Privacy Notice – updated 28/11/2023
The Eddystone Trust is committed to protecting your privacy.
In accordance with the General Data Protection Regulation (GDPR), we have implemented this privacy notice to inform how we use and protect personal data that we process about you and tells you what to expect when Eddystone collects personal information. It applies to information we collect:
From people who contact us via our website, telephone, email or in person to enquire about our services, meet or receive support from us, provide feedback from our services, make a referral to us, donate to us or otherwise provide us with personal information
From third parties i.e. a referral from another organisation, or sign up through another website such as Eventbrite to attend our training
From people who sign up to our mailing lists
DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- processing is fair, lawful and transparent. We will ask you for your information and tell you what we are doing with it
- personal information is collected for specific, explicit, and legitimate purposes. Only information that we need will be collected
- we will ensure your personal information is kept accurate and up to date. Inaccurate or misleading data will be corrected as soon as possible
- personal information is not kept for longer than is necessary for its given purpose
- your personal information is processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical and organisation measures
- we will provide you with a copy of your personal information on request
- we comply with the relevant GDPR procedures for international transferring of personal data
You have the following rights in relation to the personal data we hold on you:
the right to be informed about the data we hold on you and what we do with it;
the right of access to the data we hold on you. We operate a separate Subject Access Request policy and all such requests will be dealt with accordingly;
the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
the right to restrict the processing of the data;
the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
the right to object to the inclusion of any information;
the right to regulate any automated decision-making and profiling of personal data.
In addition to the above rights, you also have the unrestricted right to withdraw consent, that you have previously provided, to our processing of your data at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
If you wish to exercise any of the rights explained above, please contact our appointed compliance officer listed at the end of this policy.
WHAT INFORMATION DO WE COLLECT?
We collect personal information from you when you enquire about our services or ask to engage with the work we do. This may include your name, address, post code and contact telephone and email details, date of birth and the nature of the enquiry. Normally the only information we hold comes directly from you. We will need to collect certain basic information dependant on the service you require however you do not have to provide us with any additional information unless you choose to. We may also collect sensitive information know as special category information such as sexual orientation, sex life, racial and ethnic data, health and medical information and generic and biometric data if this is required for the purpose you are involved with The Eddystone Trust and to review whether our services reach all sections of the community. We may also have a contractual obligation under any funding we receive to produce monitoring reports, but you will not be able to be identified by that information.
In some cases, we will collect data about you from third parties, such as a referral from partner agencies and health care professionals to enable us to provide the services that you have requested. We will always ensure that you have read a copy of the privacy statement that relates to the service you are receiving so that you understand what will happen to your personal and special category data.
You may access training and resources via our website and partner websites including Eventbrite or donate via a third- party website. We only use trusted partners who are GDPR compliant in their storing and processing of information.
HOW WE USE THE INFORMATION
We will use and store the information collected to provide a range of services and for monitoring and evaluation to enable us to continually review the services we offer. For people who have contacted us directly for any of our services or been referred to us by another organisation we only use the information provided for the purpose of the service that is relevant.
We will not share your personal information with other parties without your consent, however we may have a legal responsibility to share information if required to do so by law or to protect or defend or prevent or investigate possible wrongdoing in connection with our services. We will ask for your consent to share information outside of the organisation e.g. when you ask us to work with another organisation on your behalf. Some of the services we offer are funded or commissioned therefore we process your personal data on behalf of that organisation, for example a local council may pay us to provide support services for you. This means that should the contract end we are required to pass your information back to the funding organisation or to the new provider of the service that you are receiving. We also offer services that we directly fund so for those services we are controllers of your personal data and will process it in line with DGPR regulations. You will be informed at the point of access to a service which category the services comes under.
Because you may receive multiple services from us we rely on more than one lawful basis to process your personal data. These include;
Legal Obligation – this is used when the service is funded or commissioned by another organisation or local authority.
Legitimate Interests – this is used when the service is funded by Eddystone.
Consent – this is used when we wish to keep you updated via our newsletter or for marketing.
Please refer to our separate GDPR Data Policy HR
For JOB AND VOLUNTEER APPLICANTS
Please refer to our separate Privacy Notices for Job and Volunteer Applicants
YOUR CHOICES ON RECEIVING INFORMATION
If we have received consent from you to be added to our mailing list we will process your personal information to inform you of events, fundraising and campaign services. You can choose if you wish to be contacted by us for marketing purposes and you are able to decide which services you would like to be contacted for. You can change your mind at any time and change your subscription choices by contacting the relevant service.
ACCESS RIGHTS AND REQUESTS
You have the right to see what personal information we hold. (apart from a very few things which we may be obliged to withhold because they concern other people as well as you). Although a request may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. Usually, we will comply with your request without delay and at the latest within one month.
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner.
LAWFUL BASIS FOR PROCESSING INFORMATION
The law on data protection allows us to process your data for certain reasons only.
The information below categorises the types of data processing we undertake and the lawful basis we rely on.
PROTECTING YOUR DATA
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our staff in handling the information securely. We operate an electronic system where possible to minimise the risk of personal data being left unattended and operate duo security login systems. Any paper-based systems are held securely in lockable filing cabinets.
AUTOMATED DECISION MAKING
Automated decision-making means making decisions about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you
DELETING PERSONAL DATA
We only keep personal data for the time necessary to carry out the relevant service unless you have consented for us to use or store the information for future use, i.e. an unsuccessful job applicant may consent for us to keep their details for a specific time in case of a future vacancy. Please see our Data Retention Policy for further details.
When we no longer require your personal information, we will delete or securely destroy your personal information by putting it “beyond use” as defined by Data Protection Information Commissioner’s Office guidelines. We may keep other information that doesn’t identify you personally but that we may need for monitoring or contractual reasons.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookie may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information we store about you may be linked to the information stored in and obtained from cookies.
Please see section 11 on our Privacy Statement on our website to see the full list of cookies we use and what they are used for.
MAKING A COMPLAINT
If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
DATA PROTECTION COMPLIANCE
Our appointed compliance officer in respect of our data protection activities is:
The Eddystone Trust, Redlake Trading Estate, Bittaford Nr Ivybridge PL210EZ