GDPR Statement

Data Protection at CMS Distribution

CMS Distribution (“CMS”) takes the protection and privacy of our customers’, suppliers’ and employees’ data very seriously, and believes the GDPR regulations introduced by the European Union in May 2018 have been an important step forward in clarifying and protecting individual privacy rights.

CMS fully complies with relevant laws or regulations such as the UK Data Protection Act 2018, the Irish Data Protection Act 2018 and the EU General Data Protection Regulation (“GDPR”). These rules are considered the world’s strongest set of data protection rules.

 Our primary considerations are to ensure that:

  1. The protection of any data entrusted to us is never compromised or misused.
  2. We are fully compliant with our legal and regulatory responsibilities.
  3. We continue to provide the highest standard of services to our customers globally.

 We have a multi-disciplinary GDPR team to review our compliance, and the following are just some of the actions we are taking to ensure our continued GDPR compliance:

  • Carrying out personal data audits to better understand and document our processing activities.
  • Carrying out gap analysis and risk assessments.
  • Updating existing, and implementing new, policies and procedures to comply with individual rights and obligations.
  • Maintaining a robust breach management process which is regularly reviewed by senior management.
  • Scheduling regular training for our employees to ensure continued data privacy best practice.
  • Working with all our suppliers to monitor their GDPR compliance. This includes contract amendments where appropriate.
  • Keeping a watching brief on, and implementing, best practice and regulatory guidance in the countries where we conduct business.

When is CMS Distribution a Data Controller or Data Processor?

We can confirm that for fulfilling purchase orders and providing the products and services that customers buy, CMS is always the Data Controller. It is also the Data Controller for the internal staff data it processes.

 As with most organisations, CMS is on occasion the Data Processor. An example is where a customer purchases a third-party Cloud service or other standard service (e.g. software support and maintenance) which is performed by the third party under a direct agreement with the customer. In this instance CMS only transacts the services, and would normally only process data as described. Any data processed by the service provider as part of the products or services will be subject to the terms agreed directly between the customer and the service provider, which are often contained in the End User License Agreement or similar terms. This clarifies that CMS is directed on how to process the personal data and is therefore, under these circumstances, the Data Processor.


Privacy Notice

Our privacy notice details the way in which we handle and use your personal data, and also applies to how we use contact information for marketing. If our customers’ individual employees consent to receive direct marketing from us then of course they are free to change their preferences or opt-out of receiving further marketing communications at any time.


Information Security

CMS recognises that ensuring the confidentiality, integrity and availability of information entrusted to CMS is vital. CMS maintains a formal Information Security framework that implements standards and controls aligned with industry standards and best practices to facilitate the proper measures of protection across the organisation.



For any queries please don’t hesitate to contact your relevant point of contact within CMS, or email