top of page
Safe Key

Data Protection Policy (GDPR)

 

  1. INTRODUCTION
     

According to the terms of UK Government Data Protection Act of 2018, “Personal data”

refers to the information that can be used to identify an individual, such as name, address, or

credit card number. A "data subjec" refers to any living individual whose personal data is

collected, stored, or processed by an organisation.

The controller of personal data at Resettlement CIC is Oliver Welzen-James, contactable at

owjames@resettlement.org.uk.

 

 2. RETENTION OF PERSONAL DATA 

 

To volunteer with us, we will need to collect and store certain personal information, including:

● Name

● Email address

● Phone number

● Address

● Date of Birth

● DBS Certificate

Please note that this list is not exhaustive, and we may collect additional information as

needed to support your role as a volunteer. However, we do not store any sensitive data

about our volunteers.

We are committed to protecting your personal information. We regularly review the data we

store to ensure it remains accurate, relevant, and secure. Our data protection practices are

designed to keep your information safe and to comply with all applicable privacy laws and

regulations.

 3. USAGE OF HELD PERSONAL DATA

 

The data we collect will be used solely for the purpose it was provided. We will never sell

client or supplier data to third parties.

 

 4. DISPOSAL OF PERSONAL DATA

 

On an annual basis, an exercise will be undertaken to ensure that personal data which is no

longer necessary for our legitimate core activities is removed and a record shall be kept that

this exercise has taken place and what data has been disposed of.

 

 5. SHARING OF PERSONAL DATA

 

Personal data will be kept strictly confidential and will only be shared with Resettlement CIC

staff and volunteers for activities directly related to the organisation. For example, if a

volunteer needs to be in contact with the team or for a volunteer to be in contact with

individuals they are supporting through a Resettlement CIC project.

We will only share data with third parties outside the charity under the following

circumstances:

● With the individual's consent

● If legally required, such as during a police investigation

● In accordance with our safeguarding policy

 

 6. DATA PROTECTION PRINCIPLES

 

Your personal data will be collected and processed according to the following principles:

a) Data should be processed in a legal, fair, and transparent way, ensuring individuals

understand how their data is being used.

b) Data should be collected for clear, specific, and legitimate reasons, and not used in ways

that are incompatible with those reasons. Exceptions apply if the data is used for public

interest archiving, research, or statistical purposes.

c) The data collected should be adequate, relevant, and limited to what is necessary for its

intended purpose.

d) Data should be accurate and updated as needed. Steps must be taken to correct or

delete any inaccurate data promptly.

e) Data should only be kept in a form that allows identification of individuals for as long as it

is necessary for its intended purpose. Data may be stored longer if used solely for archiving,

research, or statistical purposes, provided that appropriate safeguards are in place.

f) Data must be processed with appropriate security measures to protect it from

unauthorised access, unlawful use, and accidental loss, destruction, or damage.

 

 7. THE RIGHTS OF DATA SUBJECT

 

The below outlines the legal responsibilities of Resettlement CIC and the rights of data

subjects under the GDPR, ensuring transparency and protection of personal data. Under the

UK Government Data Protection Act of 2018, the “data subject” is entitled to:

(A) The Right to Be Informed

Organisations must inform individuals about what personal data is being collected,

how it will be used, the duration of its retention, and whether it will be shared with

third parties. This information must be provided clearly and in straightforward

language.

(B) The Right of Access

Individuals have the right to submit a subject access request, requiring organisations

to provide a copy of the personal data they hold about them. Organisations have one

month to comply, with certain exceptions for requests that are unfounded, repetitive,

or excessive.

(C) The Right to Rectification

If an individual identifies inaccuracies or incompleteness in the personal data held by

an organisation, they can request corrections. The organisation has one month to

make the necessary changes, subject to the same exceptions as the right of access.

(D) The Right to Erasure

Also known as "the right to be forgotten" this right allows individuals to request the

deletion of their data under specific circumstances, such as when the data is no

longer necessary, was processed unlawfully, or the individual withdraws consent.

(E) The Right to Restrict Processing

Individuals can request that an organisation limit how it processes their personal

data. This may be an alternative to erasure when, for example, the accuracy of the

data is disputed or when the data is no longer needed for its original purpose but is

required for legal claims.

(F) The Right to Data Portability

This right allows individuals to obtain and reuse their personal data across different

services. It applies only to data provided to a controller based on consent or a

contract.

(G) The Right to Object

Individuals can object to the processing of their personal data when it is collected for

legitimate interests or public tasks. Organisations must cease processing unless they

can demonstrate compelling legitimate grounds that override the individual’s

interests, rights, and freedoms or if the processing is required for legal claims.

(H) Rights Related to Automated Decision-Making and Profiling

The GDPR regulates decisions made without human intervention, such as profiling

based on personal data. Individuals have the right to challenge and request a review

of automated processing if they believe the rules are not being followed.

 8. RECTIFICATION OF DATA

Individuals have the right to request the correction of inaccurate personal data or the

completion of incomplete data. This request can be made either in writing or verbally. Upon

receiving such a request, Resettlement CIC will rectify the information without delay, and no

later than one calendar month. This period may be extended by up to two additional months

if the request is complex or if multiple requests have been made.

However, if the request is clearly unfounded or excessive, particularly if it is repetitive,

Resettlement CIC reserves the right to refuse the request.

We will verify the identity of the individual making the request through reasonable methods.

If incorrect data has been shared with other organisations, we will notify them of the

correction where possible.

9. RIGHT OF ERASURE

You can request the deletion of your personal data, known as the "right to be forgotten"

either verbally or in writing. Resettlement CIC will delete the data within one month, or within

up to two additional months for complex requests. We will verify your identity using

reasonable means.

You also have the right to ask Resettlement CIC to stop processing your data if it is causing

or is likely to cause significant damage or distress. Notify any team member with details of your

concern, and we will respond within one month, explaining our decision and actions.

Requests for erasure may be refused in cases where it is necessary to:

● Uphold freedom of expression and information

● Comply with legal obligations

● Establish, exercise, or defend legal claims

10. BREACH

In the rare event of a personal data breach, Resettlement CIC will notify the Information

Commissioner’s Office (ICO) within 72 hours of discovering the breach. A personal data

breach refers to a security incident leading to the accidental or unlawful destruction, loss,

alteration, unauthorised disclosure, or access to personal data. If the breach is likely to

impact an individual’s rights or freedoms, we will also inform the affected individuals.

Resettlement CIC will maintain a record of all personal data breaches.

Examples of breaches include:

● Improper disposal of equipment or documents

● Lost or stolen unprotected equipment or documents

● Ineffective access controls, including physical security

● Poor data governance, such as improper filing or outdated data

● Inadequate defence against cyber threats, including viruses and phishing

● Unprotected data transmissions, such as via email or video conferences

● Lack of policies, procedures, or controls

● Equipment failure

● Negligence or malicious actions by poorly trained employees

10. FURTHER INFORMATION

Further information regarding your rights can be found on the Information Commissioner's

Office website: https://ico.org.uk/.

Last reviewed: 25/09/24

bottom of page