This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others, how we keep it safe and secure and your rights and choices in relation to your information.
Should we ask you to provide certain information by which you, or others, can be identified when using this website, you can be assured that it will only be used in accordance with this privacy statement.
Any questions regarding this policy and our privacy practices should be sent by email to enquiries@careandrepair.org.uk or by writing to the Corporate Services Manager, Care & Repair Cymru, First Floor, Mariners House, Trident Court, East Moors Road, Cardiff, CF24 5TD. Alternatively, you can telephone 02920 107580.
Controller
Care & Repair Cymru is the controller and responsible for your personal data (collectively referred to as we, us or our in this privacy notice).
Who are we?
We are Care & Repair Cymru, a national charitable body and actively works to ensure that all older people have homes that are safe, secure and appropriate to their needs.
We are registered with the Charity Commission under charity number 1163542 and our registered office is First Floor, Mariners House, East Moors Road, Cardiff, CF24 5TD .
We are also registered with the Information Commissioner’s Office under registration number Z6847123.
Changes to the Privacy Notice and your Duty to Inform us of Changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Third-Party Links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the privacy policy of that third party site.
How we collect information about you
We may collect your personal information when you:
- Donate to us
- Make an enquiry though our contact us page
- Sign up to receive our newsletter
- Become a Commercial Member or Partner
- Become a Friend of Care & Repair
- Register to take part in one of our events
- Fundraise on our behalf
- Book a room at our office
- Complete a gift aid declaration form
- Contact us via email, phone, social media, post or our websites
We may also collect information about your visit to our websites. This data is not personal to you and is used to help us better understand how visitors use our site, analyse the website performance and develop the website effectively
What personal information we collect
The personal information we collect, store and use might include:
- your name and contact details (including postal address, email address and telephone number);
- your date of birth;
- information about your activities on our website and about the device used to access it, for instance your IP address and geographical location;
- your bank or credit card details. If you make a donation online or make a purchase, your card information is not held by us, it is collected by our third party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions;
- information as to whether you are a UK taxpayer so we can claim gift aid; and
- marketing preference when you become a Friend of Care & Repair or sign up to receive our newsletter
Data protection laws recognise certain categories of personal information as sensitive and therefore requiring greater protection, for example information about your health, ethnicity and religion.
We do not usually collect sensitive data about you unless there is a clear and valid reason for doing so and data protection laws allow us to. Where appropriate, we will make it clear why we are collecting this type of information and what it will be used for.
Our legal basis for processing your information
In certain instances, we collect and use your personal information by relying on Art.6(1)(f), legitimate interest legal basis. In broad terms, our ‘legitimate interests’ means our interest in being able to run Care & Repair Cymru as a charitable entity effectively.
This includes:
- Sending our regular supporter newsletter, In Touch, to keep supporters informed of our work and progress towards our goals.
- Sending direct marketing material to supporters by post for fundraising purposes
- Measure and understand how our audiences respond to a variety of marketing and communications activity so we can ensure our activities and services are well targeted, relevant and effective
- Processing donations
- Administering events
However ‘legitimate interests’ can also include your interests, such as when you have requested information or certain goods/services from us, and those of third parties
If we rely on the ‘legitimate interests’ basis to use your personal information, we will only use the information in accordance with the purposes described in this policy.
When we legitimately process your personal information in this way, we also consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where collection and use of your information would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
If we decide we need to use Art.6(1)(a) consent, to process your data we will contact you separately about this.
We collect and use your personal information when we enter into a partnership arrangement or you become a commercial member. In this instance we process your data under Art.6(1)(b), processing is necessary in order to enter into or perform a contract.
If we believe there is another legal basis for processing your personal data we will advise you of this at the time we collect the data from you.
How and why is your information used?
We may use our information for a number of different purposes, which may include
- Keeping a record of your relationship with us
- To respond to an enquiry you have sent us
- To send you our quarterly newsletter which you have signed up to receive
- Providing you with the services or information you asked for
- Sending you communications which you have requested and that may be of interest to you. These may include information about campaigns, fundraising appeals and activities and promotions of goods and services;
- To process your donations or regular payment agreements, to claim Gift Aid on your donations
- To support you with fundraising activities.
Who has access to your information.
We never sell or share any information about you to other organisations for their own marketing purposes.
Employees at Care & Repair Cymru are able to access your data but it is restricted to those that only require it to perform their day to day duties.
Your details may be shared with one of our agencies when you submit an enquiry though our contact us page. If you submit your enquiry through our contact us page, we will either provide you with your local agency contact details or forward your information to them on your behalf. We will then remove your details as there is no longer a need for us to hold them. The agency will use your details to contact you regarding your query.
We use several data processors, which provide services to us and help us to process your data. We have contracts in place with these processors which means that they will only use your data in ways we have instructed them to do so. They will not share your personal information and will only retain it for as long as we instruct. The processors which we use include:
- Eventbrite, SurveyMonkey, Blackbaud, JustGiving, Tocyn, Stripe Inc.
Eventbrite, Stripe Inc and SurveyMonkey operate outside of the EU but they are signed up to the EU-US Privacy Shield, and are therefore considered as ‘adequate data processors’. These data processors will not use your data but will merely collect and store it for our uses. After transferring this data to our own systems, any data stored on Eventbrite and Surveymonkey will be deleted after up to a period of 3 years.
Your personal information may also be shared with third party organisations to comply with legal or regulatory obligations. An example organisation is HM Revenue and Customs who require certain information for Gift Aid claim processing.
How long is your information kept for?
We keep your information for no longer than is necessary for the purposes it was collected for. The length of time we retain your personal information for is determined by operational and legal considerations. For example, we are legally required to hold some types of information to fulfil our statutory and regulatory obligations (e.g. health/safety and tax/accounting purposes).
We review our retention periods on a regular basis.
How does the organisation protect data?
The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
We will ensure that we have in place appropriate technical and organisational measures to prevent unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of your personal information.
The security measures applied include:
- hard copy records and manual files are kept to a minimum, where required these will be kept in locked filing cabinets
- electronic records are kept in an electronic filing system with access restricted to staff who require access to carry out their role
- appropriate cyber security measures, including accreditation to relevant cyber security standards.
When we use third party organisations to process information on our behalf we ask them to demonstrate their compliance with GDPR / relevant Data Protection legislation and work to instructions with regards to what information they process and what they do with this, as agreed in the contracts we have with them
Non-sensitive details (your email address etc.) are transmitted normally over the internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.
Your Rights
Under UK data protection law, you have certain rights over the personal information that we hold about you. Here is a summary of the rights that we think apply:
Rights of access
You have a right to request access to the personal data that we hold about you.
You also have the right to request a copy of the information we hold about you, and we will provide you with this unless legal exceptions apply.
If you want to access your information, please send a description of the information you would like to see and proof of your identity by post to the address provided below.
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. The accuracy of your information is important to us so we’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change email address, or if you believe any of the other information we hold is inaccurate or out of date, please contact us via email or post (see below). Alternatively, you can telephone 029 2010 7580.
Right to restrict use
You have a right to ask us to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we’re not lawfully allowed to use it.
Right of erasure
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions; we will do so as far as we are required to. In many cases, we will anonymise that information, rather than delete it.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object
If you want to exercise any of the above rights, please email us at enquiries@careandrepair.org.uk or write to Corporate Services Manager, Care & Repair Cymru, First Floor, Mariners House, Trident Court, East Moors Road, Cardiff, CF24 5TD. We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s Information Commissioner’s Office.
How to make a complaint
If you would like to make a complaint about the processing of your data, please contact us at the address above. If you are not satisfied with our response, you can complain to the Information Commissioners Office (ICO) by calling their helpline on 0303 123 1113 or via their website https://ico.org.uk/concerns/
Review of this Policy
We keep this policy under regular review. This policy was last reviewed and updated in June 2019.