Service Users



This privacy notice sets out the standards that you can expect from Dewis C.I.L when we request or hold personal information (‘personal data’) about you; how you can get access to a copy of your personal data; and what you can do if you think the standards are not being met.

Our Data Protection Policy and procedures are governed by the Data Protection Act 1998 and the EU General Data Protection Regulation 2018.

What is personal data?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller or data processor’s possession or likely to come into such possession.

Personal information is any information that may identify a living individual.  We collect personal information such as:

  • Your full name
  • Postal address
  • Your Email address
  • Contact telephone number
  • Your date of birth
  • Your Region/Location
  • Your impairment

We may collect, use and store sensitive personal information (so called special categories of data, such as medical conditions, religious beliefs, ethnicity). If you provide us with any sensitive personal information by whatever means, we will treat that information with care and confidentiality and always in accordance with this policy.

How we collect your information

In the first instance, we would receive a referral from the Local Authority in which you reside. This would contain much of your personal information, full name, address, personal circumstances around your impairment, and so forth. This allows us to make contact with you and support you through your Direct Payment journey.

As the information comes to Dewis CIL via Social Services and your Social Worker, we are not the Data Controllers of the information, we are the Data Processors. 

To enable Dewis CIL to work with you and support you with your Direct Payment, it is necessary for the organisation to continue to make notes as appropriate.

Who are we?

Dewis C.I.L is the data processor when referring to the information received from your Local Authority and subsequently collected through your Direct Payment journey.

How do we process personal data?

Dewis C.I.L complies with its obligations under the GDPR by keeping personal data securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect the personal data.

We only collect, use and store your information where we have lawful grounds and legitimate reasons for doing so.  Personal information is used in order deliver the services we are required to deliver under the contract with your Local Authority.

What is the legal basis for processing your data?

The legal grounds upon which we might rely for justifying why we are using your personal information are:

·        Consent of the data subject: You will have agreed with your Local Authority, to be referred to Dewis CIL’s Direct Payment Support Service and will have confirmed this by signing the original referral form. This means that you have given your explicit consent to the processing of your personal information by your Local Authority and then Dewis CIL.

·        Withdraw consent: You may withdraw your consent at any time by contacting us at [email protected] or by phoning 01443 827 930 and speaking with a manager.  If you do so, your personal data will be removed from the Dewis CIL database but you will no longer be able to receive Dewis CIL’s support services.


·        Compliance with a legal obligation: processing is necessary for compliance with a legal obligation to which we are subject.


·        For our legitimate interests where these do not cause you undue harm: processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information. Our main legitimate interests for using your personal information are:

·         To enable us to provide advice, guidance, payroll processing, payment of Agency invoices and other appropriate services to vulnerable adults.

·         To promote our services.

Special category personal data (sensitive personal data)?

When we use your sensitive personal information (e.g. impairment, sexual orientation, etc.,) we must be able to rely on an additional legal ground.  The additional legal grounds that we may rely on are:

·        Substantial public interest: Processing is necessary for safeguarding purposes.


·        For legal claims: processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.


·        For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


·        Vital interest: Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.


Sharing your information

We will never share your personal information with organisations so that they can contact you for marketing activities.

Dewis CIL may be required to share your data with other agencies for legal reasons, an example being for a court order or with other organisations if we believe that you are at risk or at harm or may harm someone else.

We rely on your explicit consent to share your information with any third party or refer to other agencies or services in order to progress your case or act on your behalf. If you are legally or physically unable to give such consent we rely on legitimate interests where these do not cause you undue harm.

For how long does Dewis CIL hold your information?

Personal data held within the client managed system will be held until you cease to receive our services or you have withdrawn your consent for the Organisation to hold such information.

Your rights

You have various rights in respect of the personal information we hold about you as set out in the table below. If you wish to exercise any of these rights or make a complaint you can do so by contacting our Data Protection Officer at Dewis C.I.L, No 1 & 2 Melin Corrwg, Upper Boat, Pontypridd, CF37 5BE, by email at [email protected] and by phone on 01443 827 930.  You can also make a complaint to the data protection supervisory authority, the Information Commissioner’s Office





To be informed

This Privacy Notice provides the information you are entitled to receive


You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for automated decision making.

You can make a request free of charge.  Please make all requests for access in writing and provide us with evidence of your identity.

Erasure or right to be forgotten

You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent or where we have no lawful basis for keeping it.

Not to be subject to automated decision-making including profiling

We do not use any automated decision-making.

Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.