This document is reviewed annually each October or sooner if legislation or our operations change. The latest version will always be available at www.cavfo.com.
This policy explains how Cavendish Family Office (London) Limited (“Cavendish”) obtains, manages, and records consent for the collection and use of personal data in accordance with the UK General Data Protection Regulation (UK GDPR).
It applies to all employees, consultants, contractors, and third-party providers who handle or process personal data on behalf of Cavendish.
Questions about this policy should be directed to the Data Protection Officer at mark@cavfo.com.
Consent is a core element of privacy law. Cavendish recognises that genuine consent must be:
• Freely given, specific, informed, and unambiguous.
• Obtained through a clear affirmative action (an opt-in).
• Separate from other terms and conditions.
• Easy to withdraw at any time.
Pre-ticked boxes or implied consent are not acceptable. Cavendish provides individuals with clear information about why their data is being collected, how it will be used, and their right to refuse or withdraw consent without detriment.
All employees must respect an individual’s right to determine what happens to their personal information.
Cavendish will:
• Keep written or electronic records showing when, how, and why consent was obtained.
• Regularly review all existing consents to ensure they remain valid.
• Provide clear and accessible methods for withdrawing consent.
• Act promptly on any withdrawal requests and cease processing immediately where appropriate.
Cavendish recognises that not all data processing requires consent. Where consent is not appropriate, processing may occur under one of the lawful bases in Article 6 UK GDPR, including:
• Contract – processing necessary for a contract with the individual.
• Legal obligation – processing necessary to comply with the law.
• Vital interests – processing necessary to protect someone’s life.
• Public task – processing necessary for a public or official function.
• Legitimate interests – processing necessary for legitimate business purposes, unless overridden by the individual’s rights.
Sensitive (“special category”) data, such as health or racial information, requires both a lawful basis under Article 6 and an additional condition under Article 9 UK GDPR, such as:
• Explicit consent.
• Legal rights or obligations in employment or social protection.
• Vital interests of the individual.
• Data manifestly made public by the individual.
• Legal claims or substantial public interest.
• Public health or medical care.
If employees are unsure which basis applies, they must seek guidance from the Data Protection Officer before processing.
A child’s confidentiality must be respected in the same way as an adult’s. Where a child lacks capacity to consent, decisions about disclosure must balance privacy with safeguarding obligations. Information may be shared without consent only if necessary to prevent significant harm.
Information about criminal convictions or offences may only be processed under both a lawful basis (Article 6) and an official authority or legal authorisation (Article 10 UK GDPR). Cavendish does not keep criminal-records data unless required by law or in connection with regulatory or contractual due-diligence checks.
All Cavendish employees and third-party processors must:
• Verify the individual’s capacity to consent before collecting data.
• Provide information in accessible formats (for example, large print or translation where necessary).
• Record all consent decisions in the appropriate register or system.
• Ensure withdrawal requests are actioned promptly and logged.
• Seek advice from the Data Protection Officer if any doubt exists.
Any breach of this policy will be investigated. Serious breaches may constitute gross misconduct and could result in dismissal or termination of contract. Breaches also expose Cavendish to reputational and financial penalties, including potential fines of up to £17.5 million or 4% of global turnover under the UK GDPR.
All concerns or incidents must be reported immediately to the Data Protection Officer in accordance with the Data Breach Policy.
When requesting consent, Cavendish ensures that:
• Consent is the correct lawful basis.
• The request is clear, specific, and separate from other terms.
• No pre-ticked boxes or default options are used.
• The language is plain and understandable.
• Individuals can easily refuse or withdraw consent.
• All third-party controllers are named.
• Online services offered to children comply with parental-consent rules.
Consent records are reviewed and refreshed as necessary to ensure continued validity.