HOW WE USE PERSONAL DATA
Who are we?
Creating Loyalty is a project run by Creating Enterprise. Creating Enterprise is a social enterprise and the wholly owned subsidiary of Cartrefi Conwy, a Registered Social Landlord based in North Wales. This notice explains how Creating Enterprise will collect, process and store information about people (their personal data), the steps we take to make sure that it is protected, and also describes the rights individuals have in regard to their personal data that we handle. The use and disclosure of personal data is governed in the United Kingdom by the General Data Protection Regulations and Data Protection Act 2018. For the purposes of this law, the Company Secretary is registered with the Information Commissioner as a ‘data controller’ for Creating Enterprise. As such, he/she is obliged to ensure that the personal data we handle is handled in accordance with Data Protection law.
1. WHY DO WE HANDLE PERSONAL DATA?
We collect, process, store and share personal data as relevant to the broad purpose of our business activities. This includes:
- Providing education, training, welfare and educational support services;
- Providing property related services;
- Maintaining our own accounts and records;
- Support and management of our employees, volunteers and trainees.
2. WHOSE PERSONAL DATA DO WE HANDLE?
We only handle personal information where there is good reason to, in order to carry out our business and the purposes described in Section 1. We may process personal data relating to a wide variety of individuals including the following:
- Employees including their family and other designated contacts, agency, temporary and casual workers;
- Members of the public to whom we provide services and their designated contacts;
- Professional experts and advisors;
- Board members;
- Business associates, suppliers and service providers;
- Sponsors and supporters;
- Complainants, enquirers and witnesses.
3. WHAT TYPES OF PERSONAL DATA DO WE HANDLE?
We only handle personal data that is relevant to our role and in order to carry out our business and the purposes described in Section 1, including:
- Lifestyle and social circumstances;
- Compliments and complaints;
- Education and employment details;
- Health, Safety and Security details;
- Visual images, personal appearance and behaviour.
4. WHERE DO WE GET PERSONAL DATA FROM?
In order to carry out the purposes described in section 1 above, we may obtain personal data from a wide variety of sources, including the following:
- The data subject themselves;
- Current, past or prospective employers and work colleagues;
- Family, carers, associates and representatives of the person whose personal data we are processing;
- Educators and examining bodies;
- Suppliers and service providers;
- Financial organisations;
- Central government;
- Survey and research organisations;
- Other housing associations or trusts;
- Trade unions and associations;
- Health authorities;
- Enquirers and complainants;
- Security organisations;
- Health and social welfare organisations;
- Professional advisers and consultants;
- Probation services;
- Charities and voluntary organisations;
- The police and other law enforcement agencies;
- Courts and tribunals;
- Professional bodies;
- Employment and recruitment agencies;
- Credit reference agencies;
- Debt collection agencies;
- Correspondence, emails and social media.
5. HOW DO WE HANDLE PERSONAL DATA?
We have processes in place to make sure personal data is handled securely and lawfully. These cover the information we handle internally as well as how we share information with other relevant organisations.
When handling personal data, we will:
- Tell you why we need your information and what we will use it for;
- Only use your personal information for what we have said we will use it for;
- Only keep what we need to provide services to you;
- Keep only the personal information we need to meet our legal obligations;
- Aim to make sure your personal information is accurate and up-to-date;
- Delete or destroy personal information about you when we no longer need it, using our procedures for keeping and deleting information.
6. HOW DO WE MAKE SURE THE PERSONAL DATA IS KEPT SECURE?
We take the safety and security of all personal information we handle very seriously. We make sure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection. This is to protect our manual and electronic information systems from data loss and misuse and we will only permit access to them when there is a legitimate or legal reason to do so. We have strict guidelines as to how personal data is handled and these procedures are continuously managed and enhanced to ensure up-to-date security.
7. WHO DO WE SHARE PERSONAL DATA WITH?
In order to carry out the purposes described in Section 1, we may share personal data with a variety of organisations but only where there is clear reason to do so or we have consent. This may include disclosures to:
- Our Parent Company (Cartrefi Conwy) and other companies from time to time being part of the Cartrefi Conwy group;
- Other organisations and individuals that may be appointed by or contracted with Creating Enterprise for the supply of goods and services from and to Creating Enterprise;
- Utility companies such as gas, electricity and water suppliers;
- Government Departments and Statutory agencies such as HMRC, the Fire service, the Police and other law enforcement agencies;
- Healthcare, pension providers and other organisations delivering employment related services;
- Other organisations or individuals where necessary to prevent abuse or harm to individuals.
Disclosures of personal data will be made on a case-by-case basis, using the personal data appropriate to a specific purpose and circumstances, and with necessary controls in place. Some of the bodies or individuals to which we may disclose personal data may be situated outside of the European Union, some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal data to such territories, we will take proper steps to ensure that it is adequately protected as required by Data Protection law.
We will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. This may include disclosures to the Child Support Agency, the National Fraud Initiative, the Home Office and to the Courts. We may also disclose personal data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
8. WHAT ARE THE RIGHTS OF THE INDIVIDUALS WHOSE PERSONAL DATA WE HANDLE?
Data Protection law gives individuals various rights as detailed below. Any requests relating to any of these rights should be sent to the Company Secretary whose contact details can be found in Section 12 below.
THE RIGHT TO BE INFORMED
THE RIGHT OF ACCESS
Individuals have the right to access their personal data. This is commonly referred to as subject access. You can make a subject access request verbally or in writing and we will have one month to respond to a request.
THE RIGHT TO OBJECT
Subject to certain exemptions, an individual has the right to object to the processing of their personal data in certain circumstances. This request can be in writing or verbally and we have one calendar month to respond. This includes using their personal data for direct marketing purposes and covers communication by any means (e.g. mail, email, telephone, door-to-door canvassing) of any advertising or marketing material directed at particular individuals.
RIGHTS IN RELATION TO AUTOMATED DECISION-TAKING
Subject to certain exemptions, an individual has the right to require that we ensure that no decision that would significantly affect them is taken by or on our behalf purely using automated decision-making software. If there is a human element involved in the decision-making the right does not apply.
RIGHT TO RECTIFICATION
An individual has the right to have inaccurate personal data rectified, or completed if it is incomplete. They can make a request for rectification verbally or in writing and we have one calendar month to respond to a request.
RIGHT TO ERASURE
An individual has the right to have personal data erased; however, the right is not absolute and only applies in certain circumstances. The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing and we have one month to respond to a request.
RIGHT TO RESTRICT PROCESSING
An individual has the right to request the restriction or suppression of their personal data. However, this is not an absolute right and only applies in certain circumstances. When processing is restricted, we are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing and we have one calendar month to respond to a request.
RIGHT TO TAKE ACTION FOR COMPENSATION IF THE INDIVIDUAL SUFFERS DAMAGE BY ANY CONTRAVENTION OF THE ACT BY DATA CONTROLLERS
Any individual who believes they have suffered damage or distress as a result of any contravention of the requirements of Data Protection law may be entitled to compensation from Cartrefi Conwy where the Association is unable to prove that it had taken such care as was reasonable in all the circumstances to comply with the relevant requirement. Any claim for compensation arising from this provision may be sent to the Company Secretary (see section 12 below).
RIGHT TO REQUEST THE INFORMATION COMMISSIONER TO ASSESS A DATA CONTROLLER’S PROCESSING
Any person can request the Information Commissioner to make an assessment if they believe that they are/have been adversely affected by our handling of personal data. Such requests should be made direct to the Information Commissioner whose contact details can be found below.
Generally if individuals have any concerns regarding the way their personal data is handled by Creating Enterprise or the quality (accuracy, relevance, non-excessiveness etc.) of their personal data they are encouraged to raise them with the Company Secretary (see section 12 below). The Information Commissioner is the independent regulator responsible for enforcing Data Protection law; its office in Cardiff provides a local point of contact for members of the public and organisations based in Wales.
The Information Commissioner’s Office may be contacted using the following:
Information Commissioner’s Office – Wales, 2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH Telephone: 016 2554 5297 Email: firstname.lastname@example.org
The Information Commissioner’s Office, Wycliffe House, Wilmslow, Cheshire, SK9 5AF Telephone: 0303 123 1113 Website: www.ico.gov.uk
9. HOW LONG DO WE HOLD PERSONAL DATA FOR?
We keep personal data for only as long as is necessary for the particular purpose or purposes for which it is held. Personal information is retained, reviewed and deleted in accordance with agreed retention periods. This may be varied from time to time relevant to the needs of the business. When we destroy or delete information we do so securely.
We may monitor or record and retain telephone calls, texts, emails and other electronic communications received and sent in order to assist the purposes described under section 1 above, and deter, prevent and detect inappropriate behaviour. We do not place a pre-recorded ‘fair processing notice’ on all telephone lines because of the inconvenience that may be caused through the delay in response to the call.
Cookies are small data files which are stored on a user’s computer or mobile phone by a website and stored on the hard drive of the user’s device. They are helpful because they help to make a website work and often allow the website owners to direct specific content to the user. On our website, users can manage and/or delete cookies as they wish; however, some cookies are required by the website to function correctly, so not allowing them may affect the performance and layout of the site.
A cookie is a small amount of data (which often includes a unique identifier) that is sent to a user’s computer or mobile phone from a website and is stored on the hard drive of a device. Each website can send its own cookies to your browser if your browser’s preferences allow it. Many websites do this whenever a user visits their website in order to report on website traffic and frequency of individuals' navigation. Your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites.
Cookies on the Creating Loyalty website are used in a number of ways. Information supplied by cookies helps Creating Enterprise to analyse the profile of visitors to the website pages and provide them with a better experience. Information on those used can be seen in the list below.
Third-party cookies are not set directly by Creating Enterprise, but by third-party service or functionality providers. Creating Enterprise uses Google Analytics who set cookies on the Creating Loyalty website in order to deliver the services that they are providing (for example, website analytics). Creating Enterprise does not control the dissemination of these cookies.
Analytics cookies store information about what pages people visit, how long they are on the site, how they got there and what they click on. Analytics cookies do not collect or store users’ personal information (for example, names or addresses), so this information cannot be used to identify individuals. Creating Enterprise uses Google Analytics to collect information about how people use our site. This helps us make sure our website meets users’ needs and to find out how we can improve.
Google stores the information collected by the cookie on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. How to reject or delete this cookie: http://www.google.com/intl/en/privacypolicy.html
STORING YOUR USABILITY AND ACCESSIBILITY SETTINGS
Our website provides settings that allow you to resize text or view different colour options. If you switch them on, we store the settings in a cookie, so that they apply to each page you look at.
12. CONTACT US
Any individual with concerns over the way Creating Enterprise handles their personal data may contact the Company Secretary as below:
The Company Secretary, Creating Enterprise, Units 12 & 14, Cartrefi Conwy Business Park, Station Road, Mochdre, Conwy, Wales, LL28 5EF Tel: 01492 588977