PramaFoundation

Group Privacy Policy

The Prama Foundation

GROUP PRIVACY POLICY

The Prama Foundation (which includes PramaCARE, PramaLIFE, PramaTRAVEL and PramaTRADE) treats the privacy

of its customers and website users very seriously and we take the appropriate security measures to safeguard your

privacy. This Policy explains how we protect and manage any personal data* you share with us and that we hold

about you, including how we collect, process and share that data.

*Personal data means any information that may be used to identify an individual, including, but not limited to, a first

and last name, a home or other physical address and an email address or other contact information, whether at work

or at home.

How we obtain your personal data

Information provided by you

You provide us with personal data in many ways:- when you register for care or the brain injury service, attend one of

our many groups or pop in clubs, make a donation, sign up for gift aid, book a show or group at the Barrington, book

a room, become a volunteer, sign up for a coach tour or holiday, attend one of our conferences or events we put on,

or even work for us. This can include your name, address, date of birth, email address, payment details and any other

information that we need in order to deliver the particular service or aspect of our work you have signed up for. We

use this data only to deliver our service to you, administer our service and, if you have consented, to keep you informed

of all of the many things we are involved in.

We may also keep information contained in any correspondence you may have with us by post or email.

We may obtain sensitive medical information at times directly from your GP in relation to the delivery of care. The

provision of this data is subject to you having given us express consent. If you do not provide this consent we may not

be able to safely deliver the care you or your loved one requires. The provision of personal data is essential for us to

be able to deliver our services, collect payment and administer our various operations. This means that the legal basis

that we are holding your personal data is for the performance of a contract.

Information we get from other sources

We only obtain information from third parties if this is permitted by law. We may also use legal public sources to

obtain information about you, for example, to verify your identity or to carry out a DBS check.

This information (including name, address, email address, date of birth etc.), as relevant, will only be obtained from

reputable third-party companies that operate in accordance with the General Data Protection Regulation (GDPR). You

will have already submitted your personal data to these companies and specifically given permission to allow them to

pass this information to other companies for the specified purpose or there is a legal reason for them to be able to

process and pass on information to us.

2

How we use your personal data

We use your personal data to manage and administer our services. We also act as controller and processor in regard

to delivering Care in line with CQC guidelines and assessment and the processing of your Direct Debit instructions,

payment instructions, show ticketing and coach tours. We undertake always to protect your personal data, including

your health and financial details where used, in a manner which is consistent with our responsibility as a registered

CQC operation and the requirements of the General Data Protection Regulations (GDPR) concerning data protection.

We also take the appropriate security measures to protect any historical personal data we hold on you in archive

storage.

Do we use your personal data for marketing purposes?

Any information that you choose to give us will not be used for marketing purposes by us unless you have given us

express consent to use your data for this purpose. We will only use your data in accordance with the purposes you

have given us express permission for and in order to deliver the particular service that you are using.

Sharing Information

We will keep information about you confidential and we will from time to time share your information across the

Prama Foundation group where this is essential for our service delivery to you and where this is required for audit and

compliance monitoring. We will only disclose your information to other third parties where we have a legal obligation

to or you have given us your express consent.

Categories of third parties

Depending on the service you are using from Prama we may disclose your data to the following third parties:

• Care Quality Commission (CQC);

• government monitoring (National Minimum Dataset for Social Care);

• referencing agencies;

• any mailing agents, contractors and advisors that provide a service to us or act as our agents on the

understanding that they keep your information confidential;

• anyone to whom we may transfer our rights and duties under any agreement we have with you;

• any legal or crime prevention agencies and/or to satisfy any regulatory request (including recognised

practitioner bodies) if we have a duty to do so or if the law allows us to do so.

Transfer of your personal data outside of the European Economic Area (EEA)

We do not currently transfer your personal data outside of the EEA. If in the future we transfer your personal data, in

accordance with the terms of this Policy outside of the EEA, we will make sure that the receiver agrees to provide the

same level of personal data protection and use as is required by the General Data Protection Regulations (GDPR) and

this will be a contractual requirement.

If you require further information regarding such transfers please write to the Data Protection Officer, Prama

Foundation, Moran House, 1 Holes Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA or email

DPO@pramacare.co.uk

How long do we keep this information about you?

We only keep your personal data for the length of time to manage and administer the service that we provide to

you. The retention period will also take into account our need to meet any legal, statutory and regulatory

obligations. These reasons can vary from one piece of information to the next. In all cases our need to use your

personal information will be reassessed on a regular basis and information that is no longer required will be disposed

of in a secure way.

3

Data Subject rights

Subject access requests

The General Data Protection Regulation (GDPR) grants you (hereinafter referred to as the “data subject”) the right to

access the personal data that we hold about you. This is referred to as a subject access request. We shall respond

promptly, and certainly within one month from the point of receiving the request and all of the necessary

information from you to enable us to proceed with your subject access request. Our formal response shall include

details of the personal data we hold about you.

Right to rectification

You, the data subject, shall have the right to obtain from us, without undue delay, the rectification of inaccurate

personal data we hold concerning you. Taking into account the purpose of the processing, you, the data subject,

shall have the right to have incomplete personal data completed, including by means of providing a supplementary

statement.

Right to erasure

You the data subject, shall have the right to obtain from us the erasure of personal data concerning you without

undue delay providing there are not legal, statutory or regulatory reasons why we are unable to.

Right to restriction of processing

Subject to exemptions, you, the data subject, shall have the right to obtain from us restriction of processing where

one of the following applies:

a) the accuracy of the personal data is contested by you, the data subject, and is restricted until the accuracy of

the data has been verified;

b) the processing is unlawful and you, the data subject, oppose the erasure of the personal data and instead

request the restriction in use;

c) we no longer need the personal data for the purpose of processing, but it is required by you, the data

subject, for the establishment, exercise or defence of legal claims;

d) you the data subject, have objected to processing of your personal data pending the verification whether

there are legitimate grounds for us to override these objections.

Notification obligation regarding rectification or erasure of personal data or restriction of

processing

We shall communicate any rectification or erasure of personal data or restriction of processing as described above to

each recipient to whom personal data has been disclosed, unless this proves impossible. We shall provide you the

data subject, with information about those recipients if you request it.

Right to data portability

You, the data subject, shall have the right to receive your personal data, which you have provided to us, in a

structured, commonly used and machine-readable format and have the right to transmit this data to another

controller, without hindrance from us.

Right to Object

You, the data subject, have the right to object, on grounds relating to your particular situation, at any time to the

processing of personal data concerning you, including any personal profiling; unless this relates to processing that is

necessary for the performance of a task carried out in the public interest or an exercise of official duty vested in us.

We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the

4

processing, which overrides the interests, rights and freedoms of you, the data subject, or for the establishment,

exercise or defence of legal claims.

Right to not be subject to decisions based solely on automated processing

We do not carry out any automated processing, which may lead to an automated decision based on your personal

data.

Invoking your rights

If you would like to invoke any of the above data subject rights with us, please write to the Data Protection Officer,

Moran House, 1 Holes Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA or email DPO@pramacare.co.uk

Accuracy of information

In order to provide the highest level of customer service possible, we need to keep accurate personal data about

you. We take reasonable steps to ensure the accuracy of any personal data or sensitive information we obtain. We

ensure that the source of any personal data or sensitive information is clear and we carefully consider any challenges

to the accuracy of the information. We also consider when it is necessary to update the information, such as name

or address changes and you can help us by informing us of these changes when they occur.

Important information

Questions and Queries

If you have any questions or queries which are not answered by this Privacy Policy, or have any potential concerns

about how we may use the personal data we hold, please write to the Data Protection Officer, Moran House, 1 Holes

Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA or email DPO@pramacare.co.uk

Policy Changes

This Privacy Policy is regularly reviewed. This is to make sure that we continue to meet the highest standards and to

protect your privacy. We reserve the right, at all times, to update, to modify or amend this Policy. We suggest that

you review this Privacy Policy from time to time to ensure you are aware of any changes we may have made;

however, we will not significantly change how we use information you have already given to us without your prior

agreement. The latest version of this policy can be found on our website www.pramafoundation.org.uk

If you have a complaint

If you have a complaint regarding the use of your personal data or sensitive information then please contact us in

writing to the Data Protection Officer, Moran House, 1 Holes Bay Park, Sterte Avenue West, Poole, Dorset, BH15 2AA

or email DPO@pramacare.co.uk and we will do our best to help you.

If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information

Commissioner’s Office (ICO), you can contact them on 01625 545745 or 0303 1231113. You also have the right to

judicial remedy against a legally binding decision of the ICO where you consider that your rights under this regulation

have been infringed as a result of the processing of your personal data. You have the right to appoint a third party to

lodge the complaint on your behalf and exercise your right to seek compensation.