Privacy and Data Protection Policy
1. Who to speak to
GDPR classes Cavendish Media as a Data Controller - a body that determines the purposes and means of processing personal data - to oversee our data operations.
For queries regarding your privacy and data protection with Cavendish Media, write to:
43-45 East Smithfield, E1W1AP London
Or email: firstname.lastname@example.org
2. The personal data We collect
a. What is personal data?
Personal data includes things like your name, address, and email address. This might be recorded on paper, or it could be an electronic version that is saved on a computer or cloud-based storage systems.
The GDPR says your personal data is your private property.
So, if We wrongly pass on your data, or misuse it, We may have breached your privacy if it identifies you, directly or indirectly.
The GDPR says that personal data includes:
- Email addresses.
- Location data.
- Online identifiers like usernames.
- Employment details.
b. Who do We collect personal data from?
Enquirers, who complete enquiry forms.
Employees and contractors.
Accrediting bodies and other organisations that We work with.
c. Special category data
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.
If We process special category data, We must meet an extra condition for processing.
The GDPR defines special category data as:
Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Data concerning health.
Data concerning someone’s sex life or sexual orientation.
Information on an individual’s criminal activities.
e. Categories of Data Subjects
Our Data Subjects typically fall under one of the following categories:
3. Our lawful basis for processing personal data
a. Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR, is met:
The processing is necessary for a contract with the Data Subject.
The processing is necessary for us to comply with a legal obligation.
The processing is necessary to protect someone’s life (this is called “vital interests”).
The processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law.
If none of the above legal conditions apply, the processing will only be lawful if the Data Subject has given their clear Consent.
b. Processing of “special categories” of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the GDPR, is met. These conditions include situations where:
The processing is necessary for carrying out our obligations under employment and social security and social protection legislation.
The processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual, and the Data Subject is incapable of giving Consent.
The processing is carried out during our legitimate activities and relates only to our members or persons with whom We are in regular contact in connection with our purposes.
The processing is necessary for pursuing legal claims.
If none of the above legal conditions apply, the processing will only be lawful if the Data Subject has given their explicit Consent.
4. Our intended purposes for processing personal data
We use information held about our Data Subjects in the following ways:
a. Information given to us by Data Subjects
We will use this information to:
Fulfil requests for:
Information about promotions and discounts
Returning phone calls.
Process payments and verify financial transactions.
Record any contact We have with people.
Communicate with our service users.
Provide people with information, promotions and discounts that We think may be of interest to them, if Consent is obtained.
Provide our services to people and Organisations who purchase them.
We may share your personal information with any member of our group, which includes our subsidiaries, and our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
a. We may share your information with selected third parties under these conditions:
If We are legally required to do so, for example by a law enforcement agency legitimately exercising a power, or if compelled to by an order of the Court.
If We believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites.
If We are working with a carefully-selected partner which is carrying out work on our behalf.
With analytics and search engine providers which assist us in the improvement and optimisation of our website.
If We sell or buy any business or assets, We may disclose your personal data to the prospective seller or buyer of such business or assets.
If We or substantially all of our assets are acquired by a third party, personal data held by us about our customers will be one of the transferred assets.
We never sell or share your information with other organisations to use for their own purposes.
We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.
We will implement security measures which provide a level of security that is appropriate to the risks involved in the processing.
Measures will include technical and organisational security measures. In assessing which measures are the most appropriate, We will consider the following and anything else that is relevant:
The quality of the security measure.
The costs of implementation.
The nature, scope, context and purpose of processing.
The risk (of varying likelihood and severity) to the rights and freedoms of Data Subjects.
The risk which could result from a data breach.
Measures may include:
Technical systems security.
Measures to restrict or minimise access to data.
Measures to ensure that our systems and data remain available or can be easily restored in the case of an incident.
Physical security of information and of our premises.
Organisational measures, including policies, procedures, training and audits.
Regular testing and evaluation of the effectiveness of security measures.
We may also store information in non-electronic forms, for which We have security procedures in place to protect it, in line with the GDPR.
7. How We erase data upon expiry of retention period
We will not keep personal data longer than necessary for the purposes for which it was collected. We will comply with official guidance issued to our sector on retention periods for specific records. Further information can be found in our Data Retention Schedule.
Personal data stored electronically will be permanently deleted from our local files, and from our cloud-based storage systems.
Documentation containing personal data stored or archived in physical files will be shredded upon expiry of the retention period.
8. Data Subject rights
The GDPR brings new legal rights for individuals whose personal data is processed.
We will process personal data in line with these rights to:
Be informed that your personal information is being collected – at the point of collection – and the purposes for which it is being processed, the retention periods, and who it will be shared with.
Access personal data held and processed by us.
Rectify any personal data that is inaccurate or incomplete.
Erase, or to set as “be forgotten”, if your data is no longer necessary for the purpose for which it was collected, and Consent is the lawful basis for processing.
Data portability, which means to receive your data, or some of your data, in a format that can be easily used by another person (including the Data Subject themselves) or organisation.
Object to processing in certain circumstances, including preventing the use of your data for direct marketing.
We will act on all valid requests as soon as possible and at the latest within one calendar month unless We have reason to and can lawfully extend the timescale. This can be extended by up to two months in some circumstances.
Any information provided to Data Subjects will be concise and transparent, with the use of clear and plain language.
Margherita Moccagatta, Cavendish Media, 43-45 East Smithfield, E1W1AP London.
The processing of your personal data may involve us disclosing your details to regulatory bodies or other third parties.
If you do not wish your personal data to be disclosed in this manner, you should make this clear by sending us an appropriately worded email.
Privacy and Data Protection Policy v18.02
The content of this policy was updated on 21 April 2020.