Data Processing Agreement
Last updated: April 2026
1. Introduction
This Data Processing Agreement ("DPA") is entered into between CNBCPO LTD (Company Registration Number: 16744710) and you as a client, user, or data subject in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This DPA sets out the terms under which we process personal data on your behalf or in connection with our services.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, storage, use, analysis, or sharing.
- Data Controller: The person or entity that determines the purposes and means of processing (typically the Client).
- Data Processor: The person or entity that processes personal data on behalf of the Controller (typically CNBCPO LTD).
- Data Subject: The individual to whom the personal data relates.
3. Subject Matter and Duration
Subject Matter: Processing of personal data in connection with construction consultancy, bid & tender support, and procurement consulting services.
Duration: This DPA remains in effect for the duration of our service relationship and survives termination to the extent necessary to comply with legal obligations.
4. Nature and Purpose of Processing
We process personal data for the following purposes:
- Providing construction consultancy and advisory services
- Processing bid and tender submissions
- Managing procurement processes and supplier information
- Client communication and service delivery
- Regulatory and statutory compliance
- Maintaining business records
- Analyzing and improving our services
- Addressing queries and resolving disputes
5. Categories of Personal Data
We may process the following categories of personal data:
- Identification data (name, title, contact information)
- Professional information (job title, organization, credentials)
- Communication data (email, phone, address)
- Financial information (where necessary for services)
- Transaction records and correspondence
- Technical data (IP address, browser type, cookie information)
- Sensitive data only where explicitly required and consented to
6. Legal Basis for Processing
We process personal data on the following legal bases:
- Contract: Processing necessary to perform our services
- Legal Obligation: Compliance with UK tax, employment, and company law
- Legitimate Interest: Business interests in service improvement and operational efficiency
- Consent: Where you have explicitly consented to processing
7. Roles and Responsibilities
7.1 Controller Responsibilities
The Data Controller (typically you, our client) is responsible for:
- Determining the purposes and means of processing
- Providing the legal basis for processing
- Ensuring lawfulness of the personal data provided
- Responding to Data Subject access requests
- Maintaining records of processing activities
- Assessing data protection impact where required
7.2 Processor Responsibilities
CNBCPO LTD as Data Processor is responsible for:
- Processing personal data only on documented instructions from the Controller
- Ensuring that staff who process personal data maintain confidentiality
- Implementing appropriate technical and organizational security measures
- Assisting with Data Subject access requests
- Notifying the Controller of any personal data breaches without undue delay
- Cooperating with data protection authorities
8. Data Security Measures
CNBCPO LTD implements the following technical and organizational security measures:
- Encryption of personal data in transit and at rest
- Secure access controls and authentication mechanisms
- Regular security audits and penetration testing
- Employee data protection training
- Secure destruction or deletion of personal data when no longer required
- Incident response and breach notification procedures
- Backup and disaster recovery systems
- Restricted access on a need-to-know basis
9. Sub-processors and Data Transfers
We may engage sub-processors (third parties) to assist in delivering our services, such as:
- Cloud infrastructure providers
- Email and communication platforms
- Document management services
- Analytics providers
- Payment processors
All sub-processors are subject to Data Processing Agreements requiring equivalent data protection standards. We notify you of any material changes to our list of sub-processors.
For international transfers outside the UK, we ensure appropriate safeguards in accordance with Chapter 5 of the UK GDPR.
10. Data Subject Rights
We support you, as Data Controller, in responding to Data Subject requests to exercise the following rights:
- Right of Access: Obtain copies of personal data held
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of personal data
- Right to Restrict Processing: Limit how we use personal data
- Right to Data Portability: Receive data in a structured format
- Right to Object: Challenge certain types of processing
- Rights Relating to Automated Decision Making: Challenge automated decisions
We will assist you in fulfilling Data Subject rights requests within 30 days of receipt.
11. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this agreement and as required by law. Generally:
- Client and contractor data: 7 years after service completion (for tax purposes)
- Website analytics data: 13 months (default period)
- Communication records: 6 years (standard business retention)
- Employee/personnel data: 6 years after termination
Upon termination of our relationship, we will securely delete or return all personal data at your request, except where retention is required by law.
12. Breach Notification
If we discover a personal data breach, we will:
- Notify you without undue delay (where you are the Controller)
- Provide details of the breach, data affected, and likely consequences
- Recommend remedial actions and mitigation measures
- Cooperate with your breach notification to the ICO and Data Subjects
13. Audit Rights
You have the right to audit our data processing activities. We will:
- Make records of processing available for inspection
- Provide certifications of compliance where requested
- Facilitate audits by your external data protection advisors
- Cooperate with ICO investigations and audits
14. Term and Termination
This DPA commences on the date services begin and continues for the duration of our relationship. Upon termination:
- We will cease all processing of personal data
- Personal data will be securely deleted or returned at your request
- Confidentiality obligations continue after termination
- We will retain records only as required by law
15. Modifications to This Agreement
We may update this DPA to reflect changes in data protection law or our practices. We will notify you of material changes at least 30 days in advance.
16. Contact and Complaints
For questions about this DPA or to exercise your rights:
CNBCPO LTD - Data Protection Officer
Email: info@cnbcpoltd.co.uk
Phone: +447848158549
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk
© 2026 CNBCPO LTD. All rights reserved.