GDPR Policy

UK GDPR Data Protection Policy and Processes Introduction

The Community Council of Devon, its board of trustees and its senior management is
committed to protecting the rights and freedoms of data subjects and safely and securely
processing their data with all of our legal obligations in accordance with all UK Data
Protection Legislations, as well as to safeguarding the "rights and freedoms" of individuals
whose information those forementioned entities may process pursuant to the Data
Protection, Privacy and Electronic Communications Regulation 2020, the UK GDPR and The
Data Protection Act 2018 (DPA) along with any other data protection applicable
legislation. All policies, procedures and staff guidance developed by Community Council
of Devon are strictly followed to ensure such processing is lawfully implemented,
maintained, and periodically reviewed and where required amended.
We hold personal data about our employees, clients, suppliers and other individuals for a
variety of business purposes.
This policy sets out how we seek to protect personal data and ensure that our staff
understand the rules governing their use of the personal data to which they have access
in the course of their work. In particular, this policy requires staff to ensure that the Data
Protection Lead be consulted before any significant new data processing activity is
initiated to ensure that relevant compliance steps are addressed.
The purposes for which personal data may be used by us:
Personnel, administrative, financial, regulatory, payroll and
business development purposes.
Business purposes include the following:
 - Compliance with our legal, regulatory and corporate
governance obligations and good practice
 - Gathering information as part of investigations by regulatory
Business bodies or in connection with legal proceedings or requests

  • To support the aims and objectives and its legitimate interests
  • to process personal data
  •  To demonstrate accountability for such processing in accordance with Article 5(2) of the UK GDPR
  • To safeguard the personal data of its donors, supporters and clients of Community Council of Devon with which is works along with any other individuals for which it may process personal data
  • To ensure data protection is built into the design of new projects or products which include the processing of data, so that data privacy is evidenced by default
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing our business
  • Improving services

‘Personal data’ means any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can
be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological, genetic,
data mental, economic, cultural or social identity of that natural person.
Personal data we gather may include: individuals' phone number, email
address, educational background, financial and pay details, details of
Data processor
‘Processor’ means a natural or legal person, public authority, agency or other body,
which processes personal data on behalf of the controller.
certificates and diplomas, education and skills, marital status, nationality, job title,
and CV.
Supervisory authority
This is the national body responsible for data protection. The supervisory authority for our
organisation is the Information Commissioners Office (ICO).
Special categories of personal data Special categories of data include information about an individual's racial
or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, and genetic and biometric information —any use of special categories of personal data should be strictly controlled in accordance with this policy.

‘Data controller’ means the natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such processing
are determined by law
Data controller ‘Processing’ means any operation or set of operations which is performed on personal data
or on sets of personal data, whether or not by automated means such as collection,
recording, organisation, structuring storage, adaption or alternation, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction Scope
This policy applies to all staff, who must be familiar with this policy and comply with its
This policy supplements our other policies relating to internet and email use. We may
supplement or amend this policy by additional policies and guidelines from time to
time. Any new or modified policy will be circulated to staff before being adopted.
Who is responsible for this policy?
As we have no legal responsibility to have a data protection officer (DPO), we have a
named data protection lead (DPL), which is Geraldine Addo-Adamu. Geraldine has overall
responsibility for the day-to-day implementation of this policy. You should contact the
DPL for further information about this policy if necessary.
The principles
The Community Council of Devon shall comply with the principles of data protection (the
principles) enumerated in the Data Protection, Privacy and Electronic Communications
regulation 2020, the UK GDPR. We will make every effort possible in everything we do to
comply with these principles. The principles are:
1. Lawful, fair and transparent
Data collection must be fair, for a legal purpose and we must be open and transparent
as to how the data will be used in accordance with Community Council of Devon Data
Protection policies.
Policies and notices made available to data subjects and published in the public domain
must also be clear, drafted using clear and plain language and written in a way that
everyone may understand the content and therefore intended purpose for processing.
We may use several different lawful grounds for processing personal data in accordance
with UK GDPR Article 6. These include Consent, legitimate Interest and where we may
have a Legal or Contractual Obligation.
Where we use consent to process data we ensure that the individual knows exactly what
they are consenting. No subsequent processing will be undertaken that is not compatible
with the consent we have gathered. The individual has the right to withdraw their consent
Processing at any time. If consent is withdrawn all personal data that may identify that individual
will be deleted unless we have a legal or professional obligation to retain it.
Where we use Legitimate Interest to process personal data, such processing will most
likely be undertaken with the reasonable expectation of the individual. There will be no
other feasible way for us to achieve our objective. Most importantly, in most
circumstances, the individuals will give notice that they may object to the processing
activity and where such an objection is received the processing will stop. We may use our
Legitimate Interest to processing personal data which may include photographs and video
footage and other categories of regular types of data. We may process special categories
of data such as health data using our Legitimate Interests as long as we have a UK GDPR
Article 9 exemption. We may also require an exemption from the Data Protection Act
2018, an appropriate Policy Document (APD) and a identified law upon which we are
relying. For further details please see below.
2. Limited for its purpose
Data can only be collected for a specific purpose or purposes and legal basis for
3. Data minimisation
Any data collected must be necessary and not excessive for its purpose. Data is to be
collected only if it is absolutely necessary to complete the performance of the
objectives as a charity.
4. Accurate
The data we hold must be accurate and kept up to date.
5. Retention
We cannot store data longer than necessary.
6. Integrity and confidentiality
The data we hold must be kept safe and secure and anonymised where appropriate.
Accountability and transparency
We must ensure accountability and transparency in all our use of personal data. We must
show how we comply with each Principle. You are responsible for keeping a written record
of how all the data processing activities you are responsible for comply with each of the
Principles. This must be kept up to date and must be approved by the DPL.
To comply with data protection laws and the accountability and transparency Principle of UK
GDPR, we must demonstrate compliance. You are responsible for understanding your
particular responsibilities to ensure we meet the following data protection obligations:
 Maintain all relevant documentation regarding its processes and operations
 appoint an accountable person or data protection lead (DPL)
 ensure you are registered as a data controller with the ICO
 implement proportionate security measures
 train staff in data protection awareness
 ensure is has, and continues to have, up to date data processor and data
sharing agreements in place
 carry our data protection impact assessments (DPIAs) and implement the outcome
 comply with prior notification requirements
 seek the approval of relevant regulatory bodies
 appoint a data protection officer if deemed necessary
 seek the opinion of a data protection practitioner where necessary
 publish an accountability statement in the public domain
Our procedures
Fair and lawful processing
We must process personal data fairly and lawfully in accordance with individuals’ rights
under the first Principle. This generally means that we should not process personal data
unless the individual whose details we are processing has consented to this happening.
If we cannot apply a lawful basis (explained below), our processing does not conform to
the first principle and will be unlawful. Data subjects have the right to have any data
unlawfully processed erased
Controlling vs. processing data
The Community Council of Devon is classified as both data controller and data processor
As a data processor, we must comply with our contractual obligations and act only on the
documented instructions of the data controller. If we at any point determine the purpose
and means of processing out with the instructions of the controller, we shall be
considered a data controller and therefore breach our contract with the controller and
have the same liability as the controller. As a data processor, we must:
 Not use a sub-processor without written authorisation of the data controller
 Co-operate fully with the ICO or other supervisory authority
 Ensure the security of the processing
 Keep accurate records of processing activities
 Notify the controller of any personal data breaches
If you are in any doubt about how we handle data, contact the DPL for clarification.
Lawful basis for processing data
We must establish a lawful basis for processing data. Ensure that any data you are
responsible for managing has a written lawful basis approved by the DPL prior to collection
of the information. It is your responsibility to check the lawful basis for any data you are
working with and ensure all of your actions comply the lawful basis. At least one of the
following conditions must apply whenever we process personal data:

1. Consent
We hold recent, clear, explicit, and defined consent for the individual’s data to be
processed for a specific purpose.
This may be when a client, donor or supporter opens an account or enrols in a project or
service or indicates that they wish to receive information from Community Council of
Devon. For example, by completing our consent form or by giving their contact details
including their email address. Consent is used to promote the aims and objectives of the
charity clients and its own services and to deal with contractual arrangements or to
answer a request for information about a product or service Community Council of Devon
Community Council of Devon understands that Consent is for the time being, and always
ensures the data subject is informed of their right to opt-out of future communications
whenever they wish.
2. Contract
The processing is necessary to fulfil the performance of a contract when a data subject
enters into a contract with Community Council of Devon. For example, a contract may be
made a client purchases a ticket to one of the events held by Community Council of
3. Legal obligation
We have a legal obligation to process the data (excluding a contract). This condition
will be used where it is required by law.
4. Vital interests
Processing the data is necessary to protect a person’s life or in a medical situation.
5. Public function
Processing necessary to carry out a public function, a task of public interest or the
function has a clear basis in law, for example, where a data subject needs medical help
when attending one of Community Council of Devon events.
6. Legitimate interest
Community Council of Devon is an independent charity engaged in a wide range of
projects and services that support the vision of dynamic Community Council of Devon
shaping its own futures.
Its focuses is inspiring, upskilling, training, supporting and advising groups and individuals
to make changes and achieve positive outcomes for its communities.
Working with a broad range of people, from rural and coastal communities to more
urban centres, and support them across a wide variety of areas including community
buildings, community resilience, affordable housing, entrepreneurship, neighbourhood
and community plans, sport and play, health and wellbeing and much more - it is
designed to help communities help themselves.

Community Council of Devon uses Legitimate Interest as a condition for processing data,
and always consider the potential impact on any data subjects whom they may
communicate with. The three-stage process that has been implemented is;
We measure whether the data subject might reasonably expect us to process their data.
For example, if we have had a previous engagement or sent a previous communication with
or to the data subject, we believe this might in many cases mean they would expect us to
process their data unless they told us not to in the past. This assumes that they did not
Opt-out of future communications, or object to our marketing or fundraising efforts.
However, we also believe that there are occasions other than this where data subjects
might understand we would Legitimately process their data using this condition.
We look carefully to understand whether our Legitimate Interest might impact adversely
on the data subject. For example, if a data subject was a person at risk or in a vulnerable
circumstance, we would not process their data for marketing purposes. However, we would
process their data to provide important information they may require about our services.
We have a procedure for ensuring data subjects such as these are suppressed on our data
base or forgotten where necessary.
Thirdly, we carefully consider whether any safeguards should be in place to protect data
subjects against harm when we process their data. We do this by completing a Legitimate
Interest balancing test. The test measures whether the interests of the organisation
outweigh the rights of the data subjects concerned. The outcome of such a test in
documented in the activity log.
Deciding which condition to rely on
If you are assessing the lawful basis, you must first establish that the processing is
necessary. This means the processing must be a targeted, appropriate way of achieving
the stated purpose. You cannot rely on a lawful basis if you can reasonable achieve the
same purpose by some other means.
Remember that more than one basis may apply, and you should rely on what will best fit
the purpose, not what is easiest.
Consider the following factors and document your answers:
 What is the purpose for processing the data?
 Can it reasonably be done in a different way?
 Is there a choice as to whether or not to process the data?
 Who does the processing benefit?
 After selecting the lawful basis, is this the same as the lawful basis the
data subject would expect?
 What is the impact of the processing on the individual?
 Are you in a position of power over them?
 Are they a vulnerable person?
 Would they be likely to object to the processing?
 Are you able to stop the processing at any time on request, and have you
factored in how to do this?
Our commitment to the first Principle requires us to document this process and show that
we have considered which lawful basis best applies to each processing purpose, and fully
justify these decisions.

We must also ensure that individuals whose data is being processed by us are informed of
the lawful basis for processing their data, as well as the intended purpose. This should
occur via a privacy notice. This applies whether we have collected the data directly from
the individual, or from another source.
If you are responsible for assessing the lawful basis and implementing the privacy
notice for the processing activity, you must have this approved by the DPL.
Special categories of personal data
What are special categories of personal data?
Previously known as sensitive personal data, this means data about an individual, which is
more sensitive, so requires more protection. This type of data could create more
significant risks to a person’s fundamental rights and freedoms, for example by putting
them at risk of unlawful discrimination. The special categories include information about
an individual’s:
 Race
 ethnic origin
 politics
 religion
 trade union membership
 genetics
 biometrics (where used for ID purposes)
 health
 sexual orientation
In most cases where we process special categories of personal data we will require the
data subject's explicit consent to do this unless exceptional circumstances apply or we are
required to do this by law (e.g. to comply with legal obligations to ensure health and
safety at work). Any such consent will need to clearly identify what the relevant data is,
why it is being processed and to whom it will be disclosed.
The condition for processing special categories of personal data must comply with the
law. If we do not have, a lawful basis for processing special categories of data that
processing activity must cease.
Our responsibilities
 Analysing and documenting the type of personal data we hold
 Checking procedures to ensure they cover all the rights of the individual
 Identify the lawful basis for processing data
 Ensuring consent procedures are lawful
 Implementing and reviewing procedures to detect, report and investigate
personal data breaches
 Store data in safe and secure ways
 Assess the risk that could be posed to individual rights and freedoms should data
be compromised
Your responsibilities
 Fully understand your data protection obligations
 Check that any data processing activities you are dealing with comply with our
policy and are justified
 Do not use data in any unlawful way
 Do not store data incorrectly, be careless with it or otherwise cause us to
breach data protection laws and our policies through your actions
 Comply with this policy at all times
 Raise any concerns, notify any breaches or errors, and report anything suspicious
or contradictory to this policy or our legal obligations without delay
Responsibilities of the Data Protection Lead
 Keeping the board updated about data protection responsibilities, risks and issues
 Reviewing all data protection procedures and policies on a regular basis
 Arranging data protection training and advice for all staff members and those
 included in this policy
 Answering questions on data protection from staff, board members and
other stakeholders
 Responding to individuals such as clients and employees who wish to know which
data is being held on them by us
 Checking and approving with third parties that handle the company’s data
any contracts or agreement regarding data processing
Responsibilities of the Chief Executive / Deputy Chief Executive
 Approving data protection statements attached to emails and other marketing copy
 Addressing data protection queries from clients, target audiences or media outlets
 Coordinating with the DPL to ensure all marketing initiatives adhere to
data protection laws and the company’s Data Protection Policy
Responsibilities of the Service Delivery Lead
 Ensure all HR and Finance polices are maintained and adhered to
 Coordinating with the DPL to ensure all HR and Finance policies and procedures
adhere to data protection laws and the company’s Data Protection Policy
 Ensure all systems, services, software and equipment meet acceptable security
 standards
 Checking and scanning security hardware and software regularly to ensure it
is functioning properly
 Researching third-party services, such as cloud services the company is
 considering using to store or process data
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not
excessive, given the purpose for which it was obtained. We will not process personal data
obtained for one purpose for any unconnected purpose unless the individual concerned
has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If you
believe that information is inaccurate, you should record the fact that the accuracy of
the information is disputed and inform the DPL.
Data security
You must keep personal data secure against loss or misuse. Where other organisations
process personal data as a service on our behalf, the DPL will establish what, if any,
additional specific data security arrangements need to be implemented in contracts
with those third party organisations.
Storing data securely
 In cases when data is stored on printed paper, it should be kept in a secure place
where unauthorised personnel cannot access it
 Printed data should be shredded when it is no longer needed
 Data stored on a computer should be protected by strong passwords that
are changed regularly or with restricted permission to the folders.
 Data stored memory sticks must be password protected and locked away securely
when they are not being used
 The DPL must approve any cloud used to store data
 Servers containing personal data must be kept in a secure location, away
from general office space
 Data should be regularly backed up in line with the company’s backup procedures
 Data should never be saved directly to mobile devices such as laptops, tablets
or smartphones
 Data should only be saved directly to mobile devices such as laptops, tablets or
smartphones where absolutely necessary. Data should be saved on mobile devices
with the same regulations as on a main server.
 All servers containing sensitive data must be approved and protected by security
 All possible technical measures must be put in place to keep data secure
Data retention
We must retain personal data for no longer than is necessary. What is necessary will
depend on the circumstances of each case, taking into account the reasons that the
personal data was obtained, but should be determined in a manner consistent with our
data retention guidelines. We have a data retention schedule for each type of data we
In general, records containing information about individuals are kept for the
timescales required by project funders. If there are no externally set requirements,
The Community Council of Devon will retain information on individuals for 12 months
from their last contact with the organisation. Information on qualifications achieved
and learning programmes completed will be kept indefinitely.
Staff In general, electronic staff records containing information about individual members of
staff are kept for the term of employment plus 7 years. Information relating to Income
Tax, Statutory Maternity Pay etc. will be retained for the statutory time period (between
3 and 6 years).
Information relating to unsuccessful applicants in connection with recruitment to a post
will be kept for 3 months from the interview date.
Disposal of Records
Personal data must be disposed of in a way that protects the rights and privacy of data
subjects (e.g., shredding, disposal as confidential waste, secure electronic deletion).
It is recognised that there might be occasions when data subjects request that their
personal details in some of these categories remain confidential or are restricted to
internal access. In such instances, The Community Council of Devon should comply
with the request and ensure that appropriate action is taken.
Transferring data internationally
There are restrictions on international transfers of personal data. You must not transfer
personal data abroad, or anywhere else outside of normal rules and procedures without
express permission from the DPL.
Rights of individuals
Individuals have rights to their data, which we must respect and comply with, to the best of
our ability. We must ensure individuals can exercise their rights in the following ways:
1. Right to be informed
 Providing privacy notices which are concise, transparent, intelligible and
easily accessible, free of charge, that are written in clear and plain language,
particularly if aimed at children.
 Keeping a record of how we use personal data to demonstrate compliance with
the need for accountability and transparency.
2. Right of access
 Enabling individuals to access their personal data and supplementary information
 Allowing individuals to be aware of and verify the lawfulness of the
processing activities
Please refer to "Subject Access Request policy and procedure" for more information.
3. Right to rectification
 We must rectify or amend the personal data of the individual if requested because
it is inaccurate or incomplete.
 This must be done without delay and no later than one month. This can
be extended to two months with permission from the DPL.
4. Right to erasure
 We must delete or remove an individual’s data if requested and there is
no compelling reason for its continued processing.
5. Right to restrict processing
 We must comply with any request to restrict, block, or otherwise suppress
the processingof personal data.
 We are permitted to store personal data if it has been restricted, but not process
it further. We must retain enough data to ensure the right to restriction is
respected in the future.
6. Right to data portability
 We must provide individuals with their data so that they can reuse it for their
own purposes or across different services.
 We must provide it in a commonly used, machine-readable format, and send it
directly to another controller if requested.
7. Right to object
 We must respect the right of an individual to object to data processing based
on legitimate interest or the performance of a public interest task.
 We must respect the right of an individual to object to direct marketing, including
 We must respect the right of an individual to object to processing their data for
scientific and historical research and statistics.
8. Rights in relation to automated decision making and profiling
 We must respect the rights of individuals in relation to automated decision
making and profiling.
 Individuals retain their right to object to such automated processing, have
the rationale explained to them, and request human intervention.
Privacy notices
When to supply a privacy notice
Under Article 13 and 14 of the UK GDPR it is obligatory to have a privacy notice on
Community Council of Devon's website and in the public domain so it is always available to
data subjects. A privacy notice must be supplied at the time the data is obtained if
obtained directly from the data subject. If the data is not obtained directly from the data
subject, the privacy notice must be provided within a reasonable period of having
obtained the data, which mean within one month.
If the data is being used to communicate with the individual, then the privacy notice
must be supplied at the latest when the first communication takes place.
If disclosure to another recipient is envisaged, then the privacy notice must be supplied
prior to the data being disclosed.

What to include in a privacy notice
Privacy notices must be concise, transparent, intelligible, easy to understand
by everyone, and easily accessible. They are provided free of charge and must
be written in clear and plain language, particularly if aimed at children
The following information must be included in a privacy notice to all
data subjects:
 Identification and contact information of the data controller and the data
 protection lead / accountable person
 The purpose of processing the data and the lawful basis for doing so
 The legitimate interests of the controller or third party, if applicable
 The right to withdraw consent at any time, if applicable
 The category of the personal data (only for data not obtained directly from the
 data subject) and detailed information about the use of special category data (if
 Any recipient or categories of recipients of the personal data
 Detailed information of any transfers to third countries and safeguards in place
 The retention period of the data or the criteria used to determine the retention
 period, including details for the data disposal after the retention period
 The right to lodge a complaint with the Information Commissioners Office (ICO),
giving information on how to contact the ICO and internal complaint procedures
 The source of the personal data, and whether it came from publicly available
sources (only for data not obtained directly from the data subject)
 Any existence of automated decision making, including profiling and information
about how those decisions are made, their significances and consequences to the
data subject
 Whether the provision of personal data is part of a statutory of contractual
requirement or obligation and possible consequences for any failure to provide the
data (only for data obtained directly from the data subject)
Subject Access Requests
What is a subject access request?
An individual has the right to receive confirmation that their data is being processed,
access to their personal data and supplementary information which means the information
which should be provided in a privacy notice.
How we deal with subject access requests
We must provide an individual with a copy of the information the request, free of charge.
This must occur without delay, and within one month of receipt. We endeavour to provide
data subjects access to their information in commonly used electronic formats, and
where possible, provide direct access to the information through a remote accessed
secure system.
If complying with the request is complex or numerous, the deadline can be extended by
two months, but the individual must be informed within one month. You must obtain
approval from the DPL before extending the deadline.

We can refuse to respond to certain requests, and can, in circumstances of the request
being manifestly unfounded or excessive, charge a fee. If the request is for a large
quantity of data, we can request the individual specify the information they are
requesting or a 'scope'. This can only be done with express permission from the DPL.
Once a subject access request has been made, you must not change or amend any of the
data that has been requested. Doing so is a criminal offence.
Please see "Subject Access Request (SAR) Policy and Procedure" for more information on
how to fulfil an SAR.
Data portability requests
We must provide the data requested in a structured, commonly used and machinereadable
format. This would normally be a CSV file, although other formats are
acceptable. We must provide this data either to the individual who has requested it, or to
the data controller they have requested it be sent to. This must be done free of charge
and without delay, and no later than one month. This can be extended to two months for
complex or numerous requests, but the individual must be informed of the extension
within one month and you must receive express permission from the DPL first.
Employee Information Notice
The Community Council of Devon can be contacted by all employees about their personal
details via the HR Manager. We will process information on our employees in the following
 We will maintain all personal details required for the duty of care to our
employees. Personal data shall be processed in accordance with the rights of data
subjects under the Data Protection Legislation.
 We will share details with third parties only where absolutely necessary i.e. Payroll
and Pension providers.
 All data will be stored under the data protection and UK GDPR guidelines for
the term of employment and then 7 years after the employment contract has
been terminated.
Right to erasure
What is the right to erasure?
Individuals have a right to have their data erased and for processing to cease in
the following circumstances:
 Where the personal data is no longer necessary in relation to the purpose for which
it was originally collected and / or processed
 Where consent is withdrawn
 Where the individual objects to processing and there is no overriding
legitimate interest for continuing the processing
 The personal data was unlawfully processed or otherwise breached data protection
 To comply with a legal obligation

The processing relates to a child
How we deal with the right to erasure
We can only refuse to comply with a right to erasure in the following circumstances:
 To exercise the right of freedom of expression and information
 To comply with a legal obligation for the performance of a public interest task or
exercise of official authority
 For public health purposes in the public interest
 For archiving purposes in the public interest, scientific research, historical research
or statistical purposes
 The exercise or defence of legal claims
If personal data that needs to be erased has been passed onto other parties or
recipients, they must be contacted and informed of their obligation to erase the
data. If the individual asks, we must inform them of those recipients.
The right to object
Individuals have the right to object to their data being used on grounds relating to
their particular situation. We must cease processing unless:
 We have legitimate grounds for processing which override the interests, rights and
freedoms of the individual.
 The processing relates to the establishment, exercise or defence of legal claims.
We must always inform the individual of their right to object at the first point of
communication, i.e. in the privacy notice. We must offer a way for individuals to object
The right to restrict automated profiling or decision making
We may only carry out automated profiling or decision making that has a legal or
similarly significant effect on an individual in the following circumstances:
 It is necessary for the entry into or performance of a contract.
 Based on the individual’s explicit consent.
 Otherwise authorised by law.
In these circumstances, we must:
 Give individuals detailed information about the automated processing.
 Offer simple ways for them to request human intervention or challenge any
decision about them.
 Carry out regular checks and user testing to ensure our systems are working
as intended.
Third parties
Using third party controllers and processors

As a data controller and data processor, we must have written contracts in place with
any third party controllers and data processors. The contract must contain specific
clauses which set out our and their liabilities, obligations and responsibilities.
As a data controller, we must only appoint processors who can provide sufficient
guarantees under UK GDPR and that the rights of data subjects will be respected
and protected.
As a data processor, we must only act on the documented instructions of a controller.
We acknowledge our responsibilities as a data processor under UK GDPR and we will
protect and respect the rights of data subjects.
Our contracts must comply with the standards set out by the ICO and, where possible,
follow the standard contractual clauses which are available. Our contracts with [data
controllers (and/or) data processors] must set out the subject matter and duration of
the processing, the nature and stated purpose of the processing activities, the types of
personal data and categories of data subject, and the obligations and rights of the
At a minimum, our contracts must include terms that specify:
 Acting only on written instructions
 Those involved in processing the data are subject to a duty of confidence
 Appropriate measures will be taken to ensure the security of the processing
 Sub-processors will only be engaged with the prior consent of the controller and
under a written contract
 The controller will assist the processor in dealing with subject access requests and
allowing data subjects to exercise their rights under UK GDPR
 The processor will assist the controller in meeting its UK GDPR obligations in
relation to the security of processing, notification of data breaches and
implementation of Data Protection Impact Assessments
 Delete or return all personal data at the end of the contract
 Submit to regular audits and inspections, and provide whatever information
necessary for the controller and processor to meet their legal obligations.
 Nothing will be done by either the controller or processor to infringe on UK GDPR.
Criminal offence data
Criminal record checks
Any criminal record checks are justified by law. Criminal record checks cannot be
undertaken based solely on the consent of the subject. We cannot keep a comprehensive
register of criminal offence data. All data relating to criminal offences is considered to be
a special category of personal data and must be treated as such. You must have approval
from the DPL prior to carrying out a criminal record check.
Audits, monitoring and training
Data audits

Regular data audits to manage and mitigate risks will inform the data register. This
contains information on what data is held, where it is stored, how it is used, who is
responsible and any further regulations or retention timescales that may be relevant. You
must conduct a regular data audit as defined by the DPL and normal procedures.
Everyone must observe this policy and the Data Protection Introduction Policy. The DPL
has overall responsibility for this policy. The Community Council of Devon will keep this
policy under review and amend or change it as required. You must notify the DPL of any
breaches of this policy. You must comply with this policy fully and at all times.
You will receive adequate training on provisions of data protection law specific for your
role. It is expertly advised that data protection training should be undertaken on an
annual basis. You must complete all training as requested. If you move role or
responsibilities, you are responsible for requesting new data protection training
relevant to your new role or responsibilities.
If you require additional training on data protection matters, contact the DPL.
Reporting breaches
Any breach of this policy or of data protection laws must be reported as soon as
practically possible. This means as soon as you have become aware of a breach. The
Community Council of Devon has a legal obligation to report any data breaches to the
Information Commissioner Office (ICO) within 72 hours.
All members of staff have an obligation to report actual or potential data protection
compliance failures. This allows us to:
 Investigate the failure and take remedial steps if necessary
 Maintain a register of compliance failures
 Notify the ICO of any compliance failures that are material either in their own right
or as part of a pattern of failures
Any member of staff who fails to notify of a breach, or is found to have known or
suspected a breach has occurred but has not followed the correct reporting procedures
will be liable to disciplinary action.
Please refer to our Information Security Policy for our reporting procedure.
Failure to comply
We take compliance with this policy very seriously. Failure to comply puts both you
and the organisation at risk.
The importance of this policy means that failure to comply with any requirement may
lead to disciplinary action under our procedures which may result in dismissal.