Caritas HR Limited (Caritas) protects your privacy by ensuring that any personal data is collected and used lawfully and transparently. When delivering professional services we are the Data Controller of the personal data that you supply to us under your contract with us.
This Privacy Notice explains:
• Who we are
• Personal data we collect
• Our legal basis for processing
• Who we may share information with and why
• Where we may transfer data
• How we keep information secure
• How long we may keep your data
• Your data privacy rights
• How to contact our DPO and the ICO
Who is Caritas?
Caritas specialises in the provision of HR advice and services to Registered Charities and the Third Sector in the UK.
When providing these services, we take very seriously our responsibilities regarding data protection and are bound by all applicable data protection laws in respect of the handling, processing and collection of data. All employees and associates who handle personal and business data are trained to ensure that the data is processed in line with the General Data Protection Regulations 2018 (GDPR) as well as the Data Protection Act 2018 (DPA 2018).
Personal Data
The type and frequency of any personal data collected depends on how our website and services are used. If you choose not to provide certain categories of personal data, you may not be able to use all of our services.
Personal Data
We use electronic and paper contact forms. These forms prompt users to input contact details so we can provide service quotes and respond to enquiries. You should keep us informed of any personal data changes during your relationship with us.
Personal Data collected by us
Where you invite us to provide services, we may need to process additional categories of personal data relating to you or other parties to provide informed HR advice.
Personal Data from other sources
We may receive information about you and/or your company from specific third parties as may be pertinent to the provision of our services.
Special Categories of Data
There may be circumstances where we need to process Special Category Data provided by you or other users of our services during the duration of our service. Special category data is more sensitive data which discloses insights about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or sexual orientation. We may also process data that relates to criminal and/or civil offences as well as child data in some very rare circumstances. Sensitive data collection only takes place where it is relevant to the provision of the services that we are contracted to provide. The fundamental rights of the data subjects are always assessed to ensure that the processing is fair, transparent and lawful.
Online Identifiers
When you visit our website, a record of your device’s IP address is retained and used anonymously in order to determine website and age visitors. For more information on how we use online identifiers or cookies please visit our cookies policy.
Our legal basis for processing
Before processing any personal data, we ensure that we meet at least one lawful basis under GDPR. We do not disclose personal data for any purpose other than for what the data was originally collected, unless there is an overriding legal basis that enables this processing.
We collect, hold, use and disclose the information collected to compile statistical data and to maintain our database; to develop and improve our website; respond to any queries; manage quality control and compliance; manage administration; provide you or your organisation with advice; notify you about important changes or developments to our services; contact you for your opinion on our services.
We also process your personal data in the following ways:
To Perform Our Service Under The Contract
We process information in order to support and maintain our existing or potential contractual relationships under the lawful basis ‘performance of a contract’. We may process data in order to support client services, take payments and make improvements to our website. The lawful basis on which we rely to process data for the duration of servicing on your account, and for the decision to enter an initial or any subsequent contract, is ‘legitimate interest’. Ensuring our administrative and IT systems are secure and robust against unauthorised access also falls under this basis.
For Fraud Prevention
Due to the advice and services we offer to companies, we also have a ‘legal obligation’ to validate the status of organisations we work with, which may involve identifying and verifying individual data subjects as part of our ‘legitimate interests’ to safeguard against criminal or fraudulent activities. We also must ensure that VAT and premium tax is paid.
To Defend Legal Issues
We have a ‘legitimate interest’ to process data which may help us in connection with establishing, exercising or defending legal claims.
To Process Sensitive Data
In some cases, where the processing is deemed high risk or highly sensitive, we may ask for your ‘consent’ before we undertake the processing. Where consent is used as the lawful basis for the processing, you will be entitled to withdraw that consent at any time as well as exercise your data privacy rights.
Data Sharing
Personal data will only be disclosed on a confidential basis to external service providers in order that they can provide services such as financial, technological or administrative assistance. When we share data with an external third party, these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external parties we work with to ensure that appropriate levels of data integrity are in place and maintained.
Where necessary, we may need to share data with external organisations such as law enforcement, regulatory bodies, fraud prevention agencies, partners or advisors. Before any data is shared, we ensure that all technical and organisational controls are firmly in place and a data protection impact assessment is undertaken, where applicable, if the sharing or transfer is considered high risk. We will not sell your data to any third parties.
Data Storage and Security
We have an IT Security Officer tasked with protecting our IT assets and to assist with data security and data loss prevention.
Data Retention
Caritas only keeps your data for as long as necessary, unless there is an overriding legal reason. We will not retain data if it is deemed unlawful to do so. Data may be held for purposes relating to the establishment, exercise or defence of legal claims which Caritas or our clients may face. Where we represent you in any legal case, we retain the data for seven years from the conclusion of the litigation case. We will keep data concerning your account for at least seven years from the date you end your contract with us. Some data may be deleted before this time period depending on the category of that data in line with our commercial legitimate interests.
Personal data that is no longer necessary is deleted securely in line with Caritas’s Data Disposal Policy. Our Data Retention and Data Disposal policies are available upon request.
All data subjects have individual rights. On a case by case basis, you have the following rights in relation to your personal data processed by Caritas:
• The right to be informed about how your personal data is collected and used
• The right to request access to a copy of any personal data we hold about you
• The right to erasure of any personal data; also known as ‘the right to be forgotten’
• The right to restrict further processing of your personal data
• The right to data portability where technology allows us to send personal data on to a new controller
• The right to object to the processing or certain processing activities
• Rights in relation to automated decision-making including profiling
As an organisation we do not use automated decision-making systems. Please be aware that the rights listed in this section only apply to individuals and cannot be used to request data relating to business entities. Please be aware that your rights of access do not entitle you to physical or digital copies of any documentation we hold.
Queries and Complaints
Caritas has a dedicated representative who can be approached for any questions, comments and requests regarding this privacy policy or our Data Privacy Management System.
Our Data Protection Officer welcomes communication around our policies and practices and can be directly contacted on the details below. You can also write to us at Caritas, Blackwell House, Guildhall Yard, London, EC2V 5AE.
GDPR Oversight Team: GDPR@caritas-hr.com
Data Protection Office: andrew.campbell@caritas-hr.com
If you’re not satisfied with our response, or believe we’re not processing your personal data in accordance with the law, you can contact the UK Regulator at www.ico.org.uk/concerns.
Additional Information
This version was last updated and reviewed December 2021.
We regularly review and monitor regulatory guidance for any industry changes which may impact our business operations or your rights and freedoms.
In this privacy notice, “personal data” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
We are legally known as Caritas HR Limited and our registered office is at Blackwell House, Guildhall Yard, London, EC2V 5AE. We are registered in England and Wales under company number 13683540.