Effective 23rd May 2018
AtaLoss.org Privacy Notice
AtaLoss.org ("We") is committed to protecting and respecting your privacy.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller - A controller determines the purposes and means of processing personal data.
Data processor - A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person, a living individual
Categories of data: Personal data and special categories of personal data
Personal data - The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data - The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, and political opinions, religious or philosophical beliefs.
Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Who are we?
AtaLoss.org is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: AtaLoss.org, 112 Salcott Road, London SW11 6DG. For all data matters contact our data protection officer on firstname.lastname@example.org .
- The purpose(s) of processing your personal data
We use your personal data for the following purposes:
- To keep you informed about the work of our charity
- To enable you to benefit from the services and activities we provide
- If you are a donor, to tell you how your funds have been spent and about further projects that you may wish to support or benefit from
- If you work for another charity or business, to tell you about opportunities that you may wish to work with us on or benefit from
- If you are working with us, we keep your data to enable us to provide proper employee support, whether you are a paid or an unpaid AtaLoss.org team member.
4. The categories of personal data concerned
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
- Personal data
- place of work;
- telephone number;
- a description (particularly relating to a specific project/area of interest);
- job title and sphere of responsibility;
- cultural, or social identity of that person;
- one or more factors specific to the physical, physiological, genetic, mental, economic (including: bank details) of an individual;
- online identifiers (IP address, email address).
- Special categories of data
Information about the religious beliefs, ethnicity, marital status, sexual orientation, disability status and gender of paid and unpaid staff is kept in the interests of equal opportunities monitoring.
5. What is our legal basis for processing your personal data?
- Personal data (article 6 of GDPR)
Our lawful basis for processing your general personal data:
x☐ Consent of the data subject;
Individual has provided their personal data to AtaLoss.org as an ‘employee or volunteer, as a donor or because they are interested in or wish to benefit from the organisation.
x☐ Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract
Employment, volunteer or provision of a service under a contract.
x☐ Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
To develop the charity and increase the opportunities for raising its profile to benefit bereaved individuals
x☐ Processing necessary for the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject
We need to process your data to help further the legitimate interest of the charity. We have carefully considered the options and we have chosen the least intrusive way of processing your data and deliver services to our beneficiaries.
Our lawful basis for processing your special categories of data:
x☐ Explicit consent of the data subject
Supporters and donors have provided their details and asked to be kept informed
x☐ Processing necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
We hold and process data about our paid and unpaid staff
x☐ Processing necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
Equal opportunities monitoring is collected anonymously to provide evidence that we are an equal opportunities employer.
6. Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only with authorised staff within the charity.
We are required by law to report any security breaches involving personal data to the ICO and we will keep a record of those breaches.
8. How long do we keep your personal data?
Except where we are required to keep data records by law, we will keep your personal data for no longer than reasonably necessary and will annually review the data held and determine whether it should be retained or destroyed. Data subjects may request the removal or correction of their personal data at any time.
9. Providing us with your personal data
You are under no statutory or contractual requirement or obligation to provide us with your personal data. Failure to do so will mean we will be unable to communicate with you and keep you informed about the charity and its services.
If you are an employee (paid or unpaid) we require your personal data as it is a statutory requirement to enter into a contract. All the information you provide during the recruitment process will only be used for progressing your application, or to fulfil legal or regulatory requirements, and will not be shared with any third parties for marketing purposes or stored outside of the European Economic Area. The information you provide, whether electronic or physical, will be held securely by us. We will only use the provided contact details to progress your application. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than necessary. The information we ask for is used to assess your suitability for employment. You do not have to supply it, but it might affect your application if you do not. Other information may be requested to enable us to monitor equal opportunities. You are not obliged to provide this information and withholding it will not affect your application. If you accept a final offer from us, some of your personnel records will be held on our internal HR records system.
10. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of the personal data which we hold about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary to retain such data;
- The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data;
- The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data where applicable, (i.e. where processing is based on legitimate interests, or the performance of a task in the public interest/exercise of official authority or direct marketing and processing for the purposes of scientific/historical research and statistics).
Under the GDPR, we are required to verify the identity of anyone requesting copies or changes to personal data. Once this is established we will provide the data requested within the timeframes stipulated under the regulations.
11. Transfer of Data Abroad
Whenever we transfer your personal data out of the EEA, we will comply with applicable data protection law. Some of the mechanisms we may choose to use when undertaking an international transfer are:
- The transfer of your personal data is to a country that has officially been deemed to provide an adequate level of protection for personal data by the European Commission.
- We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe (called the “EU Model Clauses”).
Where we use providers based in the US eg. PayPal or Mailchimp, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. If the provider is not EU-US Privacy Shield certified, we may use the EU Model Clauses.
12. Automated Decision Making
We do not use any form of automated decision making in our charity.
13. Further processing
15. How to make a complaint
To exercise all relevant rights, queries or complaints please in the first instance contact our data protection officer on email@example.com
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.
Approved by the Board of AtaLoss.org: 23rd May 2018
Date of annual review: May 2019