Privacy notice relating to the processing of personal data by the South West Wales Corporate Joint Committee (SWWCJC)
South West Wales Corporate Joint Committee
The South West Wales Corporate Joint Committee is the legal entity and remains the data controller and the responsible statutory body.
The SWWCJC comprises the 4 local authority areas covering South West Wales – City and County of Swansea, Neath Port Talbot, Carmarthenshire and Pembrokeshire. Both Brecon Beacons National Park and Pembrokeshire Coast National Park authorities are members in relation to Strategic Development Planning
About this privacy notice
This privacy notice is intended to provide information about how the SWWCJC will use (or ‘process’) personal data about individuals for the purpose of undertaking the day-to day business of the SWWCJC.
The Data Controller
The SWWCJC is the controller for the personal data it processes.
Whose personal data we process
We process personal data relating to:
• Consultees
• Prospective and current employees
• Individuals attending events
• Businesses
• Correspondence with members of the public
The categories of personal data we process
We process the following categories of personal data:
• Personal details – name, address
• Contact details – telephone number, email address.
Why we process the personal data
We process the personal data in order to fulfil our statutory obligations relating to the day-to-day functions of SWWCJC. This includes but is not limited to the following activities:
• Managing applications or enquiries related to funding programmes
• Investment enquiries
• Responding to requests for information (e.g. Freedom of Information, Data Protection)
• Undertaking surveys
• Undertaking consultations
• Corresponding in respect of public meetings
• Reviewing and responding to Complaints and feedback
Our lawful bases for processing the personal data
Under the General Data Protection Regulation (GDPR), our lawful bases for processing personal data to undertake our statutory functions is:
• Consent (a): The data subject has given consent to the processing of his or her personal data for one or more specific purposes
• Performance of a Contract (b): Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal Obligation (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
• Public Task – Article 6 (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Substantial public interest – Article 9 (2) (g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
The lawful basis for processing special categories of data is as follows:
• Article 9(2)a: The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where domestic law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
Who or where we get the personal data from
We may receive the personal data from the following individuals or organisations:
• Consultees
• Funding applicants
• Individuals attending training or events
• Business contacts
• Members of the public requesting information from us
Organisations that we may share your personal data with
From time to time we will share your personal data with partner organisations and service providers so that they can help us carry out our duties, rights and discretions in relation to the services we provide. Some of those organisations will simply process your personal data on our behalf and in accordance with our instructions. In each case we will only share data to the extent that we consider the information is reasonably required for these purposes.
Any Personal Information we hold will be disclosed, with reasonable purpose to:
• Our staff – where the information is vital and required for their work.
• The Courts – under the direction of a Court Order.
• Welsh Government – in line with statutory requirements or where we administer a scheme on their behalf.
• Public Sector Fraud Authority – for the prevention and detection of fraud.
• Our partners – strictly in line with agreed procedures and lawfully in compliance with UK GDPR.
Where we rely upon your consent to process data you have the right to withdraw this consent to the processing at any time by notifying the Data Protection Officer in writing.
Under the Digital Economy Act 2017, we may share personal data provided to us with other public authorities for the purposes of fraud, crime detection/prevention, to improve public service delivery, statistical research.
The SWWCJC has a duty to protect the public fund it manages. Therefore, the information that you have provided to us may be used for the prevention and detection of fraud or shared with officers responsible for auditing or administering public funds.
Where requested or if we consider that it is reasonably required, we may also provide your data to government bodies and dispute resolution and law enforcement organisations, including those listed above and Her Majesty’s Revenue and Customs (HMRC). They may then use the data to carry out their legal functions.
In some cases these recipients may be outside the UK. This means your personal data may be transferred outside the EEA to a jurisdiction that may not offer an equivalent level of protection as is required by EEA countries. If this occurs, we are obliged to verify that appropriate safeguards are implemented with a view to protecting your data in accordance with applicable laws. Please use the contact details below if you want more information about the safeguards that are currently in place.
How long we retain the personal data
We will retain your information in line with the period outlined at the time the data is collected and only for as long as it is necessary to do so.
Legislation tells us how long we need to keep some information.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The right available to you depend on our reason for processing the information.
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right on the ICO’s website.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right on the ICO’s website.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right on the ICO’s website.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests. You can read more about this right on the ICO’s website.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering a contract and the processing is automated. You can read more about this right on the ICO’s website.
You are not required to pay any charge for exercising your rights. We have one month to respond to your request from the date your request is validated. We may extend this period by a further two months if the request is complex or we receive a number of requests from you.
Please contact the Data Protection lead if you wish to make a request.
Your right to make a data protection complaint
You have the right to complain to the SWWCJC if you believe we have not handled your personal data responsibly and in line with good practice.
If you have a concern, we encourage you to contact the Data Protection Lead in the first instance. Most concerns can be resolved relatively quickly through a simple phone call or email. Should you wish to make a formal complaint please refer to the Complaints Policy on our website (insert link) or contact insert link
You can also complain to the ICO if you are unhappy with how we have used your data, but we encourage you to contact us first. The ICO’s contact information is:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk