GDPR: DATA PRIVACY NOTICE & POLICY
Dated: 25.5.18
Introduction
The Kurt and Magda Stern Foundation (KMSF) takes privacy very seriously, and we are committed to protecting your privacy. We hold honesty and transparency amongst our core values, and we are committed to being transparent about how we collect and use personal data to meet our obligations under the General Data Protection Regulation (GDPR). This policy sets out the basis on which any data we collect from you, or that you provide to us, will be processed by us.
The basic principles guiding our collection and processing of data are as follows:
- We will only ever collect data for the purposes we really need it.
- We will collect and use personal data transparently, honestly and fairly.
- We will respect your choices around the data we hold about you.
- We will use appropriate security measures to protect personal data.
- We will never share personal data externally without explicit consent.
- We will never sell your personal data.
Definitions
Data Controller – determines the purposes and means of processing personal data.
Data Processor – is responsible for processing personal data on behalf of the controller.
Personal data – any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (as explained in Article 6 of GDPR). Examples include name, home address or private email address. Online identifiers would include IP addresses and cookies.
Special categories of personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
What personal data might we collect?
KMSF may collect and process the following information:
- Personal and contact details, such as names, addresses, telephone numbers, email addresses.
- Bank account details you provide to us.
- Information gathered from business and social media sources within the public domain.
Do we automatically collect any data from visitors to our website?
- KMSF does not use cookies on its website, nor do we hold visitor data or track user interaction.
Do we collect and process any “special categories” sensitive personal information?
- KMSF does not collect sensitive personal data.
Why do we collect and process your personal information?
KMSF collects and processes personal information for reasons that include:
- Communicating for charitable purposes.
- Keeping a record of your relationship with us.
- Administration and monitoring of our funding.
- Development of our funding initiatives.
We will only collect and process personal information when:
- it is necessary for our legitimate interests in connection with carrying out our charitable business, as long as, in each case, these interests are in line with applicable law and your legal rights; and/or
- where you have provided explicit consent; and/or
- where this is necessary for legal obligations which apply to us.
How long do we store personal information for?
It is our policy to retain your personal information for the length of time required for the specific purpose or purposes for which it was collected, which are set out in this Privacy Policy. However, on occasion we may be obliged to store some data for a longer time, for example, where a longer time period is required by applicable laws. In this case, we will ensure that your personal data will continue to be treated in accordance with this Privacy Policy.
Who has access to your data?
The designated Data Processor and Controller is the Chair of the Trustees (who can be contacted at our registered address).
Your information may be shared internally between KMSF trustees, and their associates as stated below.
We may occasionally have to share your data with third parties such as professional advisers. An up to date list of all our professional advisers can be found online at the Charity Commission and Companies House, within our latest Annual Report and Accounts. We may also share your information with authorities such as HMRC, or with third parties where required by law, where it is necessary to administer our relationship with you, or where we have another legitimate interest.
We require third parties to respect the security of your data and treat it in accordance with the law.
Occasionally we may share information about your funding with another funder if your programme or project is also being supported by that other funder, or another potential funder.
If KMSF wish to use your personal data for a new purpose, not covered by this Privacy Policy, then KMSF will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
How do we keep your data safe?
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. Data is stored on password or PIN protected devices. We limit access to your personal information to those who have a permitted cause to need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
What are your rights?
Under the General Data Protection Regulation you have a number of important rights:
- Where data processing is based on consent, you may revoke this consent at any time by contacting us at our registered office (Third Floor, 95 The Promenade, Cheltenham, Gloucestershire GL50 1HH), or by email at kmsternfoundation@btinternet.com.
- You also have the right to ask for rectification and/or deletion of your information.
- You have the right of access to your information.
- You have the right to lodge a complaint with the Information Commissioner if you feel your rights have been infringed.
A full summary of your legal rights over your data can be found on the Information Commissioner’s website.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you are unhappy with the way that we have handled your Personal Information, you can make a complaint to the Information Commissioner’s Office (ICO), which is the UK authority responsible for data protection.
Tamsin Hoare (Chair of the Trustees), September 2023