Data Protection & UK GDPR Compliance Statement
About Us
Call Handling Services Ltd (‘CHS’) provides cloud-based contact centre and communication services which facilitate interactions between organisations and their customers, clients and service users.
In delivering these services, CHS primarily acts as a Data Processor on behalf of its customers (Data Controllers). In limited circumstances, such as managing its own business relationships or recruitment activities, CHS may act as a Data Controller.
CHS is committed to safeguarding the privacy, security and lawful processing of all personal data handled through its Virtual Contact Centre (VCC) platform and associated services.
This Data Protection & UK GDPR Compliance Statement outlines how CHS processes, stores and protects personal data in accordance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018 (DPA 2018)
- Privacy and Electronic Communications Regulations (PECR)
- NHS Data Security and Protection Toolkit expectations where applicable
This statement should be read alongside the CHS Privacy Notice, Artificial Intelligence Ethical Use Statement, and AI Transparency & Data Processing Statement, which provide further information regarding specific data processing activities.
Key Governance Roles
To support strong data protection governance, CHS appoints the following roles:
- Data Protection Officer (DPO): Adam Scott – Operations Director
- Senior Information Risk Owner (SIRO): Pablo Mesples – Chief Financial Officer
- Caldicott Guardian: Ana Leyton – Compliance Officer
- Head of IT & Cyber Security Lead: Nathan Leyton – Chief Technology Officer
These roles provide oversight of data protection, cyber security, information risk management, and compliance with applicable regulatory and NHS governance principles.
Contact Information
If you have questions about this statement or wish to exercise your data protection rights, please contact:
clientsupport@callhandling.co.uk
Requests will be reviewed and responded to in accordance with UK GDPR requirements.
Scope
This statement applies to personal data processed by CHS in the course of providing its cloud communication services.
As CHS provides configurable services tailored to individual customer requirements, not all processing activities described may apply to every deployment.
Certain exemptions under UK GDPR or the Data Protection Act 2018 may apply where disclosure could adversely affect the rights and freedoms of others or would involve disproportionate effort.
Personal Data We Process
Depending on the services provided, CHS may process the following categories of personal data:
- Contact data
Name, postal address, email address, telephone number.
- User account information
Usernames, authentication credentials and access identifiers for authorised system users.
- Technical data
IP addresses, browser and device information, authentication logs and system access metadata.
- Communication data
This may include:
  - call records, including CLI and routing information
  - call recordings
  - voicemail recordings
  - SMS, email, web chat and social media messages
  - interaction notes entered by authorised personnel
  - data capture records submitted by agents
  - AI-generated transcripts or automated interaction summaries where AI-enabled services are activated by the Data Controller
- Transaction records
Records of completed transactions facilitated through the VCC platform may include cardholder name and billing address.
CHS does not collect, process or store payment card numbers, expiry dates or CVV codes.
Lawful Bases for Processing
CHS processes personal data under the following lawful bases where applicable:
- Performance of a contract
Processing necessary to deliver the VCC platform and contracted services.
- Legal obligation
Processing required to comply with statutory or regulatory obligations.
- Legitimate interests
Processing necessary for system monitoring, service performance, fraud prevention and security purposes where proportionate.
- Consent
Processing undertaken where consent is explicitly required, for example where optional service features require it.
Where CHS acts as a Data Processor, processing occurs solely under the documented instructions of the Data Controller.
Data Retention
CHS retains personal data only for as long as necessary to fulfil operational, contractual or legal obligations.
Customers may configure bespoke retention periods for most data types. Where no bespoke retention period is defined, the following default retention periods apply.
Communication records
Call records, data capture records, transaction records, emails, SMS messages and web chat or social media interactions may be retained for up to 3 years, unless otherwise agreed with the customer.
Recordings
Call recordings and voicemail recordings are typically retained for 45 days, unless an alternative retention period is agreed with the customer.
Transcripts and AI-generated interaction summaries
Where transcripts or automated interaction summaries are generated (including through AI-assisted transcription or conversational AI features), they are retained only for the same period as the associated source interaction or recording and are deleted simultaneously with the source material, unless otherwise agreed with the customer. They are therefore also typically retained for 45 days.
Agent account data
Agent email addresses and contact numbers are retained while the agent remains active. Where an agent ceases to be active, associated data is deleted within 6 months of service termination notification.
At the end of the retention period, data is securely removed through secure deletion or cryptographic key destruction (crypto-shredding).
How We Use Personal Data
CHS processes personal data only to deliver and support contracted services.
This may include:
- operating and maintaining cloud communication services
- routing communications and recording interactions
- supporting customer operational workflows
- monitoring system performance and service security
- complying with applicable legal and regulatory obligations
CHS does not sell personal data or use personal data for advertising profiling, behavioural targeting or model training.
Data Storage and Security
Personal data may be stored on:
- CHS-owned physical infrastructure hosted within secure UK data centres; and/or
- encrypted cloud infrastructure managed by CHS within the United Kingdom or European Economic Area.
CHS implements a range of technical and organisational security controls, including:
- encryption of data at rest and in transit
- role-based access controls and multi-factor authentication
- secure VPN administrative access
- network segmentation and firewall protection
- vulnerability scanning and patch management
- security monitoring and incident detection
- secure change management procedures
- staff information security training
CHS operates an information security management framework aligned with ISO/IEC 27001:2022, supported by Cyber Essentials Plus certification, independent penetration testing by CREST-accredited security assessors, and ongoing vulnerability monitoring.
Security and privacy controls are implemented in accordance with the principles of security by design and privacy by design under Article 25 UK GDPR.
International Data Transfers
CHS processes and stores personal data primarily within the United Kingdom and European Economic Area.
Where a customer instructs CHS to use services involving international transfers outside these regions, appropriate safeguards are implemented including:
- UK International Data Transfer Agreement (IDTA)
- UK Addendum to EU Standard Contractual Clauses
- other lawful transfer mechanisms approved by the Information Commissioner’s Office (ICO).
Data Sharing
CHS may share limited personal data with trusted service providers where necessary to deliver communication services.
This may include telecommunications network providers or infrastructure providers responsible for transmitting communications traffic.
All third-party processors are subject to due diligence and contractual obligations in accordance with UK GDPR Article 28.
CHS does not disclose personal data to third parties for marketing or unrelated commercial purposes.
Personal Data Breaches
CHS maintains incident response procedures to identify, assess and respond to suspected personal data breaches.
All security incidents are logged and investigated in accordance with internal incident management procedures.
Where a breach meets the legal threshold for notification:
- the Information Commissioner’s Office (ICO) will be notified within 72 hours where required;
- affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Data Subject Rights
Individuals have rights under UK GDPR including the right to:
- request access to their personal data
- request correction of inaccurate data
- request erasure of personal data
- restrict certain processing activities
- object to processing based on legitimate interests
- request data portability where applicable
Requests may be submitted to:
clientsupport@callhandling.co.uk
Governance, Review & Approval
AI-enabled capabilities are subject to CHS governance processes including:
- architectural and security review;
- change management approval;
- risk-based assessment;
- Data Protection Impact Assessments where appropriate.
CHS may update this Data Protection & UK GDPR Compliance Statement from time to time to reflect changes in operational practices, regulatory requirements or technological developments.
This statement is approved by the Board of Directors and will be reviewed at least annually, or sooner to reflect evolving technologies, regulatory requirements, or operational practices.

