GDPR POLICY
Overview of the
General Data Protection Regulation
Note: Post-Brexit, throughout this document, references to the General Data Protection Regulation (GDPR) are references to the original EU GDPR incorporating the amendments set out in the Keeling Schedule.
The Charity will ensure that all personal data that it holds will be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary;
- accurate and kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Contents
1. Introduction
2. Definitions {précised from Art:4}
3. Principles of the GDPR {précised from Art:5}
4. Lawful Processing
4.1 By Consent
4.2 By Contract
4.3 By Legal Obligation
4.4 By Vital Interest
4.5 By Public Task
4.6 Legitimate Interest
5. Individual Rights
5.1 The right to be informed {précised from Arts 12-14}
5.2 The right of access {Art:15}
5.3 The right to rectification {précised from Art:16}
5.4 The right to erase {The right to be forgotten} {précised from Art:17}
5.5 The right to restrict processing {précised from Art:18}
5.6 The right to data portability {précised from Art:20}
5.7 The right to object {Art:21}
5.8 Rights in relation to automated decision making and profiling {précised from Art:22}
6. Data Controller and Data Protection Officer
6.1 Data Controller {précised from Art:24}
6.2 Data Protection Officer {précised from Art:37}
7. Privacy Policy
7.1 Identity and contact details of the controller
7.2 Data Subjects
7.3 Purpose of the processing and the lawful basis for the processing
7.4 The right to withdraw consent at any time
7.5 The right to require the erasure of your data (right to be forgotten)
7.6 The legitimate interests of the controller or third party, where applicable
7.7 Any recipient or categories of recipients of the personal data
7.8 Retention period or criteria used to determine the retention period
7.9 Details of transfers to third country and safeguards
7.10 The existence of each of data subject’s rights
7.11 The source the personal data originates from and whether it came from publicly accessible sources
7.12 Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
7.13 The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
7.14 The right to lodge a complaint with a supervisory authority
7.15 What additional information do we collect and when?
7.16 Is your information secure?
7.17 Updates to this policy
7.18 About us
Data Protection Policy
Note: Throughout this document, references to the General Data Protection Regulation (GDPR) are references to the original EU GDPR incorporating the post-Brexit amendments set out in the Keeling Schedule.
This example document IS NOT – and is not intended to be – a definitive statement of the current GDPR as it applies in the UK (ie: as amended by the Keeling Schedule). It is ONLY a starting point to help charity trustees to create a Policy which is specific for, and relevant to, a charity’s individual requirements.
Therefore charities using this example MUST always refer back to the current legislation, and guidance from the Information Commissioner’s Office
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
and seek professional advice from an appropriately qualified lawyer in the event of any query or uncertainty.
1. Introduction
Under the EU General Data Protection Regulation (GDPR), Verozi Foundation (hereinafter referred to as “the Charity”) is required to comply with the GDPR and undertakes to do so.
Throughout this policy document, numbers prefixed by “Art:” in brackets (e.g.: {Art:5}) refer to the relevant Article(s) in the GDPR.
For ease of access, full extracts of relevant GDPR Articles incorporating the Keeling Schedule amendments are contained in the Appendix to this Policy.
2. Definitions {précised from Art:4}
The definitions of terms used in this policy are the same as the definitions of those terms detailed in Article-4 of the GDPR.
Data Subject
A data subject is an identifiable individual person about whom the Charity holds personal data.
Contact Information
For the purposes of this Policy, “Contact Information” means any or all of the person’s:
- full name (including any preferences about how they like to be called);
- full postal address;
- telephone and/or mobile number(s);
- e-mail address(es);
- social media IDs/usernames (e.g.: Facebook, Skype, Hangouts, WhatsApp).
3. Principles of the GDPR {précised from Art:5}
The Charity will ensure that all personal data that it holds will be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. Lawful Processing
The Charity will obtain, hold and process all personal data in accordance with the GDPR for the following lawful purposes.
In all cases the information collected, held and processed will include Contact Information (as defined in 2 above).
4.1 By Consent
- People who are interested in, and wish to be kept informed of, the activities of the Charity.
- Subject to the person’s consent, this may include information selected and forwarded by the Charity on activities relevant to those of the Charity by other organisations.
Note: this will not involve providing the person’s personal data to another organisation.
The information collected may additionally contain details of any particular areas of interest about which the person wishes to be kept informed.
The information provided will be held and processed solely for the purpose of providing the information requested by the person.
4.2 By Contract
People who sell goods and/or services to, and/or purchase goods and/or services from the Charity.
The information collected will additionally contain details of:
- the goods/services being sold to, or purchased from, the Charity;
- bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to, or purchased from, the Charity.
The information provided will be held and processed solely for the purpose of managing the contract between the Charity and the person for the supply or purchase of goods/services.
4.3 By Legal Obligation
People where there is a legal obligation on the Charity to collect, process and share information with a third party – e.g.: the legal obligation to collect, process and share with HM Revenue & Customs payroll information on employees of the Charity.
The information provided will be held, processed and shared with others solely for the purpose of meeting the Charity’s legal obligations.
Employees (Human Resources)
Taxation (HM Revenue & Customs)
For the purpose of managing an employee’s PAYE and other taxation affairs the information collected will additionally contain details, as required by HM Revenue & Customs, of:
- the person’s National Insurance Number;
- the person’s taxation codes;
- the person’s salary/wages, benefits, taxation deductions & payments;
- such other information as may be required by HM Revenue & Customs.
Pensions
For the purpose of managing an employee’s statutory pension rights the information collected will additionally contain details, as required by the Charity’s pension scheme (National Employees Savings Trust, NEST), of:
- the person’s National Insurance Number;
- the person’s salary/wages, benefits, taxation & payments;
- such other information as may be required by the NEST scheme.
4.4 By Vital Interest
The Charity undertakes no activities which require the collection, holding and/or processing of personal information for reasons of vital interest.
4.5 By Public Task
The Charity undertakes no public tasks which require the collection, holding and/or processing of personal information.
4.6 Legitimate Interest
Volunteers
Closed Circuit TV (CCTV) Recording
The Charity collects video CCTV images of people entering and moving around its premises in order to safeguard its collection from theft and vandalism, as required by its insurers.
The information collected is only processed and, where appropriate, shared with other authorities (e.g.: the Police) where it is necessary to investigate a potential crime.
5. Individual Rights
Note: The following clauses are taken primarily from the guidance provided by the Office of the Information Commissioner,
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/
5.1 The right to be informed {précised from Arts 12-14}
When collecting personal information the Charity will provide to the data subject, free of charge, a Privacy Policy written in clear and plain language which is concise, transparent, intelligible and easily accessible, containing the following information:
- Identity and contact details of the controller
  Note: where the organisation has a controller’s representative and/or a data protection officer, their contact details should also be included.
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data
  Not applicable if the data are obtained directly from the data subject.
- Any recipient or categories of recipients of the personal data
- Details of transfers to third country and safeguards
- Retention period or criteria used to determine the retention period
- The existence of each of data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- The source the personal data originates from and whether it came from publicly accessible sources
  Not applicable if the data are obtained directly from the data subject.
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
  Not applicable if the data are NOT obtained directly from the data subject.
- The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.
In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of the Charity having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.
5.2 The right of access {Art:15}
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in the Charity’s relevant Privacy Policy.
5.3 The right to rectification {précised from Art:16}
The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.
5.4 The right to erase {The right to be forgotten} {précised from Art:17}
Except where the data are held for purposes of legal obligation or public task (4.3 or 4.5) the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her.
Note: This provision is also known as “The right to be forgotten”.
5.5 The right to restrict processing {précised from Art:18}
Where there is a dispute between the data subject and the Controller about the accuracy, validity or legality of data held by the Charity, the data subject shall have the right to require the controller to cease processing the data for a reasonable period of time to allow the dispute to be resolved.
5.6 The right to data portability {précised from Art:20}
Where data are held for purposes of consent or contract (4.1 or 4.2) the data subject shall have the right to require the controller to provide him/her with a copy in a structured, commonly used and machine-readable format of the data which he/she has provided to the controller, and have the right to transmit those data to another controller without hindrance.
5.7 The right to object {Art:21}
- The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based on Public Task or Legitimate Interest (4.5 or 4.6), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- At the latest at the time of the first communication with the data subject, the right referred to in paragraphs a) and d) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5.8 Rights in relation to automated decision making and profiling {précised from Art:22}
Except where it is: a) based on the data subject’s explicit consent, or b) necessary for entering into, or performance of, a contract between the data subject and a data controller; the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
6. Data Controller and Data Protection Officer
6.1 Data Controller {précised from Art:24}
A Data Controller will be appointed by the Board of Trustees.
In the absence of the Data Controller (e.g.: on holiday or on sick leave) the Chair of the Trustees will act as the Data Controller.
The Data Controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation. {Arts:24 & 25}
Those measures shall be reviewed and updated where necessary.
6.2 Data Protection Officer {précised from Art:37}
The scale and scope of the data collected and processed by the Charity does not justify the appointment of a Data Protection Officer.
7. Privacy Policy
The Charity will have a Privacy Policy which it will make available to everyone on whom it holds and processes personal data, in accordance with 5.1.
Clauses are generic and apply to all Privacy Policies
Clauses are specific to the nature of the data being collected, held and processed.
Alternative versions of clauses can be found in the Appendices.
In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.
In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of the Charity having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.
Privacy Policy
Employees – Payroll & Taxation
It is important to us that you understand and are happy with how we use your information.
Please take time to read this policy in full.
7.1 Contact details of the controller
The Charity’s Data Controller can be contacted via email:
7.2 Data Subjects
This Privacy Policy applies to employees of the Charity and all other persons from whom the Charity is legally required to collect, process and share personal data for the purposes of compliance with UK taxation legislation.
7.3 Purpose of the processing and the lawful basis for the processing
The purpose of processing is to manage your PAYE, NIC, pension and other statutory taxation relevant to your employment with the Charity.
The lawful basis for the processing is “Legal Obligation”.
7.4 The right to withdraw consent at any time
You do not have the right to withdraw consent to the use of your personal data as the lawful basis for holding and processing the data is “Legal Obligation”.
7.5 The right to require the erasure of your data (right to be forgotten)
You do not have the right to require the erasure of your personal data as the lawful basis for holding and processing the data is “Legal Obligation”.
7.6 The legitimate interests of the controller or third party, where applicable
None applicable, as the lawful basis for the processing is “Legal Obligation”.
7.7 Any recipient or categories of recipients of the personal data
Relevant PAYE & NIC data calculated by the Data Controller on the basis of your salary and benefits are forwarded securely to HM Revenue & Customs via the HMRC PAYE Government Gateway site.
Relevant pension contributions calculated by the Data Controller on the basis of your salary are forwarded securely to the National Employee Savings Trust through its encrypted website.
From time to time we may need to share the information we collect with the Charity’s professional advisors (eg: our lawyers, accountants) when they need it to provide advice. We will seek your permission before sharing your personal information in this way.
We may also share the information we collect with:
- the Police, local authorities, Her Majesty’s Revenue and Customs (HMRC), the Courts and any other central or local government bodies where they request it and we may lawfully disclose it, for example for the prevention and detection of crime;
- anyone to whom we are legally obliged to disclose it, eg: to comply with a court order;
- other people who make a reasonable subject access request to us, provided that we are allowed to do so by law.
7.8 Retention period or criteria used to determine the retention period
Your personal data are retained for the prevailing statutory period (currently 6 years) as prescribed by HMRC and NEST.
7.9 Details of transfers to third country and safeguards
The Charity does not transfer any personal data to third countries.
7.10 The existence of each of data subject’s rights
Other than the right to withdraw consent (see 7.4) and the right to erase (see 7.5), you have all the data subject rights prescribed by the General Data Protection Regulation, namely the rights:
- to be informed about your personal data held by the Data Controller on behalf of the Charity, the purpose(s) for which they are held, the manner in which they are processed and the recipients (if any) of the data;
- to be given access to your personal data;
- to rectification – the correction of any error in the data and/or the completion of any incomplete data;
- to restrict processing – while you have legitimate, justifiable concerns about the accuracy, validity or legality of data held by the Charity or the way in which the data are being processed. Data processing may be resumed once either the cause(s) of the concern has (have) been rectified or your concerns are demonstrated to be unjustified;
- to object to processing – while you have reasonable grounds relating to its impact on your particular circumstances and where the legal basis of the processing is Public Task or Legitimate Interest. However, the processing of your data can be resumed if the Data Controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
7.11 The source the personal data originates from and whether it came from publicly accessible sources
Only your personal tax code data originates directly from HM Revenue & Customs; it is not available from publicly accessible sources.
7.12 Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
The provision of your personal data for this purpose is a statutory requirement under UK taxation and pensions legislation.
Failure to provide the data, or the provision of data which are inaccurate or late, renders both you and the Charity liable to significant penalties or legal action.
7.13 The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
The Charity does not use any automated decision-making software in the processing of your personal data.
7.14 The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for the UK, if you are dissatisfied with the way that the Charity is collecting, holding, processing and using your personal data and you feel that your reasonable attempts to raise the issues and get them addressed have failed.
7.15 What additional information do we collect and when?
In addition to the statutory information that we collect, hold and process for the purpose of managing your taxation and pension affairs we also collect and hold:
- all information you choose to submit to us when you communicate with us by post, e-mail, messaging, or other form of image-based (eg: photographs), sound-based (eg: sound files) or text-based communication, whether physical (eg: ink & paper) or electronic;
- copies of any notes that we take, whether physical (eg: ink & paper) or electronic, during verbal communications between us (eg: telephone; Skype®; Hangouts®);
- information on what we communicate to you by post, e-mail, messaging, or other form of image-based or text-based communication, whether physical (eg: ink & paper) or electronic, including information in all ancillary materials (eg: attachments, images, brochures).
7.16 Is your information secure?
We take the security of your information very seriously.
We comply with the relevant prevailing legislation which requires us to have in place appropriate security measures at all times, including where we share your information with others.
7.17 Updates to this policy
We will need to update this policy from time to time as our services change.
We will endeavour to tell you in advance by sending a service message to you if we hold your email address. Otherwise, please check the Verozi Foundation website for notifications of significant changes to this policy.
If you do not notify us that you wish the information that we hold on you to be deleted (ie: to have no further contact with us) we will take it that you accept the changes.
7.18 About us
Further details about Verozi Foundation and the services it provides can be found on its website: www.verozifoundation.org
4 The Potteries, Roman Road, Middlesbrough, TS5 6DQ
© 2026 Verozi Foundation. All rights reserved.