Full Privacy Policy

Privacy Policy

Our Privacy Policy aims to show transparency and let you know how we obtain, process, use, collect, manage, and store data, including personal data. It also aims to assure you that we only use your personal information and any other data we use, process and collect for the purposes of managing our Company and carrying out our services. Data will be processed and controlled in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulations (UK-GDPR), which is applicable if you are a UK-based business or organisation subject to the UK GDPR and you transfer personal data to or from other countries (including European countries). Ceatta do not transfer personal data to or from other countries.

All information we collect is stored and used in accordance with the Data Protection Act 2018. In accordance with the regulations, we will only collect and retain personal information that is relevant, and we will only keep it for as long as necessary. We ensure all information we have is kept up to date and accurate, and we dispose of all information that we no longer need securely. We will only use the information we collect for the purposes of our work and the needs of our business. We will not disclose information to unauthorised third parties and we will never sell this information under any circumstances. Our Administration Staff and Repossession Field Agents are trained to handle, manage and work with personal information, and will handle your data under strict policy and procedure, and in accordance with Data Protection. 

Information relevant to Customers subject to our involvement with them

We will not sell your data and we do not use any automated decision-making or profiling tools.

Who we are and what we do

Ceatta Limited is a Repossession and Debt Recovery company. Our services include repossessions, debt collection, asset recovery, investigations and enquiry activities, execution of court orders, and other related services. The services we perform require the processing, use and collection of personal information. Our staff who handle, manage, and maintain personal information are trained to do so and are also fully aware of and understand their legal and contractual obligations and responsibilities regarding Data Protection.

Why we process, use, obtain, collect and store personal Data

Basic Data – Under the services we provide, we are required to process personal data in providing a service to our client. Our Client will share with us your personal data for us to process to carry out their instruction. We call this the Basic Data; our Client is the Controller of this Basic Data. They will have provided you with their contact details and other relevant information relating to the processing of your personal data by us.

Additional Data – When we process the Basic Data we use the information to carry out our client’s instruction. Whilst carrying out the instruction we may also obtain additional personal information about you. It is necessary to record this information and the activity history of the instruction we have carried out, to ensure we maintain accurate, up to date records. We are the Controllers of the additional data. Our Contact details are stated further on in this document.

What personal information do we process, use, obtain and store

It is necessary for us to process, use, obtain and store personal information to enable us to carry out our services. Any information will only be necessary and proportionate to enable us to carry out our work.

The basic data will be personally identifiable information including, but not limited to, your name, address, Date of Birth, email address, contact numbers, employment details and also may include photographic ID. We will also be provided with relevant notes, legal documents and/or agreements, our client’s asset/vehicle details and details of monies due. We will also be provided with information concerning potential vulnerability and/or sensitive circumstances, for example a recent bereavement. This ensures forbearance and due consideration is being applied to your individual circumstances.

We may obtain and process additional personal data whilst carrying out our client’s instruction. This additional data may include, but is not limited to, your up to date contact details (address, contact numbers, employment details), your current circumstances, including financial circumstances and, with your consent, any potential vulnerability or sensitive or mitigating circumstances relevant to you regarding our instruction to act.

How we obtain, collect and store additional information

We may obtain additional information directly from you, from our clients, and where necessary, from enquiries and investigations carried out whilst attempting to conclude our client’s instruction, which can include the processing of witness information and their details. Enquiries and investigations could include, where appropriate and necessary, speaking to third parties, carrying out searches from publicly available sources, other data sources freely available in the public domain and via databases to which we have lawful access. Any information provided by you, or otherwise obtained/collected whilst in the process of carrying out our work, will only be used in accordance with this Privacy Policy. We maintain up to date activity details on the case record to ensure a fully documented history of the instruction is recorded and stored.

Data Protection Verification Process

We take data security extremely seriously and ask you to assist in the security of your personal data, when we contact you, and when you contact us. Any information that we ask you to provide is needed in order to identify you to enable us to speak to you. You will be asked to confirm certain information and details which we hold to assist in verification. If you authorise a third party to speak on your behalf, they will also be required to go through a verification process.

Sharing your information

Unless necessary or obligated by law, regulatory requirements or compliance (for example, under Court or Law Enforcement Agency Instruction, the Financial Ombudsman Service or a medical emergency), we will not share your data with anyone other than our client, whose instruction we are acting under, other associated agents acting under our instruction, and any third party authorised by you.

As part of our work we will share certain relevant information obtained and collected with our client. This information will only be relevant and in accordance with their instruction. It will include updates regarding the carrying out of our instruction and any other relevant information, which will include your updated contact and employment details, if applicable. Our client will process the relevant information we share and record the information on your account held with them. It is necessary to share this information with our Client, especially personal information, such as new address and contact numbers, to enable them to maintain accurate and up to date records, ensuring their compliance with Data Protection regulations.

We will never disclose information to unauthorised third parties, unless required to do so in an emergency situation, for example a medical emergency.

Please Note: We will disclose information to law enforcement departments in the case of actual, potential, or suspected criminal activity, including but not limited to acts of, or threats of, violence and/or aggression against our employees or others, or where we have a duty or are obliged by law or regulation to disclose information, for example in cases of financial crime and fraud.

Retention periods for Basic Data and Additional Data – How long we retain data

We retain your data only for as long as is necessary and in line with UK-GDPR and other applicable Acts. Our retention periods are guided by what we deem no longer than necessary and take into account the Limitation Act 1980.

Once our instruction is complete, we have the following retention periods in place to either anonymise your data (make it unidentifiable to any individual person(s)) or delete your data (securely and irretrievably destroy):

Anonymisation of Live Data – Current year plus 3 Years

Deletion of hardcopy Data – Current year plus 3 Years

Deletion of electronically stored data – Current year plus 6 Years

Body Worn Video data and any data in relation to an incident will be kept indefinitely

Different categories of Company information have their own retention periods set by the Company or Law. Retention periods are based on company requirements along with legal requirements and obligations.

Note: Our Clients will have their own retention periods, which they should make available to you on their own privacy policy. 

Company Data General Information

Lawful Basis for processing personal information

We have a lawful basis to process personal data, being:

  • a) We have your consent (if consent is needed)
  • b) We need to process the information due to the data subject being party to contractual obligations.
  • c) We need to process the information to comply with legal obligations
  • d) We need to process the information to exercise official authority under acts of law vested in the Controller
  • e) It is necessary for us to process the information to maintain accurate and up to date records which streamline and evidence the debt recovery and enforcement process for the data subject and our clients.   

Other data we process, use, obtain, collect and store

We also process, use, obtain, collect and store information on our clients, potential clients, our current and past employees, job applicants, suppliers, information, feedback and enquiries from customers, clients and others who contact us, information on complainants and other individuals in relation to service complaints or enquiries made.

We will only collect, process, use and store information that is relevant to our services and necessary for Company records, legal obligations and compliance. Some of the information we process, use, collect, store and share is necessary for us to comply with our legal obligations. The information we collect is also used for internal record keeping; maintaining accurate and up to date records, and for improving our services; any feedback we receive is used for management information.

Company information can be in any format including electronic records.

Sharing data

We will only share company data, including employee data, where obligated by law, regulatory requirements, contractual obligations, business administration purposes, insurance purposes, recruitment purposes, audit & compliance purposes or when authorised to do so. We will not sell company data. 


We use our best endeavours to protect and safeguard the personal information we hold. Policies and procedures have been implemented to safeguard against unauthorised access, improper use, unlawful loss and unlawful or accidental destruction. We use physical and electronic security measures in our efforts to safeguard all information we collect and hold.

We strive to protect your personal information, but the internet or electronic storage is never a 100% secure environment; therefore, we cannot guarantee that hackers or unauthorised persons will not gain access to personal information, despite our best efforts.

Please note that our website may contain links to other sites. If you use these links, you will be directed to the third-party website. We are not responsible for and have no control over any other website’s content, privacy policies or practices. You should make yourself familiar with the privacy policy of other sites before providing them with any information.

Retention periods

Different categories of Company information have their own retention periods set by the Company or Law. Retention periods are based on company requirements along with legal requirements and obligations. 

Calls to our office

All calls made to our office are recorded for training and quality assurance purposes.

Body Worn Video

For specific purposes and legitimate aims, including but not limited to health and safety and transparency, Staff use and activate Body Worn Video upon attendances. Any data held will only be accessed by management in certain specific circumstances in line with our specific purposes and legitimate aims of the equipment being deployed. Data will only be disclosed based on circumstances in which disclosure is appropriate and will be controlled and consistent. Disclosure will be at the discretion of Ceatta Limited, the system operator. They have the right to refuse any request for information unless there is an overriding legal obligation. Data will never be disclosed by Ceatta Limited to the media.

Rights of a Data Subject

All data subjects have rights. They have the right to obtain from a controller confirmation as to whether or not personal data concerning them are being processed, and where they are being processed, access to the personal data. They also have the right to rectify and correct any inaccurate or incorrect data, and to withdraw consent at any time, where relevant. In certain circumstances they also have the right to object to the processing of their data, and to have their data erased.

Data Subject Rights Requests

You can contact us to make enquiries for further information about exercising any of your rights or to exercise them. Please make all requests in writing. We will respond to a request in accordance with Data Protection law. You will be required to provide proof of your identity, and should you be unable to provide proof, we reserve the right to refuse to disclose.


You can make a complaint to us by any reasonable means: in person, by telephone or in writing. However, we suggest that communication of a complaint is sent to us in writing. This gives you the chance to fully consider and then clearly explain a grievance to us, as well as providing all parties with a documented account.

You can also make a complaint to the data protection supervisory authority, the Information Commissioner’s Office, at https://ico.org.uk

Transfers to third Countries

We do not transfer personal data outside of the Economic European Union or to Countries not permitted under UK-GDPR.

Contact Information

You can contact us at:

Ceatta Limited
1st Floor, 35 Mandale Road, Thornaby, Stockton-on-Tees, TS17 6AD

Or alternatively: Email: [email protected], Telephone: 0333 4567999 (Calls are recorded), or visit our website: www.ceatta.co.uk


Cookies are small text files that are sent to your browser by websites you visit. Cookies are used to help websites store information about your visit, such as preferred settings, e.g. language, text size. You can remove or block cookies using your internet browser’s settings; however, doing so may impact your ability to use our website.

Changes to this privacy Policy

We may update this Privacy Policy (V5 10.21) from time to time including in light of legislative changes. You are advised to review this Privacy Policy periodically for any changes. You can request a copy of this Privacy Policy and we can provide one electronically (via email) or via post.

Contact Us

Ceatta Ltd
Head Office: 1st Floor, 35 Mandale Road, Thornaby, Stockton-on-Tees, TS17 6AD
Tel: 0333 4567999 (Local Rate) Email: [email protected]

NOTE: Calls to Ceatta may be recorded for security, monitoring and training purposes. Ceatta Limited are legally bound by the Data Protection Act; Data Protection Licence Z1592468. We can only discuss matters with named parties, unless consent to speak to a third party is authorised and granted by the named parties.