1. What is your personal data and how does the law regulate our use of it?
“Personal data” is information relating to you as a living, identifiable individual. We refer to this as “your data”.
The UK-GDPR and the Data Protection Act 2018 (DPA 2018) require End Stigma Surrey, as data controller for your data, to:
- process your data in a lawful, fair and transparent way;
- only collect your data for explicit and legitimate purposes;
- only collect data that is relevant, and limited to the purpose(s) we have told you about;
- ensure that your data is accurate and up to date;
- ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
- ensure that appropriate security measures are used to protect your data.
2. Information about you
We may collect personal information from you when you:
- register as a Lived Experience Champion;
- request or share information through the Website;
- register for any of our mailing lists; and/or
- contact us through the Website, App, or any other channel.
This personal information may include but is not limited to the following information about you:
- your name (including your first name(s) and surname);
- your email address;
- your address;
- your phone number;
- your date of birth;
- other details about you that you or others provide to us.
3. How we use this information
(a) Your personal information will only be used by us to:
- respond to your questions or comments;
- provide or administer services, such as magazine delivery, e-newsletters, or training materials;
- display your comment on the website;
- provide you with information relating to End Stigma Surrey, or that we feel may be of interest to you;
- maintain our organisational records; or
- ensure you are on the correct and most age-appropriate mailing list(s) and that we have parental consent where required by law.
(b) When you subscribe to our e-newsletter we ask you for consent to store your information and to contact you. We will only send you our newsletter for as long as you continue to consent.
(c) If you do not want to receive information from us, contact us by email at firstname.lastname@example.org with the word “unsubscribe” in the subject field.
(d) End Stigma Surrey will not share your personal details with third parties, except where companies are providing services on our behalf, such as processing donations or orders. For example, when you make an online donation via JustGiving, you are going through to a partner company and the information you give, such as your credit card number and contact information, is provided so that the transaction can take place.
5. Your rights under Data Protection Law
You have the following rights under Data Protection Law:
- The right to access – You have the right to request us to give you copies of the personal information we have about you.
- The right to rectification – If the information we hold for you is incomplete or wrong, you have the right to request a correction.
- The right to erasure – Where we have no overruling legal basis or legitimate reason to carry on processing your personal information, you may ask that we delete your personal information.
- The right to restrict processing – You have the right to ask that we restrict the processing of your personal information, under certain conditions.
- The right to object to processing – You have the right to object to processing if we can process your information because the processing is part of our public tasks or is in our legitimate interests.
- The right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at: email@example.com
Further guidance on your rights is available from the Information Commissioner’s Office.
6. The lawful basis on which we process your data
The UK-GDPR and DPA 2018 require that we provide you with information about the lawful basis on which we process your personal data, and for what purpose(s).
The lawful basis for processing your personal data is contained within Article 6 of the UK-GDPR which states:
Processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
7. Sharing your data
We do not, and will not, sell your data to third parties. We will only share it with third parties if we are allowed or required to do so by law.
Examples of bodies to whom we are required by law to disclose certain data include, but are not limited to:
- UK agencies with duties relating to the prevention and detection of crime, apprehension and prosecution of offenders, safeguarding, or national security.
We may share data with government departments, crime prevention and law enforcement agencies when required or considered appropriate in the circumstances and with the proper consideration of your rights and freedoms (in cases where the law places a duty on us to report).
Where personal information is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose.
8. Data retention
We retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, accounting, regulatory, disciplinary or reporting requirements.
We adopt data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored with respect to our Site. Data that we have collected is held on protected devices, including where it is held as part of a back-up version. We use layered security software to prevent unauthorised access, alteration, disclosure or destruction of the data. Our security system is subject to regular audit and testing.