It is important to us that you understand and are happy with how we use your information.
Please take time to read this policy in full.
Data Subjects
This Privacy Policy applies to all trustees, volunteers, and staff of Spiral.
Purpose of the processing and the lawful basis for the processing
The charity will only hold and process personal data on bases which are lawful.
The same personal data may be held and processed for different purposes and, therefore, under different lawful bases, as identified on the form used to collect the data from the subject.
The lawful bases and purposes under which personal data may be processed by the charity are as follows.
Legal Obligation {LO}
Spiral holds and processes the personal data, identified as LO, to enable the charity to comply with relevant legislation regarding the identity of persons who have a significant role in the governance of the charity.
Data held under legal obligation will only be processed for the relevant purposes as is required by law and will only be shared with other organisations (eg: Charity Commission; HM Revenue & Customs) as is allowed by law and which are compliant with the General Data Protection Regulation. This will include the sharing of personal data which are, by law, destined for the public domain (eg: the names of trustees to be held and displayed in the Charity Commission’s public Register of Charities).
Legitimate Interest {LI}
Spiral legitimately needs to hold the personal data, identified as LI, about its trustees for the purpose of administering the charity efficiently, effectively and economically in pursuit of its charitable purposes.
This will include, but is not limited to, the communication of information relevant to the governance and administration of the charity to and between trustees, and the sharing of knowledge and expertise between trustees specifically to further the legitimate interests of the Board of Trustees for the benefit of the charity.
Subject Consent {SC}
In your wider role as a member/supporter of Spiral we may, subject to your consent, use your personal data to keep you informed of the wider activities of Spiral, particularly those in which you have special experience and/or expertise or in which you have expressed a particular interest. This will include providing you with information relating to any fundraising activities which the charity undertakes.
Spiral will not share your personal data with any other individual, group or organisation for any purpose other than those which are directly related to the activities and charitable purposes of the charity.
The right to withdraw consent at any time
You have the right to withdraw your consent for the charity’s use of your personal data which are provided by you with your consent for use by the charity for promoting its general activities and purposes.
You do not have the right to withdraw your consent for the charity’s use of your personal data when the lawful basis for the charity holding and processing the data is either “Legal Obligation” or “Legitimate Interest”.
The right to require the erasure of your data (right to be forgotten)
You have the right to require the charity to erase any or all of your personal data which are held by the charity for processing on the lawful basis of Legitimate Interest or Subject Consent.
You do not have the right to require the charity to erase any of your personal data held by the charity when the charity’s lawful basis for holding and processing the data is “Legal Obligation”.
The right to restrict processing
You have the right to require the charity to stop processing your data if you reasonably believe that there are significant inaccuracies in the data that we hold or that the way in which we process your data produces inaccurate results.
The right to portability
You have the right to require the charity to provide you with a printed or computer-readable copy (ie: in a standard format which will allow the data to be transferred to another computer) of your personal data that it holds for processing on the basis of Legitimate Interest.
You do not have the right to require the charity to provide you with portable copies of data which it holds for the lawful purposes of Legal Obligation or Subject Consent.
The legitimate interests of the controller or third party, where applicable
Legitimate interests of the controller
The legitimate interests of the Controller (on behalf of the trustees of the charity) are:
- To ensure that the human resources available to the charity – both volunteers (including trustees) and employees – are used effectively, efficiently and economically to pursue the purposes of the charity for the public benefit;
- To promote and facilitate communication, cooperation and the sharing of experience and expertise between trustees, other volunteers, employees, beneficiaries and donors.
Legitimate interest of third parties
The legitimate interests of third parties are to ensure that the interests and well-being of the data subject are properly met when the charity’s activities are carried out by the third party (eg: providing transport to/from events, providing food and accommodation).
Any recipient or categories of recipients of the personal data
We may share your personal data:
- with the Charity Commission, HM Revenue & Customs, the Police, local authorities, the Courts and any other central or local government bodies where they request it and we may lawfully disclose it, for example for the prevention and detection of crime.
- with Spiral’s professional advisors (eg: our lawyers, accountants) when they need it to provide appropriate advice on the charity’s activities. We will seek your permission before sharing your personal data in this way.
- where we are legally obliged to do so, eg: to comply with a court order.
- with other people who make a reasonable subject access request to us, provided that we are allowed to do so by law.
Retention period or criteria used to determine the retention period
Your personal data processed on the basis of Legal Obligation and shared with HM Revenue & Customs are retained for the prevailing statutory period (currently 6 years).
Your personal data processed on the basis of Legal Obligation and shared with the Charity Commission are retained for 5 years after you cease (insurance guidelines).
Your personal data processed on the basis of Legitimate Interest are retained for 2 years after you cease.
Your personal data processed on the basis of Subject Consent are retained for 1 year after you cease.
Details of transfers to third country and safeguards
The Charity does not transfer any personal data to third countries.
The existence of each of the data subject’s rights
Other than the right to withdraw consent and the right to erasure you have all the data subject rights, as prescribed by the General Data Protection Regulation, namely the rights:
- to be informed about the way your personal data are held by the Charity; the purpose(s) for which they are held; the manner in which they are processed; the recipients (if any) of the data;
- to be given access to your personal data;
- to rectification – the correction of any error in the data and/or the completion of any incomplete data;
- to restrict processing – while you have legitimate justifiable concerns about the accuracy, validity or legality of data held by the Charity or the way in which the data are being processed. Data processing may be resumed once either the cause(s) of the concern has(have) been rectified or your concerns are demonstrated to be unjustified;
- to object to processing – while you have reasonable grounds relating to their impact on your particular circumstances and where the legal basis of the processing is Public Task or Legitimate Interest. However, the processing of your data can be resumed if Spiral can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
The source the personal data originates from and whether it came from publicly accessible sources
Your personal data are not obtained from anyone other than yourself.
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
The provision of your personal data for this is a statutory requirement under UK taxation and charity legislation.
Failure to provide the data, or the provision of data which are inaccurate or late, render both you and the Charity liable to significant penalties or legal action.
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
Spiral does not use any automated decision-making software in the processing of your personal data. Nor will the charity make your personal data available to any other organisation for such purposes.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for the UK, if you are dissatisfied with the way that the Charity is collecting, holding, processing and using your personal data and you feel that your reasonable attempts to raise the issues and get them addressed have failed.
Is your information secure?
We take the security of your information very seriously.
We comply with the relevant prevailing legislation which requires us to have in place appropriate security measures at all times, including where we share your information with others.
What additional information do we collect and when?
In addition to the statutory information that we collect, hold and process for the purpose of managing the charity’s legal obligations and legitimate interests and affairs we also collect and hold:
- All information you choose to submit to us when you communicate to us by post, e-mail, messaging, or other form of image-based (eg: photographs), sound-based (eg: sound files) or text-based communication, whether physical (eg: ink & paper) or electronic.
- Copies of any notes that we take, whether physical (eg: ink & paper) or electronic, during verbal communications between us (eg: telephone; Skype®; Hangouts®).
- Information on what we communicate to you by post, e-mail, messaging, or other form of image-based or text-based communication whether physical (eg: ink & paper) or electronic, including information in all ancillary materials (eg: attachments, images, brochures).
Updates to this policy
We will need to update this policy from time to time as our services change.
We will endeavour to tell you in advance by sending a service message to you if we hold your email address. Otherwise, please check the Small Charity Support website for notifications of significant changes to this policy.
If you do not notify us that you wish the information that we hold on you to be deleted (ie: to have no further contact with us) we will take it that you accept the changes.