GDPR Privacy Notice
Purpose of this document
This notice is intended to provide information about how the Company will use (or process) personal data about individuals including: its staff; clients; partners and suppliers.
The information is provided because data protection law gives individuals rights to understand how their data is used. You are encouraged to read this notice and understand the Company’s obligations to its entire community.
The privacy notice applies alongside any other information the Company provides about use of personal data, for example, when collecting data online or in paper form.
Anyone who works for, or acts on behalf of, the Company should also be aware of and comply with this privacy notice, which also provides further information about how personal data about those individuals is used.
Who we are
Walfinch Ltd is a care agency that provides care to people in their own home. We are committed to protecting the privacy and security of your personal information. This notice sets out the basis on which we will collect, hold, and process any data that you share with us, or that we collect from you.
For the purposes of the General Data Protection Regulations (GDPR), Walfinch Ltd are a “Data Processor”. This means that we are responsible for deciding how we hold and use personal information.
Our Data Protection Nominee is Carla van Wyk who will deal with requests and enquiries regarding the use of personal data and endeavour to ensure that all personal data is processed in compliance with this policy and data protection law.
Data protection principles
The Company understands and agrees to abide by the data protection principles:
Principle 1: Lawfulness, Fairness and Transparency
Personal Data will only be collected for one of the purposes specified in the applicable Data Protection regulation and the method of processing that will occur will be thoroughly explained to the Data Subject.
Principle 2: Purpose Limitation
Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3: Data Minimisation
Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Principle 4: Storage Limitation
In line with Principle 3, Personal Data shall be kept in a form which permits identification of a subject for no longer than necessary for the purposes outlined to the Subject.
Principle 5: Accuracy
Personal Data which needs to be stored for a defined period of time must be kept accurate and up to date, thus adhering to specified processes for identifying and addressing out of date and redundant personal Data. The Company will adopt all necessary measures to ensure that Personal Data collected and processed is complete and accurate and reflects the current situation of the Data Subject.
Principle 6: Integrity & Confidentiality
Personal Data shall be processed and stored in a manner that ensures appropriate security of said data, including protection against unauthorised processing and accidental loss, destruction, or damage.
Principle 7: Accountability
The Data Nominee shall be responsible for and be able to demonstrate compliance with the six previous Data Protection Principles.
The GDPR provides certain rights for individuals, as outlined in our ‘Your Rights under GDPR’ document.
Why the Company needs to process personal data
The Company uses Personal Data for the purposes of: general running and business administration; meeting legal requirements in terms of employing and paying employees; carrying out pre-employment checks; providing services to our clients; and ongoing administration and management of customer services.
The Company and its partners will process Personal Data in accordance with all applicable laws and contractual obligations, and Data will only be processed once Informed Consent is given.
We have reviewed our processes to ensure that the processing is necessary, selected the most appropriate lawful basis for each activity and documented this to demonstrate compliance.
We will only obtain Personal Data by lawful and fair means and with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to collection or use of their Personal Data, the Company is committed to seeking such consent.
The term ‘Informed Consent’ suggests that when applicable or reasonably appropriate to do so, the individual will provide Data Subjects with information as to the purpose of the processing of their Personal Data. Consent should be given in writing and retained.
To ensure fair processing, Personal Data will not be retained by the Company for longer than necessary in relation to the purposes for which it was originally collected. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a reason to retain it. Our retention schedule is outlined on our Data Audit.
Data we collect and process
We collect data in the following ways from the following individuals:
- Via visits to our website
- Details obtained during recruitment projects i.e. applicants
- Our carers
- Our carers and their contacts
- Prospective clients and suppliers
- Our clients
- Our clients’ employees
- Our clients’ friends and family and other contacts
We may collect and process the following data:
- Information provided by filling in forms
- Information completed when entered onto our website
- Providing CVs or other information about yourself for specific purposes
- Details of your access to our online resources or other materials
- Information collected when you contact us; we may keep a copy of any correspondence you send to us, including, but not limited to, your name, address, and email address
We may also collect information about your computer, including where available your IP address, operating system, and browser type, for system administration and to report aggregate information to our directors. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.
We hold both personal and sensitive data, as outlined on our HR Data Record.
All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance, this information is located on servers within the European Union. No third parties have access to your personal data unless the law allows them to do so.
We do not use any kind of automated decision making in the running of our business.
How we keep your data secure
We use several methods to store data, which we have identified through our Data Audit. The data that we collect from you will not be transferred to, or stored at, a destination outside the European Economic Area (“EEA”).
What we do with data we gather
We gather and process data lawfully, in a transparent manner, and for the genuine needs of running our business.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
We do not and have no intention of sharing your information with any organisations for marketing or any other purpose.
Personal Data Breaches
How we recognise and deal with breaches of personal data is detailed in our Data Breaches Policy and Procedure.
Questions or complaints
Complaints or questions should be referred to our Data Protection Nominee, Carla van Wyk.