General Data Protection Policy

Introduction

Rinova Ltd is committed to ensuring that all personal data collected about staff, partners, and programme participants is handled responsibly and in compliance with data protection legislation.

This policy outlines how we comply with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025. This summary outlines how we collect, use, store, and protect personal data, and the rights individuals have under data protection law.

DEFINITIONS

Personal Data: Any information relating to an identified, or identifiable, individual.

Special categories of personal data: Personal data which is more sensitive and so needs more protection, including information about an individual’s such as racial or ethnic origin,     political opinions, religious or philosophical beliefs

Processing: Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.

Processing can be automated or manual.

Data subject: The identified or identifiable individual whose personal data is held or processed.

Data controller: A person or organisation that determines the purposes and the means of processing of personal data.

Data processor: A person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller.

Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

DATA PROTECTION PRINCIPLES

Personal data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary to fulfil the purposes for which it is processed
  • Accurate and, where necessary, kept up to date
  • Kept for no longer than is necessary for the purposes for which it is processed
  • Processed securely to protect against unauthorised access, loss or damage
  • Handled in a way that allows the data controller to demonstrate compliance with these principles

ROLES AND RESPONSIBILITIES

This policy applies to all members of staff employed by Rinova, and to external organisations or individuals working on our behalf.

Directors of Rinova

Directors of Rinova have overall responsibility for ensuring that Rinova complies with all relevant data protection obligations.

Data protection officer

The data protection officer (DPO) is responsible for overseeing the implementation of this policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable.

The DPO is also the first point of contact for individuals whose data the company processes and for the ICO.

Employees

Members of staff are responsible for:

  • Handling personal data in line with the policy.
  • Contacting the Data Protection Officer (DPO) if:
    • They have questions about data protection or this policy.
    • They’re unsure about lawful data use.
    • They suspect a data breach.
    • They start a new activity that could impact privacy.
    • They need help with contracts or sharing data externally.

COLLECTING PERSONAL DATA

Rinova processes personal data only where a lawful basis exists under data protection law, including:

  • Contractual necessity
  • Legal obligation
  • Vital interests (e.g. protecting life)
  • Legitimate interests (balanced against individual rights)
  • Consent

Special category data is processed only under specific conditions set out in the UK GDPR and DPA 2018.

Whenever we first collect personal data directly from individuals, we provide individuals with all required information.

SHARING PERSONAL DATA

We do not routinely share personal data, but we may do so where:

  • To protect staff safety
  • With partners or agencies (with consent where needed)
  • With suppliers/contractors who meet data protection standards and have appropriate agreements in place

We may also share data with law enforcement or government bodies when legally required, including for crime prevention, legal proceedings or safeguarding.

In emergencies, we may share data with emergency services or local authorities. International transfers are made in accordance with UK GDPR standards.

DATA SUBJECT RIGHTS AND REQUESTS

Individuals may submit a written subject access request to view personal data held by Rinova. This includes:

  • Confirmation of processing
  • Access to the data
  • Purpose, categories, and recipients
  • Retention period or criteria
  • Data source (if not the individual)
  • Any automated decision-making and its impact

USE OF PHOTOGRAPHS AND VIDEOS

As part of Rinova’s activities, we may take photographs and record images of individuals/ participants at our events.

We will obtain written consent from individuals for photographs and videos to be taken for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video will be used.  Consent can be withdrawn at any time.

DATA SECURITY AND STORAGE OF RECORDS

We protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage. In particular:

  • Paper records and devices are stored securely
  • Passwords protect digital systems
  • Staff follow strict procedures for handling data
  • Regular training and audits ensure compliance

DISPOSAL OF RECORDS

Personal data that is no longer needed, inaccurate, or outdated will be securely disposed of.

DATA BREACHES

Rinova makes all reasonable endeavours to ensure that there are no personal data breaches.  If a data breach occurs, the following actions should be taken:

  •  Investigate and contain the issue
  • Notify affected individuals if necessary
  • Report to the ICO within 72 hours if required
  • Document all incidents and review procedures

CONTACT US

For any data protection queries or to exercise your rights, please contact:

Mamta Dave – Data Protection Officer (DPO) – 0203 874 4410 – m.dave@rinova.co.uk

This policy applies to all organisations within the Rinova Group. For the avoidance of doubt, where ‘Rinova Ltd’ is referenced this shall be understood to also apply to Rinova Community CIC and Rinova Malaga S.L. 

Date Created: 01/12/2015

Last Review: 01/09/2025

Next Review: 01/09/2026

This policy has been reviewed and approved by the Board of Rinova Ltd.Richard Parkes, Chair and Director.