The Purpose of this privacy statement is to explain how Dove Cottage processes all personal data to fulfil its data protection responsibilities. This statement will be supplemented by ‘specific to client’ privacy notices when needed. Brief definitions of data protection, personal data and processing can be found at the end of this statement.
The scope of this statement covers all related activities by the staff of Dove Cottage.
The Role of Dove Cottage in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the Dove Cottage privacy manager (PM) to ensure that it is processed in accordance with the latest UK and EU data protection legislation.
The PM can be contacted by email at firstname.lastname@example.org or by writing to the UK office at Dove Cottage, West Court, Freeman Street, Wells-next-the-Sea, Norfolk NR23 1BA UK.
The sort of personal data processed by Dove Cottage will only be basic contact information for the purposes of replying to general enquiries.
Dove Cottage’ duty of confidentiality means that Dove Cottage staff will treat client and employee data with due respect and in confidence. It is only disclosed to staff that need to know it. Dove Cottage uses reasonable organisational and technical measures to ensure personal data is kept secure.
Dove Cottage also expects the same duty of confidentiality of all third parties with whom it shares personal data, including contractors. Sharing is kept to a minimum and reviewed regularly.
Dove Cottage processes personal data against a lawful basis and such instances are described below:
In all cases the processing of personal data by Dove Cottage shall be:
Dove Cottage will share personal data, but only when absolutely necessary, with some or all of the following third parties:
Dove Cottage will process your data in different places but mostly within the European Economic Area (EEA). First line personal data processing takes place in the UK, but it is backed up using reputable cloud service providers in the USA. Email is processed using a reputable web-based provider and mobile phone contacts are stored on both office IT equipment and mobile phones. The latter are backed up to Apple iCloud and/or Google. It should be noted that no personal data is stored on any of Dove Cottage’s website servers.
Dove Cottage safeguards all business and personal data in encrypted form, in so far that it is possible. Other than mobile phone contact data, all data in automated form is backed up with a cloud service provider certified to the ISO 27001 Information Security Management System (ISMS) standard.
Dove Cottage follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:
At the end of the retention schedule Dove Cottage will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that Dove Cottage allows up to 2 months after the retention schedule to complete the action.
Dove Cottage websites may link to appropriate websites for our interest. If these are used, the visitor should be aware that the Dove Cottage has no responsibility for the control, content or handling of personal data by these other websites.
The General Data Protection Regulation defines the rights that you have (although these do not apply in all situations), For convenience, these rights are shown below:
Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.
Raising concerns, exercising rights or making queries about Dove Cottage’s processing of personal data can be done by
What data protection, personal data and processing means
The term data protection, put simply, means the protection of personal data against misuse and abuse. Personal data means any information relating to an identified or identifiable natural person, also referred to as a ‘data subject’. Processing has a very wide interpretation and means any operation which is performed on personal data or on sets of personal data whether or not by automated means. This includes, inter alia, collection, recording, storage, adaptation, retrieval, actual use, dissemination or otherwise making available, restricting, erasure or destruction.