Group Privacy Policy
The Prama Foundation
GROUP PRIVACY POLICY
The Prama Foundation (which includes PramaCARE, PramaLIFE, PramaTRAVEL and PramaTRADE) treats the privacy
of its customers and website users very seriously and we take the appropriate security measures to safeguard your
privacy. This Policy explains how we protect and manage any personal data* you share with us and that we hold
about you, including how we collect, process and share that data.
*Personal data means any information that may be used to identify an individual, including, but not limited to, a first
and last name, a home or other physical address and an email address or other contact information, whether at work
or at home.
How we obtain your personal data
Information provided by you
You provide us with personal data in many ways:- when you register for care or the brain injury service, attend one of
our many groups or pop in clubs, make a donation, sign up for gift aid, book a show or group at the Barrington, book
a room, become a volunteer, sign up for a coach tour or holiday, attend one of our conferences or events we put on,
or even work for us. This can include your name, address, date of birth, email address, payment details and any other
information that we need in order to deliver the particular service or aspect of our work you have signed up for. We
use this data only to deliver our service to you, administer our service and, if you have consented, to keep you informed
of all of the many things we are involved in.
We may also keep information contained in any correspondence you may have with us by post or email.
We may obtain sensitive medical information at times directly from your GP in relation to the delivery of care. The
provision of this data is subject to you having given us express consent. If you do not provide this consent we may not
be able to safely deliver the care you or your loved one requires. The provision of personal data is essential for us to
be able to deliver our services, collect payment and administer our various operations. This means that the legal basis
that we are holding your personal data is for the performance of a contract.
Information we get from other sources
We only obtain information from third parties if this is permitted by law. We may also use legal public sources to
obtain information about you, for example, to verify your identity or to carry out a DBS check.
This information (including name, address, email address, date of birth etc.), as relevant, will only be obtained from
reputable third-party companies that operate in accordance with the General Data Protection Regulation (GDPR). You
will have already submitted your personal data to these companies and specifically given permission to allow them to
pass this information to other companies for the specified purpose or there is a legal reason for them to be able to
process and pass on information to us.
2
How we use your personal data
We use your personal data to manage and administer our services. We also act as controller and processor in regard
to delivering Care in line with CQC guidelines and assessment and the processing of your Direct Debit instructions,
payment instructions, show ticketing and coach tours. We undertake always to protect your personal data, including
your health and financial details where used, in a manner which is consistent with our responsibility as a registered
CQC operation and the requirements of the General Data Protection Regulations (GDPR) concerning data protection.
We also take the appropriate security measures to protect any historical personal data we hold on you in archive
storage.
Do we use your personal data for marketing purposes?
Any information that you choose to give us will not be used for marketing purposes by us unless you have given us
express consent to use your data for this purpose. We will only use your data in accordance with the purposes you
have given us express permission for and in order to deliver the particular service that you are using.
Sharing Information
We will keep information about you confidential and we will from time to time share your information across the
Prama Foundation group where this is essential for our service delivery to you and where this is required for audit and
compliance monitoring. We will only disclose your information to other third parties where we have a legal obligation
to or you have given us your express consent.
Categories of third parties
Depending on the service you are using from Prama we may disclose your data to the following third parties:
• Care Quality Commission (CQC);
• government monitoring (National Minimum Dataset for Social Care);
• referencing agencies;
• any mailing agents, contractors and advisors that provide a service to us or act as our agents on the
understanding that they keep your information confidential;
• anyone to whom we may transfer our rights and duties under any agreement we have with you;
• any legal or crime prevention agencies and/or to satisfy any regulatory request (including recognised
practitioner bodies) if we have a duty to do so or if the law allows us to do so.
Transfer of your personal data outside of the European Economic Area (EEA)
We do not currently transfer your personal data outside of the EEA. If in the future we transfer your personal data, in
accordance with the terms of this Policy outside of the EEA, we will make sure that the receiver agrees to provide the
same level of personal data protection and use as is required by the General Data Protection Regulations (GDPR) and
this will be a contractual requirement.
If you require further information regarding such transfers please write to the Data Protection Officer, Prama
Foundation, Moran House, 1 Holes Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA or email
DPO@pramacare.co.uk
How long do we keep this information about you?
We only keep your personal data for the length of time to manage and administer the service that we provide to
you. The retention period will also take into account our need to meet any legal, statutory and regulatory
obligations. These reasons can vary from one piece of information to the next. In all cases our need to use your
personal information will be reassessed on a regular basis and information that is no longer required will be disposed
of in a secure way.
3
Data Subject rights
Subject access requests
The General Data Protection Regulation (GDPR) grants you (hereinafter referred to as the “data subject”) the right to
access the personal data that we hold about you. This is referred to as a subject access request. We shall respond
promptly, and certainly within one month from the point of receiving the request and all of the necessary
information from you to enable us to proceed with your subject access request. Our formal response shall include
details of the personal data we hold about you.
Right to rectification
You, the data subject, shall have the right to obtain from us, without undue delay, the rectification of inaccurate
personal data we hold concerning you. Taking into account the purpose of the processing, you, the data subject,
shall have the right to have incomplete personal data completed, including by means of providing a supplementary
statement.
Right to erasure
You the data subject, shall have the right to obtain from us the erasure of personal data concerning you without
undue delay providing there are not legal, statutory or regulatory reasons why we are unable to.
Right to restriction of processing
Subject to exemptions, you, the data subject, shall have the right to obtain from us restriction of processing where
one of the following applies:
a) the accuracy of the personal data is contested by you, the data subject, and is restricted until the accuracy of
the data has been verified;
b) the processing is unlawful and you, the data subject, oppose the erasure of the personal data and instead
request the restriction in use;
c) we no longer need the personal data for the purpose of processing, but it is required by you, the data
subject, for the establishment, exercise or defence of legal claims;
d) you the data subject, have objected to processing of your personal data pending the verification whether
there are legitimate grounds for us to override these objections.
Notification obligation regarding rectification or erasure of personal data or restriction of
processing
We shall communicate any rectification or erasure of personal data or restriction of processing as described above to
each recipient to whom personal data has been disclosed, unless this proves impossible. We shall provide you the
data subject, with information about those recipients if you request it.
Right to data portability
You, the data subject, shall have the right to receive your personal data, which you have provided to us, in a
structured, commonly used and machine-readable format and have the right to transmit this data to another
controller, without hindrance from us.
Right to Object
You, the data subject, have the right to object, on grounds relating to your particular situation, at any time to the
processing of personal data concerning you, including any personal profiling; unless this relates to processing that is
necessary for the performance of a task carried out in the public interest or an exercise of official duty vested in us.
We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the
4
processing, which overrides the interests, rights and freedoms of you, the data subject, or for the establishment,
exercise or defence of legal claims.
Right to not be subject to decisions based solely on automated processing
We do not carry out any automated processing, which may lead to an automated decision based on your personal
data.
Invoking your rights
If you would like to invoke any of the above data subject rights with us, please write to the Data Protection Officer,
Moran House, 1 Holes Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA or email DPO@pramacare.co.uk
Accuracy of information
In order to provide the highest level of customer service possible, we need to keep accurate personal data about
you. We take reasonable steps to ensure the accuracy of any personal data or sensitive information we obtain. We
ensure that the source of any personal data or sensitive information is clear and we carefully consider any challenges
to the accuracy of the information. We also consider when it is necessary to update the information, such as name
or address changes and you can help us by informing us of these changes when they occur.
Important information
Questions and Queries
If you have any questions or queries which are not answered by this Privacy Policy, or have any potential concerns
about how we may use the personal data we hold, please write to the Data Protection Officer, Moran House, 1 Holes
Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA or email DPO@pramacare.co.uk
Policy Changes
This Privacy Policy is regularly reviewed. This is to make sure that we continue to meet the highest standards and to
protect your privacy. We reserve the right, at all times, to update, to modify or amend this Policy. We suggest that
you review this Privacy Policy from time to time to ensure you are aware of any changes we may have made;
however, we will not significantly change how we use information you have already given to us without your prior
agreement. The latest version of this policy can be found on our website www.pramafoundation.org.uk
If you have a complaint
If you have a complaint regarding the use of your personal data or sensitive information then please contact us in
writing to the Data Protection Officer, Moran House, 1 Holes Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA
or email DPO@pramacare.co.uk and we will do our best to help you.
If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information
Commissioner’s Office (ICO), you can contact them on 01625 545745 or 0303 1231113. You also have the right to
judicial remedy against a legally binding decision of the ICO where you consider that your rights under this regulation
have been infringed as a result of the processing of your personal data. You have the right to appoint a third party to
lodge the complaint on your behalf and exercise your right to seek compensation.