Cherryleaf Data Privacy Notice V001
Date: 24th May 2018
The GDPR (General Data Protection Regulation) obliges any organisation that stores personal data about natural living persons to ensure that those people understand: what data is being stored about them; why it is being stored and what is done with it.
This privacy notice explains what Cherryleaf’s data processing activities are. It explains what information is stored about you and for what that data is used for.
Cherryleaf only collects and store data for which we have a legitimate and proportional use.
We will undertake to store personal data securely in accordance with UK Law and EU data security principles.
Data controller and data processors
Cherryleaf is the Data Controller of data pertaining to: customers, suppliers, subscribers to our newsletters and staff (hereafter “you”, “your”). Cherryleaf Ltd (hereafter “we”, “our”) may make use of third-party service providers (processors) such as online databases, online forums, email management services, course and content delivery services, financial systems, print and mailing houses and online backup/storage facilities.
Using these processors may require the transfer your personal information outside of the UK or EU. We are required to ensure that when we need to do this we comply fully with all aspects of the GDPR to ensure your data is suitably protected.
Information Commissioners Office
We recognise the Information Commissioner’s Office (ICO) in the UK as our regulatory body. Cherryleaf is registered with the ICO as a data controller reg No: Z7333738
Our legal bases for processing your data are:
1) Fulfilment of contract. By agreeing to use our consultancy, recruitment or training services, you have entered into a contract with us. We may store relevant data prior to this in the process of negotiating a contract.
2) Legal Obligation. As a UK Limited company and VAT registered entity, we are bound by law to hold suitable records of transactions, and make these available to relevant authorities on request.
3) Consent. You will be asked to consent to us storing your data. You will be informed of the data we store and the purpose for which it is used at the time. You may withdraw this consent at any time. If we wish to use this data for another reason, we will contact you to explain this change and ask you to renew this consent.
4) Legitimate interest. We may share your details with 3rd parties should we need to recover monies or goods etc., or to defend any legal action.
You have the following rights:
- The right to be informed (this is the purpose of this document along with any consent you give).
- The right of access (you may request a copy of your data. We will deliver this within 30 days unless your request is very complex. We will inform you if this is the case).
- The right to rectification (you may ask us to correct your data at any time).
- The right to erasure (where consent is the legal basis of processing).
- The right to restrict processing (you may ask us not to process your data but not erase it).
- The right to data portability (you may ask us for a copy of the data in an appropriate format).
- The right to object (where data is not being processed for legal obligation or legitimate interests).
- Rights in relation to automated decision making and profiling. (We do not engage in this).
We will erase your data in a timely fashion, subject to UK legislation and guidance from UK government agencies in respect of company record retention.
Why we need your data
We use data collected to: deliver consultancy, training courses, job adverts, applications; place orders; collect monies due; and maintain contact electronically and via printed publications.
We may, on occasion, process and produce anonymised data for the purposes of statistical analysis for our own uses or to make public.
Sources of data
Most of the data we collect will be given by you, but we may also record data such as event attendances, as well as decisions made by us or another client concerning your suitability for a job role.
Who we share data with
Prospective employers: To help place you in a job, we need to process CV and contact details. We will tell before we do this.
Dropbox Inc: We use Dropbox to securely transfer data between officers of the company. Dropbox has no access to this data.
Mad Mimi email marketing platform: We use this platform to manage our emails to you. We receive performance information based on you opening or forwarding any emails sent via this method.
Microsoft Inc: We use MS Office 365, including SharePoint and OneDrive for data storage.
Google Drive: We make use of Google Drive to host surveys, documents, questionnaires and other forms.
We use a hosted accounting package to process records of sales ledger and bought ledger, as well as related financial transactions. We will provide details of the specific company to clients on request.
Akismet: This website uses Akismet to reduce spam. Learn how your comment data is processed.
Legal representatives and collections agencies: We may, on occasion, share specific and proportional data in order to pursue our legitimate interests.
Your right to complain
If we fail to comply with any of your requests within the prescribed time limits, you may complain to the ICO.
We have appointed a data protection officer (DPO) who will be the point of contact for data privacy related enquiries. Our DPO can be reached at firstname.lastname@example.org, or by writing to us at: Cherryleaf Ltd, 31 Arlington Road, Ashford, Middlesex. TW15 2LS. We may take steps to ensure your identity before responding to you. Normal updates and requests may still be directed to the relevant contacts at Cherryleaf.