GDPR Privacy Policy 2023

 

1. About our Privacy Policy
 

1.1 What is the purpose of this Privacy Policy?

Endelsham Hall is a “data controller” which means we have to tell you certain information when processing your personal information. We may collect information from you in person or we may ask you to fill in paper forms or input information into other systems that the charity uses. 

This Privacy Policy relates to your use of the Services and tells you: 

  • What personal information we collect about you when you use the Services

  • How we collect your personal information in the Services

  • How we use your personal information

  • Who we may share your personal information with

  • Any transfer of personal information outside of the EEA

  • How long we keep your personal information

  • What we do to protect your personal information

  • What choices you have in relation to your personal information

2. Personal Information we process about you
 

2.1 What information we process about you

We may collect the following information about you: 

  • Your name and address

  • Your mobile phone number

  • Your email address

  • Your education and employment

  • To carry out a DBS check

  • The result of a DBS check

  • Information about your use of the Services (e.g. when you have logged in, what pages you visited)

  • Payment details when booking events

  • Donations to the charity

  • Any information you provide to us

2.2 Sensitive Personal Information

We may also collect, store and use the following “special categories” of sensitive personal information (if you give us this information):

  • Information about your health, including any mental or physical conditions that you notify us about

  • Any criminal record

2.3 Personal Information you give us

We may collect personal information from you when you attend an event hosted by the charity and speak to us in person. You may also fill in one of our paper forms, a form available in a different electronic system.  
 

3. How we use your Personal Information
 

3.1 Our legal basis for using your information

The law only allows us to use your personal information in certain limited circumstances. We have listed these below and what information they allow us to process. 

1) Where it is necessary for our legitimate interests

The GDPR specifically states that a charity may use legitimate interests to process personal information relating to people attending events hosted by the charity or people accessing its services

We consider that this is the most appropriate condition for us to administer your information as you would reasonably expect that we would might have to process your personal information in order to provide you with information, so that you can take full advantage of all our services. 

We have put safeguards into place to ensure that your personal information is protected and that your fundamental rights and freedoms are not overridden.

2) Where you have consented to us using your personal information

Examples of how we may use your information with consent:

  • We may ask for your consent to send marketing communications out to you, including information about our events and other marketing materials.

  • We may also ask for consent where you have given us information as part of our pastoral care and asked us to use it for a certain purpose.

3) Where we need to perform the contract we have entered into with you

Examples of how we may use your information in order to comply with a contract that we have entered into with you:

  • To buy tickets for events

  • To administer the Services (such as troubleshooting, data analysis, research)

  • To tell you about changes to our website

  • To help us (or the software developers) improve the Services

4 ) Where we need to comply with a legal obligation

Examples of how we may use your information to fulfil a legal obligation:

  • Keeping records for gift aid purposes

  • To prevent and detect fraud

  • To protect children and vulnerable adults

  • To get your feedback on the Services

3.2 How we use sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection.We need to have further justification for collecting, storing and using this type of personal information. 

We may process special categories of personal information in the following circumstances: 

  • In limited circumstances, with your explicit consent recorded in writing (e.g. where you tell us information in order to obtain support and pastoral care from us – for example this could relate to physical or mental health).

  • Where we need to carry out our legal obligations (e.g. ensure DBS checking is done where appropriate)

  • Where it is needed in the public interest and in line with our data protection policy

  • Where It Is needed In connection with our children and vulnerable adults protection policy

Less commonly, we may process this type of information where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

What this means in practice

We may use your sensitive personal information in the following ways: 

  • your mental or physical health, racial origin, sexual orientation or criminal record in order to provide you with support and pastoral care. We may also use this information to help you access support and benefits if appropriate and requested by you

  • your DBS check (which may contain information relating to criminal offences or presence on a register) to decide your suitability for roles in the charity

In all cases where we require consent, we will seek your written consent or record you consent in writing to allow us to process certain sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us. 

3.3 Information about Children

Whilst information relating to children is not considered to be special category information, it is information that is given specific protection. In cases where we work with the data of children under the age of 16, we will always ask for the consent of a parent or guardian.

4. Sharing your Personal Information
 

4.1 Other third parties

We may share your information with certain third parties including:

  • Support services and benefits providers (e.g. local authorities, your doctor)

  • Our suppliers for the performance of any contract we enter into with them or you

  • Our software providers who need to see your information in order to keep our website up and running

  • Analytics and search engine providers who analyse information about your use of our website and help us to tailor the product and offers that we offer to you and other users

We work with the following organisations: 

  • HMRC (for claiming of Gift Aid)

  • WorldPay (for processing of Card Donations)

  • Dropbox

  • Squarespace

  • JustGiving

4.2 Legal Requirements and Law Enforcement

We may also disclose your personal information to third parties if we are required by law, or in order to enforce or apply our terms of use. This includes exchanging information with other organisations such as law enforcement agencies.


4.3 Third Party Privacy Policies

The Services may contain links to websites owned by other organisations. If you follow a link to another website, these websites they will have their own privacy policies. We suggest that you check the policies of any other websites before giving them your personal information as we cannot accept responsibility for any other website.

5. Keeping your Personal Information
 

5.1 How we store your personal information

The security of your personal information is important to us. 

  • We use appropriate technical and organisational measures to safeguard personal information and encryption technology where appropriate to enhance privacy and help prevent information security breaches.

  • Any personal information that we provide to you will be held within the EEA.

  • All third parties who provide services to us or our software provider are required to sign a contract requiring them to have appropriate technical, administrative and physical procedures in place to ensure that your information is protected against loss or misuse.

  • All information you provide to us is stored on our secure servers or on secure servers operated by a third party. Information on our third-party providers can be found above.

5.2 Retention of information

We only hold your personal information for as long as necessary for the purposes for which we collected your information. 

We have a retention policy which lays down timescales for the retention of information. The retention policy can be found here.

We have set these timescales in accordance with any applicable legislation and where none exists then we will keep your information for the duration of any contract that you have entered into with us and then for a period of 7 years after which time it will be deleted. 


5.3 Emails

If you chose to send us information via email, we cannot guarantee the security of this information until it is delivered to us.

6. Your rights
 

6.1 Access to information

You have the right to access information that we hold about you. If you wish to receive a copy of the information that we hold, please contact us at office@endleshamhall.org or write to us at 48 Endlesham Road, London SW12 8JL.
 

6.2 Changing or deleting your information

You can ask us at any time to change, amend or delete the information that we hold about you or ask us not to contact you with any further marketing information. You can also ask us to restrict the information that we process about you. 

You can request that we change, amend, delete your information or restrict our processing by emailing us at office@endleshamhall.org
 

6.3 Right to prevent Automated decision making

You have a right to ask us to stop any automated decision making. We do not intentionally carry out such activities, but if you do have any questions or concerns we would be happy to discuss them with you and you can contact us at office@endleshamhall.org
 

6.4 Transferring Personal Information

You have the right to request that your personal information is transferred by us to another organisation (this is called “data portability”). Please contact us at office@endleshamhall.org with the details of what you would like us to do and we will try our best to comply with your request. It may not be technically feasible, but we will work with you to try and find a solution.
 

6.5 Complaints

If you make a request to us under this Privacy Policy and you are unhappy with the response, you can ask for the request to be reviewed under our internal complaints procedure. Our internal complaints procedure allows your request to be reviewed by our trustees who will do their best to try and resolve the issue. 

If you have been through the internal complaints procedure and are still not happy with the result, then you have the right to complain to the Information Commissioner’s Office. They can be contacted as follows: 

Online
www.ico.org.uk

Telephone
0303 123 1113 

Address
Information Commissioners Office
Wycliffe House
Water Lane, Wilmslow
Cheshire SK9 5AF 

7. Changes to our Privacy Policy

We review our Privacy Policy on a frequent basis to check that it accurately reflects how we deal with your information and may amend it if necessary. You should check this page regularly to see the most up to date information. 

We last updated this Privacy Policy on 13th July 2023.

8. How to Contact us

We welcome questions, comments and requests regarding this Privacy Policy. 

If you have any queries about this Privacy Policy or how we use your personal information, please contact us at 48 Endlesham Road, London SW12 8JL. Our Data Protection Lead is Rosemary Potter who can be contacted at the above address or email at office@endleshamhall.org

You can also get in touch via our contact page.

© Probert Legal Limited 2018