- We will only collect and use your information where we have lawful grounds and legitimate business reasons to do so
- We will be transparent in our dealings with you and will tell you about how we will collect and use your information
- If we have collected your information for a particular purpose, we will not use it for anything else unless you have been informed and, where relevant, your permission obtained
- We will not ask for more information than we need for the purposes for which we are collecting it
- We will update our records when you inform us that your details have changed
- We will continue to review and assess the quality of our information
- We will implement and adhere to information retention policies relating to your information, and will ensure that your information is securely disposed of at the end of the appropriate retention period
- We will observe the rights granted to you under applicable privacy and data protection laws, and will ensure that queries relating to privacy issues are promptly and transparently dealt with
- We will train our staff on their privacy obligations
- We will ensure we have appropriate physical and technological security measures to protect your information regardless of where it’s held
- We will ensure that when we outsource any processes, the supplier has appropriate security measures in place and will contractually require them to comply with these Privacy Principles.
1. WHO WE ARE
1.1. We are The Confederation of Community Groups (CCG), a company limited by guarantee registered in Northern Ireland. Our registered office is Ballybot House, 28 Cornmarket, Newry BT35 8BG and registration number NI 22294. We are a charity recognised by the Inland Revenue (No. XR 40558) and registered with the Charity Commission for Northern Ireland (NIC 101359).
1.2. We are a sub-regional umbrella community development organisation which supports all sections of the community. We provide support, advice, information and services to the local community and services to the com/vol sector such as governance, networking, engagement, volunteering, education and provision of training programmes. We also own and manage Ballybot House and An Stóras which is recognised as a flagship social enterprise.
2. WHAT IS THIS NOTICE
2.1. At CCG we take your privacy seriously. In order to provide our Services, we may need to process Personal Data from time to time (that is information about someone who can be identified from the data). This Personal Data may be about you or other people. This notice aims to provide you with information on how we collect, use and store your personal information.
2.2. As part of our Services we may transfer Personal Data to other people. We’ve set out a list of who we might transfer Personal Data to at paragraph 6. This notice only deals with our use of Personal Data. Recipients are not bound by this privacy notice.
2.3. We might need to change this privacy notice from time to time. If we do, we will let you know. So please do keep an eye on our website / reminders and review the notice before giving us any Personal Data.
2.4. All of the defined terms in this notice are explained in paragraph 12 below. If you have any questions about this notice, feel free to send us an email to email@example.com
3. WHO WE HOLD PERSONAL DATA ABOUT
3.1. We hold Personal Data about the following groups of people (Data Subjects):
| Data Subject group | Description |
|---|---|
| Client Contacts | that is any party which has engaged us to provide services (including key contact data); |
| Membership | that is any party who or which has signed up to be a member of our organisation (including any individuals in their companies); |
| Supporters | that is anyone who has contacted us to find out about what we do or otherwise supported us, other than through Membership; |
| Beneficiaries | that is any individuals who receive our Services |
4. WHEN WE COLLECT PERSONAL DATA AND WHAT TYPE OF DATA
4.1 We collect (i) information you give us, (ii) information from your use of our products, services or our website, social media and (iii) information provided to us by third parties:
- Completion of a form on our website
- Complete a survey or affiliation form
- Correspond with us by phone, e-mail or in writing
- Report a problem
- Sign up to receive our communications
- Create an Account with us
- Enter into a contract with us to receive products / services
TYPE of DATA may include:
- Contact and Identity data (e.g. name, postal address, email addresses, telephone/mobile numbers)
- Transaction data (e.g. business information, registration numbers, VAT details)
- Billing information (e.g. credit card, billing address, bank details)
- Traffic / Usage / Technical data (via website use)
- Financial details / financial circumstances
- CCTV at Ballybot House & An Stóras for the detection and prevention of crime (it operates continuously and recordings are held for one week)

We may also take photographs at our events to use for general marketing and publicity.
It is likely that some of the Personal Data which we collect and store about Beneficiaries may include Special Categories of Personal Data. Special Categories of Personal Data includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.
We may also collect, use and share Aggregated Data such as statistical or demographic data which we collect from interactions with IT providers and statutory agencies. Aggregated Data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data.
5. HOW WE USE PERSONAL DATA AND THE LAWFUL BASIS FOR DOING SO
(i) We hold and process personal data as a Controller, which means we must have a ‘lawful basis’ for doing so. Contract delivery – we may use your personal data to fulfil your contract, or take steps linked to a contract:
- To provide products and/or services to you
- To communicate with you in relation to the provision of the contracted products and services
- To provide you with administrative support such as account creation, wage processing and responding to issues and taking payments.
(ii) Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a social enterprise and community development organisation. We consider such use goes no further than the Data Subject would reasonably expect; is likely to align with the Data Subject’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject and as:
- Required by law to respond to request by government or Law enforcement authorities, or for the prevention of crime or fraud
- Direct marketing / information dissemination providing you with newsletters, surveys, event and consultation information, promotions, related products/services which may be of interest to you.
6. WE MAY DISCLOSE PERSONAL DATA
6.1 We may share your personal data with trusted third parties including:
- Service providers contracted to us in connection with provision of products/services
- IT providers that assist us in the improvement and optimisation of our website and social media platforms
- Legal and other professional advisers, consultants and professional experts
We will ensure there is a contract in place with the categories of the recipients listed above which include obligations in relation to the confidentiality, security and lawful processing of any personal data shared with them. We take all reasonable steps to ensure that our staff protect your personal data and are aware of their information security obligations. We limit access to your personal data to those who have a genuine reason to need it.
If you have any questions about who your data might be transferred to please send us an email at firstname.lastname@example.org
7. SECURITY PROCEDURES IN PLACE
7.1 It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements.
7.2 Personal Information is stored either in hard copy or electronic format at our registered office.
Only CCG staff have access to and are authorised to view and process your personal data. Much of the data contained in “hard copy” is stored in a locked filing cabinet. We do not use cloud services at this time; data is stored on an “on-premises” Microsoft server system. All computers are password protected and we use a firewall and other advanced technology to prevent interference or access from outside intruders.
7.3 We only use servers in the EU. Our current Active Directory, File Storage and Email servers are on premises at our location. Our website which is regarded as brochure ware and contains no sensitive information is managed by ITS New Media based in Newry, N Ireland. The server itself is hosted in Koeln, Nordrhein-Westfalen, Germany. The only other service which is offsite is our email screen and clean, for which we use the services of “Spamtitan” to reduce the amount of spam coming into our system. This is hosted in Galway, Ireland.
8. RETENTION OF PERSONAL DATA
8.1. Our retention schedule is determined by the type of data and the data subject group (see 3.1 above). We will retain personal data for as long as is required by law or for as long as we consider it necessary for our legitimate business purposes. General terms are as follows:
(a) we may store data related to financial transactions for up to 6 years to ensure that we have sufficient records from an accounting and tax perspective;
(b) we may archive data relating to negotiations, contracts agreed, payments made and disputes raised for up to 6 years to protect ourselves in the event of a dispute arising between you and us;
(c) we may retain data which is held for marketing purposes for up to 2 years from the date of termination of our contract with you (unless the relevant Data Subject requests erasure of their data prior to that date);
(d) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).
9. RIGHTS A DATA SUBJECT HAS ABOUT THE PERSONAL DATA WE COLLECT AND HOLD
9.1 Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller.
(a) Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used.
(b) Right of access: the right to request a copy of the Personal Data held, as well as confirmation of: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients to whom the personal data has/will be disclosed; (iv) for how long it will be stored; and (v) if data wasn’t collected directly from the Data Subject, information about the source.
(c) Right of rectification: the right to require the Controller to correct any Personal Data held about the Data Subject which is inaccurate or incomplete.
(d) Right to be forgotten: in certain circumstances, the right to have the Personal Data held about the Data Subject erased from the Controller’s records.
(e) Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to the Data Subject. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.
(f) Right of portability: the right to have the Personal Data held by the Controller about the Data Subject transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
(g) Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).
(h) Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on the Data Subject.
9.2 If you want to avail of any of these rights, you should contact us immediately at info@ccgnewrycommunity.org. If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.
10. IF YOU NO LONGER WANT US TO PROCESS PERSONAL DATA ABOUT YOU
10.1 If we are holding Personal Data about you as a Controller, we will comply with your request unless we have reasons for lawfully retaining data about you.
10.2 If we are holding Personal Data about you and using that data for marketing purposes or for any other activities based on your consent, you may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever and we will stop processing your Personal Data for that purpose. This will not affect your ability to receive our Services.
11. IF YOU ARE NOT HAPPY WITH HOW WE PROCESS PERSONAL DATA ABOUT YOU
11.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Control Officer immediately at our registered address (see paragraph 1.1 above) or by email to email@example.com.
11.2 If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.
12. WHAT DO ALL OF THE DEFINED TERMS IN THIS PRIVACY NOTICE MEAN?
12.1 Throughout this notice you’ll see a lot of defined terms (which you can recognise because they’re capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this notice you see the following terms, they’ll have the following meanings:
Controller is a legal term set out in the General Data Protection Regulation (GDPR), it means the party responsible for deciding what Personal Data to collect and how to use it;
Data Subject means the individual who can be identified from the Personal Data;
Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual;
Processor is another legal term set out in the GDPR, it means the party who has agreed to process Personal Data on behalf of the Controller; and
Special Categories of Personal Data means details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.
What Information Do We Collect:
We collect the following information:
Google Analytics Cookies:
We use Google Analytics to review our website and this lets us see information such as number of visitors, how long they stay on and what pages they have viewed. Google Analytics does not provide any personally identifiable information about you. In order to run Google Analytics we use a Cookie which is a small piece of software that loads in your browser which will log your site visit and the pages visited. Google Analytics will store your IP Address and also records the pages you visit on our website and other information which is not personally identifiable to you. For more information on Google Analytics, see https://www.google.co.uk/analytics