The purpose of this policy is to demonstrate our commitment to robust data protection processes and to show that we follow the Principles of the Data Protection Act 1998 (the Act) and the General Data Protection Regulation (GDPR).
StC Payroll Giving (“we”) promises to respect any personal data you share with us, or that we get from other organisations and keep it safe. We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
How We Collect Information from You
We collect information in the following ways:
- In addition, the type of device you’re using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.
We do not sell or share personal details to third parties for the purposes of marketing.
How We Keep Your Data Safe and Who Has Access
We ensure that there are appropriate technical controls in place to protect your personal details. For example, our online forms are always encrypted, and our network is protected and routinely monitored.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff. Data users are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.
None of our suppliers currently run their operations outside the European Economic Area (EEA). However, if a situation should arise where we are obligated to use a supplier that transfers personal data to a country outside the EEA:
We ensure that one of the following conditions applies:
(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
(b) The data subject has given his consent.
(c) The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
(d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
(e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
We will only ever share your data if we have your explicit and informed consent.
Keeping Your Information Up to Date
Where possible we use publicly available sources to keep your records up to date; for example, the Post Office’s National Change of Address database and information provided to us by other organisations as described above.
We really appreciate it if you let us know if your contact details change.
Can I access my personal information?
You have the right to get a copy of the information that we hold about you. This is known as a subject access request.
This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations ‘data controllers’.
You can ask us to supply you with copies of both paper and computer records and related information.
We may charge a fee of up to £10.
However, it is important to remember that not all personal information is covered and there are ‘exemptions’ within the Act which may allow us to refuse to comply with your subject access request in certain circumstances.
If you want to access your information, send a description of the information you want to see and proof of your identity by post to:
StC Payroll Giving, Unit 97C+D, Harvey Drive, John Wilson Estate, Whitstable, Kent, CT5 3QZ.
Raising a Concern
If you have a concern about the way in which we are handling your information; if we:
- are not keeping your information secure;
- hold inaccurate information about you;
- have disclosed information about you;
- are keeping information about you for longer than is necessary; or
- have collected information for one reason and is using it for something else;
We believe that we should deal with it. We take your concern seriously and will work with you to try to resolve it.
We do not accept these requests by email, so we can ensure that we only provide personal data to the right person.
How do you ask us to stop using your data?
You have a right to ask us to stop processing your personal data, if it’s not necessary for the purpose you provided it to us for. Contact us 01227 289100 or email@example.com
- Data controller: StC Payroll Giving, Unit 97C+D, Harvey Drive, John Wilson Estate, Whitstable, Kent, CT5 3QZ
- Data Protection Officer: Alice Wright, Unit 97C+D, Harvey Drive, John Wilson Estate, Whitstable, Kent, CT5 3QZ
t: 01227 376998
Changes to this Policy
If you have any questions please send these to firstname.lastname@example.org, and for further information see the Information Commissioner’s Office guidance here https://ico.org.uk/for-the-public/