Effective Date: 25 May 2018 Version: 1.0
About this Policy
1) The Heart Cells Foundation (“we”, “our”, “us”) respects your privacy and complies with all applicable privacy laws. This Policy sets out how we, as data controller, will collect and use personal data. Any complaints and/or requests to exercise data subject rights should be addressed to our Privacy Officer: firstname.lastname@example.org.
To whose personal data does this Policy apply?
2) This Policy describes our practices when using personal data in the context of relationships with our donors and supporters.
Personal data we collect
3) We collect certain personal data in the course of conducting our activities. We may collect personal data directly from donors and supporters through communications, applications or other forms, whether received in writing or electronically. This information can include:
(a) Contact information we use to communicate with donors and supporters, such as their names, positions, current and former addresses (private and/or professional), telephone number (private and/or professional), and/or email addresses (private and/or professional);
(b) Identity information we use to identify or authenticate individuals;
(c) Image capturing, such as photographs taken at events, videos, and CCTV footage;
(d) Website information captured in our web logs such as device information, unique identification numbers (such as an IP address or device ID), browser information (e.g. URL, browser type, pages visited, and/or date/time of access). This may also include information captured by any cookies and information captured on users of the website;
(e) Communications information including communications by email, telephone or post in the course of communicating with supporters, including recordings of telephone calls; and/or
(f) Relationship information that helps us to understand more about how to communicate with donors and supporters.
Where we collect personal data from
4) This Policy applies when we collect individuals’ personal data from third parties or when we collect it directly from the relevant individual. We may collect personal data from sources including:
(a) Barts Health NHS Trust and/or other hospitals and/or NHS Trusts with which we may have a relationship from time to time;
(b) Our donors and supporters; and
(c) Social media sites such as Facebook, LinkedIn and other public internet sites.
How and why we use personal data
5) We use the personal data we collect for the purposes of:
(a) sending communications by various methods, such as mail, email, telephone and/or other channels;
(b) maintaining and building upon relationships with donors and supporters;
(c) event management, including inviting individuals to events and organising and managing those events; and
(d) maintaining our systems, including resolving any issues and/or complaints as soon as possible.
6) We justify our processing of personal data on the following legal bases:
(a) performing a legal obligation to which we are subject, such as keeping proper records and accounts; and/or
(b) pursuing our legitimate interests and those of third parties. A legitimate interest will apply only where we consider that it is not outweighed by an individual’s interests or rights which require protection of his or her personal data.
7) Our legitimate interests include:
(a) the improvement and management of relationships with our donors and supporters;
(b) administering our website, investigating any complaints and improving the performance and user experience of our website;
(c) obtaining professional (including legal) advice in connection with our charitable objectives and activities; and
(d) sending communications (including marketing or other communications), where this is necessary to promote our activities to donors and supporters.
If you require further information regarding our legitimate interests as applied to your personal data, please use the contact details set out at 1 above.
8) We will keep our donors and supporters up-to-date with details of our services by email / post, etc. using the personal data that individuals have supplied or which we have obtained about them. Individuals can opt out of receiving marketing as detailed below.
9) We will ensure that any third parties assisting us in pursuing our charitable objectives and activities, or with whom we have marketing agreements, are under contractual obligations to protect the confidentiality of personal data, and to use it only to provide the services we have asked them to perform.
Who we share personal data about individuals with
10) We will disclose personal data of individuals to:
(a) third parties who:
(i) provide technical services, such as suppliers of IT systems, and print services, which we use to process that personal data;
(ii) manage our physical premises;
(iii) service or maintain our supporter contact database;
(iv) support our website; and/or
(v) provide services to us, such as our professional advisers (e.g. auditors and lawyers);
(b) a party representing a donor or supporter (for example, in response to legal process);
(c) competent authorities such as tax authorities, courts, regulators and other government agencies, security or police authorities where required or requested by law or where we consider it necessary (to the extent permitted by law); and/or
(d) subject to applicable law, to appropriate third parties if we are merged, sold, or if there is a transfer of some or all of our assets (including in bankruptcy), or another corporate change, in connection with such a transaction or event.
Where we will hold personal data
11) We may transfer and maintain personal information of individuals covered by this Policy on servers or databases outside the European Economic Area (EEA). These countries may not have the equivalent level of data protection laws as in the United Kingdom. If we need to transfer personal data outside the EEA, we will take steps to make sure your personal data is protected and safeguarded once it leaves the EEA, in particular, the use of Model Clauses approved by the European Commission and permitted under Article 46 of the GDPR. If you would like to obtain the details of such safeguards, you can request these by using the contact details set out above.
How long we will store personal data for
12) We will retain personal data of individuals covered by this Policy for as long as required to perform the purposes for which the data was collected, depending on the legal basis on which that data was obtained and/or whether additional legal/regulatory obligations require us to retain the personal data. In general terms, this will mean that personal data will be kept for the duration of our relationship with the individual and as long as may be necessary for individuals to be able to bring a claim against us and for us to be able to defend ourselves against any legal claims. This will generally be the length of the relationship plus the length of any applicable statutory limitation period under applicable law.
13) In certain circumstances, personal data may need to be retained for longer, for example, where we are in ongoing correspondence or there is a continuing claim or investigation.
Your rights in relation to your personal data
14) You will have certain rights in relation to your personal data. Some of these rights will only apply in certain circumstances. If you would like to exercise, or discuss, any of these rights, please submit your request by email to the Privacy Officer at email@example.com and provide sufficient information to allow us to understand the scope of the request.
(a) Consent: if our processing is based on consent, you can withdraw your consent at any time by contacting the Privacy Officer.
(b) Access: you can ask us if we are processing your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you and certain other information about it.
(c) Correction: you can request that any incomplete or inaccurate personal data we hold about you is corrected.
(d) Erasure: you can ask us to delete or remove personal data in certain circumstances. In certain cases we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.
(e) Restriction: you can ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
(f) Transfer: you can request the transfer of your personal data to another third party in limited circumstances.
(g) Objection: where we are processing your personal data based on legitimate interests (or those of a third party) you may challenge this. However we may be entitled to continue processing personal data based on our compelling legitimate interests or where this is relevant to legal claims. You can also object if we are processing your personal data for direct marketing purposes.
(h) Automated decisions: you can contest any automated decision made about you where this has a legal or similarly significant effect and ask for it to be reconsidered.
(i) Supervisory Authority: you can lodge a complaint with a supervisory authority, in particular in the Member State in the European Union where you are habitually resident, where you work or where an alleged infringement of Data Protection Legislation has taken place.
Changes to this Policy
15) From time to time, we may change and/or update this Policy. If this Policy changes in any way, we will post an updated version on our website. If we change anything important about this policy (the personal data we collect, how we use it or why) we will highlight those changes at the top of the policy and provide a prominent link to it for a reasonable length of time before the change.
16) We recommend you regularly review our website to ensure that you are always aware of our data practices and any changes. Any changes to this Policy will go into effect on posting to this website.