Do We Share Your Information?
We do not share your information with any third parties other than:
- specific organisations who provide us with grants and who require us to submit certain information about the young people who have benefited from their grant
- software providers whose systems we use but who are subject to contractual obligations related to data protection
- tax, legal or accounting professional advisers
- our Website and Software developers.
- email marketing suppliers such as Mailchimp
- we will also comply with requests where disclosure is required by law, for example, we may disclose your personal information to the government for tax investigation purposes, or to law enforcement agencies for the prevention and detection of crime. We may also share your information with the emergency services if we reasonably think there is a risk of serious harm or abuse to you or someone else.
Keeping Your Information Safe
We’ve implemented appropriate physical, technical and employee measures to help us protect the personal information we have, both on and off-line, from improper access, use, alteration, destruction and loss.
How Long Do We Keep Your Information?
We only keep your information if it’s reasonable and necessary for either organisational or legal purposes. For details, see above.
You have the:
- Right of access to personal data – You have a right to request a copy of the personal data we hold about you.
- Right to rectification – If you believe the personal data we hold about you is incorrect, you can contact us to request for any incomplete or inaccurate data that we hold about you to be corrected. However, we may need to verify the accuracy of the new information you provide to us.
- Right to erasure – You have the right to request the deletion or removal of personal data we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to us holding your information, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with law. Although we will consider every request for erasure on its merits, we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at that time of your request.
- Right to object to processing – You have a right to object to the processing of your personal data where we are using it for the purpose of our legitimate interests. If we agree that your objection is justified, we will stop using your information for those purposes. Alternatively, we will explain why we still need to use your information.
- Right to restrict processing of your personal data – You have a right to request us to suspend the processing of your personal data in the following situations:
– for the period it takes us to rectify any inaccurate data about you;
– where our use of the data is unlawful but you do not want us to erase it;
– where you want to prevent us from deleting your data at the end of the retention period in the event that – you need it to establish, exercise or defend a legal claim;
– where you have objected to our use of your data, but we need to verify whether we (or a third party) have overriding legitimate grounds to use it.
- Right to request the transfer of your personal data to you or to a third party – You have the right to ask us to transfer certain information we hold about you to a third party you have chosen, or directly to you. Where your request is valid, we will provide you with your personal data in a structured, commonly used, machine-readable format.
Just contact us using the contact details provided at the top of this notice.
- Finally, you have a right to complain to the relevant data protection authority. In the UK this is the Information Commissioner’s Office. You can contact them:
by Telephone: 0303 123 1113 or 01625 545 745
or in writing to: Information Commissioner’s Office (ICO)
or via their website: https://ico.org.uk/
Sharing Information Outside the UK
We will transfer your information outside the UK as some of our servers are held within the EU. Our database is hosted in the Republic of Ireland by a subsidiary of Apple Inc.
We will only share personal data with others outside the UK when we are legally permitted to do so, namely where:
- If the UK government has decided that the relevant country has adequate protective rules in relation to data protection in place (an “adequacy decision”);
- If we have entered into the relevant “standard contractual clauses” with the recipient of your personal data (these are a set of obligations about how your data is protected and used); or
- If we can rely on another basis under the law such as having to share the personal data because this is necessary for the purpose of a court case, investigation or to protect our legal rights.
Third Party Access to Data
Under no circumstance will the Charity share with, sell or otherwise make available to Third Parties any personal data except where it is necessary and unavoidable to do so in pursuit of its charitable objects as authorised by the Data Controller.
Whenever possible, data subjects will be informed in advance of the necessity to share their personal data with a Third Party in pursuit of the Charity’s objects.
Before sharing personal data with a Third Party the Charity will take all reasonable steps to verify that the Third Party is, itself, compliant with the provisions of the GDPR and confirmed in a written contract. The contract will specify that:
- The Charity is the owner of the data;
- The Third Party will hold and process all data shared with it exclusively as specified by the instructions of the Data Controller;
- The Third Party will not use the data for its own purposes;
- The Third Party will adopt prevailing industry standard best practice to ensure that the data are held securely and protected from theft, corruption or loss;
- The Third Party will be responsible for the consequences of any theft, breach, corruption or loss of the Charity’s data (including any fines or other penalties imposed by the Information Commissioner’s Office) unless such theft, breach, corruption or loss was a direct and unavoidable consequence of the Third Party complying with the data processing instructions of the Data Controller
- The Third Party will not share the data, or the results of any analysis or other processing of the data with any other party without the explicit written permission of the Data Controller;
- The Third Party will securely delete all data that it holds on behalf of the Charity once the purpose of processing the data has been accomplished.
- The Charity does not, and will not, transfer personal data out of the EU.
In the event of any data breach coming to the attention of the Data Controller the Trustees will immediately notify the Information Commission’s Office.
In the event that full details of the nature and consequences of the data breach are not immediately accessible (eg: because Data Processors do not work on every normal weekday) the Trustees will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available.
Notification Of changes To This Privacy Notice
This Privacy Notice may change from time-to-time. For example, we will continue to update it to reflect new legal requirements. This version was last updated on 27/02/2021.