CPUK Group Data Protection Policy

Data Protection Policy

We are committed to a policy of protecting the rights and privacy of individuals, including our employees, clients, and other data subjects as applicable, in accordance with the General Data Protection Regulation 2018 (GDPR).

This policy applies to all personal data processed by us. Our Privacy Notices complement this policy and are published on our website. We also have a specific data protection policy for our employees, which we have published on our staff-access intranet.

This policy will be reviewed periodically by our leadership team and, if necessary, updated.

Data Protection Principles

We will process personal data in accordance with our responsibilities as a data controller under GDPR, using the following data protection principles:

1. Process personal data lawfully, fairly and in a transparent manner;

2. Collect personal data only for specified, explicit and legitimate purposes;

3. Process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing;

4. Keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;

5. Keep personal data only for the period necessary for processing; and

6. Adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

We will inform you of the reasons for processing your personal data, how we use such data and the legal basis for processing in our Privacy Notices. We will not process personal data of individuals for other reasons. Where we rely on legitimate interests as the basis for processing data, we will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.

We will update your personal data promptly if you advise us that your information has changed or it is inaccurate.

We keep a record of our processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

We will ensure that personal data is not kept longer than necessary. We have a register in place to record what data should or must be retained, for how long and why we must retain the data. When the data held in accordance with this policy and procedure is destroyed, we will ensure that the data is destroyed securely.

Consent and Conditions for Processing Data

We will obtain personal data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to collection, use or disclosure of their personal data, we are committed to seeking such consent.

We will, when required by applicable law, contract, or where we consider that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their personal data.

We use the personal data of individuals for the following broad purposes:

1. The general running and management of the business, and business administration; and

2. To provide services to our clients.

We will process personal data in accordance with all applicable laws and contractual obligations. More specifically, we will not process personal data unless at least one of the following requirements is met:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.

Special Categories of Data

We will only process special categories of data (also known as sensitive data) where the data subject expressly consents to such processing or where one of the following conditions applies:

  • The processing relates to personal data which has already been made public by the data subject;
  • The processing is necessary for the establishment, exercise or defence of legal claims;
  • The processing is specifically authorised or required by law;
  • The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; or
  • Further conditions, including limitations based upon national law related to the processing of genetic data, biometric data or data concerning health.

Individual Rights

As a data subject, you have a number of rights in relation to your personal data.

Subject access requests

You have the right to make a subject access request. If you make a subject access request, we will inform you:

  • Whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;
  • To whom your data may be disclosed, including recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • For how long your personal data is stored (or how that period is decided);

  • Your rights to rectification or erasure of data, or to restrict or object to processing;
  • Your right to complain to the Information Commissioner if you think we have failed to comply with your data protection rights; and
  • Whether or not we carry out automated decision-making and the logic involved in such decision-making.

We will also provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you request otherwise.

To make a subject access request, you should send the request to sophie.mullen@cpukgroup.co.uk and use our form for making a subject access request. We will ask you for proof of identification before the request can be processed. We will inform you which documents are acceptable to verify your identification.

We will normally respond to a request within one month from the date the Subject Access Request Form is received, along with proof of identity as requested. In some cases, such as where we might be processing large amounts of your data, we may take up to three months to respond to the request. If this is the case, we will write to inform you of this.

If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we may agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If you submit a request that is unfounded or excessive, we will notify you that this is the case and let you know whether or not it will be responded to.

Other rights

You also have a number of other rights in relation to your personal data. You can require us to:

  • Rectify inaccurate data;
  • Stop processing or erase data that is no longer necessary for the purposes of processing;
  • Stop processing or erase data if your interests override our legitimate grounds for processing data (where we rely on our legitimate interests as a reason for processing data);
  • Stop processing or erase data if processing is unlawful; and
  • Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override our legitimate grounds for processing data.

To ask us to take any of these steps, please send a request to sophie.mullen@cpukgroup.co.uk.

Data Security

We take the security of personal data seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by our employees in the proper performance of their duties.

Impact Assessments

Some of the processing that we carry out may result in risks to privacy. Where processing would result in a high risk to your rights and freedoms, we will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data Breaches

If we discover that there has been a breach of personal data that poses a risk to your rights and freedoms, we will report this to the Information Commissioner within 72 hours of discovery. We will also record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to your rights and freedoms, we will inform you of the breach and provide you with information about its likely consequences and the mitigation measures we have taken.

Data Transfers

We may transfer personal data to internal or third party recipients where one of the transfer scenarios listed below applies:

  • The data subject has given consent to the proposed transfer;

  • The transfer is necessary for the performance of a contract with the data subject;
  • The transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject’s request;
  • The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the data subject;
  • The transfer is legally required on important public interest grounds;
  • The transfer is necessary for the establishment, exercise or defence of legal claims; or
  • The data transfer is necessary in order to protect the vital interests of the data subject.

Policy and Ownership Details

Document Name: Data Protection Policy
Effective From: September 2018
Version Number: 1.0
Author: Sophie Mullen
Owner: Steve Burke
Document Control: All printed versions of this document are classified as uncontrolled. A controlled version of this document is available on our website or intranet.

Revision History

Release Number: DP1
Date: September 2018
Revision Description: 1st draft of new policy incorporating new legislation
Author: Sophie Mullen
