Privacy Notice © May 2018

This is the privacy policy of Control Systems/Control Systems Hire, operating from 5 Holland Way, Hayes, Kent BR2 7DW. It sets out the relationship between you the customer and Control Systems the company, as required by the Data Protection Act 1998 and more recently the General Data Protection Regulation of May 2018.

This document, together with the company Terms and Conditions of contract, which is available upon request, describes how the personal data held by the company will be controlled and processed. By visiting the company website and by accepting any present or future contract or quotation for products and services, you are accepting and consenting to the practises described in this policy.


Control Systems/Control Systems Hire has a portfolio of products and services available to its clients, being principally the supply, installation and maintenance of electronic security systems for purchase or for hire.

As an independent security systems provider, Control Systems is described under the GDPR as both the controller and processor of customer data. The customer data has never and will never be passed on to any third party for financial gain or favour, except in the eventual sale or acquisition of the company, in which case personal data held will be one of its transferred assets.

Information held

1. Contact information you provide

In order to perform its duties, Control Systems will collect personal data contact information which may include any or all of name, address, telephone number(s) and email addresse(s).

This information will always be provided, freely and knowingly, by the customer themself and is clearly necessary to be able to provide professional services from the first instance of communication, such as a request to provide a quotation for work, through to installation and provision of on-going services.

In some instances, this personal data will be shared with other external companies to provide additional specialised security services requested by the client that are outside the scope of Control Systems capabilities. These services could include telephonic and internet provision, manned response teams or alarm receiving centre monitoring. In this case, Control Systems is defined as the data controller and the external company defined as the data processor. A contract will be in place to define the roles of each party in compliance with the GDPR.

The personal data held by Control Systems will be kept up to date as far as practically possible by requesting confirmation of existing contact details at every time that business takes place. It is accepted though, customers can and do sometimes change their contact details such as telephone numbers and email addresses, and fail to inform Control Systems accordingly.

Personal data will be held in electronically secure form for as long as the business relationship is knowingly in place. As a company policy, if no business transaction or communication has taked place for a period of ten years, the electronic personal data will be deleted, and any hard copy will be securely shredded.

2. Information provided by your visit to the company website

Some technical information is recorded off-site every time you visit the company website, including via a search engine. This will include browser type, operating platform and IP address location. This information, together with browsing data such as page response times, length of visit to certain pages ( such as scrolling, clicks and mouse-overs ) may be retained for company website performance analysis only.

3. Use of cookies

The company website uses cookies to distinguish you from other users of the website. This helps to provide a smooth running, effective experience when you browse the site. They may need to be shared with external services such as web traffic analysis/performance programs that ensure the company website works at its best.

The cookies are small files of numbers and letters that are stored on your browser with your permission. You can block cookies on your computer by activating the setting on your browser, though you may not be able to access all or some parts of the company website.

Communicating privacy information

At the onset of every new business relationship, Control Systems will collect the personal data, given knowingly and freely by the client, for the performance of its contract to provide goods and services. The customer will at this time be directed to this Control Systems privacy notice on the company web site.

Under the new GDPR implementation as of 25.05.18, this notice will include the lawful basis for processing the data, the data retention period, and that individuals have a right to complain to the Information Comissioners Office, as well as request to see data that is currently held by Control Systems that pertains to them.

Individual’s rights

Individuals have new rights afforded to them under the new GDPR, and Control Systems will be compliant with these.

They include

the right to be informed of data that is held
the right to access the data that is held
the right to rectification of incorrect data
the right to deletion of data held
the right to restirct processing
the right to data portability to another provider
the right to object to data held, and
the right not to be subject to automated decision-making.

These requests will be granted free of charge to individuals, in a commonly used and easily processed electronic form, within a reasonable time frame.

Subject access requests

Control Systems anticipates little or no requests for access to personal data from its clients, however, if required these requests will be discharged easily and swiftly, without hindrance and without charge.

The GDPR does though make provision to allow Control Systems to refuse access to data if the request is manifestly unfounded or excessive. Similarly, if the nature of the request is time consuming or repetitve, the GDPR allows a charge of up to £10 to be made to the individual for each such request.

Lawful basis for processing data

The GDPR lawful basis for processing customer data by Control Systems is defined as by contract. That is to say, Control Systems needs the personal data to fulfill its contractual obligations to the client, such as to provide a quotation for work, installation of a security system, or perform a servicing function.

The implied contract may frequently be a verbal type, such as a request to perform a service during a telephone call.


The personal data collected and processed by Control Systems, described under section ‘information held’ of this document, is given freely and knowingly by the client to fulfill a commercial contract to provide goods and services. By definition then, the disclosure of data by the customer to the company is by consent.

The initial and ongoing consent to record, process and retain this personal data will be signed for, by the client on a work sheet document, whenever practically possible, at the outset of any kind of contract, and continually at every job of work. It should be recognised the customer may not always be present on site to comply in this way, though every effort will be made to continually reaffirm the consent.


Control Systems has never and will never engage in any contract of work with individuals under the age of 18.

No special measures or provisions are required by the company for this part of the GDPR.

Data breaches

Every reasonable and realistic physical and electronic effort will be made to maintain the security of customer’s personal data, and prevent breaches of that data.

In the event of a probable, possible or actual data breach, the individuals concerned will be contacted in good time to advise them of the nature of the breach and action that should be taken.

Data protection by design/Data protection impact assessments

Control Systems does not collect and process personal data that gives high risk to individuals, nor does it or will it ever engage in profiling or marketing of the data to others.

There are accordingly no data protection impact assesments in place at this time.

Data Protection officers

Data protection compliance for Control Systems is currently performed by its proprietor. This will continue for the foreseeable future.

Regional operation

Control Systems only operates in the UK, in fact for 30 years solely in London and the south east, and there is no realistic prospect of engaging in future business further afield in the EU or worldwide.

No special measures or provisions are required by the company for this part of the GDPR.

Changes to the Control Systems Privacy Notice ©

If future legislation requires any change to the company Privacy Policy, it will be documented on this page of the company web site, and if appropriate, you will be notified by email. If you have any questions regarding this Privacy Notice please communicate in writing to

This privacy notice is subject to Copyright Law under the copyright, designs and patents act 1988. You may not copy all or part of it for your own use.