GDPR Privacy Policy – Last updated: February 2023
1. Introduction
1.1. Preservation of your privacy is important to the Talisman Charitable Trust (the ‘Trust‘ ‘we‘, ‘our‘ or ‘us‘ being interpreted accordingly) and we are committed to letting you know how we use your personal information and to making only responsible and lawful use of your data.
1.2. Personal information relating to you or another individual from which they can be identified is called personal data (‘Personal Data‘).
1.3. This privacy policy (‘Privacy Policy‘) tells you about the Personal Data we collect; how we handle or process such Personal Data and who we may share it with. This Privacy Policy also provides information on any legal rights that you or another individual has in relation to their Personal Data.
2. Changes to this Privacy Policy
2.1. From time to time we may change the way we use your Personal Data and amend this Privacy Policy. Please check that you have seen the latest version.
3. What Personal Data do we collect and use?
3.1. The Personal Data that we collect and use includes the following:
3.1.1. name, title, address, phone and other contact details;
3.1.2. financial details and social circumstances;
3.1.3. means of visual identification;
3.1.4. details of physical or mental health;
3.1.5. employment and education history;
3.1.6. character opinions and accounts of behaviour; and,
3.1.7. information on racial or ethnic origin, religious or other beliefs of a similar nature
as well as any other Personal Data that you, or another individual or organisation with your consent, may provide to us from time to time.
4. How your Personal Data is collected
4.1. We collect Personal Data in various ways as follows:
4.1.1. through communications that you or others have with us with us from time to time;
4.1.2. through applications received by organisations on your behalf; and
4.1.3. through contact with a family member nominated by you to assist with practicalities in the provision of support.
4.2. Please also note that some of the Personal Data supplied to us and that we process may include what is known as ‘sensitive’ or ‘special category’ data, for example, information regarding ethnic origin or political, philosophical and religious beliefs or details regarding trade union membership.
5. Information about third parties
5.1. Please ensure that any Personal Data which relates to third party individuals is only provided to us with that person’s knowledge of our proposed use of their Personal Data
5.2. To the extent that you provide information to us about another individual as part of an application for grant-funding or as is otherwise necessary and, in particular, where such information is ‘sensitive’ or ‘special category’ data about an individual (as described in paragraph 4.2 above) you should only provide us with such information where you have obtained that individual’s prior, explicit consent. We will ask you to confirm that you have such consent as part of your application and, where you are acting on behalf of another individual, we also reserve the right to request documentary evidence from you in the future in order to verify that you have obtained the requisite consent and/or have continuing authority to act for that person.
6. What we use your Personal Data for
6.1. Other than as stated above, we may use Personal Data for one or more of the following purposes:
6.1.1. to provide charitable support by grant-making for the benefit of the public;
6.1.2. to keep and administer our records;
6.1.3. to manage the Trust’s own employees, volunteers and accounts;
6.1.4. to fundraise and promote the interests of the Trust in any other way;
6.1.5. to enforce and/or defend any of our legal claims or rights; and/or
6.1.6. for any other purpose required by applicable law, regulation, the order of any court or regulatory authority.
7. The lawful grounds on which we collect and process your Personal Data
7.1. We process Personal Data for the above purposes relying on one or more of the following lawful grounds:
7.1.1. where an individual has provided their specific, informed and unambiguous consent;
7.1.2. in order to set up and perform our contractual obligations to the individual whose Personal Data we process;
7.1.3. where we need to use Personal Data for legitimate purposes relevant to us being able to lawfully operate our charitable purposes as described in this Privacy Policy and in our constitution. We will always seek to pursue these legitimate interests in a way that does not unduly infringe on the relevant individual’s legal rights and freedoms and in particular any right of privacy; and/or
7.1.4. where we need to comply with a legal obligation or for the purpose of us being able to establish, exercise or defend legal claims or enforce our rights.
7.2. If we process ‘sensitive’ or ‘special category’ data about someone as referred to under paragraph 4.2 we will only do this if we have the explicit consent of the relevant individual; or, where we need to comply with applicable social security or social protection laws; or, we need to protect a person’s vital interests in an emergency; or, where an individual has already clearly publicised such information; or, where we need to use such sensitive or special category data in connection with a legal claim that we have or may be subject to.
8. Our Legal Obligations regarding your data
8.1. We collect and process your Personal Data in accordance with applicable laws that regulate data protection and privacy. This includes, without limitation, the UK General Data Protection Regulation (also called the ‘UK GDPR’) and the UK Data Protection Act 2018 as may be amended or updated from time to time, together with other applicable laws that regulate the collection, processing and privacy of your Personal Data (together, ‘Data Protection Law‘)
9. Disclosing your Personal Data to third parties
9.1. We may need to disclose or make Personal Data available to certain third party organisations who are processing data in accordance with our instructions under contract (called ‘data processors’) in the following circumstances:
9.1.1. companies and/or organisations that act as our service providers or professional advisers; and,
9.1.2. companies and/or organisations that assist us in processing and/or otherwise fulfilling grant requests.
9.2. We may also disclose your Personal Data to third parties who make their own determination as to how they process your Personal Data and for what purpose(s) (called ‘data controllers’), such as:
9.2.1. where you have made an application on an individual’s behalf, to that individual;
9.2.2. local and central government, other voluntary and charitable organisations – where necessary to process an application received from them or in order to procure and arrange support; and
9.2.3. our regulators, including the Charity Commission.
The third party data controllers external to us with whom we deal as described in this Policy will handle the Personal Data provided to them in accordance with their own chosen procedures and you should check the relevant privacy policies of these companies or organisations to understand how they may use Personal Data. Since they are acting outside of our control, we have no responsibility for the data processing practices of these data controllers.
9.3. Very occasionally we may disclose your Personal Data to a family member nominated by you to assist with practicalities in the provision of support.
9.4. Other than as described above, we will treat all Personal Data we receive as private and will not disclose or make Personal Data available to third parties without you knowing about it. The exceptions are:
9.4.1. in relation to legal proceedings or where we are legally required to do so and cannot tell you;
9.4.2. where we use third party data processors who are engaged under contract to handle data on our behalf (for example an IT supplier or database hosting provider), we will make sure that they act only in accordance with our instructions and that adequate safeguards are put in place by them to protect Personal Data they handle on our behalf.
9.5. In all cases we always aim to ensure that your Personal Data is only used by third parties for lawful purposes and in compliance applicable Data Protection Law.
10. International Transfers
10.1. In order to help us process online applications we use a third party data processor called Freshworks and the Personal Data they host will be stored on computers in the EU (for more information on Freshworks’ GDPR compliance, please see here https://www.freshworks.com/gdpr/company/.)
10.2. Whenever we transfer Personal Data out of the UK, we will ensure that the transfer is subject to appropriate safeguards which may include putting in place contractual clauses which comply with Data Protection Law.
10.3. Please contact us if you want further information on the specific safeguards used by us when transferring Personal Data out of the UK.
11. How long we retain Personal Data for
11.1. The Trust only retains Personal Data identifying individuals for as long as they have a relationship with us; or as necessary to perform our obligations to you or the Trust’s grant recipients (or to enforce or defend contract claims); or as is required by applicable law.
11.2. We have a data retention policy (which we may make available on request) that sets out the different periods we retain data for in respect of relevant purposes in accordance with our duties under Data Protection Law. The criteria we use for determining these retention periods is based on various legislative requirements; the purpose for which we hold data; and guidance issued by relevant regulatory authorities including but not limited to the UK Information Commissioner’s Office (ICO).
11.3. Personal Data we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it
12. Security that we use to protect Personal Data
12.1. We will take reasonable precautions to prevent the loss, misuse or alteration of information you give us.
12.2. We employ appropriate technical and organisational security measures to protect your Personal Data from being accessed by unauthorised persons and against unlawful processing, accidental loss, destruction and damage.
12.3. We also endeavour to take all reasonable steps to protect Personal Data from external threats such as malicious software or hacking. However, please be aware that there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of all data sent to us (including Personal Data).
13. Your personal data rights
13.1. In accordance with your legal rights under applicable law, where we are handling your Personal Data you have a ‘subject access request’ right under which can request information about the Personal Data that we hold about you, what we use that Personal Data for and who it may be disclosed to as well as certain other information. Usually we will have a month to respond to such as subject access request. We reserve the right to verify your identity if you make such a subject access request and we may, in case of complex requests, require a further two months to respond. We may also justify a refusal or charge for administrative time in dealing with any manifestly unreasonable or excessive requests for access. We may also require further information to locate the specific information you seek before we can respond in full and apply certain legal exemptions when responding to your request.
13.2. Under Data Protection Law, where we are handling your Personal Data, you also have the following rights, which are exercisable by making a request to us in writing:
13.2.1. that we correct Personal Data that we hold about you which is inaccurate or incomplete;
13.2.2. that we erase your Personal Data without undue delay if we no longer need to hold or process it;
13.2.3. to object to any automated processing (if applicable) that we carry out in relation to your Personal Data, for example if we conduct any automated credit scoring;
13.2.4. to object to our use of your Personal Data for direct marketing;
13.2.5. to object and/or to restrict the use of your Personal Data for purpose other than those set out above unless we have a legitimate reason for continuing to use it; or
13.2.6. that we transfer Personal Data to another party where the Personal Data has been collected with your consent or is being used to perform contact with you and is being carried out by automated means.
13.2.7. To withdraw your consent to the processing of your personal data at any time.
13.3. All of these requests may be forwarded on to a third party data processor who is involved in the processing of your Personal Data on our behalf.
13.4. If you would like to exercise any of the rights set out above, please contact us at the address below.
13.5. If you make a request and are not satisfied with our response or believe that we are illegally processing your Personal Data, you have the right to complain to the Information Commissioner’s Office (ICO) – see https://ico.org.uk/.
14. Contact
14.1. If you have any queries regarding this Privacy Policy or wish to make a further request relating to how we use your Personal Data as described above, please write to our data control office, marking the top left hand side of your envelope with the words ‘DATA ENQUIRY’ in capitals:
P. R. Denman
Talisman Charitable Trust
Lower Ground Floor Office
354 Kennington Road
London SE11 4LD