GDPR statement

The General Data Protection Regulation (‘GDPR’) is effective from 25 May 2018.

The General Data Protection Regulation, or “Regulation (EU) 2016/679”, became law on 27 April 2016, but businesses were given just over 2 years to become compliant. Therefore, GDPR will be enforceable as of 25 May 2018.

GDPR applies to processing of data of EU subjects.


Data controller means the organisation that determines the purposes for which, and the manner in which any personal data are, or are to be, processed. CPL (‘we’) is the data controller of all personal data used in our business for our own commercial purposes.
Processing of data means any set of operations performed on personal data including collection and storage, and contacting. Data means information stored electronically or in certain paper-based filing systems.
Personal data
is any data that identifies an individual person, not generic company data.


In preparation for GDPR, CPL acknowledges its responsibility to develop and maintain business-wide awareness of the rights of individuals to be empowered and protected in terms of data privacy.

We have consulted broadly and implemented processes, procedures and training to ensure that a legal basis for the processing of personal data underpins all business practices at CPL.
We recognise that there are some circumstances in which personal data may be processed and that the GDPR clarifies the responsibilities of companies as far as the processing (collection, storage, maintenance and use) of personal data is concerned.

CPL is actively working on its strategy in relation to data protection, and considers this to be an ongoing endeavour that will continue to be operational beyond the enforcement date of 25 May 2018. We will continually strive to ensure that personal data privacy is embedded as routine practice on a perpetual basis.

CPL has undertaken to ensure that all staff receive training in the concepts and requirements of data protection law. Staff will be expected to embrace the ethos of data protection law and to adopt practices in the workplace that reflect the company’s commitment to ensuring that the rights of individuals are respected and protected at all times.

CPL’s internal policy for data protection requires any products, services or systems adopted by the company (relating in any way to the processing of personal data) to undergo an assessment to establish that they do not contravene the company’s policies to maintain compliance with the GDPR. We also strive to ensure that our suppliers, where relevant (for example, mailing and fulfilment businesses), have appropriate policies in place to safeguard personal data and that the data is transferred securely.

CPL has implemented training and processes to enable staff to recognise and respond to Data Subject Access Requests (‘SARs’).  We have also reviewed our current work processes and records in detail, before 25 May 2018, to be sure existing consents meet the GDPR standard.