DATA PRIVACY NOTICE
The Sisters of the Cross and Passion, The Briery, 38 Victoria Avenue, Ilkley, West Yorkshire, BD29 9BW
Tel: 01943 607287 Email: firstname.lastname@example.org
Date: October 2018
- Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
- Who are we?
The Briery, Ilkley, which is run by the Sisters of the Cross and Passion (registered charity number 1038483) is the data controller (contact details above). This means we decide how your personal data is processed and for what purposes.
How do we process your personal data?
We comply with our obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We will only use your personal data as the law permits. Most commonly, this will be for one or more of the following lawful reasons:
- Where we need to perform a contract or agreement with you (or steps are taken by us prior to, but with a view to, entering into a contract or agreement with you) (“Agreement”).
- Where we need to comply with a legal obligation to which we are subject (“Legal Obligation”).
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights are protected and do not override those interests (“Legitimate Interests”).
- Where we have obtained your freely given, specific, informed and unambiguous consent by way of a statement or clear affirmative action (“Consent”).
We may also use your personal data in the following situations, which are likely to be rare:
- Where we need to protect your vital interests (or someone else’s vital interests) (“Vital Interests”).
- Where it is needed in the public interest (“Public Interests”).
We use your personal data for the following purposes in relation to which we have identified that some, or all of the above, will apply (please see paragraph 4 below: What is the legal basis for processing your data?). If you ask, we will tell you which of the above lawful reasons we rely on specifically:-
- To administer bookings;
- To promote the interests of the charity by sending our programme brochure;
- To care for our retreatants – this may involve using dietary requirement information, or information about mobility issues, etc.
- To manage our employees and volunteers – this may involve using dietary requirement information, or information about mobility issues, etc;
- To maintain our own accounts and records (including the processing of Gift Aid applications);
- To inform you of news, events, courses and retreats running at the Briery, Ilkley; and
- To pay invoices or send invoices and administer payments.
- What is the legal basis for processing your personal data?
- So that we can administer bookings for our retreats and courses we rely on Agreement and Legitimate Interests (to provide our retreats, courses and associated charitable activities).
- So that we can send to you our programme brochure and keep you informed about news, events, courses and activities we rely on Legitimate Interests (to promote our charity). However, please note that under the Privacy and Electronic Communications Regulations (“PECR”) we are not permitted to send such information to you on an unsolicited basis by electronic communication (such as email) unless you have “opted-in” to receive such communications (in which case we rely on Consent) or unless, to avoid inconveniencing you, we are able to “soft opt-in” you to receive such communications where you have previously had involvement in similar of our activities (in which case we rely on Legitimate Interests (to promote our activities)). In any event, we must give you the ability to opt-out of receiving such information by way of electronic communication.
- So that we can care for retreatants we rely on Agreement, Legitimate Interests (to provide our care and associated charitable activities), Public Interests and, depending on the circumstances, Vital Interests.
- So that we can manage our employees and volunteers we rely on Agreement, Legal Obligations and Legitimate Interests (we need the help of our employees and volunteers so that we can deliver our charitable activities).
- So that we can maintain our own accounts and records (including the processing of Gift Aid applications) we rely on Agreement, Legal Obligations and Legitimate Interests (so that we can respond to queries, requests and complaints).
- So that we can pay invoices or send invoices and administer payments we rely on Agreement, Legal Obligations and Legitimate Interests (to enable us to provide our charitable activities on a financially sound and prudent basis).
- Sensitive personal data
To the extent that we need to process your sensitive personal data (such as, and particularly information about your religious or philosophical beliefs or your mental or physical health), it is necessary for us to have your express consent, or another lawful reason, to be able to do so. Such other lawful reasons include:
- Processing is necessary for the purposes of carrying out obligations and exercising rights in the field of employment, social security or social protection law, or a collective agreement;
- Processing is necessary to protect your vital interests where you are physically or legally unable to give consent;
- Processing is carried out by us (a religious not-for-profit body) and the processing relates only to our members or former of our members (or those who have regular contact with us in connection with those purposes);
- Processing relates to personal data which has been made public;
- Processing is necessary for the establishment, exercise or defence of legal claims;
- Processing is necessary for reasons of substantial public interest;
- Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care or treatment of the management of health or social care systems and services.
Sharing your personal data
- Your personal data will be treated as strictly confidential and will not be shared with third parties unless we have your consent or another lawful reason.
- How long do we keep your personal data?
We keep data in accordance with our Retention Policy. (For further information about our Retention Policy please ask to see a copy).
- Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data which can be exercised in certain circumstances: –
- The right to request a copy of your personal data which we hold about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right to withdraw any consent you may have given to us, to enable us to undertake the processing at any time;
- The right to request that the data controller provide the data subject with his/her personal data (known as a subject access request) and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable).
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable); and
- The right to lodge a complaint with the Information Commissioners Office (www.ico.org.uk).
- Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
- Contact Details
To exercise all relevant rights, queries of complaints please in the first instance contact the Administrator, The Briery (address above).
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.