GDPR: DATA PRIVACY NOTICE & POLICY
The Kurt and Magda Stern Foundation (KMSF) takes privacy very seriously, and we are committed to protecting your privacy. We hold honesty and transparency amongst our core values, and we are committed to being transparent about how we collect and use personal data to meet our obligations under the General Data Protection Regulation (GDPR). This policy sets out the basis on which any data we collect from you, or that you provide to us, will be processed by us.
The basic principles guiding our collection and processing of data are as follows:
- We will only ever collect data for the purposes for which we really need it.
- We will collect and use personal data transparently, honestly and fairly.
- We will respect your choices around the data we hold about you.
- We will use appropriate security measures to protect personal data.
- We will never share personal data externally without explicit consent.
- We will never sell your personal data.
Data Controller – determines the purposes and means of processing personal data.
Data Processor – is responsible for processing personal data on behalf of the controller.
Personal data – any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (as explained in Article 6 of GDPR). Examples include name, home address or private email address. Online identifiers would include IP addresses and cookies.
Special categories of personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
What personal data might we collect?
KMSF may collect and process the following information:
- Personal and contact details, such as names, addresses, telephone numbers, email addresses.
- Bank account details you provide to us.
- Information gathered from business and social media sources within the public domain.
Do we automatically collect any data from visitors to our website?
Do we collect and process any “special categories” sensitive personal information?
- KMSF does not collect sensitive personal data.
Why do we collect and process your personal information?
KMSF collects and processes personal information for reasons that include:
- Communicating for charitable purposes.
- Keeping a record of your relationship with us.
- Administration and monitoring of our funding.
- Development of our funding initiatives.
We will only collect and process personal information when:
- it is necessary for our legitimate interests in connection with carrying out our charitable business, as long as, in each case, these interests are in line with applicable law and your legal rights; and/or
- where you have provided explicit consent; and/or
- where this is necessary for legal obligations which apply to us.
How long do we store personal information for?
Who has access to your data?
The designated Data Processor and Controller is the Chair of the Trustees (who can be contacted at our registered address).
Your information may be shared internally between KMSF trustees, and their associates as stated below.
We may occasionally have to share your data with third parties such as professional advisers. An up-to-date list of all our professional advisers can be found online at the Charity Commission and Companies House, within our latest Annual Report and Accounts. We may also share your information with authorities such as HMRC, or with third parties where required by law, where it is necessary to administer our relationship with you, or where we have another legitimate interest.
We require third parties to respect the security of your data and treat it in accordance with the law.
Occasionally we may share information about your funding with another funder if your programme or project is also being supported by that other funder, or another potential funder.
How do we keep your data safe?
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. Data is stored on password- or PIN-protected devices. We limit access to your personal information to those who have a permitted cause to need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
What are your rights?
Under the General Data Protection Regulation you have a number of important rights:
- Where data processing is based on consent, you may revoke this consent at any time by contacting us at our registered office (Third Floor, 95 The Promenade, Cheltenham, Gloucestershire GL50 1HH), or by email at email@example.com.
- You also have the right to ask for rectification and/or deletion of your information.
- You have the right of access to your information.
- You have the right to lodge a complaint with the Information Commissioner if you feel your rights have been infringed.
A full summary of your legal rights over your data can be found on the Information Commissioner’s website.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you are unhappy with the way that we have handled your Personal Information, you can make a complaint to the Information Commissioner’s Office (ICO), which is the UK authority responsible for data protection.
Tamsin Hoare (Chair of the Trustees), September 2023