As an organisation, we are committed to protecting the privacy and security of your personal data.
This Privacy Notice describes how we collect and use personal data, in accordance with the requirements of the General Data Protection Regulation (GDPR). It applies to all data subjects whom we have dealings with or provide services to.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
We are a ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you. We are required under data protection legislation to notify you of the information contained in this Privacy Notice.
It is important that you read this notice, together with any other Privacy Notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such data.
We will comply with data protection law which says that the personal data we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for legitimate purposes and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes for which it is processed and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept no longer than is necessary for the purposes for which it is processed.
6. Stored and processed securely.
Personal data, or personal information, means any data or information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are ‘special categories’ of more sensitive personal data which require a higher level of protection.
We will ensure that personal data is not kept longer than necessary, in accordance with our Data Retention Policy. When the data held in accordance with this policy and procedure is destroyed, we will ensure that the data is destroyed securely.
We occasionally collect personal data from our clients, and also data subjects whom we may have dealings with during the course of business.
Data is stored in a range of different places, including our information management system and in other IT systems (including our email system). All data storage is within the European Economic Area (EEA).
We need to process personal data to carry out our function as an organisation and therefore have a legitimate interest in processing personal data. Where we rely on legitimate interests as a reason for processing data, it has been considered whether or not those interests are overridden by your rights and freedoms, and we have concluded that they are not.
We may also use your personal data in the following situations, which are likely to be rare:
1. Where we need to protect your interests (or someone else’s interests).
2. Where it is needed in the public interest or for official purposes.
We will only process special categories of data (also known as sensitive data) where the data subject expressly consents to such processing or where one of the following conditions applies:
• The processing relates to personal data which has already been made public by the data subject;
• The processing is necessary for the establishment, exercise or defence of legal claims;
• The processing is specifically authorised or required by law;
• The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• Further conditions, including limitations based upon national law related to the processing of genetic data, biometric data or data concerning health.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Your data will be shared internally with employees who need it to carry out their duties, and with managers and IT staff where access to the data is necessary for the performance of their roles.
We will not transfer your data to countries outside of the European Economic Area.
We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage with third parties to process personal data on our behalf we do so on the basis of written instructions. These third parties are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We will obtain personal data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to collection, use or disclosure of their personal data, we are committed to seeking such consent.
We will, when required by applicable law, contract, or where we consider that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their personal data.
We use the personal data of individuals for the following broad purposes:
1. To provide services to our clients
2. The general running and management of the business
We will process personal data in accordance with all applicable laws and contractual obligations. More specifically, we will not process personal data unless at least one of the following requirements is met:
• The data subject has given consent to the processing of their personal data for one or more specific purposes;
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• Processing is necessary for compliance with a legal obligation to which the data controller is subject;
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
• Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such data without further notice to you.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.
Under certain circumstances, by law you have the right to:
1. Request Access to your personal data (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
2. Request Correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
3. Request Erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
4. Object to Processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
5. Request the Restriction of Processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
6. Request the Transfer of your personal data to another party.
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please email email@example.com.
You will not normally have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may also refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please email firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Working with and for CPUK will be a pleasure!