About this notice:
RRC understands that privacy is very important and that the utmost care needs to be taken in how personal data is used. We respect and value the privacy of all staff, agents, sub-contractors (which includes freelance and independent workers), or other parties working on behalf of the Company, regarding data protection and the rights of clients, service users, commissioners, partners, business contacts and customers (“data subjects”) in respect of their personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.
1. Who we are
The Company responsible for the processing of personal information is RRC (RRCONSULTANCY) LTD (Company registration number 8411279) of PO Box 959, Bradford, BD1 9EB. This means that we are a ‘data controller’ under the Data Protection Act 1998 (and, once in force, the General Data Protection Regulation (also known as the GDPR)). Our registration number with the Information Commissioner’s Office is ZA055384. Our Data Protection Officer can be contacted at email@example.com or 0844 5672697.
2. What this notice covers
This Privacy Information explains how we use personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
3. Personal Data
Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we use is set out in Part 5, below.
4. Your Rights
Under the GDPR, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 12.
- The right to access the personal data we hold about you. Part 11 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 12 to find out more.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Part 11 to find out more.
- The right to restrict (i.e. prevent) the processing of your personal data.
- The right to object to us using your personal data for a particular purpose or purposes.
For some of our work we may rely on a legitimate interest as a lawful basis for holding and processing personal data. This may be in situations where we need to perform a specific task in the public interest that is set out in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest. Where our work involves processing personal data and relies on legitimate interests, we will assess this carefully and document our decision making.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 12.
Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
5. The Personal Data we collect
We may collect some or all of the following personal data (this will vary according to your relationship with us):
Personal or sensitive data could include, but is not limited to, names and addresses, contact details, payment information, health and social care information, employment, education, training and accommodation information, offending history, legal information pertaining to service users or others for whom they have a legal responsibility. The information may be provided in conversation or in written form, for example on reports, correspondence or other documentation and can be in (but not limited to) electronic, audio, video or paper formats.
Your personal data is obtained either directly from you or organisations and individuals that you have authorised to provide us with your personal data.
6. Monitoring and recording of communications
We may in some cases, subject to applicable laws, record calls, emails, text messages and other communications in relation to our relationship with you. Where recording of calls takes place this will usually be to assist in note taking of what has been said.
7. How we use Personal Data
Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, delivery of a service to you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data may be used for one or more of the following purposes:
- Conducting administrative services such as payments
- Providing our services to you; your personal details are required for the performance of our duties and the delivery of a service to you
- Communicating with you; this may include responding to emails or calls from you.
- Supplying you with information by email, post or telephone that you have requested.
The Company does not hold or collect information for any marketing purposes.
8. How long we keep Personal Data
Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
- Where the personal data is no longer required for the purpose for which it was originally collected or processed;
- When the data subject withdraws their consent;
- When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
- When the personal data is processed unlawfully (i.e. in breach of the GDPR);
- When the personal data has to be erased to comply with a legal obligation; or
- Where the personal data is processed for the provision of information society services to a child.
Full details of the retention period can be found in the Company’s Data Retention Policy.
9. How and where we store or transfer Personal Data
The Company shall ensure that the following measures are taken with respect to the storage of personal data:
- All electronic copies of personal data should be stored securely using password protected devices and / or encrypted systems;
- All hardcopies of personal data, along with any electronic copies stored on physical, removable media, should be stored securely in a locked box, drawer, cabinet, or similar;
- All personal data stored electronically should be backed up at least weekly with backups stored on or offsite. All backups should be encrypted;
- Personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of RRC’s Data Protection Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
We will where possible only store your personal data within the European Economic Area (the “EEA”). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the GDPR or to equivalent standards by law.
The Company may from time to time store personal data in countries outside of the EEA. The storage of personal data in a country outside of the EEA shall take place only if one or more of the following applies:
- The storage is in a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
- The storage is in a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with a code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
10. Sharing Personal Data
We will not share any of your personal data with any third parties for any purposes, subject to one important exception.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
11. How to access your Personal Data
In a situation where the Company is the “Data Controller” and not the “Data Processor”, data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why. In all circumstances the Data Owner will be consulted when any SARs are received.
Anyone wishing to make a SAR should do so using a Subject Access Request Form that can be requested from and returned to the Company’s Data Protection Officer at firstname.lastname@example.org
Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
All SARs received shall be handled by the Company’s Data Protection Officer.
The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
12. How to contact us
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
For the attention of: Data Protection Officer
Email address: email@example.com
Telephone number: 0844 567 2697
Postal Address: PO Box 959, Bradford, BD1 9EB
13. Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
Any changes will be made available on the Company’s website or on request to firstname.lastname@example.org