Empty

Total: £0.00

CO3

Log In

Twitter YouTube   

CO3 Privacy Notice

CO3 is a ‘Data Controller’ in the definition of the General Data Protection Regulations which came into effect across the UK on 25 May 2018.  This means it uses and stores personal data, like its members email addresses and telephone numbers, to carry out its work.

Its identity and contact details as a Data Controller is:

CO3, 34 Shaftesbury Square, Beflast, BT2 7DB, Tel 028 90245356, email info@co3.bz

The person to contact about Data Protection and privacy queries is the Data Protection  Champion:

Rachel Cooley, CO3, 34 Shaftesbury Square, Belfast, BT2 7DB, Tel 028 90245356, email rachel@co3.bz

 

Why CO3 processes personal data and the legal basis for it to do so

 

There are five different types of stakeholder whose personal data may be stored and processed by CO3 from time to time:

  • Existing members of the CO3 network, including Chief Officers, Associate Members, members of the Trustee Network, members of the Interim Chief Executive Panel and any future category of membership to be introduced

 

Contact details, CV information and subject preferences are retained for this category of Data Subject or ‘natural person’.  This data:

  1. Is necessary for performance of contract - represented by the provision of services by CO3 to network members.
  2. Is with the consent of the natural person - in that it is explicit when signing up to CO3’s services that CO3 needs to communicate to the Data Subject about those services.
  3. Is in the legitimate interests of the controller, or a third party, except when overridden by the interests or fundamental rights and freedoms of the natural person – in that these data are needed by CO3 in order to fulfil the delivery of the agreed services, including the provision of event information, to its network members.

 

  • Prospective members and job applicants using CO3’s recruitment service

Contact details, CV information and completed recruitment application forms are held for this category of Data Subject. This data:

 

  1. Is necessary for performance of contract - represented by the provision of services by CO3 to its recruitment clients.
  2. Is with the consent of the natural person – in that it is explicit from sharing contact details with CO3 (e.g. by handing over a business card) or from supplying a completed recruitment application form that the Data Subject expects communication from CO3.

 

  • Staff and volunteers

Contact details, CV information, completed recruitment application forms, medical information and bank details are held for this category of Data Subject.  This data:

 

  1. Is necessary for performance of contract - represented by the provision of labour by staff to CO3 and pay and benefits in return.
  2. Is in compliance with legal obligation – in order for CO3 to fulfil its employment and welfare obligations to staff.
  3. Is with the consent of the natural person - in that it is explicit that these data are required to process pay and benefits and manage welfare issues.
  4. Is in the legitimate interests of the controller, or a third party, except when overridden by the interests or fundamental rights and freedoms of the natural person – in that these data are needed by CO3 in order to fulfil the delivery of the agreed pay, benefits and welfare services to its staff.

 

  • Delivery Partners of CO3

Contact details, completed programme application forms. This data:

 

  1. Is necessary for performance of contract - represented by the fulfilment of services to clients jointly by CO3 and its partners.
  2. Is with the consent of the natural person - in that it is explicit that these data are required for the services to be provided to the Data Subject.
  3. Is in the legitimate interests of the controller, or a third party, except when overridden by the interests or fundamental rights and freedoms of the natural person – in that these data are needed by CO3 in order to fulfil the delivery of services to its clients jointly with its partners.

 

  • Suppliers to CO3

Contact details and bank account details are held for this category of Data Subject. This data:

 

  1. Is necessary for performance of contract - represented by the fulfilment of services to staff and contractors jointly by CO3 and its partners.
  2. Is with the consent of the natural person - in that it is explicit that these data are required for services to be provided to the Data Subject e.g. payroll and pension administration.
  3. Is in the legitimate interests of the controller, or a third party, except when overridden by the interests or fundamental rights and freedoms of the natural person – in that these data are needed by CO3 in order to fulfil the delivery of pay, benefits and employment welfare to its clients jointly with its partners.

 

 

The categories of personal data CO3 may store or process from time to time

 

Data revealing racial or ethnic origin

Health data

Location data

Political opinions

Basic personal identifiers, eg name, contact details

Genetic or biometric data

Religious or philosophical beliefs

Identification data, eg usernames, passwords

Criminal convictions, offences

Trade union membership

Economic and financial data, eg credit card numbers, bank details

 

Sexual orientation data

Official documents, eg driving licences

 

 

Transfers to third countries and safeguards

 

CO3 does not store or process data outside of the European Union (EU).

Providers of its ICT ‘cloud’ storage and data processing software, including storage providers like ‘Google Drive’ or Survey Distribution suppliers like Mailchimp, are certified as storing data in the EU.  This is a condition of CO3 working with these suppliers.

 

Your rights as a ‘Data Subject’

 

People whose data CO3 has enjoy a range of rights under a range of legislative measures presented under the aegis of the GDPR regulations.  They include:

  • The right for people to withdraw their consent for CO3 to use their personal data, where relevant at any time.
  • The right to lodge a complaint about CO3’s data protection and privacy measures with a supervisory authority like the Information Commissioner’s Office.
  • The right to ask for the source of the data CO3 holds on an individual, including if it came from a publicly accessible source.
  • The right to know whether an individual’s personal data is stored or processed as part of a statutory or contractual requirement, and what the consequences would be to the individual if CO3 failed to obtain the personal data.

 

Note that CO3 does not process personal data using any  ‘automated decision-making’ tools. For example, it does not use software to ‘profile’ job candidates or shortlist people.

CO3 has a policy to let people know about this privacy notice at the time that they themselves first engage with it.   If we contact you using contact details that we first obtained from a source in the public domain, like a website, we will let you know where we got it in our first communication with you.  CO3 will not ever disclose your contact details, unless we get your permission first.