Appropriate Policy Document

Latest Revision: March 2026

Introduction

The Development Bank of Wales (“DBW”, “we”, “us”, “our”) processes special category data and criminal offence data. 

For certain conditions related to the processing of these types of data, we are required to have an Appropriate Policy Document in place setting out and explaining our procedures and policies. This policy supplements the DBW Data Protection Policy & Privacy Notices and complies with our obligations under Schedule 1, Part 4 of the Data Protection Act 2018 (“DPA”).

Scope

This Appropriate Policy Document applies to the DBW Group and its subsidiaries. 

Specific Data Covered by This Document

This document covers the following types of data:

Special Category Data

Special category data as defined by Article 9 UK General Data Protection Regulation (“UK GDPR”), is personal data revealing:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership 

  • Genetic data 

  • Biometric data for the purpose of uniquely identifying a natural person 

  • Data concerning health

  • Data concerning a natural person’s sex life or sexual orientation

Personal data relating to criminal offences (Criminal Offence Data)

‘Criminal Offence Data’, is an umbrella term used to describe data relating to:

  • Criminal offences

  • Allegations of offences

  • Legal proceedings (including sentencing)

  • Related security measures (e.g. police cautions, restraining orders etc.)

  •  Information relating to the absence of convictions.

Article 10(1) of the UK GDPR covers processing in relation to criminal convictions and offences or related security measures, while Section 11(2) of the DPA provides that personal data relating to criminal convictions and offences or related security measures includes personal data relating to alleged offences, legal proceedings for an offence or alleged offence, and sentencing. 

Purposes for Processing

DBW processes special category data and criminal offence data where necessary for DBW’s functions, including:

  • Recruitment and employment 

  • Assessment of applications submitted to us

  • Management of ongoing investments or funding provided to customers

  • Safety, security, compliance, and legal requirements 

  • Responding to requests or queries

  • Managing and investigating complaints

  • Making searches for the purposes of managing risk for us and our customers, using information which is publicly available

  • Carrying out identity checks and verifying the accuracy of information provided to us

  •  Equality, diversion, and inclusion monitoring 

  • Safeguarding the economic well-being of data subjects

  • Protecting vulnerable data subjects from harm

Schedule 1 conditions relied upon for processing Special Category Data

Special Category Data (Article 9 UK GDPR)

We rely on several Article 9 conditions of the UK GDPR to process special category data. Not all of these Article 9 conditions require an additional Schedule 1 condition, however some of them do. The conditions relied upon by us that require an additional Schedule 1 condition to process Special Category Data are explained below:

Conditions relating to Employment, Social Security and Social Protection - Article 9(2)(b)

Under Article 9(2)(b) UK GDPR, we may process special category data where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment. Examples of this include checking individuals’ entitlement to work in the UK, and ensuring the safety and welfare of our employees. Section 10(2) DPA sets out that the processing meets the above requirement in Article 9(2)(b) only if it meets the conditions set out in Schedule 1, Part 1 of the DPA. Depending on the context, the processing will be required for the listed purpose below: 

  • Paragraph 1 (Employment, social security, and social protection)

Substantial Public Interest Conditions - Article 9(2)(g)

Under Article 9(2)(g) UK GDPR, we may process special category data where it is necessary for reasons of substantial public interest. This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. 

Section 10(3) of the DPA sets out that the processing meets the above requirement in Article 9(2)(g) only if it meets a condition (or purpose) in Schedule 1, Part 2 of the DPA. Depending on the context, the processing will be required for one or more of the listed purposes below:

  • Paragraph 6 (Statutory and Government Purposes)

  • Paragraph 8 (Equality of opportunity or treatment)

  • Paragraph 9 (Racial and ethnic diversity at senior levels of organisations)

  • Paragraph 10 (Preventing or detecting unlawful acts)

  • Paragraph 11 (Protecting the Public Against Dishonesty)

  • Paragraph 12 (Regulatory Requirements relating to unlawful acts and dishonesty etc.)

  • Paragraph 14 (Preventing Fraud)

  • Paragraph 15 (Suspicion of Terrorist Financing and Money Laundering)

  • Paragraph 18 (Safeguarding of children and of individuals at risk)

  • Paragraph 19 (Safeguarding of economic well-being of certain individuals)

  • Paragraph 21 (Occupational Pensions)

  • Paragraph 24 (Disclosure to Elected Representatives)

Schedule 1 conditions relied upon for processing Criminal Offence Data

Under Article 10 UK GDPR, we may process personal data relating to criminal offences, allegations of criminal offences, legal proceedings, and related security measures when the processing is authorised under UK law providing for appropriate safeguards for the rights and freedoms of data subjects. Section 10(5) DPA sets out that the processing meets the above requirement in Article 10 UK GDPR only if it meets a condition in Part 1, 2 or 3 of Schedule 1 DPA.

DBW relies on the following conditions under Schedule 1, Part 1 of the DPA to process criminal offence data:

  • Paragraph 1 (Employment, social security, and social protection)

DBW relies on the following conditions under Schedule 1, Part 2 of the DPA to process criminal offence data:

  • Paragraph 6 (Statutory and Government Purposes)

  • Paragraph 10 (Preventing or detecting unlawful acts)

  • Paragraph 11 (Protecting the Public Against Dishonesty)

  • Paragraph 12 (Regulatory Requirements relating to unlawful acts and dishonesty etc.)

  • Paragraph 14 (Preventing Fraud)

  • Paragraph 15 (Suspicion of Terrorist Financing and Money Laundering)

  • Paragraph 18 (Safeguarding of children and of individuals at risk)

  • Paragraph 24 (Disclosure to Elected Representatives)

In addition to the relevant conditions in Parts 1 and 2 of Schedule 1 set out above, there are additional processing conditions for criminal offence data set out in Schedule 1, Part 3, of which we rely on the following:

  • Paragraph 29 (Consent)

  • Paragraph 32 (Personal Data in the Public Domain)

  • Paragraph 33 (Legal Claims) 

  • Paragraph 36 (Extension of Part 2 Conditions relating to Substantial Public Interest)

How we comply with the Data Protection Principles 

In accordance with the accountability principle, DBW maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We conduct data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR to ensure data protection by design and default.

DBW ensures compliance with the data protection principles set out in Article 5 of the UK GDPR as follows:

Principle 1 – Lawfulness, Fairness and Transparency 

Processing personal data must be lawful, fair, and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in UK GDPR or DPA. We provide transparency information (privacy notices) to all those who provide personal data to us, stating the lawful basis for processing and providing the purposes for processing special category personal data and criminal offence data where these relate to Schedule 1 of the DPA. In circumstances where we seek consent, we make sure that: 

  • The consent is unambiguous 

  • The consent is given by an affirmative action 

  • The consent is recorded as the condition for processing 

Principle 2 - Purpose Limitation

The purposes for which we process special category and criminal offence data where an appropriate policy document is required are detailed above. We may process personal data collected for any one of these purposes, providing it is necessary and proportionate to that purpose. If we are sharing data with another controller, we will document that they are legitimately processing the data for their purpose. We will not process personal data for purposes which are incompatible with the original purpose for which it was collected. 

Principle 3 - Data Minimisation 

We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where we become aware that personal data provided to us or obtained by us is not relevant to our stated purposes, we will erase it. 

Principle 4 - Accuracy

Where we become aware that personal data is inaccurate or out of date, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision. 

Principle 5 - Storage Limitation 

The information we process is retained for the periods set out in the DBW Retention Schedules and DBW Retention & Disposal Policy. Where a record is not listed on the Retention Schedules, the details of the retention period can be found on the related privacy notice. 

Principle 6 - Integrity and Confidentiality (Security)

Electronic information is processed within our secure network or managed by suppliers on solutions that have been security accredited. Hard copy information is processed in secure premises. Our electronic systems and physical storage have appropriate access controls applied. The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures which include:

  • Acceptable Use Policy

  • Business Continuity Policy

  • CCTV Policy

  • Data Protection Policy

  • Information Security Policy

  • Physical Security Policy

Principle 7 - Accountability

DBW maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We conduct data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR to ensure data protection by design and default.

DBW has an appointed Data Protection Officer who reports directly to our highest management level, and we regularly review our accountability measures and update or amend them when required.

Further Information 

More information about how we process personal data, as well as key contacts, can be found in our Privacy Notices & Data Protection Policy. 

Review Period

This document will be reviewed and periodically updated.