CBR Business Solutions

This is the privacy notice for CBR Business Solutions, the trading arm of Voluntary Norfolk (UK registered charity number 1112017, company registration number 5616120).

Our registered address is: St Clements House, 2-16 Colegate, Norwich, NR3 1BQ

We are registered with the Information Commissioner’s Office (ICO), reference no.: Z632337X


This notice sets out the obligations on CBR Business Solutions under GDPR and how we will collect, process and use client information.

We are committed to protecting your privacy and being clear about how we use personal information that we hold. We understand that you are entitled to know that your personal data will not be used for any unintended purpose.

You have rights and we have obligations in regards to the processing and control of your personal data. You can learn more about your rights here: www.knowyourprivacyrights.org/

Our policy complies with UK law, including that required by the EU General Data Protection Regulation (GDPR). This policy is effective from May 25th 2018.


We will collect personal information about you:

  1. When you give it to us directly

For example, personal information that you submit through our website or any personal data that you share with us when you communicate with us by email, phone or post.

  1. When we obtain it indirectly

Your personal information may be shared with us by third parties, including our sub-contractors, and organisations that contract us to provide services

We also receive data from the following third parties:

  • Due Diligence Checking, for ID validation services, you can see their Privacy Policy online.
  • First Advantage who is a data processor for CBR Business Solutions, processing online DBS checks, you can see their Privacy Policy online.
  1. When you visit our website

CBR Business Solutions uses cookies to improve your experience on our website. Please refer to our cookies policy for details on the way our use of cookies may affect your personal data.


Payroll, HR and Employment services

CBR Business Solutions is contracted to act as a Data Processor for our clients.

We may collect, store and otherwise process the following kinds of HR and employment related personal information on behalf of our clients:

  • Name, postal address, telephone number, email address
  • Data to process payroll, including: marital status, title, date of birth, employment start date, National Insurance number, tax details, benefit and allowance status, student loan details, job title, salary, hours worked, bank account sort code, building society reference, name of account holder, account number
  • Data on protected characteristics, including: gender, disability, race or ethnicity, faith and sexual orientation, including data around making reasonable adjustments
  • Occupational health, sickness absence and medical records data
  • Disciplinary and grievance data
  • Criminal records data

Disclosure and Barring Service (DBS)

CBR Business Solutions is a Registered Body with the DBS and acts as a Data Processor for personal data, for online DBS checks, GB Group Plc (GBG) is a data sub-processor.

The DBS has put Privacy Policies in place which tell you about how they process data and what your rights are, you can access it online.

As a registered body CBR Business Solutions is bound by the DBS Code of Practice, which you can access online

GBG is a Responsible Organisation for the DBS, you can get more information about this online.

As a DBS registered body we may collect, store and otherwise process the following kinds of criminal records related personal information on behalf of the DBS:

  • Full name history, 5 year address history, date of birth, National Insurance number, Driving licence details, passport details, place of birth, E55 declaration, email address, employer details.
  • Approved ID documents mean that we could see bank details, benefit details, passport details, driving licence details, tax information, NI No, place of birth, Residents Permit details, adoption details, school details, mortgage and other financial records etc. Other documents that can be provided include HM Forces ID card, firearms licence, marriage certificate, change of name deed.
  • Name, date of birth, applicant reference number, whether applicant is barred from working with adults (For DBS Adult First applicants only)

DBS Adult First is a service provided by the DBS that can be used in cases where, exceptionally, and in accordance with the terms of Department of Health guidance, a person is permitted to start work with adults before a DBS Certificate has been obtained. This applies to adult services such as care homes, domiciliary care agencies and adult placement schemes where DBS Certificates are required by law.


We are required to have one or more lawful grounds to collect and use the personal information that we have outlined above. We consider the grounds listed below to be relevant:

Legal obligation
Where the processing of your personal information is necessary for us to comply with a legal obligation to which we are subject, for example where we have to share your personal information with regulatory bodies which govern our work.

Contractual relationship
Where it is necessary for us to process your personal information in order to perform a contract to which you are a party (or to take steps at your request prior to entering a contract), for example processing payroll data.

Legitimate interests
The law allows us to use personal information on the condition that to do so is reasonably necessary for our legitimate interests (and the use of your personal information is fair, balanced, and does not unduly impact your rights). We may rely on this ground to process your personal information when we believe that it is more practical or appropriate than asking for your consent. For instance, we rely on the legitimate interest ground to process your personal data in order to validate your identity.

Special categories of data
Certain categories of personal information are sensitive, and therefore require more protection. These categories of data include information about your health, ethnicity and sexual orientation.  We will only process these special categories of data if there is a valid reason for doing so and where the GDPR allows us to do so.


Once you choose to provide us with personal information we will ensure that your personal information is only used for the purposes specified in this privacy policy.

CBR Business Solutions may use your personal information:

  • to deliver HR, Employment and Payroll services under contract to our Clients
  • to deliver DBS services as a registered body to the DBS
  • to answer questions/ requests and communicate in general;
  • to analyse and improve our work and services (including our website) or for our internal records;
  • to audit and/ or administer our accounts;
  • to satisfy legal obligations which are binding on us;
  • for the prevention of fraud or misuse of service;


CBR Business Solutions will not sell, rent or lease your personal information to others. However, we may disclose your personal information to selected third party processors for the purposes outlined above. Third parties are obligated to use any personal data they receive in accordance our instructions.

Payroll services

Personal data is processed using the following methods:

  • SAGE 50 payroll (separate database for each customer)
  • Bank of Scotland commercial banking website
  • Electronic data transfer to third parties such as HMRC and pension companies by the processes provided by the third party

HR and Employment services

Personal data is shared with Leathes Prior Solicitors, who provide employment related legal advice, in accordance with our agreement.

DBS Services

Personal data is shared with:

  • GB Group Plc (GBG) who is a Responsible Organisation for the DBS and a data processor for CBR Business Solutions, you can see their Privacy Policy online.
  • Mayflower Disclosure Service provide ID validation services, you can see their privacy policy online.


As we sometimes use third parties to process personal information, it is possible that personal information we collect from you will be transferred to and stored in a location outside the UK or the European Economic Area (“EEA”).

Please note that certain countries outside of the UK or EEA have a lower standard of protection for personal information, including lower security protections. Where your personal information is transferred, stored, and/or otherwise processed outside the UK or EEA in a country which does not offer an equivalent standard of protection to the UK or EEA, we will take all reasonable steps necessary (including entering into standard contractual clauses to protect your personal information or relying on the Privacy Shield for transfers to organisations in the US) to ensure that the recipient implements appropriate safeguards designed to protect your personal information. If you have any questions about the transfer of your personal information, please contact our Data Protection Lead.


CBR Business Solutions will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information and will store personal information you provide on our secure cloud server.

Payroll and HR Data

Data will only be retained using specific methods:

  • Hard copy – within locked cabinets sub divided by customer
  • Electronic copy – within folders in a designated drive on cloud based server
  • Payroll – within SAGE 50 payroll database

Data will not be retained using the following methods:

  • Email server – beyond initial period for processing and verification of processing
  • Bank website – data will not be entered, processed or retained as a named beneficiary

Payroll Bureau data (hard copy and electronic copy) is only accessible by the following:

  • Payroll Manager
  • Payroll Administrators
  • Payment authorisers (Bank of Scotland online processing of payments)

Payroll Bureau data is not accessible to anyone at CBR Business Solutions or Voluntary Norfolk beyond those involved in the running and provision of the payroll service.

CBR Business Solutions undertakes the following procedures to ensure good working practice when processing data:

  • When unattended, PCs will be locked using a password
  • All PCs have a screen saver that obscures the screen which are activated after no more than 1 minute’s activity and are password protected
  • All cabinets containing hard copies of data are locked and the keys kept in a secure locked environment

These procedures are audited to ensure compliance on an at least six monthly basis. CBR Business Solutions will notify the Data Controller (Client/ DBS) without undue delay after becoming aware of a data breach, as per contracts and agreements in place.


We will generally remove your personal information from our records six years after the date that it was collected unless a) we are required to hold for longer for legal or regulatory purposes; or b) it is still required in connection with the purpose for which it was collected and/or processed.

However, we will remove your personal information from our records before this date if we become aware that (a) your personal information is no longer required in connection with such purpose(s); (b) we are no longer lawfully entitled to process it; or (c) you validly exercise one of your rights of erasure.

Payroll Data

  • All payroll data will be held in accordance with the minimum retention period as advised by HMRC (currently three years prior to the current PAYE year).
  • Sage backup files will be retained no longer than one year after the end of tax year
  • Emails containing payroll data (received and sent) will be deleted no later than three months.
  • Payroll data will not be archived on the email server under any circumstance
  • Emails may be copied to folders in a designated drive on cloud based server
  • After the expiry of all retention periods all data (regardless of storage method or medium) relating to the payroll will be destroyed

HR and Employment Service Data

All data on protected characteristics, occupational health, criminal records, discipline and grievance will be held for no longer than 6 years.

Upon termination of a contract with a Client/ Data Controller CBR Business solutions will return all personal data in accordance with the contract terms and conditions and will delete all copies of the data after six months, so as to allow for possible Employment Tribunal claims.

DBS Data

Personal data is destroyed securely on site at six months after a successful submission to the DBS. Any information we receive is used purely for the processing and carrying out of DBS checks. We do not hand it on to any other party unless they are directly involved with the processing of the check, e.g. the DBS, the client organisation, our own Finance Department for invoicing purposes.

Hard copy (paper) personal data is kept in line with DBS guidance, in a lockable, non-portable storage unit (a lockable filing cabinet). Destruction is in line with DBS guidance and hence it is destroyed on site in a cross cut shredder and not placed in confidential waste bins.


CBR Business Solutions may contact you by post, telephone, email, or social media.

Please note that you also have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/concerns/


CBR Business Solutions may update this privacy statement by posting a new version on this website. If we update this privacy statement in a way that significantly changes how we use your personal information, we will use reasonable efforts to bring these changes to your attention. Otherwise, we would recommend that you periodically review this privacy statement to be aware of any other revisions.


Our Data Protection Lead is Voluntary Norfolk’s Quality & Governance Manager, Dave Crinson, who is responsible for monitoring compliance with relevant legislation in relation to personal data.

You can contact him if you have any questions about this privacy statement or our treatment of your personal information by:

Email: Privacy@voluntarynorfolk.org.uk
Telephone: 01603 614474
Post: Quality & Governance Manager, St Clements House, 2-16 Colegate, Norwich, NR3 1BQ