Approved by the Trustees of the Company of Merchants of the Staple of England Charitable Trust
Charity Number 1101121
Publication Date: March 2019
Review Date: March 2021
The Company of Merchants of the Staple of England Charitable Trust (charity number 1101121); (The Staple) needs to collect and retain certain personal data to fulfil charitable purposes and to meet its legal obligations. The Staple is the charitable trust of the Company of Merchants of the Staple of England. (The Company). (www.merchantsofthestapleofengland.co.uk)
Personal data means any information relating to an identified or identifiable living person. An identifiable person is one who can be identified, directly or indirectly, in particular by an identifier such as a name, identification number, on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Processing is any activity carried out involving personal information, including holding and storing it in any format, both digital and hardcopy.
The Staple is committed to protecting the rights of individuals with regard to the processing of personal data and undertakes to manage personal data fairly and lawfully in accordance with the General Data Protection Regulation.
This policy (together with its annexes) deals with the requirements of the General Data Protection Regulation and its principles and provides the policy framework through which effective management of personal data can be achieved.
2. Responsibility for this policy
Ultimate responsibility for the development of clear and effective processes and procedures associated with data protection and the management of personal data lies with the trustees of The Staple.
Responsibility for the implementation of this policy is shared across all staff and functions, both individually and collectively, of The Staple.
If you have any questions about The Staple’s privacy practices, please contact the Data Protection Officer. (DPO).
How to contact us: Email: firstname.lastname@example.org
Address: Data Protection Officer
The Company of Merchants of the Staple of England
21 West Street
North Yorkshire YO17 6SP
3. The principles of data protection
There are six data protection principles set out under the General Data Protection Regulation. In summary they are that personal data should be:
- Processed fairly and lawfully and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and kept up to date
- Kept only for as long as is necessary for those purposes
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Procedural approach to data protection
The Staple only collects personal data for specified legitimate purposes and shall only process the information in accordance with those purposes.
4. General use of personal data
In accordance with the normal and proper conduct of business operations, The Staple holds personal data on applicants for prizes offered by the charity and its sister organisations or are connected with The Staple.
Personal data is held in a variety of formats, both electronic and hard copy.
For individuals this will include (but not be restricted to) the normal conduct of business matters.
5. The types of personal information The Staple collects
The Staple collects and processes information relating to applicants to the prizes, bursaries, donations and scholarships it offers.
Not all of the personal information The Staple holds about its applicants will come directly from the applicants. It may, for example, come from other organisations; for example; referral organisations.
The Staple also holds the names and addresses of donors to the Charitable Trust. These will include Freemen of The Company and external supporters of the Staple.
6. Lawful basis for processing
The Staple will only process and use personal data for legitimate and lawful purposes, and where practicable, with the relevant individual’s consent.
It is necessary for The Staple to collect, process and use personal data in order to fulfil the engagement between the applicants and The Staple.
The Staple will ensure that personal data is accurate, kept up to date and securely, and is only retained for as long as is necessary.
Access to personal data is restricted to those personnel to whom it is necessary for the performance of their role. All staff who are authorised to access personal data are under an obligation to comply with this policy, the General Data Protection Regulation and any other relevant guidelines or legislation.
Staff with access to personal data are required to ensure that it is held in a secure location where other unauthorised staff will not be able to access it without permission.
The Staple will routinely and safely dispose of information once it appears to have exceeded its useful life and will do so in accordance with its data retention policy and related procedures.
If reasonably necessary or required to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may also keep hold of some of your information as required, even if it is no longer needed to provide the services to you.
7. Rights of individuals
Under the General Data Protection Regulation, an individual has the following rights:
- To be informed about how their personal data is being used
- To access the personal data held about them
- To request that elements of that data be ported to another service provider
- To request rectification of any mistakes in the data that is held
- To request the erasure of personal data in certain situations
- To request the restriction of processing
- To object to the processing
- To object to any decisions being taken by automated means
A formal request to exercise any of these rights can be made free of charge and in writing to the DPO. The Staple will require proof of identity and address and the information to which the request relates.
For further information on each of these rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individual’s rights under the General Data Protection Regulation.
8. Accessing your personal data
Subject to the requirements of the General Data Protection Regulation, anyone has the right to know and inspect what personal data The Staple holds about them and for this to be correct. If an individual has a query regarding the accuracy of their personal data, then their request will be dealt with fairly and impartially.
9. Data Transfer
The Staple will only disclose or transfer personal data to third parties where consent has been obtained, where required by law, or as otherwise authorised under the General Data Protection Regulation.
Personal data will only be transferred to third parties where this is for proper purposes related to business matters. This can include where The Staple uses a subcontractor to carry out activities on its behalf. In such cases, The Staple will ensure that the subcontractor is engaged under a suitable contract and that appropriate controls are in place to ensure that personal data is protected. Third party service providers include professional service providers such as website hosts, marketing agencies and advertising partners.
Any exceptional disclosure of personal data will always be balanced against the rights of the person as provided for under the General Data Protection Regulation. The Staple will not sell or supply personal data to third parties for their own marketing purposes unless specific consent has been obtained or as otherwise authorised by law.
The Staple will only transfer personal data to countries located outside the European Economic Area in accordance with a European Commission approved contract as permitted under Article 46 (5) of the General Data Protection Regulation that are designed to safeguard privacy rights.
Personal data may be transferred to countries which are located outside the European Economic Area. For more information, please contact the Data Protection Officer.
If there are concerns regarding the processing or security of personal data, individuals should contact the Data Protection Officer.
If an individual remains dissatisfied with The Staple’s response or requires any advice in regard to personal data they should contact the Information Commissioner’s Office (ICO).
about You by emailing or writing to us at the address in section 2 of this document.
12. Monitoring and evaluation of the provision
Formal responsibility for monitoring and evaluation of this policy lies with the Data Protection Officer.