Who we are
CMA Bentley is a confidential, free, face-to-face debt advice centre working in association with Community Money Advice (CMA). CMA Bentleyis authorised and regulated by the Financial Conduct Authority (FCA). CMA Bentley is committed to protecting and respecting your privacy and complies with the requirements of the General Data Protection Regulation (GDPR).
This Privacy Notice explains how we collect, use and store your personal data. It sets out the basis on which any personal information provided will be processed.
The person responsible for Data Control within CMA Bentley is:
Abigail Clarke, 01302 637336 abbey.c@cmabentley.org
What is personal data?
Personal data is defined as any information relating to an identified or identifiable natural person (the ‘data subject’). The processing of personal data is governed by the GDPR.
Cookies
Our website only uses cookies that are necessary for you visit. We do not use marketing cookies, or use your personal information to present you with particular content.
Clients
If you choose to become a client of CMA Bentley,
We collect personal data in order to be able to offer the best advice for your circumstances. We will only use any personal information you have chosen to provide to us, for the purpose that you provided it for. We will also sometimes collect additional information from third parties, with your consent, in order to provide the best advice for your circumstances. For example, credit reference agencies, creditors and debt recovery agencies.
We will not use your personal data for any other purpose without your consent. We will not disclose your personal data to any third parties without your consent, except where we are required to do so by law. We will never sell or receive payment for licensing or disclosing your personal information.
Statistics gathered to monitor the service for the purposes of identifying any policy issues and to support funding applications will be anonymised to prevent identification of individual users.
Data protection principles
We comply with our obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate measures are in place to protect personal data. You can find more information about how we protect and store your personal data in our Security Policy and File Retention and Destruction Policy.
Our purpose for processing your personal data including special category data
In order to comply with the Financial Conduct Authority’s Consumer Credit Sourcebook Regulations we are required to obtain all relevant data in order to be able to offer you the best advice based on your circumstances. This may include processing Special Category Data such as health information or other data of a sensitive nature.
We will only collect Special Category Data if there is a clear reason for doing so, such as where we need this information to ensure that we provide appropriate advice or support to you. We will only use sensitive information for the purposes for which it is provided.
The lawful basis for processing your personal data
All organisations need a lawful basis to collect and use personal data. In accordance with GDPR, we can legally process your personal information because you have given us your consent to collect, process and store your personal data by signing a contract with us.
Who we share your data with
Your personal data will be treated as strictly confidential and will only be shared with CMA Bentley staff/volunteers and members of the Community Money Advice (CMA) team who are responsible for reviewing client files for audit purposes. Your personal data will only be sent to third parties with your consent. The only exception to this is if information is requested for legal reasons. We will never share your information with third parties for the purposes of direct marketing.
How long we retain your data
We remove personal data from our systems in line with the data retention periods shown in the table below. The length of time each category of data will be retained will vary on how long we need to process it, the reason it is collected, and in line with any statutory requirements. After this point the data will either be deleted or rendered anonymous.
Data Retention Periods | ||
Data | Retention period | Notes |
Call Log | 3 months | We keep a record of calls made to our service so that we can return calls and handle any enquiries. We will keep details on our call log for a maximum of 3 months unless the individual becomes a client. |
Service user enquiries | 3 months | If anyone contacts us to enquire about our service with a view to making an appointment, we will keep their personal data for a maximum of 3 months unless the individual becomes a client. This is to ensure we are able to respond to their enquiry and manage any missed appointments or subsequent actions, and for audit purposes. |
Referrals from third parties | 3 months | We receive personal information about potential service users from third parties who wish to refer individuals to us for support. We will hold the information we are given for a maximum 3 months unless the individual becomes a client. This is to ensure we are able to respond to their enquiry and manage any missed appointments or subsequent actions, and for audit purposes. |
Client records | 6 years after case closure (12 years for mortgage arrears) | This is to ensure we can provide further assistance if a client subsequently needs our help again, and for regulatory and audit reasons to ensure that we are able to manage any future complaints or enquiries. |
Staff and volunteer records | 6 years | If someone becomes a member of our team, we will keep their personnel records for a maximum of 6 years after they cease working/volunteering for us in order to comply with employment regulations and for audit purposes. |
Supporter/Marketing records | See note | We will keep the contact details of those who have consented to receiving news and updates from us until they tell us that they no longer which to receive such information. |
Recruitment records | 6 months | Where you provide personal data and sensitive personal data when applying for a job or volunteering opportunity, such as the information on your CV, we will process, store and disclose this personal data to support the recruitment process. CVs and application details will be stored for a period of 6 months for audit purposes before being deleted, unless the individual becomes an employee. |
What rights you have over your data
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
a) Your right of access
You have the right to ask us for copies of your personal information. There are some exemptions, which mean you may not always receive all the information we process. You can read more about this on the ICO website: https://ico.org.uk/your-data-matters/your-right-of-access/
b) Your right to get your data corrected
You have the right to ask us to correct any information we hold about you which you think is inaccurate. This is also known as the ‘right to rectification.’ You also have the right to ask us to complete information you think is incomplete. You can read more about this right here: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected/
c) Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances. This is known as the right to erasure. This is also known as the ‘right to be forgotten’. You can read more about this right here: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/
d) Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here: https://ico.org.uk/your-data-matters/your-right-to-limit-how-organisations-use-your-data/
e) Your right to object to processing
You have an absolute right to stop the processing of your personal data for direct marketing purposes. However, we may still be able to legitimately continue using your data for other purposes. You can read more about this right here: https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/
f) Your right to data portability
You have the right to ask that we transfer the information you gave us to another organisation, or give it to you. This right to only applies to electronically held data that you have provided to us and we are processing with your consent. You can read more about this right here: https://ico.org.uk/your-data-matters/your-right-to-data-portability/
Your right to withdraw consent
Where we are using your personal information based on your consent, you have the right to withdraw that consent at any time by contacting our Data Controller, verbally or in writing.
Your right to complain
You have the right to be confident that we will handle your personal information responsibly and in line with good practice. If you have concerns about the way we are handling your information, please contact our Data Controller Abigail Clarkein the first instance as we have a dedicated complaints procedure.
If you are unhappy with how your complaint has been handled by us or if we have failed to resolve your information rights concern, you can raise the matter with the Information Commissioner’s Office by calling them on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or by writing to the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Exercising your rights
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is considered to be ‘manifestly unfounded or excessive’. Alternatively, we may refuse to comply with the request in such circumstances. You will be informed of this in writing, where this is the case.
We have one month to respond to your request. In certain circumstances we may need extra time to consider your request and can take up to an extra two months. If we are going to do this, we will let you know within one month that we need more time and why.
Please contact our Data Controller, Abigail Clarke, if you wish to make a request to access your personal informational held by CMA Bentley.