Stefania Foundation
GDPR Policy to enable compliance with the General Data Protection Regulations
The Stefania Foundation collects, processes, stores and uses information about identifiable individuals as a fundamental aspect of the delivery of its charitable purposes and intends to comply fully with the General Data Protection Regulations (GDPR).
1. What is personal data?
Stefania Foundation collects information relating to its volunteers and beneficiaries who are natural persons (“data subjects”) who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
Thus, although Stefania Foundation policy is to know the name and address and other contact details of all its data subjects, the lack of a name for an individual will not avoid the need to comply with GDPR: the requirement of a location at which its charitable activities will be provided negates this possibility.
2. What is data processing?
Put simply, data processing is the collection, processing, storing, using and destruction of personal data. Thus, the noting of an individual’s name and address on a piece of paper by a BCB volunteer and the transfer of that data to the data controller is data processing.
3. Data controller
Stefania Foundation (SF) is a data controller under, and has prime responsibility to comply with, GDPR. Although SF is a corporate body, its Trustees recognise that they can become liable for an offence under GDPR if it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of—
(i) a director, manager, secretary or similar officer of the body corporate, or
(ii) a person who was purporting to act in such a capacity.
All SF employees and volunteers who collect or have access to data will be made aware of their responsibilities.
We will not share any data with third parties.
4. Privacy notices
We provide all data subjects with all the following privacy information:
- The name and contact details of our organisation
- The purposes of the processing
- The lawful basis for the processing
- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to)
- The retention periods for the personal data
- The rights available to data subjects in respect of the processing, namely:
  - access to personal data
  - rectification of personal data, and
  - erasure of personal data or the restriction of its processing
- The right to withdraw consent
- The right to lodge a complaint with a supervisory authority
- The source of the personal data (if the personal data is not obtained from the individual it relates to)
We provide data subjects with privacy information at the time we collect their personal data from them. If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
- within a reasonable period of obtaining the personal data and no later than one month;
- if we plan to communicate with the individual, at the latest, when the first communication takes place; or
- if we plan to disclose the data to someone else, at the latest, when the data is disclosed.
We provide the information in a way that is:
- concise;
- transparent;
- intelligible;
- easily accessible; and
- written in clear and plain language.
We regularly review and, where necessary, update our privacy information. If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
We will undertake an information audit every xxx to find out what personal data we hold and what we do with it. We put ourselves in the position of the people we’re collecting information about.
5. The GDPR principles
The six data protection principles are set out in the Appendix. We comply with the principles in the following way:
- by collecting and processing personal data only for the lawful purposes of SF, i.e. to manage employees and volunteers and to provide charitable services to our beneficiaries
- by only handling people’s data in ways they would reasonably expect, or where we can explain why any unexpected processing is justified
- by not deceiving or misleading people when we collect their personal data
- by being open and honest, and complying with the transparency obligations of the right to be informed
- by recording our purposes as part of our documentation obligations and specifying them in our privacy information for individuals
- by ensuring the personal data we are processing is:
  - adequate – sufficient to properly fulfil our stated purpose;
  - relevant – has a rational link to that purpose; and
  - limited to what is necessary
The processing of personal data must be lawful and fair. The processing of personal data is lawful only if and to the extent that it is based on law and either—
(a) the data subject has given consent to the processing for that purpose, or
(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
Condition (b) does not apply to SF so all our data processing proceeds on the consent of every data subject.
The definition of consent reads:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement”
We include on all our data collection forms, both electronic and physical, an invitation to the data subject to give their consent to BCB processing their data.
6. The data collected
We will collect from our employees and volunteers the following information:
- name, address and contact details
- skills and areas in which they are interested in helping
- References/DBS
The only data we collect from our beneficiaries is their:
- name, address and contact details.
7. Security
We comply with GDPR by:
- storing and destroying all personal data securely
- not collecting or retaining excessive amounts of data
- protecting personal data from loss, misuse, unauthorised access and disclosure, and
- ensuring that appropriate technical measures are in place to protect personal data.
All personal data is kept on central IT systems and is not stored or transported on portable electronic devices.
We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place. When deciding what measures to implement, we take account of the state of the art and costs of implementation. We understand the requirements of confidentiality, integrity and availability for the personal data we process.
We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
8. Data processors
We use only those data processors who provide guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will comply with GDPR and ensure the protection of the rights of the data subject.
No processor used by SF may engage another processor without SF’s prior written authorisation.
APPENDIX 1 - Personal data
APPENDIX 2 - Privacy Notice
APPENDIX 3 - Website privacy notice
APPENDIX 1
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
APPENDIX 2 - Privacy Notice
Stefania Foundation Privacy Notice
Our contact details
Charitable Incorporated Organisation: Stefania Foundation
Contact name: Constantine Johnson
Address: 6 Poles Hill, Chesham HP5 2QP, United Kingdom
E-mail: [email protected]
What type of information we have
We currently collect and process the following information:
- Name, address, email and mobile number
How we get the information and why we have it
All the personal information we process is provided to us directly by you for one of the following reasons:
- for the purposes of responding to your enquiry
- to provide you with one or more of our charitable services
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
(a) your consent. You are able to remove your consent at any time. You can do this by contacting xx as shown above
(b) we need it to perform a public task.
(c) we have a legitimate interest.
What we do with the information we have
We use the information that you have given us in order to:
- provide you with one or more of our charitable services
- to update you on our current and future activities and services
We do not share this information with any other person or organisation.
How we store your information
Your information is securely stored electronically.
We keep your name, address and contact details for up to one year after we have provided a service to you. We will then dispose of your information by deleting all electronic records.
Your data protection rights
Under data protection law, you have rights including:
- your right of access - you have the right to ask us for copies of your personal information
- your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
- your right to erasure - you have the right to ask us to erase your personal information in certain circumstances
- your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances
- your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances
- your right to data portability - you have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
- you are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at xxx if you wish to make a request.
How to complain
You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address:
Information Commissioner’s Office
APPENDIX 3 - Website privacy notice
Stefania Foundation Website Privacy Notice
At Stefania Foundation we respect your privacy and are committed to protecting your personal data. This “privacy notice” explains what we do with your personal data, why we want to use it, how we protect it, and what rights you have to control our use of it.
It applies not just to use of our website, but also personal data that we process through other interactions with individuals in the course of running our organisation and delivering our services. Our website and services are not intended for children and we do not knowingly collect data relating to children.
Please read it carefully. We may change this policy. We will post any changes on this page, so please check back frequently.
Information about us
This privacy notice is for the Stefania Foundation (referred to as “Stefania Foundation”, “we”, “us” or “our” in this privacy notice). We collect, use and are responsible for certain personal data about you. When we do so we are regulated under the General Data Protection Regulation (“GDPR”), which applies across the European Union (including the United Kingdom) and we are responsible as “data controller” of that personal information for the purposes of the law.
By using our website, you’re agreeing to the conditions outlined in this policy. If you want to contact us about any of the points on this notice, or just generally about how we protect your privacy, please email us at [email protected]
Your personal data
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We use personal data from different categories of individual for several different purposes and each with its own lawful basis. This section describes these in detail and, although it’s technical, we’re required by law to explain this to you.
If you visit our website
We use various methods to help us personalise our website for you, remember your preferences, understand how users are using our websites, and help customise our marketing offerings including cookies, referrers’ IP addresses, how you interact with our website and environment variables. We do this on the basis that it is necessary for our legitimate interests in monitoring and improving our website. By visiting our website, you agree to the use of cookies and similar technologies for the purposes described in this Statement.
If you fill in a contact form
We will store the data you enter (name and contact details) for the purposes of responding to your enquiry. We do this on the basis that it is necessary for our legitimate interests in promoting our charity to interested parties. We store your data for as long as we need to interact with you for these purposes. In all cases if you would like us to update or delete your information, please send us an email (see “How to contact us” below) or use the unsubscribe links on marketing emails.
Our use of website cookies
We may also store information about you using cookies, which we can access when you visit our site in future. Cookies are small files, which are sent by us to your computer or other access device, that track, save and store information about your interactions and usage of our website. Overall, cookies help us provide you with a better service by enabling us to monitor which pages you find useful and which you do not.
How to control cookie settings
Most web browsers allow you to control cookies through their settings preferences; however, if you limit the ability of websites to set cookies, you may impact your overall user experience. Below you can learn about how to control cookie settings on popular web browsers:
- Google Chrome
- Internet Explorer
- Safari
- Firefox
What type of information we have
We currently collect and process the following information:
- Name, address and contact details
How we get the information and why we have it
All of the personal information we process is provided to us directly by you for one of the following reasons:
- for the purposes of responding to your enquiry
- to provide you with one or more of our charitable services
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
(a) your consent. You are able to remove your consent at any time. You can do this by contacting your District Data Administrator
(b) we need it to perform a public task.
(c) we have a legitimate interest.
What we do with the information we have
We use the information that you have given us in order to:
- provide you with one or more of our charitable services
- to update you on our current and future activities and services
We do not share this information with any other person or organisation.
How we store your information
Your information is securely stored electronically. We keep your name, address and contact details for up to one year after we have provided a service to you. We will then dispose of your information by deleting all electronic records.
Data processors
We currently do not use service providers (acting as ‘data processors’). Your personal data is not stored by any other organisation unless in the normal way when an online card payment is made.
Your data protection rights
Under data protection law, you have rights including:
- your right of access - you have the right to ask us for copies of your personal information
- your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
- your right to erasure - you have the right to ask us to erase your personal information in certain circumstances
- your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances
- your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances
- your right to data portability - you have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
- you are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at xxxx if you wish to make a request.
How to complain
You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline number: 0303 123 1113
https://ico.org.uk/concerns/
How to contact us
If you have any questions, concerns or just want some more information about our privacy management, drop us a line at [email protected]
Changes to this privacy notice
We may change this privacy notice from time to time by amending this page.
This privacy notice was last updated on 25th November 2024