Should we ask you to provide (or we otherwise collect) certain information relating to you by which you can be identified (referred to in this policy as ‘personal information’), it will only be used in accordance with this policy.
Changes to this policy
Our legal obligations regarding your personal information
We collect and process your Personal Data in accordance with applicable laws that regulate data protection and privacy. This includes, without limitation, the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018 together with other applicable UK and EU laws that regulate the collection, processing and privacy of your Personal Data (together, ‘data protection law’). For the purposes of data protection law, Working Families is a ‘data controller’.
We may collect the following personal information:
- Name and job title
- Contact information including email address
- Donation details, payment details and gift aid eligibility
- Event attendance
- Your marketing preferences
- Information you provide on why you have chosen to support us
- Information regarding your responses to our campaigns and other emails
- Details of our contact with you (this may include details of the nature of your contact with our Legal Advice Services and in regard to your membership of Working Families as an employer)
- Other information relevant to customer surveys and/or offers.
Please also note that some of the personal information you supply and that we process may include what is known as ‘sensitive’ data about you, for example, information regarding your ethnic origin or political, philosophical and religious beliefs, health or sex life. Other data relating to criminal convictions and offences may also be processed.
The type and quantity of personal information we collect and use depends on why you have provided it/our legitimate interests in using it. We will only collect, use and otherwise handle your personal information if we can rely on one or more of the following grounds:
- Where you have consented to this for specified and explicit purposes;
- Where it is necessary to fulfil legal obligations that apply to us;
- Where we need to protect your vital interests or those of someone else and/or
- Where it is necessary for our legitimate interests relating to running and improving our daily operations, keeping records of our activities and publicising our services as long as, in each case, these interests are in line with applicable law and your legal rights and freedoms.
If we process sensitive personal information we will only do this with your explicit consent; or, to protect your vital interests (or those of someone else) in an emergency; or, where you have already publicised such information; or, where we need to use such sensitive data in connection with a legal claim that we have or may be subject to.
How your personal information is collected
We collect most of this personal information directly from you—in person, by telephone, text or email and/or via our website. However, we may also collect information around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our communication. We may also collect information via cookies we use on our website. On occasion, we may receive data from third parties, usually marketing list specialists, for the purpose of business to business marketing.
What will we do with the personal information we collect:
- We will use your personal information to provide and services to you when requested
- We may use the personal information to analyse our delivery and improve our products and services, including our website, and to ensure that our policies are adhered to
- From time to time, we may also use your personal information to contact you for research purposes and to evaluate and improve our marketing activities
- We will provide you with direct marketing communications about what we are doing as well as products, services and/or campaigns which may be of interest to you by post or phone. If required under applicable law, where we contact you by SMS, email, social media and/or any other electronic communication channels for direct marketing purposes (emails about new services, events, special offers or other information which we think you may find interesting), this will be subject to you providing your express consent. You can object or withdraw your consent to receiving direct marketing from us at any time, by contacting us using the email address below.
- We collect statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our communication.
- We may use your personal to keep records of our activities and to administer our organisation and ensure its continuing operation.
- We may process your personal information to enforce and/or defend any of our legal claims or rights.
- We may process your personal information for any other purpose required by applicable law, regulation, the order of any court or regulatory authority.
Where will we keep this personal information:
All information you provide to us is stored on our systems. Any payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share your password(s) with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Disclosing your personal information to third parties
We may need to disclose your personal information to certain third party organisations who are handling that data information on our behalf and in accordance with our instructions under contract (called ‘data processors’) in the following circumstances:
- Companies and/or organisations that act as our service providers (e.g. Mailchimp who deliver newsletters, invitations to our events and updates, and Lamplight who provide us with a secure cloud-base database) or professional advisors (e.g. auditors)
- Companies and/or organisations what assist us in processing and/or otherwise fulfilling transactions that you have requested (e.g. payment processors)
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.
In exceptional cases, we may disclose personal information provided to the Legal Advice Service (LAS) run by Working Families if:
- We have concerns that a young person is at risk of harm; or
- We have a safeguarding concern regarding an adult.
We may also disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
In all cases we always aim to ensure that your personal information is only used by third parties for lawful purposes and in compliance applicable data protection law.
We are a United Kingdom based charity and provide our products and services from UK offices.
The personal information that we collect from you is primarily processed in the UK although it may be transferred to and stored at a destination outside the European Economic Area (EEA). Some countries outside the EEA (for example, the United States) are not regarded as having the same legal standards for protection of personal information that apply inside the EEA.
If we do transfer your personal information outside the EEA however, we will take appropriate steps to ensure that adequate measures are taken in accordance with data protection law to safeguard and protect your personal information. For example, Mailchimp, who deliver newsletters, invitations to our events and updates are based in the US and participate in the EU-US Privacy Shield Framework in which orgnaisations self-certify a commitment to protect personal data in accordance with standards which were accepted to meet EEA requirements. For more information, please see Mailchimp’s privacy notice.
How long we retain your personal information
We only retain personal information identifying you for as long as you have a relationship with us; or as necessary to perform our obligations to you (or to enforce or defend contract claims); or as is required by applicable law.
We have a data retention policy that sets out the different periods we retain data for in respect of relevant purposes in accordance with our duties under data protection law. The criteria we use for determining these retention periods is based on various legislative requirements; the purpose for which we hold data; and guidance issued by relevant regulatory authorities including but not limited to the UK Information Commissioner’s Office (ICO).
Personal information we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it.
Your personal data rights
In accordance with your legal rights under applicable law, you have a ‘subject access request’ right under which can request information about the personal information that we hold about you, what we use that personal information for and who it may be disclosed to as well as certain other information. Usually we will have a month to respond to such as subject access request. We reserve the right to verify your identity if you make such a subject access request and we may, in case of complex requests, require a further two months to respond. We may also charge for administrative time in dealing with any manifestly unreasonable or excessive requests for access. We may also require further information to locate the specific information you seek before we can respond in full and may apply certain legal exemptions when responding to your request.
Under data protection law you also have the following rights, which are exercisable by making a request to us in writing:
- that we correct personal information that we hold about you which is inaccurate or incomplete;
- that we erase your personal information without undue delay if we no longer need to hold or process it;
- to object to any automated processing (if applicable) that we carry out in relation to your personal information, for example if we conduct any automated credit scoring;
- to object to our use of your personal information for direct marketing;
- to object and/or to restrict the use of your personal information for purpose other than those set out above unless we have a legitimate reason for continuing to use it; or
- that we transfer personal information to another party where the personal information has been collected with your consent or is being used to perform contact with you and is being carries out by automated means.
All of these requests may be forwarded on to a third party provider who is involved in the processing of your personal information on our behalf.
If you would like to exercise any of the rights set out above, please contact us at the address below.
If you make a request and are not satisfied with our response, or believe that we are illegally processing your personal information, you have the right to complain to the Information Commissioner’s Office (ICO).