We treat privacy and confidentiality very seriously. We are a charity with relationships with fundraisers, volunteers, supporters and service users so we use personal information on a day-to-day basis in order to fulfil our mission to achieve rights, equality and independent living of disabled people in Wales. Our use of personal information allows us to make better decisions, fundraise more efficiently and, ultimately, helps us to achieve our vision.
We have developed this privacy notice in order to be as transparent as possible about the personal information we collect and use.
We comply with all aspects of the UK’s data protection legislative framework, which includes the UK General Data Protection Regulation (GDPR) and the UK’s other legislation, including the Data Protection Act 2018.
Please ensure you read this notice carefully and contact us if you have any questions or concerns about our privacy practices.
2. Who we are?
We have appointed a dedicated Data Protection Lead to ensure appropriate oversight of our data processing activities. The Data Protection Lead is the Finance and Compliance Manager, who can be contacted by telephone on 029 20887325 or by email at email@example.com, and who can provide any clarity that you may need about this privacy notice.
3. What this Notice Covers
We ask that you read this privacy notice carefully as it contains important information about:
- how we collect your personal information
- the personal information that we collect and use
- the lawful bases we rely on to collect and use personal information
- why we collect and use personal information
- sharing your personal information
- when we transfer personal information outside the EEA
- how long we keep information
- how we ensure personal information is secure; and
- your privacy rights
You should ensure that you read this general privacy notice alongside any specific privacy notice we may issue to you, from time to time, in relation to your information.
4. How we collect information
We collect information in the following ways:
- You may give us your information in order to complete a contact form, to sign up for one of our events, sign up for a newsletter, make a donation, register as a volunteer for us, join our member network or mailing list, apply for funding, use our services or otherwise communicate with us.
- In addition, in accordance with common website practice, we will receive information about the type of device you’re using to access our website or apps. The settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will usually have more details about what information your device makes available to us.
If you wish to give us personal information about another person, please speak to us to ensure that you are legally entitled to give us the information and for advice on informing that person.
Your information may be shared with us by third parties, for example:
- professional fundraising agencies;
- independent event organisers, for example fundraising sites like Just Giving;
- if you sign up as a volunteer for us through an external volunteering website;
- if your information is shared with us by partners with whom we are running projects jointly.
5. Social Media
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from these services, for example when you publicly tag us in an event photo.
6. Categories of Personal Information that we hold
The personal information that we collect includes:
- your name
- your contact details (including postal address, telephone number, e-mail address and/or social media identity)
- your date of birth
- your gender
- your bank details where you provide these for us to make a payment to you
- if you volunteer for us or apply for a job with us, information necessary for us to process these applications and assess your suitability (which may include things like employment status, previous experience depending on the context, as well as any unspent criminal convictions or pending court cases you may have)
- if you apply for funding, information necessary to process your application, details of which will be given on a funding application form
- information about your activities on our website(s) and about the device you use to access these, for instance your IP address and geographical location
- information about events, activities and products which you have shown an interest in
- information relating to your health, for example if (and in what context) you identify as a disabled person
- information you may choose to share with us about your experience of life as a disabled person
- information you may choose to share with us where you have left us a legacy, any information regarding next of kin with which you may have provided us to administer this
- information as to whether you are a taxpayer to enable us to claim Gift Aid
- age, sexual orientation, disability and nationality and ethnicity information for monitoring purposes; after collection we anonymise this personal information so that you can no longer be identified from it
- any other personal information you provide to us.
Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of data include information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality and genetic/biometric information.
We only collect this type of information about you to the extent that there is a clear reason for us to do so or where you make it public or volunteer it to us. Wherever it is practical for us to do so, we will make clear why we are collecting this type of information and what it will be used for.
7. The Personal Data of Children and Adults at Risk
We are very careful when we collect personal information about children under the age of 13 and adults at risk.
Where we are collecting personal information about children under the age of 13, we provide a privacy notice to their parents or guardians for approval, and where necessary consent.
If you have any concerns please raise these with our Data Protection Lead.
8. The lawful basis for processing personal information
We rely on the following legal bases to process your personal information:
| Lawful basis | When it applies |
|---|---|
| Performance of a contract | This applies where we need to collect and use your personal information in order to take steps to enter into a contract with you or to perform our obligations under a contract with you |
| Legal obligation | This applies where we need to collect and use your personal information to comply with applicable laws and regulatory requirements |
| Legitimate interests | We may collect and use your personal information to further our legitimate business interests. We only do this where we are satisfied that your privacy rights are protected satisfactorily. We’re committed to putting you in control of your data and you’re free at any time to opt out from any activity we’re undertaking based on this legal basis. |
| Consent | We may (but usually do not) need your consent to use your personal information. You can withdraw your consent by contacting us (see below). |
| Public interest | Although we are not a public body, we do collect and use some personal information where this is necessary to perform tasks that are in the public interests. |
| Vital interests | This only applies in the rare instance where we need to process personal data in order to protect someone’s life. |
When we use special category personal information (please see the “What personal information we collect” section above), we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
9. Why do we collect and use personal information?
We collect and use personal information for the following purposes, relying on the specific lawful bases set out in the table below:

| Purpose | Lawful basis |
|---|---|
| To provide you with the services, products or information you asked for | Consent; Contract; Legitimate interests |
| To administer your donation or support your fundraising, including processing Gift Aid. | Legitimate interests; Legal obligation |
| To keep a record of your relationship with us | Legitimate interests; Legal obligation |
| To respond to or fulfil any requests, complaints or queries you make to us. | Legitimate interests; Legal obligation |
| To better understand how we can improve our services, products or information by conducting analysis and market research. | |
| To manage our events. | Contract; Legitimate interests; Legal obligation |
| To send you correspondence and communicate with you, including updating your contact details (see “Keeping your information up to date” below). | [Consent]; Legitimate interests |
| To undertake analysis and profiling of our supporters using personal information we already hold | |
| To administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems. | |
| To generate reports on our work, services and events. | Legitimate interests; Legal obligation |
| To safeguard our staff and volunteers. | |
| To monitor website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to you. | Consent; Legitimate interests |
| To process your application for a job or volunteering position | Contract; Legitimate interests |
| To audit and administer our accounts. | |
| To meet our legal obligations to regulators, government and/or law enforcement bodies. | Legal obligation; Legitimate interests |
| To undertake background checks including checking identity and checks undertaken for anti-money laundering, anti-terrorism reasons, financial and reputational checks. We do not undertake any automated decision making, but we may use credit reference and fraud prevention agencies who may do so. | Legal obligation; Legitimate interests; Public interest |
| To manage and administrate our relationships with suppliers of goods and services to us | Legal obligation; Legitimate interests |
| To otherwise carry out the day-to-day operations of our organisation efficiently including managing our financial position, capability, planning, communications, corporate governance and audit | Legal obligation; Legitimate interests; Public interest |
| To train and develop our staff and volunteers | Performance of a Contract; Legal obligation; Legitimate interests |
| To prevent and respond to actual or potential fraud or illegal activities | Legal obligation; Public interest |
| To establish, exercise or defend our legal rights or for the purpose of legal proceedings in which we may be involved | Establish, exercise or defend legal rights |

10. Sending marketing communications
Our marketing communications include information about our work, campaigns and requests for donations or other support. Occasionally, we may include information from partner organisations or organisations who support us in these communications.
We operate an ‘opt-in only’ communication policy for electronic communications. This means that, except as set out below, we will only send electronic marketing communications to those who have explicitly stated that they are happy for us to do so, for example by becoming members or signing up for our newsletter. You may opt out at any time by unsubscribing or e-mailing us at firstname.lastname@example.org.
We may use information you have given us directly, for example the record of your previous donations to and/or relationship with us, your location and demographics, as well as the type of activity you have been involved with, to tailor our communications with you about future activities.
11. Events and fundraising
When you have asked for details of one of our events, we will send you information including, where relevant, ideas for fundraising and reminders on key information about the activity.
Where you have signed up for an event with a third party and told the event organiser that you wish to fundraise for us, we may contact you with information and support for your fundraising for that event.
12. Managing your contact preferences
We make it easy for you to tell us how you want us to communicate, in a way that suits you.
Our forms have clear marketing preference questions and we include information on how to opt out when we send you marketing. If you don’t want to hear from us, that’s fine, and you can change your preferences at any time. Just let us know when you provide your data or contact us at email@example.com or by calling 029 20887325.
If you’ve decided you don’t want to be contacted for marketing purposes, we may still need to contact you for administrative purposes. This may include where we are processing a donation you’ve made and any related Gift Aid, thanking you for a donation or participation in an event, or keeping in touch with you about volunteering activities you are doing for us.
13. Sharing your personal information
A number of third parties may have access to your personal information or we may share or send it to them. This includes:
- business partners, suppliers and sub-contractors who may process information on our behalf;
- if you are a legacy giver, we may share information with co-beneficiaries;
- marketing agencies that we use;
- analytics and search engine providers;
- our professional advisers and auditors;
- IT service providers.
We may also be required to share personal information with regulatory authorities, government agencies and law enforcement agencies. We will use reasonable endeavours to notify you before we do this, unless we are legally restricted from doing so.
We do not sell, rent or otherwise make personal information commercially available to any third party.
We reserve the right to disclose your personal information to third parties:
- if we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets; and/or
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets.
- For administering our electronic mailing lists we use the Hubspot Client Relationship Management (CRM) system. This will contain your personal data. Their privacy notice can be found here: https://legal.hubspot.com/privacy-policy
- We use email marketing software, Mailchimp, to manage our mailing lists and track clicks, opens and email preferences. Our mailing lists contain your personal data. Mailchimp’s privacy notice, which explains how they use your data, can be found here: https://www.intuit.com/privacy/statement/
- We use Excellence IT to manage our IT infrastructure, which includes having access to your personal data. Their privacy notice can be found here: https://excellence-it.co.uk/privacy-policy/
- We use Microsoft 365 to manage our file storage, which includes having access to your personal data. Their privacy notice can be found here: https://privacy.microsoft.com/en-gb
- We use Promo Cymru to manage our website, which includes having access to your personal data. Their privacy notice can be found here: https://www.promo.cymru/privacy-policy/
- We use SurveyMonkey for monitoring, evaluation and collecting data. This will occasionally involve processing your personal data. SurveyMonkey’s privacy notice, which explains how they use your data, can be found here: https://www.surveymonkey.co.uk/mp/legal/privacy/
- We use Xero to store and process accounting transactions. This may involve processing your personal data. Xero’s privacy notice, which explains how they use your data, can be found here: https://www.xero.com/uk/legal/privacy/
14. Transfers Outside the European Economic Area (EEA)
We prefer not to send personal data outside the EEA; however, some of the service providers we use to help us run our businesses are based outside of the EEA. This means that your data may be transferred outside of the EEA. Where this is the case, we consider the safeguards the provider has in place for providing adequate protection or approved transfer mechanisms, for example, by entering into the European Commission’s Standard Contractual Clauses. Further information is contained in the third party providers’ privacy policies, links to which are contained in the section above.
15. Keeping your information updated
We really appreciate it if you let us know if your contact details change, but to ensure that the information we have is as up to date and accurate as possible, we may use information from external sources such as the post office national change of address database and/or the public electoral roll to identify when we think you have changed address so that we can update our records and stay in touch. We only use sources where we are confident that you’ve been informed of how your information may be shared and used.
We do this so we can continue to contact you where you have chosen to receive marketing messages from us and contact you if we need to make you aware of changes to our terms or assist you with problems with donations.
This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact you when you’ve asked us not to.
16. How long we keep personal information
Our policy is to not hold personal information for longer than is necessary. We have established data retention timelines for all of the personal information that we hold based on why we need the information. The timelines take into account any statutory or regulatory obligations we have to keep the information, our ability to defend legal claims, our legitimate business interests, best practice and our current technical capabilities. We have developed a Data Retention Policy that captures this information. We delete or destroy personal information securely in accordance with the Data Retention Policy.
17. How we ensure personal information is secure
We are strongly committed to information security and we take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us including the use of encryption and pseudonymisation.
18. Your privacy rights
You have a number of rights in relation to the personal data we hold about you. Not all of the rights apply in all circumstances. If you wish to exercise any of the rights, please contact us in the ways detailed below:
- You have a right of access to the personal information we hold about you
- You have the right to ask us to correct any information we hold about you that you think is wrong or incomplete
- You have the right to object to any processing of your personal information where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop. There may, however, be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request.
- You have the right to object if we process your personal data for the purposes of direct marketing. If you no longer want to receive communications from us, please contact us. We will stop sending you communications, but will continue to keep a record of you and your request not to hear from us. If we deleted all of your information from our direct marketing databases, we would have no record of the fact that you have asked us not to communicate with you and it is possible that you may start receiving communications from us at some point in the future, if we obtain your details from a different source.
- You have the right to ask us to delete your information. This is also known as the right to be forgotten or to erasure. We will not always agree to do this in every case as there may be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request.
- Where our processing of your personal information is based on your consent, you have the right to withdraw it at any time. Please contact us if you want to do so.
- You may have a right to obtain the personal information that you have given us in a format that can be easily re-used and to ask us to pass this personal information on in the same format to other organisations. Please contact us to find out if this right applies to you.
19. How to Complain
Please let us know if you are unhappy with how we have used your personal information. You can contact us in the following ways:
- By E-mail to firstname.lastname@example.org
- By Post to Disability Wales, Spark, Maindy Road, Cardiff, CF24 4HQ
- By Phone 029 20887325
You also have the right to complain to the Information Commissioner’s Office. Find out on their website how to report a concern: Information Commissioner’s Office (ICO)
20. Changes to this Privacy Notice
This privacy notice was last updated on 17th May 2023. We keep this privacy notice under regular review and may change it from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We would encourage you to check this privacy notice for any changes on a regular basis.