DATA PRIVACY NOTICE (as at 21 May 2018)

Dumbarton Road Corridor Environment Trust (DRCET) is providing this information so you know what data we hold for you and why, and how we keep your data protected in compliance with the General Data Protection Regulation (GDPR).

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

Who are we?

Dumbarton Road Corridor Environment Trust (DRCET) is the data controller (contact details above). This means it decides how your personal data is processed and for what purposes. We will usually collect basic personal data about you like your name, organisation information, postal address, telephone number and email address.

Why are we collecting this information?

We collect your personal data in connection with specific activities, such as applications to become a member of DRCET, eNews requests, campaign updates, event registration, surveys and to allow us to evaluate our services.

The information is either needed to fulfil your request or to enable us to provide you with a more personalised service. You don’t have to disclose any of this information; however, if you choose not to supply certain information, we may not be able to provide you with certain services (for example if, when becoming a member, you do not give an email address, we will not be able to send you our monthly eNews).

Sometimes we will process your personal data to provide you with information about our work or our activities that you have requested or are expecting. On other occasions, we may process personal data when we need to do this to fulfil a contract (for example employment contracts with our employees) or where we are required to do this by law or other regulations.

DRCET also processes your data when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing our membership with information about our services and other relevant activities.

How are we collecting this information?

We may collect your personal data in a number of ways and from a variety of stakeholders including members, other supporters and interested parties. We may also receive information about you from third parties, for example, another member or other third party organisation who refers you to DRCET.

With your consent, data you provided to become a DRCET member is transferred from our online system to our mailing lists and external mailing software. On an annual basis we will also ask you to renew your membership which will include updating your contact details.

The host of our online content management system provides a back up system for a period of three months, which means that if your details are amended or deleted on our system it may remain in its original form for this period after any changes are actioned.

With your consent, data you provided to sign up to our eNews is transferred from our online system to our external mailing software. Every two years we will ask you to renew your interest in the eNews.

Your details may be transferred to third party providers and held there, e.g. for events, surveys and eNews purposes. To store and process your data, we only use third party systems for which we have completed an assessment exercise to ensure your data is secure.

What information are we collecting?

We collect your contact details, organisational information, information on your interests that relate to events and services offered by DRCET, and information related to your charitable donations to DRCET.

How do we process your personal data?

DRCET complies with its obligations under the GDPR:

  • by keeping personal data up to date;
  • by storing and destroying it securely;
  • by not collecting or retaining excessive amounts of data;
  • by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for the following purposes: –

  • To enable us to provide membership services;
  • To administer membership records;
  • To fundraise and promote the interests of DRCET;
  • To manage our employees and volunteers;
  • To maintain our own accounts and records.
  • To operate the DRCET website and deliver the services that individuals have requested.
  • To inform individuals of news, events, activities or services running at DRCET
  • To facilitate the establishment of networking groups
  • To facilitate the establishment of connectivity between members and external parties
  • To process gift aid applications.
  • To contact individuals via surveys to conduct research about their opinions of current services or of potential new services that may be offered.

What is the legal basis for processing your personal data?

Depending on the activity your data is used for, we will rely on one of the following conditions for processing: a legitimate interest; a legal obligation; or your consent to process your data, as explained below.

“GDPR Article 6(1)(a) – Consent of the data subject”

We will only email you, phone you or send you direct mail about our events, services and opportunities which are relevant to DRCET and our activity if we have your express consent to do so.

“GDPR Article 6(1)(c) – Processing is necessary for compliance with a legal obligation”

If you make or have made a charitable donation to DRCET, we will process your name, address, and donation information under 6(1)(c) of the GDPR for the purpose of administering your donation.

“GDPR Article 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.”

We will hold data relating to any activity you participated in as a DRCET member or service user, including your name, activity details, and dates of attendance under 6(1)(f) of the GDPR for the purpose of monitoring our activity and to provide you with the information e.g. attendance and participation in DRCET.

When we use your personal information, we will always consider if it is fair and balanced to do so, and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair.

Sharing your personal data

Your personal data will be treated as strictly confidential, and will be shared only with your consent, in relation to DRCET activity and only with:

  • DRCET funding requirements
  • Recognised DRCET partners and stakeholders if you are involved with a project or activity
  • External services used by DRCET such as MailChimp, Survey Monkey, IT and software providers

We will not disclose your data without your consent to third parties, except where they are acting as authorised agents for DRCET for the above purposes or where we are permitted or required to do so by DRCET.

How long do we keep your personal data?

Membership

We keep your personal data for no longer than reasonably necessary for a period of the applicable membership, which is renewed annually, in order to provide membership services. Membership and data will be renewed on an annual basis.

eNews

For those who sign up to our eNews, email addresses are retained for a period of two years. The eNews database will be renewed every two years.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: –

  • The right to request a copy of your personal data which the DRCET holds about you;
  • The right to request that the DRCET corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for DRCET to retain such data;
  • The right to withdraw your consent to the processing at any time
  • The right to request that DRCET provides the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable)
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable)
  • The right to lodge a complaint with the Information Commissioner’s Office: https://ico.org.uk/global/contact-us/
  • The right, if your personal data is to be transferred to countries or territories outside the EU, to details of how the data will be protected.

Will my data be used for automated decision making?

No.

Further processing

If you would like to know more about your rights under data protection law, see the Information Commissioner’s Office website: https://ico.org.uk/. Remember, you can change the way you hear from us or withdraw your permission for us to process your personal data at any time.

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.

Where and whenever necessary, we will seek your prior consent to the new processing.

If an individual contacts the company to:

  • Ask what information the company holds about them and why
  • Ask how to gain access to it
  • Be informed how to keep it up to date
  • Be informed how the company is meeting its data protection obligations

this is called a subject access request.

DRCET will aim to respond as soon as possible and at the latest within one month of receipt. If the request is complex or numerous we may look to extend the period of compliance by a further two months. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

DRCET will always verify the identity of anyone making a subject access request before handing over any information.

Storage and Security of Personal Information

DRCET will use all reasonable endeavours to ensure that you provide personal information in a secure and confidential environment and when the information is no longer needed it will be destroyed or permanently rendered anonymous.

To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect.

Contact Us

If you wish to discuss this further, exercise all relevant rights or raise a complaint, please contact us in the first instance at:

In writing to DRCET, Heart of Scotstoun Community Centre, 64 Balmoral Street, Glasgow G14 0BL

Or email: neil@dumbartonroad.com