privacy policy

Community Made Solutions Ltd is a company limited by guarantee registered in England and Wales, company number 5105212, registered address 15 Paternoster Row, Sheffield S1 2BX, UK.

Community Made Solutions Ltd acts as a data controller with respect to the collection and use of personal information. In some circumstances Community Made Solutions Ltd also acts as a data processor in the collection and processing of personal data on behalf of third parties.

We are committed to safeguarding your privacy. This Privacy Policy (“Policy”) sets out our data collection and processing practices and your options regarding how your personal data is used.

Our full privacy policy is explained below, but the main points to note are:

• We will only ever ask you for information that we really need to know.
• We will be transparent, honest and fair in our collection and use of your personal data.
• We will put appropriate security measures in place to protect personal data that you share.
• We will never sell your data.

We review this Policy from time to time. Any changes will be published at www.cmso.co.uk/privacy.

Please check our website occasionally to ensure you are happy with any changes. By consenting to our processing of your personal data, you agree to be bound by this Policy.

You can contact us at privacy@cmso.co.uk

1. Purposes for which collect personal information

We may use your information to:

• process requests that you have submitted;
• carry out our obligations arising from contracts you have entered into with us;
• provide you with services and support that you have requested from us;
• process an application for a job or a volunteering opportunity.
• Conduct research into the impact of our work;
• send you communications you have requested and that may be of interest to you.
• notify you of changes to our organisation;

2. Information that we collect

The type and amount of information we collect depends on why you are providing it.

We will usually ask you for your name and email address and we may request other information where it is appropriate and relevant, for example for the delivery of services and support.

This additional information might include:

(1) Your physical address and/or telephone number;

(2) Details of why you have decided to contact us;

(3) information about your computer and your visits to our website including your IP address;

(4) information about the services of interest to you or any communication preferences you give;

(5) if you are a beneficiary of services and support provided by us or our partners, information that you disclose to us in order to assist us in the provision of those services and support;

(6) If you are a job applicant the information you are asked to provide as set out in the application pack and necessary for the purposes of considering the application.

(7) any other information shared with us in relation to the different purposes set out at clause 1

Applicable law recognises certain categories of personal information as sensitive and therefore requiring more protection, including health information, ethnicity and political opinions. In limited cases, we may collect sensitive personal data about you. We would only collect sensitive personal data if there is a clear reason for doing so; and will only do so with your explicit consent.

3. Communications and marketing

Where you have provided us with your physical address, we may contact you by post; and where you have provided appropriate consent, also by telephone and e-mail, with targeted communications to let you know about our events and/or activities that we consider may be of particular interest; about the work that we do or the services we provide; or to ask for support.

4. Information sharing with others

(1) Third party service providers
We may pass your information to third-party service providers, agents, subcontractors, delivery partners and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example, support services or to send you communications).
These third parties have access to your Personal Information only to perform these specific tasks on our behalf and are obligated not to disclose or use it for any other purpose.

(2) Funding and commissioning bodies
We may pass your information to funding or commissioning organisations, including public bodies, in the case and only to the extent that such entities require information as part of a contract or service delivery agreement. In such case we will inform you of the information that is required to be shared.

(3) We will disclose your information where required to do so by law or in accordance with an order of a court of competent jurisdiction, or if we believe it is necessary to comply with the law and the reasonable requests of law enforcement or to protect the security or integrity of our services.

5. Children’s data

We do not knowingly process data of any person under the age of 16. If we come to discover, or have reason to believe, that you are 15 and under and we are holding your personal information, we will delete that information within a reasonable period and withhold our services accordingly.

6. International transfer

Your information, including personal information, may be transferred to — and maintained on — computers located outside of your state, province, country or other jurisdiction where the data protection laws may differ from those in your jurisdiction. If you are located outside the United Kingdom and choose to provide information to us, please note that we transfer the information, including personal information, to the United Kingdom and process it there. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer. In the event that a dispute arises with regards to the international transfer of data, you agree that the courts of England and Wales shall have exclusive jurisdiction over the matter.

7. Security of and access to your personal data

We endeavour to ensure that there are appropriate and proportionate technical and organisational measures to prevent the loss, destruction, misuse, alteration, unauthorised disclosure or of access to your personal information.

Your information is only accessible by appropriately trained staff, volunteers and contractors.

The security of your Personal Information is important to us but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. As such we make no warranties as to the level of security afforded to your data, except that we will always act in accordance with the relevant UK and EU legislation.

Otherwise than as set out in this Privacy Policy, we will only ever share your data with your informed consent.

8. Your rights and how consent works

You have a choice about whether or not you wish to receive information from us. If you do not want to receive communications from us about the work we do, then you can select your choices by ticking the relevant boxes situated on the form on which we collect your information.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for direct marketing purposes or to be unsubscribed from our email list at any time.

You also have the following rights:

(1) Right to be informed – you have the right to be told how your personal information will be used. This policy and other policies on our website and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.

(2) Right of access – you can write to us to ask for confirmation of what information we hold on you and to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested and we have confirmed your identity, we will have 30 days to comply.

(3) Right of erasure – you can ask us for your personal information to be deleted from our records. In some cases we may propose to suppress further communications with you, rather than delete it.

(4) Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated.

(5) Right to restrict processing – you have the right to ask for processing of your personal data to be restricted if there is disagreement about its accuracy or legitimate usage.

(6) Right to data portability – to the extent required by the General Data Protection Regulations (“GDPR”) where we are processing your personal information (i) under your consent, (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact or (iii) by automated means, you may ask us to provide it to you – or another service provider – in a machine-readable format.

To exercise these rights, please send a description of the personal information in question to privacy@cmso.co.uk. Where we consider that the information you have provided does not enable us to identify the personal information in question, we may ask you for (i) personal identification and/or (ii) further information. Please note that some of these rights only apply in limited circumstances.

You are also entitled to make a complaint to the Information Commissioner’s Office about the way we have processed your data.

9. Lawful processing

We process your personal information on the grounds of one or more of the following:

(1) Consent: where you have given clear consent for us to process your personal data for the purpose of marketing or communications from us and/or our partners.
(2) Contract: where we have a contract with you or are considering entering into a contract with you and the processing is necessary for the entering into or the implementation of the contract.
(3) Legal obligation: where the processing is necessary for us to comply with the law (not including contractual obligations).
(4) Public task: in circumstances we may act as a data processor on behalf of a public body who is the data controller and where we have established that processing is necessary to perform a task or function that is in the public interest and that the task or function has a clear basis in law.
(5) Legitimate interests: where the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

When we use your personal information, we will consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure we use your personal information in ways that are not unduly intrusive or otherwise unfair.

10. Data retention

In general, unless still required in connection with the purpose(s) for which it was collected and/or is processed, we will remove your personal information from our records five years after the date it was collected. If before that date (i) your personal information is no longer required in connection with such purpose(s) or (ii) we are no longer lawfully entitled to process it, we will remove it from our records at the relevant time. We are legally required to hold some types of information for longer periods to fulfil contractual or statutory obligations.

We review our retention periods for personal information on a regular basis. You can request to remove your personal information at any time by emailing info@cmso.co.uk

11. Policy amendments

We keep this Privacy Policy under regular review and reserve the right to update from time-to-time by posting an updated version on our website, not least because of changes in applicable law. We recommend that you check this Privacy Policy occasionally to ensure you remain happy with it. We may also notify you of changes to our privacy policy by email.

12. Third party websites

We link our website directly to other sites. This Privacy Policy does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.

13. Updating information

You can check the personal data we hold about you, and ask us to update it where necessary, by emailing us at privacy@cmso.co.uk

14. Contact

We are not required by law to have a “Data Protection Officer” – however we have a Data Protection Manager. Please let us know if you have any queries or concerns whatsoever about the way in which your data is being processed by either emailing the Data Protection Manager at privacy@cmso.co.uk or by writing to us at the following address:

Data Protection Manager
Community Made Solutions
15 Paternoster Row
Sheffield
S1 2BX

If you are not satisfied with the response or you need independent advice about data protection, privacy and data sharing you can find further information and/or contact the Information Commissioner’s Office at https://ico.org.uk/ or by telephone 0303 123 1113.