</summary>

- Banks
- Insurance companies
- Healthcare providers
- Payroll providers
- Employee benefit providers

</details>

<details>
<summary>Information Technology Support</summary>

- Software maintenance
- Data hosting

</details>

<details>
<summary>Human Resources Support</summary>

- Compensation administration
- Benefits management
- Human capital management administration and consulting

</details>

<details>
<summary>Corporate Transactions</summary>

Mergers and acquisitions, joint ventures, strategic opportunities, and other corporate transactions involving lawyers, accountants, and auditors.

</details>

<details>
<summary>Governmental & Regulatory Authorities</summary>

Courts of law, tax authorities, and social services organisations, as required by applicable law.

</details>

All involved data processors adhere to the obligations outlined in **Article 28 of the General Data Protection Regulation**. We will not use your information for any other purposes unless we are specifically required to do so by law.

---

## How Long Do We Keep Your Personal Data?

CSP retains personal data for as long as necessary to provide services and fulfil the transactions you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Actual retention periods can vary depending on the data type and service context.

Contact us at [privacy@gotocsp.com](mailto:privacy@gotocsp.com) if you have concerns about our retention periods.

---

## Where Do We Collect Your Personal Data From?

- **Directly from you** - information you provide to us
- **Agents or third parties** acting on your behalf (e.g. recruitment agencies)
- **Job applications** - via job boards, our website, or social media platforms including LinkedIn, Facebook, Twitter, and Instagram
- **CCTV cameras** - images and movements recorded while on our sites or premises
- **Body-worn video cameras** - carried by uniformed CSP staff during events
- **Vehicle audio / video recordings** - cameras and microphones in CSP vehicles
- **Vehicle tracking devices** - fitted to company vehicles to monitor location, speed, and usage for operational, security, and fleet management purposes

---

## Third-Party Platforms Powering CSP Connect

Below are the principal third parties used to power the CSP Connect platform.

<details>
<summary>MongoDB Atlas - Database Platform</summary>

**Purpose:** Managed database storage for operational data.

**User data shared:**
- Identity and contact data: name, email, phone
- Authentication metadata: OTP status, session identifiers, device identifiers
- Attendance data: check-in/out statuses, breaks, late-checkout reasons, acknowledgements, liveness results
- Payroll identifiers where configured: national insurance number, payroll number
- Equipment records if enabled
- Audit entries and event timestamps

</details>

<details>
<summary>Render - Application Hosting</summary>

**Purpose:** Hosting and running the CSP Connect application services.

**Data handled:** Runtime request metadata (IP address, user agent, timestamps) and application logs. No deliberate storage of user content beyond the application's own datastore.

- **Region:** Frankfurt, Germany (EU)
- **Transfer mechanism:** EU/EEA adequacy

</details>

<details>
<summary>GitHub - Source Control & CI/CD</summary>

**Purpose:** Source control and CI/CD pipelines. No production user data is stored as repository content.

**Data handled:** Build logs may include generic identifiers such as commit IDs, job IDs, and developer metadata.

- **Region:** United Kingdom
- **Transfer mechanism:** UK domestic

</details>

<details>
<summary>Pusher by MessageBird - Realtime Notifications</summary>

**Purpose:** Realtime event signalling for notifications and in-app updates.

**User data shared:** Channel or topic identifiers, minimal notification payloads (type, status, timestamps, targeted user or session identifier), delivery and acknowledgement metadata.

- **Region:** United States and European Union (depending on routing)
- **Transfer mechanism:** UK International Data Transfer Agreement or UK Addendum to EU SCCs

</details>

<details>
<summary>Mapbox - Maps & Geofencing</summary>

**Purpose:** Map tiles, geocoding, and geofence visualisation for location-aware features.

**User data shared:** Coordinates for map rendering or geocoding, request telemetry (IP address, SDK/app version, timestamps), session or feature flags.

- **Region:** United States
- **Transfer mechanism:** UK International Data Transfer Agreement or UK Addendum to EU SCCs

</details>

<details>
<summary>SMTP2GO - Email & SMS Delivery</summary>

**Purpose:** Delivering OTP and operational email or SMS notifications.

**User data shared:** Recipient addresses or numbers, sender identity, subject or template identifiers, OTP codes, delivery events (sent, bounced, opened).

- **Region:** New Zealand, United States, and European Union (depending on routing)
- **Transfer mechanism:** UK International Data Transfer Agreement or UK Addendum to EU SCCs

</details>

---

## Where Do We Store Your Personal Data?

Personal data may be stored and processed in any country where CSP or its affiliates, subsidiaries, or service providers maintain facilities. CSP uses the **Office 365 EU (London) Region** to store and maintain data.

CSP uses approved **Standard Contractual Clauses** for international transfers of personal information collected in the EEA and Switzerland.

---

## How Do We Keep Your Personal Data Secure?

We implement robust hardware and software measures across our infrastructure including:

- Firewalls and encryption software
- User access controls and protected data networks
- Security software and encryption on end-user devices
- Multi-factor authentication (MFA) where available
- **Cyber Essentials** and **Cyber Essentials Plus** certification

We also take steps to ensure all our subsidiaries, agents, affiliates, and suppliers employ adequate levels of security.

---

## Do We Make Automated Decisions About You?

**No.** We do not carry out automated decision-making or automated profiling.

---

## Your Rights

By law, you have a number of rights when it comes to your personal data.

| Right | What It Means |
|---|---|
| **Right to be Informed** | Clear, transparent information about how we use your data - as set out in this notice. |
| **Right of Access** | Obtain access to your information and verify we are using it in accordance with data protection law. |
| **Right to Rectification** | Have inaccurate or incomplete information corrected. |
| **Right to Erasure** | Request deletion or removal of your information where there is no compelling reason to keep it (subject to exceptions). |
| **Right to Restrict Processing** | Block further use of your information while it remains stored. |
| **Right to Data Portability** | Obtain and reuse your personal data across different services. |
| **Right to Object** | Object to processing based on legitimate interests or for direct marketing purposes. |
| **Right to Lodge a Complaint** | Complain to the data protection regulator about how we handle your data. |
| **Right to Withdraw Consent** | Withdraw consent at any time where processing is based on consent. |

---

## How to Exercise Your Rights

To exercise any of the rights above, or to ask a question, contact us at:

**Email:** [privacy@gotocsp.com](mailto:privacy@gotocsp.com)

We will respond within **one month** of receiving your request. We usually act free of charge, but may charge a reasonable fee for baseless, excessive, or repeated requests.

---

## Complaints

If you are not satisfied with our response, or believe our processing does not comply with data protection law, you can make a complaint to the **Information Commissioner's Office (ICO)**:

[https://ico.org.uk/make-a-complaint/](https://ico.org.uk/make-a-complaint/)

---

## Contact Us

**Address:** Unit 1, Abloy House, Hatters Lane, Croxley Business Park, Watford, Hertfordshire WD18 8AJ  
**Telephone:** +44 (0)20 8900 2405  
**Email:** [privacy@gotocsp.com](mailto:privacy@gotocsp.com)

**Data Protection Representative:** Kanta Hirani  
**Email:** [kanta.hirani@gotocsp.com](mailto:kanta.hirani@gotocsp.com)

---

## Our Vision

> To be the 1st choice supplier to our partners and the 1st choice employer to our team by ensuring a caring, safe and professional approach is adopted in all that we do.

---

- **Policy Updated**: April 2025
- **Review Due**: March 2026