Close Dialog Window
The Plastic Card Factory

Data Protection & GDPR Policy

Company Cards & all their divisions - Data Protection & GDPR Policy

This document has been produced to outline the intended use of customer data and our privacy policy surrounding data protection.

Context and Overview

Key Details:


Company Cards holds ISO 27001 Security Management System.
However, Company Cards requires specific information from customers, to carry out their specified service.

This policy explains how customer’s data is used, stored and disposed of. Due to GDPR regulations enforced on 25th May 2018, Company Cards will work with this policy to ensure they are compliant with the Data Protection Bill.

All information regarding orders and customer data will be dealt with under the strictest of circumstances. Customers also reserve the right to opt out of all communication at any point.

Why this policy exists:

This data protection policy ensures Company Cards:

Data Protection Law:
The Data Protection enforced 25th May 2018 supersedes the UK Data Protection Act 1998. This describes how the organisation – Company Cards, must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically on paper or on other materials.

The Data Protection Act is underpinned by eight important principles.

  1. Data must be processed fairly and lawfully
  2. Data must be obtained only for specific use
  3. Be relevant and not excessive
  4. Be accurate and continually monitored
  5. Data cleansed and not held for any longer than necessary
  6. Data must be processed on accordance with the rights of data subjects
  7. Be well protected
  8. Not to be transferred, unless otherwise instructed.

All transfers must include a high level of protection.

People, Risk and Responsibilities

This policy applies to:

This applies to all data held by the company regarding the identity of individuals, even if that information has been submitted on behalf of another individual. Information as follows:


This policy has been put in place to protect Company Cards from data breach and reinforce their strict security policy.


Those responsible for handling data within Company Cards must ensure all data is kept within the company and used as specified, for the purpose of providing the customer with their product and service.

Should the customer wish to receive more information all staff must request consent for further communication.

People of responsibility:

General Staff Guidelines

Data Receipt and Storage

Here we explain how and where data should be safely stored.

Receipt of data, preferably should not be sent via email, but by secure methods such as FTP2, encrypted etc. Alternatively any new data must be checked by account managers for accuracy and must also be submitted via secure method, either including password protection or encrypted files. Incorrectly set data will be erased and customers notified to resend correctly

Unnecessary data should NOT be submitted, only data required to carry out current orders.

Any printed data must be used to perform work related tasks and destroyed securely once orders have been completed.

On any occasion Company Cards works as a sub processor all the above rules will be applied.

Data Use

Personal data is of no use to Company Cards unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

Bureau Data

Company Cards bureau service enables clients the opportunity to purchase stock cards, ready to order when necessary. Data is submitted for each order in a secure manner, by fax or email, as specified by each client. Removal of data from clients’ accounts can be organised on request. Alternatively bureau client’s data is stored securely, as previously acknowledge within their contract, prior to their initial order.

Data Accuracy

The law requires Company Cards to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data, to ensure all their individual work data is kept as accurate and up to data as possible.

Subject Access Request

All individuals who are subject of personal data held by Company Cards are entitled to:

Subject Access Request - the right, given to any individual whose personal information Company Cards holds.
Subject access requests from individuals should be made by email, addressed to their account manager. The data controller can supply a standard request form, although individuals do not have to use this.
The data controller will always verify the identity of anyone making a subject access request before handing over information.


Company Cards will only target individuals based on legitimate interest. They will ask for consent to contact the individuals further and will provide the option to unsubscribed at all times. Anyone who opts out of our marketing emails will be removed instantly and their data erased.

Providing Information

Company Cards aims to ensure that individuals are aware that their data is being processed, and that they understand:

To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.