Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (the “UK GDPR”). These in turn are based on the European Union General Data Protection Regulation (EU) 2016/679.
Who are we?
Fellowship Afloat Charitable Trust, hereafter FACT is the data controller. This means we decide how your personal data is processed and for what purposes. Within the context of this policy, ‘we’, ‘us’, ‘our’ or, ‘the charity’ refers to FACT. We can be contacted at FACT, The Sail Lofts, Woodrolfe Road, Tollesbury, Essex CM9 8SE // email@example.com //01621 868 113 - Charity No. 1059143
How do we process your personal data?
FACT complies with its obligations under the UK GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data, which you or your guardian have provided to us, for the following purposes where applicable: -
- to administer bookings and facilitate visits to us;
- to provide services requested from us;
- to manage our employees and volunteers;
- to fundraise and promote the interests of the charity;
- to maintain our own accounts and records;
- our processing also includes the use of CCTV systems for the prevention of crime;
- to operate our website (www.fact.org.uk) and deliver the services that individuals have requested;
- to inform individuals of news, events, activities or services available at FACT;
- to process gift aid applications.
We may obtain personal information about you from others and use it for the following purposes: -
- to provide bookings, facilities or services requested on your behalf;
- you are a minor and your parent or legal guardian provides us with information about you on your behalf;
- to take up references for you or seek verification of any of your qualifications from any referee you may have put forward;
- to undertake pre-employment/pre-volunteering checks involving any criminal records searches, which are conducted on our behalf by a registered ‘Disclosure & Barring Service’ umbrella body.
We may collate or acquire personal information in the course of your interaction with us, including: -
- history of your bookings with us
- history of your volunteering with us
- history of your donations to us
- history of your correspondence with us
- history of your employment including sick leave, annual leave and performance details, specifics of your contract etc with us
- qualifications etc gained with us
What is the legal basis for processing your personal data?
The legal basis for processing your information will vary according to what data you have provided to us and for what purpose. We will only use your information to fulfil the relationship we hold with you and not for any other purpose. At the point of collection, we will explain why we are collecting the information and how it will be used.
The following are the various legal bases under which we may process your personal data, in accordance with Article 6 of the UK GDPR: -
- Consent of the data subject so that we can keep you informed about news, events, activities, services and opportunities (this does not apply to our annual postal mailing - see legitimate interests below) and, to process your gift aid donations;
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract, e.g. booking a course, employment etc;
- Processing is necessary for compliance with a legal obligation such as providing information to HMRC;
- Processing is necessary to protect the vital interests of a data subject or another person, e.g. ensuring health and dietary needs are met when visiting the centre;
- Processing is necessary to protect the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject, e.g. the promotion of the charity (especially but not exclusively, with regards to our annual postal mailing) or, the maintenance of the charity’s ethos.
The following are the legal bases under which we may process your special category personal data (i.e. sensitive personal data) in accordance with Article 9 of the UK GDPR: -
- Explicit consent of the data subject e.g. to process medical information to ensure safety;
- Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement, e.g. pre-employment criminal records checks
- Processing is carried out by FACT, as a faith based charitable body in relation only to volunteers, trustees or employees (current, former or prospective); and there is no disclosure to a third party without consent. e.g. for the maintenance of the charity’s religious ethos.
How we protect your personal data
We will not transfer your personal data outside the UK unless either: you have given us your explicit informed consent or, it is to a third country, territory or international organisation that has been assessed by the Secretary of State as meeting adequacy regulations, ensuring an adequate level of protection and in the case of the U.S., they are certified with the EU-U.S. Privacy Shield. i.e. they themselves comply with the UK GDPR.
We have implemented generally accepted standards of technology and operational security in order to protect personal data from loss, misuse, or unauthorised alteration or destruction. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Sharing your personal data
We will never sell your personal data. We will not share your personal data with any third parties without your prior consent (which you are free to withhold) except where required to do so by law or as set out below.
We may share your information with third parties who are service providers, agents and subcontractors to us for the purposes of completing tasks, fulfilling the contract between us and providing services to you on our behalf (e.g. to print newsletters, send mailings, administer payroll & pensions). However, we disclose only the personal data that is necessary for the third party to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own purposes.
How long do we keep your personal data?
We will hold your personal data on our systems for as long as required to fulfil any contracts we have with you, and for as long afterwards as is necessary to comply with our legal obligations. We will review your personal data every year to establish whether we are still entitled to process it. If we decide that we are not entitled to do so, we will stop processing your personal data except that we will retain your personal data in an archived form in order to be able to comply with future legal obligations, e.g. compliance with tax requirements and exemptions, and the establishment exercise or defence of legal claims.
We securely destroy all financial information once we have used it and no longer need it.
Your rights and your personal data
Unless subject to an exemption under the UK GDPR, you have the following rights with respect to your personal data:-
- The right to request a copy of your personal data which FACT holds about you;
- The right to request that FACT corrects any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for FACT to retain such data;
- The right to withdraw your consent to the processing at any time;
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability) where applicable.
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data (where applicable);
- The right to lodge a complaint with the Information Commissioner’s Office.
To exercise all relevant rights, queries or complaints, please in the first instance contact the Data Protection Officer in writing at firstname.lastname@example.org or at our postal address: FACT, The Sail Lofts, Woodrolfe Road, Tollesbury, Essex CM9 8SE. We may make a small charge for this service. We will typically respond within one month of receiving your correspondence but, in all instances in line with the GDPR and the guidance of the Information Commissioner’s Office.
You can contact the Information Commissioner’s Office at https://ico.org.uk/concerns or on 0303 123 113 or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.