From 25th May 2018, the processing of personal data is governed by the General Data Protection Regulation (the “GDPR”), which has changed the previous laws applicable to the protection of data.
1. What is personal data?
Personal data is data that relates to a living individual which identifies that individual, either directly or indirectly (eg name, address, date of birth, email address, telephone numbers, bank account details, photographs etc).
2. Who is the ‘controller’ of personal data?
CityLife Community Projects is the controller of your personal data which means we are responsible for how it is used and for what purposes.
CityLife Community Projects is a charitable company limited by guarantee and registered in England and Wales; Company No. 05881513 and Charity No. 1117112; registered office: The Pavilion, 143-145 Oxford Road, Reading, RG1 7UY.
For details of our legal obligations, go to section 14.
3. How do we collect your personal data?
- We use different methods to collect data from and about you including when you give us your personal data by filling in forms (either in hard copy or via our website) and/or by corresponding with us for example by email, phone or post.
4. What will we use your personal data for?
- We will only use your personal data when the law allows us to.
- We may use your personal data for when we consider this to be in our ‘legitimate interests’. This is the legal basis for us processing your personal data under the GDPR without us needing to obtain your consent.
- Our ‘legitimate interests’ are to facilitate the day-to-day administration and management of CLCP including the following:
- administration, acknowledgement and processing of donations;
- informing beneficiaries under our various projects of donations made to them or the project they are involved in;
- maintenance of our accounts and records (including the processing of gift aid applications and for audit and tax purposes); and
- administering and protecting our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
- We may also use your personal data where you have given your express consent (for example, by actively consenting to receive updates about one or more of our projects).
5. How will we treat your personal data?
- Except where permitted by law (for example where we are legally compelled to do so), we will treat all your personal data as private and confidential and will not disclose or share any of your personal data to or with anyone except as set out in this section or with your consent.
- We will not disclose any personal data about you to anyone other than those involved in the administration and management of CLCP which may include CLCP’s Directors and volunteers (or as required by law).
- We will ensure that anyone who has access to your personal data is trained in data protection and will only use your personal data in accordance with their duties as part of their role within CLCP.
- We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
- Any personal data supplied in paper form will be kept in a securely locked cabinet or cupboard in our office to which only CLCP’s Directors and volunteers will have access (on a ‘need to know’ basis).
- Any personal data which we store on our computers will be in password protected documents where the password will only be known by the CLCP’s Directors and those specifically authorised by the CLCP’s Directors.
- We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner’s Office of a breach where we are legally required to do so.
- We will not transfer your personal data outside the European Economic Area (EEA) without your consent.
6. How long do we keep your personal data?
- Where you have given consent for example, to use your email address so you can receive an update about one of our projects, we will endeavour to refresh your consent at appropriate intervals.
- Specifically, we retain gift aid declarations and associated paperwork for up to 7 years after the calendar year to which they relate.
- Otherwise, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting or reporting requirements.
7. New purposes
8. Changes to your personal data
It is important that the personal data we hold about you is accurate and current. Please tell us if any of your personal data changes so that it can be amended.
9. Your legal rights
- Under certain circumstances, you have rights under data protection laws in relation to your personal data:
- to request access to your personal data;
- to request correction of your personal data;
- to request deletion of your personal data;
- to request transfer of your personal data;
- to request restriction of processing your personal data;
- to object to processing of your personal data;
- a right to withdraw your consent;
- a right to lodge a complaint with the Information Commissioner’s Office.
- Please go to section 13 to find out more about these rights.
10. Rights to access your personal data
- You can ask for one copy of the personal data we hold about you free of charge. (If you ask for more than one copy, we are entitled to charge a fee based on the administrative cost of providing the information and also for certain other reasons.)
- If you wish to exercise this right, you can do this verbally but we would prefer it if you make the request in writing by sending us an email or a letter – see the Contact details below. A standard template for this should be available on the Information Commissioner’s Office (“ICO”) website at https://ico.org.uk/.
- We will provide the information requested without delay and at least within 1 month of receipt of your request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
11. Contact details
- To exercise a legal right, raise a query or make a complaint in relation to the use by us of your personal data, please email firstname.lastname@example.org (reference: Data Protection Issue) or send a letter to Data Protection Administrator, CityLife Community Projects, The Pavilion, 143-145 Oxford Road, Reading, RG1 7UY.
- Although you have the right to make a complaint at any time to the Information Commissioner’s Office, we would appreciate the chance to deal with your concerns before you approach them, so please contact us in the first instance.
12. Third-party links
- This website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy policies.
- When you leave our website, we encourage you to read the privacy notice of every website you visit.
13. Your legal rights
- You have the following rights with respect to the personal data which the Church holds about you:
- the right to access or request a copy of your personal data (also known as a Subject Access Request);
- the right to request that CLCP corrects any of your personal data if it is found to be inaccurate or out of date;
- the right to request your personal data is deleted where it is no longer necessary for CLCP to retain such data;
- the right to request that CLCP provides you or a third party with your personal data;
- the right, for example where there is a dispute in relation to the accuracy or use of your personal data, to request a restriction is placed on any further processing of your personal data by CLCP;
- the right to object to the processing of your personal data, where CLCP is relying on the ground of a legitimate interest where you feel processing on this ground impacts on your fundamental rights and freedoms;
- the right to withdraw your consent to the processing of your personal data at any time;
- the right to lodge a complaint about how we have handled your personal data with the Information Commissioner’s Office, the UK supervisory authority for data protection issues, (ico.org.uk).
- For further details on exercising these rights, go to section 11.
14. What are our legal obligations?
We will comply with our obligations under the GDPR including by processing personal data fairly and lawfully; by obtaining it for a specified and lawful purpose; by keeping it up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.