DATA PROTECTION POLICY AND PRIVACY NOTICE
INTRODUCTION

The Considered ASK collects and processes personal data relating to its various business contacts and associates, including but not limited to charities, donors and personal clients (collectively referred to as ‘clients’), in order to manage its relationship with them. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

DATA PROTECTION PRINCIPLES

We process personal data in accordance with the following data protection principles:

We process personal data lawfully, fairly and in a transparent manner.
We collect personal data only for specified, explicit and legitimate purposes.
We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
We keep accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
We keep personal data only for the period necessary for processing.
We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
Where we rely on legitimate interests as a reason for processing data, we have considered whether or not those interests are overridden by the rights and freedoms of clients and have concluded that they are not.

Where we process special categories of personal data, such as information about health or medical conditions, this is done with explicit consent, which can be withdrawn at any time by notifying us in writing. Clients are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

WHO HAS ACCESS TO DATA?
Personal information will be shared internally with any employee who legitimately needs to access it to effectively operate the business.

We may share such data with third parties that process data on our behalf in connection with making payments.

We will not transfer client data to countries outside the UK.

HOW DO WE PROTECT DATA?
We take the security of personal data seriously. We have internal controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

FOR HOW LONG DO WE KEEP DATA?
We will hold your personal data for the duration of the business relationship with the client and for a period of up to six years afterwards.

CLIENT RIGHTS
As a data subject, clients have a number of rights. They can:

access and obtain a copy of any data held on request
require us to change incorrect or incomplete data
require us to delete or stop processing their data, for example where the data is no longer necessary for the purposes of processing
object to the processing of their data where we is relying on its legitimate interests as the legal ground for processing
ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not their interests override our legitimate grounds for processing data.
If a client would like to exercise any of these rights, please contact Rosie Hoare, Chief Executive.

If a client believes that we have not complied with data protection rights, a complaint can be made to the Information Commissioner.