About this policy
We are a Data Controller for the purposes of the Data Protection Act (DPA) 1998 and the EU General Data Protection Regulation (GDPR). This means that we are responsible for, and control the processing of, your personal information.
Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Officer, Your Park Bristol & Bath, St George’s Community Centre, Church Road, Bristol, BS5 8AA or firstname.lastname@example.org.
Why we hold and processes personal data
- To administer our charitable services and the specific requirements of those who use them
- To process donations
- To claim Gift Aid on donations
- To confirm receipt of donations, to thank donors and to provide details of how donations may be or have been used
- To enable us to maintain a record of beneficiaries’ and supporters’ relationships with the organisation
- For analysis leading to the production of management information relating to income generation and supporter development
- In relation to correspondence entered into with the charity by any offline or online channel
- To send supporters information about the organisation’s work, fundraising activities and appeals where the organisation has obtained consent or is otherwise allowed to, e.g. by claiming legitimate interest based on existing relationships.
- To keep beneficiaries’ and supporters’ data up to date
- To implement any instructions received from beneficiaries and supporters with regard to withdrawing consent to send information
All supporter e-mails contain an unsubscribe link. We commit to giving people at least two opportunities to opt out of postal contact per year. Individuals can update or withdraw their consent at any time, for individual channels of communication, or for all channels, by contacting
In the event that Your Park needs to contact or enter into correspondence with supporters regarding administrative issues that do not fall into the GDPR definition of ‘direct marketing’, the use of an e-mail address or telephone number provided by the individual is permissible for the specific purpose of resolving the issue.
What information do we collect and how do we use it?
We collect information from you in two ways; directly through information that you provide to us on various pages and forms on mohammedr7.sg-host.com, indirectly through our website’s technology, on paper, in person or by telephone.
When you log onto our website we register your Internet Protocol (IP) Address – this enables us to send and receive information to and from you over the internet. We also collect data on visitor patterns by using cookies.
Cookies are small files of information which save and retrieve information about your visit to mohammedr7.sg-host.com – for example how you entered the site, how you navigated through the site and what information was of interest. The cookies identify you merely as a number, no individual is identified. Cookies do not damage your system; they cannot read data off your hard disk or read cookie files created by other sites. We also analyse this information to determine the most effective parts of our site and where we need to improve it which over time will help us tailor mohammedr7.sg-host.com to make it more user friendly and effective. All research is compiled on an aggregated and anonymous basis. (If you are uncomfortable about cookie use, remember that you can disable cookies on your computer by changing the settings in the preferences or options menu in your browser.)
- We collect the personal and contact information that you provide when you register with us, attend services, make an enquiry, make a donation or purchase goods or services.
- We use your information to fulfil your needs, process payments or donations and to provide you with material that you have requested.
- We may also use your personal data to tell you about how we use the donations we receive and other ways you can support us.
- We may also use data for other purposes, which we will describe to you at the point we collect the information.
- We manage all personal data on a secure server and store it on a secure database, taking appropriate steps to maintain the levels of security required of us by law.
- For the purposes of project participation, we may also request sensitive personal data about your physical and mental health to ensure that we meet our charitable aims, are inclusive and provide the correct support and accessibility options.
Unfortunately, no data transmission over the internet can be guaranteed as 100% secure so where forms include sensitive personal data you may prefer to print off a form and send the completed copy in the post to Your Park’s office.
We claim legitimate interest as per the General Data Protection Regulation (2018) and the Data Protection Act (2018) to contact prospects, beneficiaries and supporters by mail. Please see our legitimate interest statement for more information.
We will not contact you with marketing messages by e-mail, phone or SMS unless you have given us permission to do so.
Individual contacts in business to business marketing and corporate relationships
Your Park Bristol & Bath is claiming legitimate interest to keep in touch, using their business addresses, with named individual business to business and corporate partnership contacts with whom the organisation already had a relationship prior to the introduction of the General Data Protection Regulation on 25 May 2018.
For new relationships in these categories created with named individuals after 25 May 2018, consent for future contact is sought and managed in compliance with the General Data Protection Regulation.
To whom might we disclose your personal data?
We may pass your personal information to anyone who needs the information in order to fulfil your request (for example our Park Activators) or for the processing of any payment or donation.
Except as set out above, we will not disclose your personal information unless we are obliged to do so or allowed to do so, by law, or where we need to do so in order to run our business (for instance where we outsource services or other people process data for us).
Is my data held securely?
Your Park Bristol & Bath ensures there are appropriate controls in place to protect personal details provided to the organisation. Online forms are encrypted and the organisation’s database is held on secure servers.
Your Park Bristol & Bath’s database is only accessible by approved staff, contractors and suppliers and paper-based information is stored securely as required by GDPR.
Will we share your information with outside parties?
We never sell or swap personal information and will share it only with people who need it in order to fulfil an event, process a payment or donation, or process data.
We sometimes use external companies to process personal data on our behalf, for example to produce direct marketing materials or help us manage our events. In these circumstances, with reference to GDPR, Your Park Bristol & Bath is the Data Controller and these suppliers are Data Processors.
The security practices of supplier companies are checked before Your Park Bristol & Bath appoints them. We put contracts in place that set out our expectations and requirements, especially regarding how suppliers securely store and process the personal data provided by us.
Third party marketing
We will not, under any circumstances, share personal data with any third party organisations for their use or sell it to them for their own marketing purposes, and individuals will not receive marketing communications from any other companies, charities or other organisations as a result of providing their details.
We will comply with legal requests where disclosure is required or permitted by law and a written request is received, for example, to government bodies for tax purposes or law enforcement agencies for the prevention and detection of crime.
What are my legal rights?
Subject access requests
Individuals have the right to request at any time the information Your Park Bristol & Bath holds about them, as subject access requests. Such requests should be submitted by e-mailing email@example.com. Please provide as much information as possible.
Depending on the nature of the request, we may seek a form of identification to verify the identity of the person making it. The information will be supplied within 30 calendar days of the request or the verification, whichever is the later. There may also be a charge to cover administrative time.
If individuals believe the information Your Park Bristol & Bath holds about them is incorrect or incomplete, they have the right to ask the organisation to correct it. Your Park Bristol & Bath must respond within one month of the request being received. Requests can be made by e-mailing firstname.lastname@example.org.
Individuals have the right to ask Your Park Bristol & Bath to stop processing their personal data. In this situation, we can continue to store the data to ensure the request can be respected in the future, but all processing must cease, unless there is a legal purpose. Requests can be made by e-mailing email@example.com.
Where they have given consent to us processing their data, individuals have the right to ask Your Park Bristol & Bath to provide their personal details to another organisation via commonly used open format such as a CSV file. Requests can be made by e-mailing firstname.lastname@example.org.
Individuals have a right to have personal data erased and to prevent processing by Your Park Bristol & Bath in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- The personal data has to be erased in order to comply with a legal obligation
- The personal data is processed in relation to the offer of services to a child.
- We can refuse to comply with a request for erasure where the personal data is processed for legal reasons or other scenarios that may be in the public interest as specified by the ICO.
Erasure requests can be made by e-mailing email@example.com.
If individuals believe they have suffered damage because Your Park Bristol & Bath has behaved in breach of Data Protection law, they are entitled to claim compensation. This right can be enforced through the courts.
The law allows us to defend a claim for compensation on the basis that the organisation took all reasonable care in the circumstances to avoid the breach, that is, by complying with Data Protection legislation when processing data.
Querying automated decisions
Individuals can ask Your Park Bristol & Bath not to make automated decisions based on their personal data; expect to be advised and asked for permission if the organisation plans to use automated processes to make such decisions; and challenge the results of automated decisions they believe them to be inaccurate.