Last Updated: 14th November 2019
|Data Controller||The Wise Owl Partnership|
|Address||Corfe Lodge, Corfe, Somerset, TA3 7AN|
General Data Protection Regulation (GDPR)
The Wise Owl Partnership is committed to safeguarding the privacy and personal data of our clients and business partners This is in compliance with the terms of the General Data Protection Regulation (GDPR) which comes into force within the European Union (including the UK) on 25th May 2018.
This Privacy Notice explains how we may collect, use, process, share, and store personal information about you, including through designated third-party service providers, and the choices that are available to you regarding this information. Please read this Privacy Notice carefully to understand what sort of personal information we may hold about you and how we will treat it.
Categories of Personal Data
When we provide a service to you, we will need to ask you for certain personal information depending on the type of service. Generally this will involve asking you for your name, telephone number, email address and postal address. If we are assisting you with registering your charity with the Charity Commission for England & Wales, we may also require your date of birth and charity’s bank account details.
For those clients who use our auditing and assessment services, we may also need details such as Disclosure & Barring Service (DBS) checks.
Cookies and Use of Our Website
Details of Transfers to Third Country and Safeguards
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
Some of our services utilise software, such as Google Drive which may be held on servers outside of the EU. We will only use organisations outside of the EU who have a bona fide record of providing the highest level of data security. We will always inform you before you use one of our services, if your data is likely to be transferred outside of the EU and give you the option to not proceed with using that service.
If you are a citizen or resident of the EU then under GDPR you may have certain rights regarding your personal data. These are as follows:
The right to access the personal information we hold about you
The right to ensure that the personal data we hold about you is accurate and up to date
The right to Erasure of your personal data, commonly known as “the right to be forgotten”
The right to restrict the processing of your personal data
The right to Portability of your data, in other words to be able to move, copy or transfer your personal data from one IT environment to another
The right to Object to the processing of your personal data
Rights relating to automatic decision making including processing (please note that none of our services involve the use of automatic decision making or processing)
Purpose and Legal Basis for Processing Data
Your rights regarding your personal data depend on the Lawful Basis set out under GDPR upon which we have processed your data. The following table helps to explain this
|Lawful Basis for Processing Data||Individuals’ Rights Applicable|
All except Object (but can withdraw consent)
All except Object
All except Erasure, Portability & Object
All except Portability & Object
All except Erasure & Portability
All except Portability
*Note that you will always have the Right to Object to direct marketing
For the majority of the work that The Wise Owl Partnership undertakes, the lawful basis on which we process a client’s personal data will be Under Contract. In other words, when you commission a service from us, we will ask you only for relevant personal information in order to be able to fulfil our obligations under that contract.
If we believe that under the terms of the GDPR, we are not entitled to process your personal data Under Contract we will separately ask for your Consent to do so unless another Lawful Basis from the above table applies.
Subject Access Request
If you wish to invoke one of your rights, please refer to the table above to ensure that the right is not excluded under the lawful basis upon which we processed your data.
You should then either telephone, email or write to us (see contact details above) as part of a subject access request. We have a standard form which you may find convenient to complete to action your request.
We will aim to respond to you as soon as we can and at the latest within 1 calendar month of receipt of your request
If we ask for your Consent to process your personal data, we will ensure that we adhere to the following principles set out in the GDPR.
We will make the consent prominent and separate from our terms and conditions
We will ask you to positively “opt in” to providing your consent
We will never use tick boxes or any other type of default consent
We will use clear, plain language that is easy to understand
We will specify why we want the data and what we are going to do with it
We will give you individual (“granular”) options separately for different purposes and types of processing
We will name our organisation and any third party controllers who will be relying on the consent
We will advise you that you can withdraw your consent at any time
We will not make consent a pre-condition of our service
We will ensure that you can withdraw your consent without detriment
If you have given us your consent to process your information, you have the right to withdraw this consent at any time.
Other Recipients of Your Personal Data
Depending on the type of service we provide to you, we may need to share your personal data with other organisations. For example, if we are registering your charity with the Charity Commission for England and Wales, we will need to share certain information that you have given us with them. In this example, we would share your data Under Contract in order to be able to fulfil the terms of the contract that we have with you.
Some of our services are provided on behalf of third party organisations to whose members & clients we provide support. We may share some of your personal information with third party organisations under the terms of our agreement with them. If we share your personal data with third parties, we will always ensure that you are aware of this and have the option to decline to use the service if you so wish.
We will not retain your information longer than we consider necessary in relation to the service that we provide to you. The following table summarises our retention policy
|Type of Information||Retention Period|
|Electronic copies of telephone consultation requests||6 months from date of request|
|Paper notes from telephone conversations||1 week from date of conversation|
|Emails containing general advice not relating to commissioned work||6 months from date of email|
|Electronic correspondence with client relating to commissioned work||6 years from completion of commissioned work|
|Paper correspondence with client relating to commissioned work||6 years from completion of commissioned work|
We may be allowed to retain your personal data for a longer period if you have given us your consent to such processing as long as your consent has not been withdrawn. We may also be obliged to retain your personal data for a longer period whenever required to do so under a legal obligation, or upon the order of an authority. Once the retention period has expired, unless one of the aforementioned conditions applies, your personal data will be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the retention period has expired.
We will always aim to handle your personal data sensitively and securely and in compliance with the terms of the GDPR. If you have any questions or concerns about the way in which we have handled your personal data, please contact us with details of your concerns at firstname.lastname@example.org
If you are dissatisfied with our response, you have the right to report your concerns to the Information Commissioners Office at the following address:
Tel 0303 123 1113 or 01625 545745
Alternatively you can report your concern via this link to theICO’s website