Privacy Notice



Welcome to Social Firms Wales’s Privacy Notice. This Privacy Notice is designed to inform you comprehensively about how we collect, use and disclose your "Personal Data" when you engage with us, whether through our website or other means (such as when you are benefiting from our services). In section 1 below, we have capitalised certain terms and provided explanations for clarity.

Our dedication to data privacy really does drive everything we do, ensuring that your Personal Data is handled with the utmost care. Your trust is paramount to us, and we strive to be transparent about how we collect, use, and protect your Personal Data. If you have any questions or concerns about your privacy or our practices, please do not hesitate to contact our Chief Executive Officer, Rosie Cribb on [email protected].


1. What are the important terms you need to know?

To ensure our Privacy Notice is as clear as possible despite the complexity of legal terminology, we have included a brief glossary below to assist you in comprehending these terms.


  • Consent: refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data relating to them.


  • Criminal Convictions Data: refers to Personal Data relating to criminal convictions and offences and includes Personal Data relating to criminal allegations and proceedings.


  • Data Controller: refers to an organisation that determines when, why and how to Process Personal Data. It is responsible for establishing policies and procedures in line with Data Protection Law.


  • Data Processor: refers to an organisation that Processes Personal Data on behalf of a Data Controller. It is responsible for establishing policies and procedures in line with Data Protection Law.


  • Data Protection Law: refers to the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to Personal Data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). It sits alongside the Data Protection Act 2018.


  • Data Subjects: refers to living, identified or identifiable individuals about whom we hold Personal Data.


  • European Economic Area (“EEA”): refers to the 27 countries in the European Union, Iceland, Liechtenstein and Norway.


  • Legitimate Interests: refers to when an organisation’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.


  • Personal Data: refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes Special Category Data, Criminal Convictions Data and Pseudonymised Data. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.


  • Pseudonymised Data: refers to Personal Data that has been altered so it can no longer directly identify an individual without additional information which is kept separately and securely.


  • Process or Processing: refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.


  • Special Category Data: refers to information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data of a Data Subject.


2. What important information should you know about us?

Our legal entity name is Social Firms Wales Limited and we are incorporated in England & Wales and have the registration number of 05569450 and the registered address of C/O Bevan Buckland LLP, Ground Floor Cardigan House, Castle Court, Swansea Enterprise Park, Swansea, Wales, SA7 9LA. While we are exempt from registering with the Information Commissioner’s Office (“ICO”) as we are a not-for-profit organisation, we still comply with all other requirements under Data Protection Law.

Data Protection Law defines the roles of Data Controller and Data Processor. We function as a Data Controller, responsible for safeguarding your privacy and rights, and ensuring compliance with Data Protection Law.


3. How is our data protection compliance program structured?

We prioritise compliance with Data Protection Law not only as a legal requirement but also as a cornerstone of earning and upholding the trust of the Data Subjects we interact with in our business. Recognising the critical responsibility of protecting the confidentiality and integrity of Personal Data, we have established a data protection compliance program. This program includes notices, policies, procedures and technical security measures.

We adhere to all of the principles under Data Protection Law including the following:

  • We only Process Personal Data lawfully, fairly and in a transparent manner.
  • We ensure that Personal Data that we collect and maintain is accurate and kept up to date.
  • We only collect Personal Data which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
  • We ensure that Personal Data is not kept in a form which permits identification of individuals for longer than is necessary.
  • We ensure that Personal Data is processed in a manner that ensures its security, using appropriate technical and organisational measures, to protect it against unauthorised Processing and against accidental loss, destruction or damage.


4. Do we have a data protection officer?

After conducting an evaluation of our organisation in accordance with Data Protection Law, we have concluded that currently there is no requirement to appoint a data protection officer. This decision stems from the fact that we do not engage in frequent or systematic monitoring of Data Subjects on a large scale, nor do we conduct extensive processing of Special Category Data. We will reassess this decision periodically and will appoint a data protection officer if deemed necessary.

While we do not have a designated data protection officer, it is crucial to highlight our unwavering commitment to ensuring the privacy and security of your Personal Data. Please contact our Chief Executive, Rosie Cribb on [email protected] if you have any questions or concerns.


5. What categories of Personal Data do we Process?

We collect, use, store and transfer different kinds of Personal Data depending on our relationship with you.

Examples of the Personal Data which we collect on Data Subjects (based on our relationship with you and the necessity of collecting such Personal Data) are outlined below.

  • Identity Data (e.g., first name, maiden name, last name, title, date of birth).
  • Contact Data (e.g., phone number, email address, home address, business address and billing address).
  • Profile Data (e.g., information about your professional background/organisation, agreements you've entered into with us).
  • Special Category Data (e.g., details concerning your racial or ethnic origin and mental and physical health).
  • Criminal Convictions Data (e.g., information on whether you have a criminal conviction or a caution).
  • Transaction & Financial Data (e.g., bank invoices and payment details).
  • Technical & Usage Data (e.g., internet protocol addresses, browser type and version, time zone settings, location and information about your interactions with our website).
  • Communications Data (e.g., your preferences regarding cookies).

We are dedicated to protecting the privacy and security of your Personal Data, especially when it involves sensitive Special Category Data and Criminal Convictions Data.

Please note that we aggregate data, such as statistical or demographic information, for research and analysis purposes. Aggregated data may be derived from your Personal Data but does not qualify as Personal Data under Data Protection Law as it does not reveal your identity, either directly or indirectly. For example, we may aggregate your Technical & Usage Data to analyse usage patterns. However, if we combine or link aggregated data with your Personal Data in a way that could identify you directly or indirectly, we will treat the combined data as Personal Data and handle it according to this Privacy Notice.

Furthermore, please be aware that we may anonymise your Personal Data for research or statistical purposes. Once anonymised, the data cannot be traced back to you, and we may use it without further notice.


6. What are the lawful grounds for which we Process your Personal Data?

Under Data Protection Law, there are several lawful grounds for Processing Personal Data. These are the justifications organisations must have to Process Personal Data legally. The lawful grounds that we tend to rely upon are outlined below.

  • Consent: This is where you have given clear and explicit consent for your Personal Data to be Processed for a specific purpose.
  • Contract: This is where the Processing is necessary in order to enter into or perform a contract.
  • Legitimate Interests: This is where the Processing is necessary for the purposes of our Legitimate Interests or those of a third party, except where such interests are overridden by your interests or fundamental rights.
  • Legal obligation: This is where the Processing is necessary for compliance with a legal obligation to which we are subject.


7. What are the categories of Data Subjects that we engage with?

In the course of our activities, we interact with the following categories of Data Subjects:

  • Website users.
  • Prospective employees.
  • Prospective and existing members.
  • Prospective and existing third-party suppliers.

We have made a chart below to provide key information to each category of Data Subjects:

Who are the Data Subjects? Website users

  • What Personal Data do we collect? Identity Data; Contact Data; Technical & Usage Data; Communications Data.
  • How do we collect it? We collect your Personal Data either automatically when you browse our website or when you provide it to us.
  • What is our lawful basis? Consent.

Who are the Data Subjects? Prospective employees

  • What Personal Data do we collect? Identity Data; Contact Data; Profile Data; Special Category Data; Criminal Convictions Data; Technical & Usage Data.
  • How do we collect it? We collect your Personal Data automatically when you browse our website and when you provide it to us directly. Additionally, we collect it when you consent to a third party sharing it with us.
  • What is our lawful basis? Consent; Contract; Legal obligation.

Who are the Data Subjects? Prospective and existing members

  • What Personal Data do we collect? Identity Data; Contact Data; Profile Data; Special Category Data; Criminal Convictions Data; Technical & Usage Data; Communications Data.
  • How do we collect it? We collect your Personal Data automatically when you visit our website. Additionally, we collect it during our direct interactions with you, such as when you use our support and benefit from our consultancy services.
  • What is our lawful basis? Consent; Contract; Legal obligation.

Who are the Data Subjects? Prospective and existing third parties (including governmental organisations and grant providers and donors)

  • What Personal Data do we collect? Identity Data; Contact Data; Profile Data; Transaction & Financial Data; Technical & Usage Data.
  • How do we collect it? We collect your Personal Data automatically when you browse our website and during our direct interactions with you. For example, we collect Personal Data on your staff that have engaged with us.
  • What is our lawful basis? Contract; Legitimate Interests; Legal obligation.


8. Who do we share your Personal Data with?

We share your Personal Data only when necessary and we have outlined the categories of third parties that we share your Personal Data with below.

  • Government agencies and regulators (e.g., the Welsh Government and Companies House with whom we need to engage in order to operate our not-for-profit organisation).
  • Professional advisers (e.g., law firms, banks, pension providers, external Human Resources providers and accountancy firms in order to manage and support our not-for-profit organisation).
  • Potential owners (e.g., third parties with whom we may be in contact to sell, transfer or merge parts of our organisation or assets).
  • Technology companies (e.g., providers of hardware and software including Microsoft).


9. What happens if you fail to provide us with your Personal Data?

You should note that if you fail to provide us with certain Personal Data when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligation.


10. How do we protect your Personal Data?

We have implemented technical and organisational measures to protect your Personal Data against accidental loss, alteration, unauthorised access, disclosure or falsification. Access to your Personal Data is restricted to authorised personnel, including employees, contractors and relevant third parties, who require access for operational and functional purposes. In addition, we have established policies, plans and procedures to address any suspected or actual breaches of Personal Data, with a proactive aim to prevent such incidents. Furthermore, we enforce stringent criteria and contractual agreements with third parties to ensure compliance with Data Protection Law and adequate security measures for safeguarding your Personal Data against unauthorised access or misuse.


11. Do we transfer your Personal Data outside of the UK and/or the EEA?

We ensure that your Personal Data is transferred safely and securely at all times. Whenever your Personal Data is transferred outside of the UK and/or the EEA, we protect it by implementing one of the following safeguards:

  • We only transfer your Personal Data to organisations outside of the UK and/or the EEA if we have entered into specific contracts with them that ensure your Personal Data will receive the same level of protection as it does in the UK and/or the EEA.
  • We only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data, as endorsed by the ICO and determined by the European Commission.


12. How long is your Personal Data retained?

We retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected, including legal, regulatory, tax, accounting, or reporting requirements. When determining the appropriate retention period, we consider factors such as the data's volume, nature, sensitivity, potential risks of unauthorised use or disclosure, processing purposes, alternative means for achieving those purposes, and applicable legal obligations. In some cases, we may retain Personal Data for an extended period, such as handling complaints or potential litigation related to our relationship with you, although we aim to minimise such situations whenever feasible.


13. What are your rights regarding your Personal Data?

You have specific rights concerning the Personal Data we handle about you, as outlined below.

  • Right to access: You can request access to the information and obtain copies of the Personal Data we hold about you.
  • Right to rectification: You can ask us to correct any inaccuracies or incomplete information in your Personal Data.
  • Right to erasure: You can request the deletion of your Personal Data under certain circumstances, such as when the data is no longer necessary for its original purpose or Processing. However, complete deletion may not always be possible, especially if there is an ongoing contractual relationship or we are required due to our legal obligations to retain the data.
  • Right to restrict Processing: You can request that we restrict the Processing of your Personal Data under specific conditions, such as when we are reviewing the accuracy of the Personal Data or assessing the validity of a deletion request.
  • Right to object: You can object to the Processing of your Personal Data, particularly if the Processing is based on our Legitimate Interests or in respect of direct marketing.
  • Right to data portability: You can request to receive, transfer, or copy your Personal Data to another Data Controller. This right applies if we process your Personal Data based on your Consent or a contract, and the Processing is automated. At present, we do not conduct any automated Processing of Personal Data.


If you are dissatisfied with our practices or have concerns, you have the right to file a complaint with the ICO via While we strive to comply with evolving Data Protection Law and uphold best practices, we encourage you to contact us first to address any concerns about how we handle your Personal Data.

To exercise any of the rights mentioned above, please reach out to our Chief Executive Officer, Rosie Cribb on [email protected]. Accessing your Personal Data or exercising any of these rights is free of charge. However, if we determine that your request is clearly unfounded, repetitive or excessive, we reserve the right to either charge a reasonable fee or deny the request. We will, however, always explain our rationale and position clearly to you.

For security and to protect your interests, we may need to verify your identity by requesting specific information. Additionally, we may contact you for further details to expedite our response.

We aim to address all legitimate requests within one month. However, if your request is complex or involves multiple aspects, it may take longer. In such cases, we will keep you informed of any delay and the reasons for such a delay.


14. When was this Privacy Notice last updated?

This Privacy Notice was last updated on 26 June 2024. It is kept under regular review and updated as and when necessary, and at a minimum on an annual basis. If you have any questions, please contact our Chief Executive Officer, Rosie Cribb on [email protected].



Copyright 2014. All Rights Reserved