Privacy Policy

The Mary Roxburghe Trust (“The Charity”) is committed to protecting your personal data.  Personal data is defined as any information about a living person.   We will ensure your personal data is only used for the purposes it has been provided.

The Director of the Charity is the person responsible for ensuring that personal data for all the activities of the Charity is processed in accordance with current legislation. The registered address of the Charity is West Horsley Place, Epsom Road, West Horsley, Leatherhead, Surrey KT24 6AN (Registered Charity Number 1164840). If you have any questions about this privacy policy, please contact the Executive Assistant at [email protected] or by post at the address above.

This privacy policy covers the Charity and its trading company, West Horsley Place Ltd (Company Number 10315041), with the address and contact details the same as above for both. A separate privacy notice applies to employees, volunteers and job applicants and is available from the Executive Assistant at [email protected].  This policy is kept under continuous review.  

Processing of personal data refers to collection, retention, use, access and disclosure as required, up to and including the destruction of data. In all cases we collect only what we need. For all data processing we use the appropriate lawful basis and, additionally for special categories of data, we use the appropriate Article 9 condition. The Charity will process data in accordance with the General Data Protection Regulation and the Data Protection Act (2018) and will refer regularly to updated guidance from the Information Commissioner’s Office.

What types of personal information do we collect from you and about you?

We gather personal information so your interactions and relationship with the Charity are well-managed, productive and enjoyable. We collect information from and about you whenever you have direct contact with us or have any involvement with us. In particular, we gather your personal information to:

  • Provide you with the services or information you have requested;
  • Provide further information about our work, services and activities;
  • Process payments, donations and Gift Aid declarations from supporters;
  • Find out more about your preferences and interests so we may better serve you;
  • Fulfil sales made online;
  • Invite voluntary participation in research or surveys to improve our work;
  • Register and administer your participation in events and activities;
  • Analyse and improve our work, services, activities or information (including analysing visitor behaviour on our website) to personalise the way information is presented to you;
  • Carry out any contractual obligations with you;
  • Maintain organisational records to ensure we know how and if you wish to be contacted;
  • Prevent fraud and credit risk;
  • Ensure your safety and wellbeing when on our premises;
  • Report any accident or incident on our premises which may involve you.

We gather your personal data over the telephone, via our website, face-to-face and through third parties where you have given your consent for your details to be shared, including social media platforms such as Facebook, LinkedIn, Instagram or Twitter.

Photographs and video

We take photographs and video at events with the express purpose of promoting the Charity and its aims. Photographs and images are considered sensitive personal data and therefore we only record and use images and video with your consent.  Consent for children and vulnerable adults will be requested from parents or guardians.   

Health and disability

We may also process sensitive data about your health if there is a need for us to consider making reasonable adjustments for you to access our site over and above what is already in place.

Cookies

In common with most websites, ours uses “cookies” to ensure a smoother user experience. Most cookies are session cookies, which last only for the duration of your visit and are deleted when you close your browser. No personal data is collected during this process. Our website also uses Google Analytics to allow us to track visitor numbers and user behaviour and to analyse the popularity of specific pages. Google Analytics uses a cookie to help track this information and in doing so uses your computer’s IP address to determine your location and to track your page visits within the site. You will be asked to provide your consent to use cookies when visiting our website by clicking ‘Accept’. You can modify your browser settings to decline or delete cookies if you prefer, although this may prevent you from taking full advantage of the website.

Anonymisation of data

Wherever possible we use anonymised data for our purposes such as analysing broader demographic data about groups of supporters and visitors.

How do we keep your personal information up to date?

We endeavour to act on changes to your personal information you provide to us as soon as reasonably possible. If you believe we are holding data about you which is inaccurate, please contact the Executive Assistant at [email protected] or by telephone at 01483 282032 with your updated information.

What is our legal basis for processing your information?

For initial enquiries from you about our facilities or services, to support us or any other initial enquiry, we rely on your consent to contact you to provide further information to you.   You may withdraw your consent at any time.

We like to stay in touch with our supporters, visitors and clients and we do so in our legitimate interests based on your expressed interests and involvement with us in the past. 

If you do not wish to hear from us in future, please contact the Executive Assistant on 01483 282032 or by email [email protected].  For electronic communications such as newsletters you will be provided with an unsubscribe button which you can use to opt out at any time.    

The Charity gathers personal information in our legitimate interests about demographics, interests and behaviour of our users and supporters through our website provider and through surveys to help us gain a better understanding of them to enable us to improve our services and further our charitable aims. 

The Charity also carries out research for and about our Charity in our legitimate interests using data available from publicly accessible sources.

The Charity carries out Legitimate Interests Assessments (LIA) for all data processed on this basis to ensure we are balancing the legitimate needs of the Charity with that of our visitors, clients and supporters.   

Where we have entered into a contract for services with a client or with our suppliers, we process personal data on the lawful basis of contract to ensure we can fulfil that contract. Where information is not needed for the fulfilment of the contract but for some other purpose, we state clearly the purpose and lawful basis.  Suppliers are required to adhere to our Data Protection Policy.

The Charity processes personal data on the basis of legal obligations for compliance reasons in order to meet our statutory and legal obligations.  This includes but is not limited to H&S reporting, financial reporting and other statutory reporting.  

Privacy and Electronic Communications Regulations

For electronic communications and cookies the Charity also adheres to the relevant guidance in the Privacy and Electronic Communications Regulations (PECR).

Who do we share your personal information with?

In limited cases and only where necessary we transfer data to third parties.   In all cases we ensure that data is transferred by the most secure means possible and is covered by our and the third party’s privacy policy.  

Statutory and government bodies

To meet our legal and statutory obligations we transfer personal data to government and statutory bodies including but not limited to HMRC and the Health and Safety Executive.  

Professional advisers

We transfer personal data as necessary in our legitimate interests to our insurers as well as our legal and financial advisers.

Website provider

Our website provider collects limited personal information about demographics, interests and behaviours of our users in order to help the Charity gain a better understanding of you so we can continually improve our services.  

Cloud storage

Personal data may also be held on Cloud based IT devices, which means that personal data may be transferred outside of the EU. Where this is the case, the Cloud based IT device has confirmed that it has appropriate safeguards in place. For example, we use Dropbox for our general files and Donorfy for recording supporter details. Donorfy uses the cloud system Microsoft Azure.  Both Dropbox and Microsoft Azure transfer data to the US where the cloud systems are based. Dropbox and Microsoft Azure are both certified under the EU-US Privacy Shield Framework. This means that the country to which your personal data is transferred (the US) is deemed to provide an adequate level of protection for your personal information, which meets both the requirements of the GDPR and Data Protection Act (2018). 

What do we do with sensitive data?

Sensitive data is considered ‘special categories’ under the Data Protection Act 2018 (“The DPA”). The DPA defines special categories of data as data which may pose risks to an individual’s fundamental rights and freedoms and therefore is personal data which needs additional protection. Special categories of data include race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health and sexual orientation.

For data which is deemed special categories, we process data on the appropriate lawful basis and also on one of the following Article 9 conditions:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(e) processing relates to personal data which are manifestly made public by the data subject;

(j)  processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Under 16s

We encourage supporters of all ages. If you are under 16, do please let us know when you sign up for events and ensure you have the consent of a parent or guardian before giving us your details.

How long do we keep your personal information?

In all cases, personal information (data) will be kept only for the length of time necessary to process it:

  • Data based on consent will be kept for as long as agreed with the data subject;
  • Data processed based on fulfilment of a contract will be processed for the duration of the contract and to meet any reporting or audit requirements thereafter;
  • Data processed based on legal obligation will be processed only for the length of time required by that legal obligation;
  • Data processed based on legitimate interests will be kept for as long as needed to ensure that legitimate interest is met.

How do we keep your personal information safe?

The Charity is committed to privacy by design and default as laid out in the GDPR.  This means that with all data processing, consideration will be given to the safest method of processing the data before processing begins.  Every reasonable precaution is taken to keep your personal data secure.

  • Access to the building(s) is by keys held by the Director and Head of Operations;
  • Personal data in hard copy is kept in locked file cabinets with access limited to only those staff who need access to the information to carry out work for the Charity;
  • The Charity has a ‘clean desk’ policy which means personal data is not left on desks overnight;
  • Personal data and special categories of personal data in hard copy is disposed of by shredding or incineration;
  • Personal data in electronic form is secured on Dropbox;
  • User passwords are changed regularly;
  • All Charity devices are password protected;
  • Antivirus software is run on all Charity devices;
  • Only phones and devices issued by the Charity are used to process personal data on behalf of the Charity.

What are your rights?

The DPA and GDPR collectively include significantly enhanced rights for data subjects in order to ensure they have more control over their personal data. It is important to note that not all rights are absolute and will depend on the lawful basis for processing. In all instances, should you wish to exercise your rights below, the request should be made in writing to the Executive Assistant by email at [email protected], by post to our registered address at West Horsley Place, Epsom Road, West Horsley, Leatherhead, Surrey KT24 6AN or by telephone at 01483 282032. You will receive a response without undue delay and within 30 days. In the exceptional and very limited cases where this is not possible, you will receive an explanation in writing of why the 30-day period has been extended.

The rights which are available to you are as follows:

Right to be informed

You have the right to be informed of how, why and for how long your personal data will be processed.  

Right of access

You have the right to make a subject access request to see what personal data we hold about you. Some information may be redacted if it involves the personal data of other persons or references to commercially sensitive data.   

Right to erasure

You have the right to request your personal data is erased. Data still required to meet our legal obligations will not be erased and some data required for legitimate interests may also be retained, for example an email address on a ‘no contact’ list.

Right to rectification

You have the right to request we correct data the Charity holds about you if it is inaccurate. 

Right to object

You have the right to object to the processing of your personal data. This right is not absolute and only applies when your data is being processed based on legitimate interests.

Right to restrict processing

You have the right to request we restrict processing if you have requested your data be rectified until you have verified the accuracy of the personal data.

You have the right to request we restrict processing where you have objected to processing based on legitimate interests and the Charity is considering whether its legitimate grounds are more compelling than your reasons for us not processing your data. 

You have the right to request we restrict processing if the Charity does not need the personal data but you require the data to establish, exercise or defend a legal claim.

Right to data portability

This applies to electronic data only and only applies to data processed based on consent or contract.  For more information please see the ICO website at www.ico.org.uk.

Rights related to automated decision-making including profiling

We do not carry out automated decision making for employee personal data. 

Right to complain to a supervisory authority

If you are unhappy with how your data has been processed by The Charity, speak to the Director in the first instance. If you feel you have a complaint that cannot be resolved by the Director, please contact the Information Commissioner’s Office (ICO) at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or telephone 0303 123 1113 (local rate) or 01625 545745 (national rate). The ICO website address is as above.