PRIVACY POLICY & GDPR NOTICES
The Worshipful Company of Tobacco Pipe Makers and Tobacco Blenders Registered Office: 14 Montpelier Road, Sutton, Surrey, SM1 4QE
PRIVACY NOTICE
(Liveryman or Freeman)
INTRODUCTION
Our Intent. We are committed to safeguarding the privacy of our members. The Company will only use the information that we collect about you lawfully and in accordance with the Data Protection Act 1998 (the “Act”).
Changes to Data Protection Legislation. Data Protection legislation and the Act is currently going through a period of change. The introduction of the European Union’s General Data Protection Regulation (GDPR) and the new British Data Protection Bill, that will replace the Act and is currently passing through Parliament is the basis of this change. This Privacy Notice is therefore intended to comply with the Act and GDPR but may change over time.
Member’s Terms and Conditions. This Privacy Notice, forms part of Terms and Conditions for being a member of the Company. In legal terms, members are “Data Subjects”, i.e. “you”. However, we may also under this collect personal information regarding your spouse and dependents if appropriate.
The Data Controller. The Worshipful Company of Tobacco Pipe Makers and Tobacco Blenders (to be known as the Company) is from a legal perspective classed as the “Data Controller”.
Data Protection Officer (DPO). The Company’s DPO is the Clerk. The Company’s Clerk fulfils a number of roles, one of which is to be the primary point of contact for data protection matters. The formal mechanism for members to raise concerns regarding the processing of personal data is primarily to email: clerk@tobaccolivery.org; or send a letter by registered mail to: 14 Montpelier Road, Sutton, Surrey, SM1 4QE, at which point the inquiry will be actioned. However, verbal enquiries from guests will be treated appropriately by Company staff members, although a written follow up may be requested if appropriate.
Purpose of Processing Personal Data. We collect personal data primarily to support The Worshipful Company of Tobacco Pipe Makers and Tobacco Blenders, support the City and the Lord Mayor and to raise money and support charitable and educational works.
Lawful Basis of Processing Personal Data. The lawful basis of processing your personal data are as follows:
Consent. Once you have agreed to this Privacy Notice of our Terms and Conditions, you will be registered for the processing of your personal data, based upon your Consent.
Categories of Personal Data Processed. The information we hold should be accurate and up-to-date. The personal information which we hold will be held securely in accordance with our internal data protection and security policies. The type or categories of personal data we will collect about you includes your:
DISCLAIMER: The information in this Privacy Notice is for general guidance on your rights and responsibilities and is not legal advice. If you need more details on your rights or legal advice about what action to take, please contact an advisor or qualified lawyer.
The Worshipful Company of Tobacco Pipe Makers and Tobacco Blenders Registered Office: 14 Montpelier Road, Sutton, Surrey, SM1 4QE
Name
Postal address
Email address
Mobile and/or landline number
Your Spouse or Partner’s name
Photograph
Bank/Building Society details
Direct Debit Information
Gift Aid details
Benevolent Fund Donations
Date of Birth
Freedom Date
Liveryman Date
Date of joining Standing Committees or the Court
Date of becoming Warden and Master
Proposer and Seconder’s names
Education Details
Business/Work Information
If you apply for further roles or appointments within the Company, we may request further information and retain additional records, such as interview notes.
Equally minutes of meetings and records of decisions may include your name and other information about you.
Category of Recipients of Personal Data. Your name and contact details will primarily only be used internally within the Company. However, if you participate in a dinner, Inter-Livery or charitable outreach activity, we will normally have to provide your name and possibly other details to other stakeholders.
Transfer of Personal Data Outside the EEA (European Economic Area). Personal data will only be transferred outside the EEA or other areas of adequacy determined by the EU, for specific events. If this is required, consent will be explicitly requested from you.
Sensitive Personal Data. We will never collect sensitive personal data about you without your explicit consent and a clear explanation why it is required.
Spouse and Children Personal Data. If we hold personal data about a member’s spouse, we will ask for consent from the spouse for this. For member’s children, under the age of 18 years old, we will assume parental consent, however your child(ren) may withdraw consent, including as an adult.
Sale or Passing of Personal Data to Third Parties. We will not sell or pass your personal data to any commercial or charitable organisation.
DISCLAIMER: The information in this Privacy Notice is for general guidance on your rights and responsibilities and is not legal advice. If you need more details on your rights or legal advice about what action to take, please contact an advisor or qualified lawyer.
The Worshipful Company of Tobacco Pipe Makers and Tobacco Blenders Registered Office: 14 Montpelier Road, Sutton, Surrey, SM1 4QE
Retention of Personal Data. We will retain your personal data as follows:
Information Held Under Consent. Whilst you are a member of the Company. Upon leaving, we will request your consent to continuing to hold your name and relevant details to support our historical records.
Data Subject’s Rights. Under the Act and even more under the GDPR you have a number of Rights which we have outlined below:
Right of Access. You are entitled to access your personal data so that you are aware and can verify the lawfulness of the processing. This is achieved through the mechanism of a Subject Access Request (SAR) and you have the right to obtain:
Confirmation that your data is being processed (held)
Access to your personal data (a copy) and
Other supplementary information that corresponds to the information in this privacy notice.
Fees and Timings. Under GDPR and from 25 May 2018, this information will be provided without charge; without delay and within one month. If an extension is required or requests are considered manifestly unfounded or excessive, in particular because they are repetitive, the Company may choose to: charge a reasonable fee taking into account the administrative costs of providing the information; or refuse to respond. The reasons for this will be formally notified to you and your rights to appeal to the appropriate Supervisory Authority, i.e. UK Information Commissioner’s Officer (ICO) will be highlighted.
Identity Verification. To protect your personal data, the Clerk will seek to verify your identity before releasing any information, which will normally be in electronic format. As a member this will normally be a simple process, however if the SAR is made from a member living overseas, or former member, or by the relative of a deceased member, then additional verification steps are likely.
Right of Rectification. You are entitled to have personal data rectified if it is inaccurate or incomplete. The Clerk will respond within one month of your request. In the unlikely event, the Clerk does not take action to the request for rectification, we will inform you of your rights to complain or seek judicial remedy.
Right of Erasure. You may request the deletion or removal of personal data where there is no compelling reason for its continued processing. The Right to Erasure does not provide an absolute ‘right to be forgotten’. However, you do have a right to have personal data erased and to prevent processing in specific circumstances:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
When you withdraw consent
When you object to the processing and there is no overriding legitimate interest for
continuing the processing
DISCLAIMER: The information in this Privacy Notice is for general guidance on your rights and responsibilities and is not legal advice. If you need more details on your rights or legal advice about what action to take, please contact an advisor or qualified lawyer.
The Worshipful Company of Tobacco Pipe Makers and Tobacco Blenders Registered Office: 14 Montpelier Road, Sutton, Surrey, SM1 4QE
The personal data was unlawfully processed
The personal data has to be erased in order to comply with a legal obligation
The personal data is processed in relation to the offer of information society services
to a child which the Company does not provide.
Right to Restrict Processing. Under the Act, you have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, the Company is permitted to store the personal data, but not further process it. In this event, exactly what is held and why will be explained to you.
Right to Data Portability. You may request to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The Right to Data Portability only applies:
To personal data you have provided to the Company
Where the processing is based on your consent or for the performance of a contract
and
When processing is carried out by automated means.
In these circumstances, the Clerk will provide a copy of your data in CSV format and, or PDF free of charge, without undue delay and within one month. If there is a delay to this, you will be informed.
Right to Object. You have the right to object to:
Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
Direct marketing (including profiling) and
Processing for purposes of scientific/historical research and statistics.
Automated Decision Making and Profiling. The Company does not employ any automated decision-making or conduct profiling of Data Subjects. However, if you have consented to be held on our Customer Relationship Management (CRM) database, we may periodically send you marketing information so that you are informed of upcoming events. These are automated but they do not involve automated decision-making or profiling.
THE TOBACCO PIPE MAKERS AND TOBACCO TRADE BENEVOLENT FUND
PRIVACY NOTICE FOR GRANT RECIPIENTS AND DONORS
The Tobacco Pipe Makers and Tobacco Trade Benevolent Fund (registered charity number 1135646) (the “Charity”) is committed to protecting your personal data and being transparent about what personal data we collect and how we use it. This Privacy Notice explains why we collect certain personal information about you and how we use it. It sets out the legal basis for our processing and outlines your data protection rights.
Who we are and how to contact us
For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and any further UK legislation covering data protection, the Charity is the controller of your personal data. That means that we determine the purposes (why) and the means (how) we process your data.
For further information regarding privacy and data protection at the Charity, or if you have any questions, please contact the Secretary via BenevolentFund@tobaccolivery.org.
What type of personal data we collect
Grant Recipients
We collect a variety of personal data in order to perform and administer our grant making function, including:
· Basic identifiers
· Contact details
· Occupation details
· Information concerning your engagement with us, including attendance at our events, responses to surveys or focus groups, records of meetings, etc.
· Any other information relevant to a grant funding application or award
· For promotional purposes, photographs of your charitable activities.
Certain types of personal data are considered by data protection law to be more sensitive than others. This includes “special category personal data” (information relating to your health, racial or ethnic origin, details of sexual life, sexual orientation, religious beliefs, political opinions or any genetic or biometric data that is used to identify you) and “criminal offences and conviction data”.
We do not routinely process any special category data or criminal offences and conviction data.
Donors
The type of personal data we process depends on the purposes for which we will need to use it, and may include:
· Basic identifiers
· Contact details
· Occupation details
· Information about our interactions with you
· Photos and videos, for example if you attend one of our events. We will always make sure you are aware if we plan to film an event you are attending.
We do not routinely process any special category data or criminal offences and conviction data.
How we collect your personal data
Grant recipients
We may collect your personal data in a number of ways, for example:
· From the information you provide to us when you interact with us before making an application for grant funding
· When you submit a formal application
· From third parties, for example partner organisations, in order to verify details about you and/or your application for an award, or to administer your grant once awarded
· When you communicate with us by telephone, email or via our website or our social media channels, for example in order to make enquiries about an application or an award
· In various other ways as you interact with us during your time as a grant recipient.
Donors
We may collect your personal data in a number of ways, for example:
· From the information you provide to us when support our work
· From third parties, for example partner organisations, in order to verify details about you
· When you communicate with us by telephone, email or via our website or our social media channels
· When you attend our events
· In various other ways as you interact with us during your time as a supporter.
How we use your personal data
Grant Recipients
The main reason we use your personal data is to allow us to work with you and perform our grant making function. In particular, we use your personal data for the following purposes:
· Reviewing and assessing applications for grant funding
· Maintaining records of previous grants and previously supported grantees
· Managing the grant, including coordinating any reporting obligations
· Monitoring your use of the grant
· Providing you with information and advice
· Administrative purposes, for example in connection with an event you have registered for or attended
· Conducting surveys, focus groups and other research
· Evaluating our work
· With your permission, featuring you or your representatives in promotional materials for marketing and fundraising purposes.
Donors
We will use your personal data for various purposes consistent with the legal basis we rely on. These purposes include:
· Processing and administering grants and donations
· Communicating with you
· Organising activities you have told us you wish to be involved in
· Sending you communications that may be of interest, including marketing information about our services and activities, campaigns and appeals for donations and other fundraising activities and promotions for which we seek support
· Seeking your views on the services or activities we carry on so that we can make improvements
· Maintaining our organisational records
· Carrying out analysis of our donor database. For example, this may include inviting prospective donors to events, or contacting past donors about new opportunities for donation
· Inviting you to take part in volunteering activities, where you have expressed an interest in this.
Our legal basis for processing your information
Grant Recipients
· Consent: here you have provided your consent for us to use your personal data. For example, if you sign up to receive marketing communications from us. You may withdraw consent at any time by emailing the Secretary via BenevolentFund@tobaccolivery.org. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
· Legal obligations: It may be necessary for us to use your information to comply with our legal obligations, such as:
- to meet our compliance and regulatory obligations
- for the prevention and detection of crime
- in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities
· Where necessary for the establishment, exercise or defence of legal claims (for example, to protect and defend our rights or property, and/or the rights or property of our grantees, partner organisations or supporters).
· Legitimate interests: It may be necessary for us to use your personal data for the purposes of our legitimate interest or those of a third party. Where we are relying on this basis, we only do so where your interests do not override ours. Examples include:
- to manage grant applications
- to run our day-to-day operations, including maintaining our records
- to evaluate our work
- to share information with trusted third parties.
Donors
· Consent: here you have provided your consent for us to use your personal data. For example, if you sign up to receive marketing communications from us. You may withdraw consent at any time by emailing Secretary via BenevolentFund@tobaccolivery.org. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
· Legal obligations: It may be necessary for us to use your information to comply with our legal obligations, such as:
- to meet our compliance and regulatory obligations
- for the prevention and detection of crime
- in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities.
· Where necessary for the establishment, exercise or defence of legal claims (for example, to protect and defend our rights or property, and/or the rights or property of our grantees, partner organisations or supporters).
· Legitimate interests: It may be necessary for us to use your personal data for the purposes of our legitimate interests, or those of a third party.
- planning fundraising campaigns
- inviting existing donors to increase engagement.
How we keep your personal data safe
We understand how important it is to protect your personal data and take appropriate steps to safeguard it.
We implement adequate technical and organisational measures to ensure a level of security appropriate to the potential risks. For example:
· all persons authorised to access personal data are required to undergo appropriate training and must comply with organisational and technical measures that we have put in place
· we have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We ensure that access to your personal data is restricted to those members of our staff, volunteers and contractors who need to access personal data to fulfil their roles. All authorised persons are appropriately trained and commit to ensuring confidentiality and security of your data.
Please note, we interact via the internet and email, and no external data transmission over the internet can be guaranteed to be 100% secure. While the Charity strives to safeguard your personal data and mitigate any risks as far as possible, we cannot guarantee the security of the information you provide online and you do this at your own risk.
Who has access to your personal data
Routinely, we may share your personal data with the following third parties, to enable us to provide our services, fulfil our charitable objectives, or comply with our legal obligations. These include:
· Our partner organisations where necessary for the assessment of grant applications
· Our employees, agents and contractors where there is a legitimate reason for their receiving the information, including third parties where we have engaged them to process data on our behalf as part of administering the award application process
· Trusted third parties who help us to evaluate our work
· Third parties to whom we are required to do disclose personal data under a legal obligation (for example for the purposes of fraud prevention or tax compliance)
· Third parties in connection with or as a result of restructuring or reorganisation of our operations, for example if we merge with another charity. In such event we will require that a third party commits to protecting your personal data and privacy rights
· Organisations who provide services for us, for example our legal advisors, appointed accountants, auditors, IT services providers, mailing and marketing services providers. We select all third-party service providers with care and provide them with the minimum amount of information necessary to provide their service. We always a have an appropriate agreement in place that requires them to protect personal data to the same standard as we do
· Courts, Government bodies, Law enforcement agencies or other competent authorities, for example by the Charity Commission.
Transfers of your personal data to other countries
For financial or technical reasons, we may need to transfer your personal data to countries outside the UK, which are subject to different data protection laws. We may do this where for example, we use suppliers in a third country or data is stored on servers outside the UK. We meet the UK GDPR requirements by ensuring that any personal data transferred outside the UK continues to be protected as if it were being held in the UK. If you would like more information about how we protect your personal data if it is transferred outside the UK, please contact us.
How long we keep your personal data for
We will only store your personal data for as long we need it to fulfil the purposes we collected it for. When deciding how long to keep your personal data, we consider the amount and type of data, why we need it, how sensitive it is, and the potential harm if something went wrong. We keep all of the information we hold under review and will securely delete or anonymise personal data which is no longer required. For further information about how long we store your personal data, please contact us.
Automated decision-making and profiling
Automated decision-making is when a computer or similar electronic system uses personal data to make decisions about people without any human involvement. Profiling involves collecting various pieces of information about a person in order to analyse or evaluate certain aspects relating to that person or to make predictions about them (for example, how that person may behave or what their preferences are). Automated decision-making does not have to involve profiling, though it often will.
We do not use your personal data in automated decision-making, including profiling (i.e. we do not make decisions about you by way of automated means without human involvement).
If that changes we will update this notice and notify you in writing (where appropriate).
Your rights
You have certain rights in relation to your personal data, namely:
· Right to be informed – You have a right to information about how we collect and use your personal data (this is contained within this privacy notice)
· Right of access to your personal data (commonly known as a "subject access request") – You can ask us to confirm if we are holding your personal data, request a copy of your personal data and certain other information to check that we are processing your data lawfully
· Right to rectification – You can ask us to correct any information about you if you think it is wrong, or to update or complete information if you think it’s incomplete
· Right of erasure – You can ask us to erase information about you in some circumstances although there might be reasons why we cannot do this
· Right to restrict our processing of your personal data – You can ask us to stop processing your personal data, for example if you want us to establish its accuracy or you’re questioning our legal basis for processing it. This right only applies in certain circumstances
· Right to object – You can object to our use of your personal data in certain circumstances. Please note, you always have a right to object to processing of your personal data for direct marketing purposes
· Right to data portability – You can ask us to transfer your personal data to you or to another organisation free of charge and in a structured, commonly used format which is openly accessible to software (such as a CSV file). This right only applies where we hold your personal data to fulfil a contract or because we have gained your consent.
Some of these rights do not apply in all circumstances and we may be able to refuse or partially refuse requests in certain circumstances, such as where a legal exemption applies. In most cases we have one month to respond. Occasionally, we may need to verify your identity before we are able to process a request.
You can exercise these rights by contacting the Secretary via BenevolentFund@tobaccolivery.org.
Failure to provide personal data
When we collect personal information, we will make it clear whether you are required by law, or under a contract, to provide your personal data, and what will happen if you do not provide that data.
Complaints
In the first instance, please contact us to discuss any concerns and we will make every effort to resolve any issues.
You have the right to make a complaint to the Information Commissioner’s Office (ICO) if you are not happy with the way we are processing your personal data or our response to your attempt to exercise one of the rights above.
Changes to privacy notice
We may revise this notice from time to time to reflect any changes to the way we handle your personal data or new legal requirements. We will advertise any changes on our website or, if the changes are material, we will bring them to your attention directly.