WESSEX HEARTBEAT

Privacy Policy updated for the new General Data Protection Regulation (GDPR)

This privacy policy explains what kind of personal information Wessex Heartbeat will collect and process when you register an account with us, pay for a product/service/charitable gift, or disclose your personal information to us or to third party organisations that share information with us.

Personnel authorised to process data under the Data Controller – Wessex Heartbeat

  • John Munro, CEO
  • Nicola Nash, Finance Manager
  • Callum Munro, Fundraising Manager
  • Tina Richardson, Events and Community Fundraiser
  • Jennifer Kenny, Office Manager
  • Ken Wilde, Commercial Manager
  • Trish Bishop, House Manager

This is a working document to ensure that supporters who entrust us with their personal data are fully aware of their rights and what we do with their data.

Wessex Heartbeat GDPR Privacy Policy

Wessex Heartbeat are a private limited company, limited by guarantee no. 5924982. The company is run as a fully registered charity regulated under the Charity Commission for England and Wales.

Charity No. 1116510

In this document, "we", "our", or "us" refer to Wessex Heartbeat, registered at 152-154 Tremona Road, Southampton, SO16 6HW.

This privacy policy explains what kind of personal information Wessex Heartbeat will collect and process when you register an account with us or pay for a product/service/charitable gift, in turn disclosing your personal information.

Wessex Heartbeat, as a Data Controller, work hard to ensure that Personal Data is processed only when necessary to ensure the growth of Wessex Heartbeat as a non-Government funded charity.

Introduction

This is a notice to inform you of our policy about all information that we record about you. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.

We regret that if there are one or more points below with which you are not happy, your only recourse is to leave our website immediately.

We take seriously the protection of your privacy and confidentiality. We understand that all visitors to our website are entitled to know that their personal data will not be used for any purpose unintended by them and will not accidentally fall into the hands of a third party.

We undertake to preserve the confidentiality of all information you provide to us, and hope that you reciprocate.

Our policy complies with UK law accordingly implemented, including that required by the EU General Data Protection Regulation (GDPR).

The law requires us to tell you about your rights and our obligations to you regarding the processing and control of your personal data. We do this now, by requesting that you read the information provided at www.knowyourprivacyrights.org

Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website, without your consent.

The reason we process information about you

The law requires us to determine under which of six defined bases we process various categories of your personal information, and to notify you of the basis for each category.

If a basis on which we process your personal information is no longer relevant to the growth of the charity, then we shall immediately stop processing your data.

If the basis changes then if required by law, we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.

Wessex Heartbeat process your data based on our legitimate interest. These interests are:

Raising funds to support and improve cardiac care in the Wessex Region

Improve the overall efficiency of the Wessex Cardiac Centre

Understanding whether a person has the means to support the cause

Assessing whether a person would be likely to donate to the cause

Because of these legitimate interests that Wessex Heartbeat have, we will use information that can be found in the Public Domain to improve our understanding of a Data Subject’s data. This allows Wessex Heartbeat to ensure that the data subject only receive materials from us that will be of interest to them; lessening the amount of unwanted or irrelevant information. It is also important to allow us to recognise the potential of a major donor; something that is necessary and important to the raising of funds for Wessex Heartbeat.

Any processing we do under legitimate interest is of course subject to objection. If you disagree with our methods of processing data, please feel free to get in touch by email – [email protected] or telephone – 023 8070 6095. You are always welcome to contact us via social media if easier, at www.facebook.com/heartcharity. We take your comfort around personal data very seriously and will honour any objections you have.

For contacting somebody regarding marketing or fundraising campaigns via Email, we will only ever do so if we have received a positive opt in from the data subject at some point. If you are unsure whether or not you have opted in to receive our emails, please feel free to call us on 023 8070 6095, or simply email [email protected], outlining your desire to receive our emails.

What information do we collect about you? 

We collect information about you when you register an account on our website – www.heartbeat.co.uk. We also collect your information when you authorise a payment to Wessex Heartbeat. This could be through online donations, donations by post, verbal donations, or any kind of interaction with us where you disclose your information.

The information that we collect on creation of an account consists of:

  • First Name
  • Surname
  • Email Address

Optional information that isn’t required to create an account, but which we may still hold when specified by you, consists of:

  • Prefix
  • Middle Name
  • Suffix
  • Title
  • Organization
  • Phone/Mobile Phone
  • Country
  • Address details

Information we collect through any means other than our website will only ever consist of personal information you have given to us or that you have given to a third party organisation that shares data with us. We will never collect third party data that you are not aware of, but we do urge you to read through all companies' privacy policies and guidelines to ensure that you are happy with where your data is going.

Sometimes Wessex Heartbeat will act as a Data Processor on behalf of a third party Data Controller, meaning that we will receive personal data from this party in order to fulfil a service. Data received in this way will never be kept and processed on our database or any other means of records, unless we were to receive a donation/direct interest in being held on our records. When a service with another Data Controller is fulfilled completely, this personal data will be removed from any record that we may have and destroyed.

We will only ever process data that we absolutely need, so as to keep our data organised and to ensure that your personal data is never used incorrectly or mistreated.

We understand your right to withhold any kind of personal information and would encourage you to contact a team member at Wessex Heartbeat if you ever feel uncomfortable about revealing a certain piece of required personal data. You can contact us at 023 8070 6095 or email [email protected].

We use PayPal as a financial gateway for any transactions made through our website. PayPal share your information with us when you make a transaction through our website. For more information on how PayPal process and share your data, please read through their Privacy Policy - https://www.paypal.com/en/webapps/mpp/ua/privacy-full#2.

How will we use the information about you?

We collect this information to process any orders and manage your account. 

We will also use these details to keep you updated on the work that the charity is doing, any upcoming events and general news. We will only use your data to email you for this purpose, if you have positively opted in to receiving emails from us. 

We may send direct mail to you if you disclose an eligible address when giving us your information. We do this out of the legitimate interest of the charity. Wessex Heartbeat is in no way Government funded and relies solely on individual donations from supporters. We use this reasoning to send out a form of direct mail to our supporters to ensure that you are given the correct information and an uncomplicated way to support us. You have the right to opt out of receiving any form of direct mail from Wessex Heartbeat, when giving us any information.

This information is sometimes used to personally thank you for gifts or orders; and to send out any other means of personal dialogue between you as a supporter. Personal dialogue may come in the form of a letter or an email, depending on your choices surrounding your personal data. Wessex Heartbeat will never instigate any form of personal dialogue or contact, without receiving a reason to contact you. The reasons range from receiving a donation to being directly contacted with a query or message.

We fully understand and appreciate the importance of controlling and processing your personal data. At the end of the day, it is YOUR personal data and we will always bear that in mind when processing it. We encourage you to think about whether you would like to hear from us in future and be vocal in letting us know. This may be in the form of a tick box when creating an account, a letter/email or a verbal conversation. Your comfort over your personal data is far more important to us than it is to process it.

Only if you choose to positively opt in to receive emails from us when creating an account or sharing your details may we share some personal data with ECA (Effemey Cosby Advertising Ltd), who manage and maintain our email marketing and analytics. The information that they receive from us will only ever consist of:

  • First Name
  • Surname
  • Email Address

If you are receiving any kind of unwanted contact from us, then please don’t hesitate to contact us via the contact details located at the bottom of the page or click the unsubscribe link on any email we have sent you in the past.

Any other Data Controllers/Processors that we may share your data with

Our website and database are run on a system called iMIS 200, owned by a company called ASI. 

This system is a secured cloud-based CRM and is where all the data that we process is stored. The website is linked to this system, allowing registration to communicate with our database, instantly holding your data after an account is created. 

The system will only ever hold the information that you provide us with, and this information will be held for four years, unless you specify otherwise. A new donation to the charity will result in this time starting again, meaning all your personal data and records will be completely wiped from our records after four years of no interaction. You can always contact us to have your data removed at any point.

ASI are a US and London based company and must comply with EU Data Laws such as GDPR. This means that we work under a GDPR-compliant agreement, meaning that your data must be secured on their system in compliance with the EU data laws.

Data Centre: iMIS is implemented and hosted in Coreix’s Tier III+ Data Centre in London.

Infrastructure: Coreix is a global leader in cloud solutions. Their Tier III+ data centres are equipped with full UPS power, back-up systems and N+1 (or greater) redundancy, with a proven, industry-leading >99.99999% uptime record. In addition, we use Cisco data security and Masergy capacity management solutions to provide you with best-in-class data security and system performance. Coreix’s data centre is ISO:27001 certified. To learn more visit www.coreix.net.

Support: We support your system with a team of certified iMIS, Microsoft, and data security experts who monitor your system 24 hours a day, 7 days a week to make sure your iMIS system is protected, properly maintained, and always available.

Other Institutions

Our financial records may be shared with HM Revenue & Customs (HMRC), if they were to ever audit our records. Financial records will be kept for up to 6 years.

We will also share personal data with HMRC when claiming for Gift Aid. We will never share your data with HMRC regarding Gift Aid, unless you have specified with us that you wish for your donations to have Gift Aid claimed.

When we send out direct marketing via post in the form of a newsletter, we will share your personal data with Hobbs the Printers Ltd. They will access your name and address, so that they can print and send the newsletters to the correct address.

We send via post under the legal basis of Legitimate Interest. If you are a previous donor who hasn’t donated to us in a while, we would like to update you on what we are doing, to allow you the choice of continuing to support us. This allows us to raise funds for our charitable cause and keep you updated on our work. At any time you may unsubscribe from receiving post from us by clicking here or contacting us using the contact details at the bottom of this policy.

Any data that we keep saved is stored safely using Office 365 and OneDrive. We ensure that encryption and data security is a top priority at all times when dealing with files containing personal data. As soon as a file containing personal data has been used for its purpose, it will be deleted from our server permanently. Microsoft work hard to ensure full data retention policies and extremely safe cloud based file storage; if you are interested in their own privacy policy, you can find it here - https://products.office.com/en-gb/business/office-365-trust-center-privacy

We will only ever share personal data with another Data Controller if we absolutely must, in order to complete and maintain our objectives at the charity. If there is ever a change in who we share your data with, we will update this policy accordingly and make it very clear in any communication that we undertake with you.

Access to your information and correction

Wessex Heartbeat would be happy to reveal to you what data of yours we hold. If you would like a copy of your stored information then you can contact us at [email protected], write to us or call 023 8070 6095. We will provide you with everything that we store and process regarding your information. There will be no charge for this, and you can request this information as often as you like.

We always want to ensure that any information you care to share with us is 100% accurate and up to date. If you realise that something is incorrect, please contact us and we will correct it. You can also sign into your account at any time on our website and change whatever you need to there.

The data that we hold and process only comes from the details you disclose when registering an account with us or sending us a donation/payment. We will never seek out extra or additional details about you without your consent.

Sending a message to our team

When you contact us, whether by telephone, through our website or by e-mail, we collect the data you have given to us to reply with the information you need.

We record your request and our reply to increase the efficiency of our organisation when approaching similar circumstances.

We do not keep any personally identifiable information associated with your message, such as your name or email address.

Within 14 days of receiving an email, our entire inbox will be backed up and secured in our MFA-secured Office 365 OneDrive, with our Outlook inbox being deleted. Any emails that may contain personal data that is not necessary to be kept will be deleted immediately and indefinitely. Emails that are kept on our secure OneDrive server are there to ensure that we have any necessary evidence of important conversations. If you ever wish to contact us regarding this, then please do not hesitate to do so. We would be more than happy to remove any past emails that contain your information.

Verification of your information

When we receive any request to access, edit or delete personally identifiable information, we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.

Encryption of data sent between us

We use Secure Sockets Layer (SSL) certificates to verify our identity to your browser and to encrypt any data you give us.

Whenever information is transferred between us, you can check that it is done so using SSL by looking for a closed padlock symbol or other trust mark in your browser’s URL bar or toolbar.

How you can complain

If you are not happy with our privacy policy or if you have any complaints, then you should tell us by email, or by any of the other contact methods located at the bottom of this document.

If a dispute is not settled, then we hope you will agree to attempt to resolve it by engaging in good faith with us in a process of mediation or arbitration. 

If you are in any way dissatisfied about how we process your personal information, you have a right to lodge a complaint with the Information Commissioner's Office. This can be done at https://ico.org.uk/concerns/

Retention period for personal data

We retain your data kept on our Database for 4 years, before reviewing and deleting as necessary. Any modifications or new communications will cause the retention period to reset, from the date of the change.

Financial records kept in our Office 365 OneDrive or kept physically must be kept for 6 years to comply with HM Revenue & Customs audit policies.

Emails that we receive are reviewed and deleted as necessary every 14 days, under the Data Retention tools used on Office 365. We may store emails as documents in our OneDrive if necessary, with great care taken to ensure that personal data is not only protected via encryption, but hidden when applicable.

Documents kept in our Office 365 OneDrive will be reviewed and deleted as necessary every 2 years. Any modifications to the document will reset the retention period.

You may contact us at any time and exercise your right to have your data removed from any of our storage means. We will always be completely willing to do this for you and will provide you with information regarding whatever the outcome of our not holding your data may be.

You will be able to find our full contact details at the bottom of this document.

Compliance with the law

Our privacy policy has been compiled to comply with the law of every country or legal jurisdiction in which we aim to do business. If you think it fails to satisfy the law of your jurisdiction, we should like to hear from you.

However, ultimately it is your choice as to whether you wish to use our website.

Review of this privacy policy

We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on our website on the day you use our website. We advise you to print a copy for your records. 

If you have any questions regarding our privacy policy, please contact us.

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. 

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.

Other websites

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies. 

Data may be processed outside the European Union

Our websites and database are hosted in Coreix’s Tier III+ Data Centre in London.

Data obtained within the UK or any other country could be processed outside the European Union. For example, some of the software our website uses may have been developed in the United States of America or in Australia.

Both our organisation and the processor are public authorities between whom there is either a legally binding agreement or administrative arrangements approved by a supervisory authority in the European Union relating to protection of your information.

Contact Details

You may contact us at any time with any query regarding your data. Being comfortable with how your data is being processed and obtained is very important and can seem daunting and complex to most. We are here to ensure that you feel comfortable with how Wessex Heartbeat process your data and to always offer you the right to retain or remove any or all data that we hold. 

To discuss any data queries, please contact Callum Munro on 023 8070 6095, or 07739072313 for out of hours. You can also contact us via email at [email protected] or write to 152-154 Tremona Road, Southampton, SO16 6HW.