Introduction and purpose of this Compliance Statement and Privacy Notice
Cambio: House of Social Change Ltd (Cambio) is a registered company, number 14873391. This Compliance Statement and Privacy Notice together set out the steps that Cambio takes to comply with Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR). The Privacy Notice is in a form that may be made publicly accessible.
Cambio is a consultancy company that provides support to organisations wishing to become more sustainable and socially entrepreneurial and enterprising. We hold basic personal data about potential/current clients, including their names and email addresses, in order to: both assess their feasibility as clients and work with them in that capacity should the relationship more forwards.
The data we collect and hold on organisations and projects is provided to us directly by those entities or collected from publicly available sources (e.g. the organisation’s website, annual accounts, etc).
Contact details provided to us are not used for any purpose other than to discuss or appraise the work of an organisation and we do not allow any other individual or entity access to the data.
Compliance Statement
Cambio is committed to protecting and respecting your privacy, using robust security processes and being transparent about how we use your personal information.
Privacy Notice
Cambio is a registered company, number 14873391. This Privacy Notice tells you how and why we use your personal information, the conditions under which we may disclose it to others and how we keep it secure.
You can contact us directly here: Peter@cambioconsultancy.uk
Who looks after your personal information
Cambio is what is known as the data controller. When used in this Notice the terms “we”, “us” or “our” refers to Cambio.
The personal information we hold about you must be accurate and current. Please keep us informed if your personal information changes during our relationship with you.
What type of personal information do we collect?
Personal data, or personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect personal information to assess client prospects, as highlighted above.
We may collect, use, store and transfer different kinds of personal information about you, such as identity data (including your name), contact data (including your telephone number, email address, and the name and contact details of your organisation) and financial data (including business bank account details).
This list is not exhaustive, and, in specific instances, we may need to collect additional data for the purposes set out in this Privacy Policy.
We may also collect personal information from third parties who have your consent to pass your details to us, or from publicly available sources.
There are some “Special Categories” of more sensitive personal data which require a higher level of protection (these include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We do not collect any of these special categories of personal data about you, nor do we collect any information about criminal convictions and offences.
If you provide any personal information about another person (for example, the name of another employee at your organisation) you are responsible for bringing this privacy policy to their attention at the time of sharing the data with us. We will ensure that their information is held in accordance with our privacy policy.
Where do we collect personal information from?
Most of the information we hold comes directly from you. This includes information you give us when:
- We engage with you as a potential client;
- We begin working with you as a client;
- You interact with us in person, through correspondence, by phone or email, or by social media channels;
- You give us feedback or contact us; or
- You update your information.
We might also collect or receive information about you from third parties, that we contract to work with you, from legal or regulatory bodies and sources of publicly available information (e.g. the media).
How will we use your information?
We will only use your personal information when the law allows us to do so. The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal information.
When collecting your personal information, we will always make it clear to you which information is necessary in connection with the particular activity.
Most commonly we will use your personal information in the following circumstances:
- Where you have consented before the processing;
- Where we need to perform a contract we are about to enter or have entered with you;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- For reasons of substantial public interest; or
- Where we need to comply with a legal or regulatory obligation.
Whenever you have given us your consent to use your personal information, you have the right to change your mind at any time and withdraw that consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. Also, if we are not relying on consent as the lawful basis for processing your personal data then we may still continue to process it.
In certain circumstances, we need your personal information to comply with our contractual obligations or to pursue our legitimate interests in a way which might be reasonably expected as part of running our business. For example, in order to deliver products or services to you, we need to use the information you provide to us.
We also use your information when we need to contact you or respond to you if you contact us.
What will we do with your information?
When we are in touch with you as either a prospective or existing client, the personal information you provide to us will be transferred to and held in our file sharing, document management and customer relationship management (CRM) systems.
All the personal information we collect may be processed by Cambio’s employees and freelance contractors in the UK, or internationally.
Who will see your information / sharing your information with other third parties?
We sometimes share your personal information with trusted third parties. We will never sell the personal information or any other data processed. The third parties we may share personal data with are:
- Freelance contracts whom we contract to undertake parts of our work;
- Third party consultants or other service providers (such as IT support) to us;
- Any other person or organisation in accordance with our contractual and legal requirements.
We may also publish the names of organisations that have worked with us in our impact reports and accounts.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
How long will we hold information?
We will only retain your personal information for as long as is necessary for the purpose or purposes for which we have collected it.
Information security
We believe that we have appropriate policies, rules and technical measures to protect the personal information which we have under our control (having regard to the type and amount of that information), from unauthorised access, improper use or disclosure, unauthorised modification, unlawful destruction or accidental loss.
All of our employees and freelance contractors who have access to, and are associated with, the processing of your personal information are obliged to respect the confidentiality of your information. We ensure that your information will not be disclosed to other third parties without your consent except if required by law or when requested to by regulatory bodies.
Data is also held on the phones, laptops and desktop computers of all employees and freelance contractors where they are included in the body of, or attachment to, an email. All devices are password-protected.
Contact details may also be stored on a cloud-based storage repository and a CRM database for the purpose of easily managing contacts. Access to both is password protected and only contact details provided to Cambio are held here.
Please be aware that communications over the Internet, such as emails / webmails are not secure unless they have been encrypted. We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.
Your rights
You have certain rights when it comes to your personal information and there are various requests you can make. Your rights include:
The right to access your information: You can ask us for a copy of any information we hold on you. This is called a Data Subject Access Request (DSAR). When we provide you with a copy of your personal information, we will also provide an explanation of how it is being used.
The right to rectify your information: You have the right to ask us to correct information that you feel is inaccurate and/or incomplete. If you change your name, address, phone number or email address, please let us know straight away.
The right to erasure: You have the right to request that your personal information be deleted; including if we no longer need it for the purpose we collected it, you withdraw your consent or you object to its processing. However, you should note that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
The right to restrict how we use your information: You have the right to request that we restrict the processing of your personal information. This enables you to ask us to suspend the processing of your personal information if you want us to establish the data’s accuracy, where our use of the data is unlawful but you do not want us to erase it, where you need us to hold the data even if we no longer require it as you need to establish, exercise or defend legal claims or you have objected to our use of your data but we need to verify whether we have an overriding legitimate ground to use it.
The right to object to how we use your information
In certain circumstances, you have the right to object to the way we process your information for reasons connected to your individual situation (e.g. if you feel that our use of your information is causing you such a level of damage or distress that you would like us to stop). We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal information.
The right to transfer your information
In certain circumstances, you have the right to ask us to transfer a copy of some of your information to you or to a third party (e.g. another charitable trust).
The right to human intervention
In certain circumstances, you have the right to not be subject to solely automatic decisions (i.e. decisions that are made about you by computer without any human input) in relation to any processes that have a legal or similarly significant effect on you.
You can submit a request for any of your rights by writing to: peter@cambioconsultancy.uk
Right to withdraw your consent
Where we are relying on your consent to process any of your information, you have a right to withdraw that consent at any time. This will not affect any use we have made of the information before you withdrew your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
The right to complain to the regulator
If you wish to raise a complaint on how we have handled your personal information, you can contact the Information Commissioner’s Office (ICO – http://www.ico.org.uk/). However, we would appreciate the chance to deal with your concerns before you approach the ICO, so please contact our office in the first instance and we will investigate to resolve the matter. If you are not satisfied with our response or believe we are not processing your personal information in accordance with the law you can complain to the ICO. Their contact details are:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Telephone: 0303 123 1113
Review and amendments
This policy will be reviewed annually by Cambio, who may also make amendments to the policy at any time.
How to contact us
If you want to request information about our privacy policy you can email us at: Peter@cambioconsultancy.uk