Privacy Policy

How we use Personal Data

Who are we?
Creating Enterprise C.I.C. is a social enterprise and the wholly owned subsidiary of Cartrefi
Conwy, a Registered Social Landlord based in North Wales.

This notice explains how Creating Enterprise will collect, process and store information about
people (their personal data), the steps we take to make sure that it is protected, and also
describes the rights individuals have in regard to their personal data that we handle.

The use and disclosure of personal data is governed in the United Kingdom by the General Data
Protection Regulations and Data Protection Act 2018. For the purposes of this law, the Company
Secretary is registered with the Information Commissioner as a ‘data controller’ for Creating
Enterprise. As such he/she is obliged to ensure that the personal data we handle is done so in
accordance with Data Protection law.

1. WHY DO WE HANDLE PERSONAL DATA?

We collect, process, store and share personal data as relevant to the broad purpose of our
business activities. This includes;

  • Providing education, training, welfare and educational support services;
  • Providing property related services;
  • Maintaining our own accounts and records;
  • Support and management of our employees, volunteers and trainees.

2. WHOSE PERSONAL DATA DO WE HANDLE?

We only handle personal information where there is good reason to, In order to carry out our
business and the purposes described in Section 1. We may process personal data relating to a
wide variety of individuals including the following:

  • Employees including their family and other designated contacts, agency, temporary and
    casual workers
  • Volunteers
  • Members of the public to whom we provide services and their designated contacts
  • Professional experts and advisors
  • Board members
  • Business associates, suppliers and service providers
  • Sponsors and supporters
  • Complainants, enquirers and witnesses

3. WHAT TYPES OF PERSONAL DATA DO WE
HANDLE?

We only handle personal data that is relevant to our role and in order to carry

  • Lifestyle and social circumstances
  • Compliments and complaints
  • Education and employment details
  • Health, Safety and Security details
  • Visual images, personal appearance and behaviour

4. WHERE DO WE GET PERSONAL DATA FROM?

In order to carry out the purposes described in section 1 above, we may obtain personal data
from a wide variety of sources, including the following:

  • The data subject themselves
  • Current, past or prospective employers and work colleagues
  • Family, carers, associates and representatives of the person whose personal data we are
    processing
  • Educators and examining bodies
  • Suppliers and service providers
  • Financial organisations
  • Central government
  • Survey and research organisations
  • Other housing associations or trusts
  • Trade unions and associations
  • Health authorities
  • Enquirers and complainants
  • Security organisations
  • Health and social welfare organisations
  • Professional advisers and consultants
  • Probation services
  • Charities and voluntary organisations
  • The police and other law enforcement agencies
  • Courts and tribunals
  • Professional bodies
  • Employment and recruitment agencies
  • Credit reference agencies
  • Debt collection agencies
  • Landlords
  • Correspondence, emails and social media

5. HOW DO WE HANDLE PERSONAL DATA?

We have processes in place to make sure personal data is handled securely and lawfully. These
cover the information we handle internally as well as how we share information with other
relevant organisations.
When handling personal data, we will:

  • Tell you why we need your information and what we will use it for
  • Only use your personal information for what we have said we will use it for
  • Only keep what we need to provide services to you
  • Keep only the personal information we need to meet our legal obligations
  • Aim to make sure your personal information is accurate and up to date
  • Delete or destroy personal information about you when we no longer need it, using our procedures for keeping and deleting information.

6. HOW DO WE MAKE SURE THE PERSONAL DATA
IS KEPT SECURE?

We take the safety and security of all personal information we handle very seriously.
We make sure that appropriate policy, training, technical and procedural measures are in place,
including audit and inspection. This is to protect our manual and electronic information systems
from data loss and misuse and we will only permit access to them when there is a legitimate or
legal reason to do so. We have strict guidelines as to personal data is handled and these
procedures are continuously managed and enhanced to ensure up-to-date security.

7. WHO DO WE SHARE PERSONAL DATA WITH?

In order to carry out the purposes described in Section 1, we may share personal data with a
variety of organisations but only where there is clear reason to do so or we have consent. This
may include disclosures to:

  • our Parent Company (Cartrefi Conwy) and other companies from time to time being part of
    the Cartrefi Conwy group,
  • other organisations and individuals that may be appointed by or contract with Creating
    Enterprise for the supply of goods and services from and to Creating Enterprise,
  • Utility companies such as gas, electricity and water suppliers
  • Government Departments and Statutory agencies such HMRC, the Fire service, the Police
    and other law enforcement agencies,
  • Healthcare, pension providers and other organisations delivering employment related
    services
  • Other organisations or individuals where necessary to prevent abuse or harm to individuals.
    Disclosures of personal data will be made on a case by case basis, using the personal data
    appropriate to a specific purpose and circumstances, and with necessary controls in place.
    Some of the bodies or individuals to which we may disclose personal data may be situated
    outside of the European Union some of which do not have laws that protect data protection rights
    as extensively as in the United Kingdom. If we do transfer personal data to such territories, we
    will take proper steps to ensure that it is adequately protected as required by Data Protection
    law.
  • We will also disclose personal data to other bodies or individuals when required to do so by, or
    under, any act of legislation, by any rule of law, and by court order. This may include disclosures
    to the Child Support Agency, the National Fraud Initiative, the Home Office and to the Courts.
    We may also disclose personal data on a discretionary basis for the purpose of, and in
    connection with, any legal proceedings or for obtaining legal advice.

8. WHAT ARE THE RIGHTS OF THE INDIVIDUALS
WHOSE PERSONAL DATA WE HANDLE?

Data Protection law gives individuals various rights as detailed below. Any requests relating to
any of these rights should be sent to the Company Secretary whose contact details can be found
in Section 12 below.

THE RIGHT TO BE INFORMED

Individuals have the right to be informed about the collection and use of their personal data. This
privacy policy may be regarded as a generic over-arching ‘Privacy Notice’. Additional more specific privacy notices may appear in other circumstances such as on forms, policies, email
footers, or CCTV signage.

THE RIGHT OF ACCESS

Individuals have the right to access their personal data; this is commonly referred to as subject
access. You can make a subject access request verbally or in writing and we will have one
month to respond to a request.

THE RIGHT TO OBJECT

Subject to certain exemptions, an individual has the right to object to the processing of their
personal data in certain circumstances. This request can be in writing or verbally and we have
one calendar month to respond. This includes using their personal data for direct marketing
purposes and covers communication by any means (e.g. mail, email, telephone, door-to-door
canvassing) of any advertising or marketing material directed at particular individuals.

RIGHTS IN RELATION TO AUTOMATED DECISION-TAKING

Subject to certain exemptions, an individual has the right to require that we ensure that no
decision that would significantly affect them is taken by or on our behalf purely using automated
decision-making software. If there is a human element involved in the decision-making the right
does not apply.

RIGHT TO RECTIFICATION

An individual has the right to have inaccurate personal data rectified, or completed if it is
incomplete. They can make a request for rectification verbally or in writing and we have one
calendar month to respond to a request.

RIGHT TO ERASURE

An individual has the right to have personal data erased however the right is not absolute and
only applies in certain circumstances. The right to erasure is also known as ‘the right to be
forgotten’. Individuals can make a request for erasure verbally or in writing and we have one
month to respond to a request.

RIGHT TO RESTRICT PROCESSING

An individual has the right to request the restriction or suppression of their personal data
however this is not an absolute right and only applies in certain circumstances. When processing
is restricted, we are permitted to store the personal data, but not use it. An individual can make a
request for restriction verbally or in writing and we have one calendar month to respond to a
request.

RIGHT TO TAKE ACTION FOR COMPENSATION IF THE
INDIVIDUAL SUFFERS DAMAGE BY ANY CONTRAVENTION OF
THE ACT BY DATA CONTROLLERS

Any individual who believes they have suffered damage and/or distress as a result of any
contravention of the requirements of Data Protection law may be entitled to compensation from
Cartrefi Conwy where the Association is unable to prove that it had taken such care as was
reasonable in all the circumstances to comply with the relevant requirement. Any claim for compensation arising from this provision may be sent to the Company Secretary (see section 12
below).

RIGHT TO REQUEST THE INFORMATION COMMISSIONER TO
ASSESS A DATA CONTROLLER’S PROCESSING

Any person can request the Information Commissioner to make an assessment if they believe
that they are/have been adversely affected by our handling of personal data. Such requests
should be made direct to the Information Commissioner whose contact details can be found
below.

Generally if individuals have any concerns regarding the way their personal data is handled by
Creating Enterprise or the quality (accuracy, relevance, non-excessiveness etc.) of their personal
data they are encouraged to raise them with the Company Secretary (see section 12 below).
The Information Commissioner is the independent regulator responsible for enforcing Data
Protection law; its office in Cardiff provides a local point of contact for members of the public and
organisations based in Wales.

The Information Commissioner’s Office may be contacted using the following:
Information Commissioner’s Office – Wales 2nd Floor, Churchill House, Churchill Way, Cardiff,
CF10 2HH Telephone: 016 2554 5297 Email: wales@ico.org.uk
or alternatively, The Information Commissioner’s Office,
Wycliffe House, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 Website: www.ico.gov.uk

9. HOW LONG DO WE HOLD PERSONAL DATA
FOR?

We keep personal data for only as long as is necessary for the particular purpose or purposes for
which it is held. Personal information is retained, reviewed and deleted in accordance with
agreed retention periods. This may be varied from time to time relevant to the needs of the
business. When we destroy or delete information we do so securely.

10. MONITORING

We may monitor or record and retain telephone calls, texts, emails and other electronic
communications received and sent in order to assist the purposes described under section 1
above, and deter, prevent and detect inappropriate behaviour.
We do not place a pre-recorded ‘fair processing notice’ on all telephone lines because of the
inconvenience that may be caused through the delay in response to the call.

11. COOKIES

Cookies are small data files which are stored on a user’s computer or mobile phone by a website
and stored on the hard drive of the user’s device. They are helpful because they help to make a
website work and often allow the website owners to direct specific content to the user.
On our website, users can manage and/or delete cookies as they wish, however, some cookies
are required by the website to function correctly and therefore, not allowing them may prevent
the performance and layout of the site.

1. ABOUT COOKIES

A cookie is a small amount of data (which often includes a unique identifier) that is sent to a
user’s computer or mobile phone from a website and is stored on the hard drive of a device.
Each website can send its own cookies to your browser if your browser’s preferences allow it.
Many websites do this whenever a user visits their website in order to report on website
traffic and frequency of individual’s navigation. Your browser only permits a website to
access the cookies it has already sent to you, not the cookies sent to you by other websites.

2. HOW CREATING ENTERPRISE USES COOKIES

Cookies on the Creating Enterprise website are used in a number of ways. Information
supplied by cookies helps Creating Enterprise to analyse the profile of visitors to the website
pages and provide them with a better experience. Information on those used can be seen in
the list below.

  • THIRD-PARTY COOKIES

Third-party cookies are not set directly by Creating Enterprise, but by third-party service
or functionality providers. Creating Enterprise uses Google Analytics who set cookies on
the Creating Enterprise website in order to deliver the services that they are providing (for
example, website analytics). Creating Enterprise does not control the dissemination of
these cookies.

  • ANALYTICS

Analytics cookies store information about what pages people visit, how long they are on
the site, how they got there and what they click on. Analytics cookies do not collect or
store users’ personal information (for example, names or addresses), so this information
cannot be used to identify individuals.
Creating Enterprise uses Google analytics to collect information about how people use
our site. This helps us make sure our website meets users’ needs and to find out how we
can improve.

  •  GOOGLE ANALYTICS

Stores the information collected by the cookie on servers in the United States. Google
may also transfer this information to third parties where required to do so by law, or
where such third parties process the information on Google’s behalf. Google will not
associate your IP address with any other data held by Google. How to reject or delete
this cookie http://www.google.com/intl/en/privacypolicy.html

3. STORING YOUR USABILITY AND ACCESSIBILITY SETTINGS

Our website provides settings that allow you to resize text or view different colour options. If
you switch them on, we store the settings in a cookie, so that they apply to each page you
look at.

12. CONTACT US

Any individual with concerns over the way Creating Enterprise handles their personal data may
contact the Company Secretary as below:
The Company Secretary, Creating Enterprise,
Units 12 & 14 Cartrefi Conwy Business Park,
Station Road, Mochdre, Conwy, Wales, LL28 5EF
Tel: 01492 588977