INTRODUCTION
The data protection laws that apply to the DEC and govern how we use your personal information are the Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations 2003. This privacy policy relates to all personal data we collect and process about you. If you are unsure how we are handling information about you, or you think we could improve our privacy information, please let us know.
We strive to process information about you fairly, lawfully, and in a transparent manner and the aim of this document is to provide you with sufficient information for you to be able to understand what we are doing with your personal data. If you have any questions about this policy or the way we use your personal data, please contact us online via our contact form.
SCOPE OF POLICY
This policy sets out the basis on which any personal data we collect from you, or that you provide to us through your use of our website, or that we create about you in the course of operations will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it. For specific information on our use of cookies and similar technologies, please see our cookie policy.
INFORMATION WE COLLECT ABOUT YOU
The personal data we collect about you depends on your relationship with us. Examples of the types of data we collect include:
- Your name and contact details (e.g., email address, telephone number, mobile number).
- Your contact preferences (e.g., whether you want to receive marketing communications from us).
- Financial information if you donate to us (including your gift aid status). This will be kept with records of your donation history.
- Correspondence between us (e.g., questions regarding a donation you may have made or a complaint you might have).
- Challenge event information. For example, if you set up a JustGiving page and undertake to raise money for us.
- Employment information if you apply for a job with us. This includes your employment history, current and previous employer contact details (e.g., for referencing) and skills and ability.
- Your interests, charitable giving and propensity to donate as part of our commitment to deliver appropriate content and communications to our audience.
We collect information in the following ways:
Information you provide to us directly
You may provide us with your information when you submit a query on our website, write to us or call us, or when you make or enquire about making a donation. This may include your name, address, email address, telephone number, amount of donation, payment details, appeal you wish to support, gift aid status and information you provide in any correspondence with us. You may also provide us with marketing and communications preferences (please see the section “How we use the personal data we collect” for information on the lawful basis for processing).
Information we collect about you indirectly
We may use information from external, publicly available, sources such as Royal Mail’s national change of address database and/or the public electoral roll to identify when we think you have changed address so that we can update our records and stay in touch. We may also contractually engage third party data cleansing companies to assist us reviewing and updating our databases. We do this so we can continue to contact you where you have chosen to receive marketing messages from us and contact you if we need to make you aware of changes to our terms or assist you with problems with donations. This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact you when you’ve asked us not to. You may object to any data processing we undertake which involves direct marketing.
If you click on any of our appeals adverts our digital marketing agencies will tell us. We undertake these activities and collect your personal data in this way to make sure our marketing communications are appropriate to the receiving audience, to help us prepare for any meetings we might have with you and to facilitate us making connections with other people like you that might be interested in hearing about the vital work we undertake.
We may receive information from our sub-contractors providing services to us such as payment services in order to process any donation you may make.
We will also collect information about you from other sources such as event organisers and sources such as Companies House and the Electoral Register who are able to provide us with information about you and your charity affiliations to help us to understand you more as an individual.
Social Media
Depending on your settings or the privacy policies of the social media platforms and messaging services you use (e.g. Facebook, YouTube, Twitter, Instagram, WhatsApp etc.), you may allow us to access information from those services. For example, if you publicly “like” or “follow” us, we may be able to collect information from your social media profile. We strongly advise you check the privacy settings on your social media accounts and the applicable privacy policies to ensure that you know what information is shared with us and others.
HOW WE USE THE PERSONAL DATA WE COLLECT
The main uses of personal data we collect, create and hold are set out in the table below along with information about the lawful grounds for processing.
If we would like to process your personal data for any other purpose incompatible with the purposes listed below, we will provide you with additional privacy information at the appropriate time. Our commitment to you is that we will not process your data for any purpose other than those listed or similar to those listed in this privacy policy. If you interact with Member Charities in response to any of our appeals, those Charities will provide you with any additional privacy information relevant to their processing at that time.
Purposes for processing personal data | Lawful basis | Data retention |
Processing donations including handling card payments, cheques and other payments (e.g., Gift Aid), and acknowledging receipt of a donation or sending a thank you where appropriate. | Legitimate interests of the DEC, the donor, and the appeal to which we transfer funds for donations made online and via phone and post. Our processing activities are necessary to fulfil the wishes of the donor making a donation and to enable the transfer of funds to the appeal of their choice. Consent of the donor is applied to donations made via SMS text to donate services. | We retain information about donors and donations for no longer than we need to from the date of donation for taxation and financial record-keeping. |
Responding to queries. | Legitimate interests of the DEC and those making requests. We use information provided by individuals to respond to questions they may raise with us in a timely, accurate and professional manner. | We retain information about queries and/or contact from individuals for as long as it is needed for us to respond to the query and/or maintain records of queries for our internal management purposes. |
Marketing our appeals by post. | Legitimate interests of the DEC and our Member Charities. We contact our database of previous and prospective donors from time to time by post to ask if they would like to make a donation to an appeal. Our fundraising activities are necessary so that we can fulfil our charitable objectives and raise funds for the appeals we run. | Records of our marketing activities are kept in accordance with our donor records above. |
Marketing our appeals through digital direct marketing activities. | Consent. We contact our database of previous donors through a range of digital methods from time to time such as SMS and email and through social media channels to ask if they would like to make a donation to an appeal. Each communication will allow or provide information for you on how to opt-out of receiving marketing related materials. | Records of our digital marketing activities and how individuals interact with them are kept in accordance with our donor records above. |
Updating you on the work Member Charities are doing with your funds | Legitimate interests of the DEC and our Member Charities. We contact those who have made donations from time to time to inform them of how their donation is being used and the success of our appeals. Each time we communicate with you we will provide you with the option to opt-out of such activity. | Records are kept in accordance with our donor records above. |
Understanding our supporters and their engagement with our activities | Legitimate interests. The sorts of activities we undertake here include:
We may use social media platforms and their tools (e.g., Meta’s “look-alike” audiences) and marketing agencies to collate and/or review the above information to help us determine how to improve or maximise our campaigns. | Records are kept in accordance with our donor records above. |
Profiling and segmenting our database(s). | Legitimate interests. We use the information that we have about each person on our database to understand their interests, donation patterns and to predict if an appeal is likely to be of interest to them. We also use this information to identify and target individuals with whom we do not have a relationship through tools such as Facebook “lookalike” audiences. We also engage third party suppliers to assist us in developing our database of donors and researching high value donors. This could include using publicly available sources to better understand you and your motivations and propensity to donate. | Records are kept in accordance with our donor records above. |
Supporter research as part of product development. | Legitimate interests. We use the information we collect and create to develop new ideas relating to fundraising. For example, inviting supporters to participate in surveys. |
|
Inviting you to webinars | Consent. We email high value individuals who have previously donated to the DEC. | We retain information about donors and donations for no longer than we need to from the date of donation for taxation and financial record-keeping. |
Recruitment | Contract for personal data collected for the purposes of interviewing you and, where you are successful, issuing an employment contract.
Legal obligation for personal data collected for equality, diversity and inclusion or health and safety purposes. | Two years |
Administration of the charity | Legitimate interests of the DEC and our Member Charities*. This purpose includes:
These activities are necessary for us to meet our legal responsibilities and to respond to complaints, queries etc. We also use information we collect from people who make enquiries about our appeals (e.g. abandoned baskets) to add to our database of potential donors and to help us to run an efficient organisation and increase the funds we raise for our appeals. | We retain records of donors and potential donors for as long as we feel you may be interested in making donations |
* Please note that the DEC does not disclose any personal data about those who support our campaigns to our Member Charities. You can find out more about our Member Charities here.
DATA RETENTION
DEC will hold your personal data as outlined above unless:
a) you ask us to remove it or stop processing it for specific purposes;
b) we believe that you are no longer interested in our organisation and our appeals; and/or
c) we no longer need it for the purposes it was collected.
We always think about your best interests when we apply retention rules to our systems and are always happy to remove information about individuals on request. If you have any questions regarding the length of time we retain personal data please contact us.
DONATING ON BEHALF OF SOMEONE ELSE
If you provide us with any personal information other than your own, you are responsible for ensuring they know that you have done this and for providing them with access to this privacy policy. To comply with our obligations under data protection law, we may contact any such individual and inform them when, where and how we obtained their personal data including citing you as the source.
INFORMATION SECURITY
We will take all steps reasonably necessary including implementing policies, procedures and security controls to ensure that personal data is kept safe and protected from unauthorised and unlawful access, and is used in accordance with this privacy notice. Examples of the security controls that we deploy include:
- regular penetration testing,
- multi-factor authentication.
Unfortunately, the transmission of information via the internet is not completely secure and although we will do our best to protect personal data transmitted to us via the internet, we cannot guarantee the security of any information transmitted to the DEC website from any device. Any transmission is therefore made at the user’s own risk.
SHARING PERSONAL DATA
We will share personal data that we hold with the following categories of organisations/people as necessary to undertake our processing activities. This list is not exhaustive and may change from time to time. If we add a different category of recipients we disclose personal data to, we will update this privacy policy.
Payment platform providers
The DEC is a small team of less than 50 people, who launch UK-wide appeals processing donations from hundreds and potentially thousands of different people a year. In order to achieve this, we work with some of the best third parties to allow you to make donations as efficiently, effectively and securely as possible. This means the donations we receive may pass through a third-party platform to get to us. Each organisation we appoint is carefully reviewed and maintains the same security and standards towards data protection as we do. Examples of the third parties we engage in this category are set out below:
Names of Organisation | Purpose |
Stripe and Braintree (PayPal), Barclaycard SmartPay | Online Donation Processing |
Woods Valldata | Postal Donation Processing |
Spoke | Phone Donation Processing |
Angel | Call Centre Phone Donation Processing |
Fonix | SMS (TXT) Donation Processing |
We may also receive donations from Meta (Facebook) and JustGiving if you choose either of these platforms to create a challenge or other event to raise money for us.
Official organisations and our advisors
We share personal data from time to time with:
- government agencies and official authorities such as HMRC (e.g. for Gift Aid processing); and
- our professional advisors (e.g. to enforce or apply our terms of use and other agreements; protect the rights, property, or safety of the DEC, our customers, or others including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; if we are under a duty to disclose or share personal data to comply with any legal obligation; or fulfil any service that you request from us (e.g. enquiry via our website)).
Other type of organisation
We employ specialist companies to host our website, databases, fulfil direct mailings, and provide facilities for our email marketing and social media presence. These organisations are data processors and governed by legal obligations in a compliant data processing agreement. Examples of the third parties we engage in this category are:
Names / Categories of Organisation | Purpose |
Homemade Digital | Donation management system |
Dotdigital | Customer engagement platform |
Paragon/DCX | Direct Mail Printers |
Salesforce | Central database and marketing |
Zendesk | Customer service enquiries |
Open Creates | Targeting via Direct Mail |
Organisations who run focus groups | Sometimes we run small focus groups of 10 people to help streamline our appeals. If you have opted in to communication, we may contact you to see if you would like to attend |
Zoom | Online webinars |
International transfers of personal data
We do not routinely transfer personal data to a country outside of the European Economic Area. If we do need to transfer personal data internationally we will only do so in compliance with the GDPR. Examples of the transfer mechanisms we might use to safely transfer your data include:
- the receiving country has an adequacy regulation in place that demonstrates its data protection laws are equivalent to those in the UK. This applies for the personal data we transfer to the EEA; or
- the third party and the DEC sign an international data transfer agreement (using the ICO’s template), commonly referred to as “standard data protection clauses”.
If you would like to know more about any international transfers and the safeguards in place, please contact us.
YOUR RIGHTS
You have certain rights under data protection law, as set out below:
Right of access. | You have the right of access to the information we hold about or concerning you, and to obtain a copy of that information. |
Right of rectification or erasure. | If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it. You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data. Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we shall take all reasonable steps to inform those with whom we have shared your data about your request for erasure. |
Right to restriction of processing. | You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we don’t need to hold your data anymore but you need us to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data. |
Right to Portability. | You have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller where the processing is based on consent and is carried out by automated means. This is called a data portability request. |
Right to Object. | You have a right to object to our processing of your personal data. This includes the right to object to any direct marketing we may undertake and to any automated decisions based on profiling which we may carry out. This also includes the right to object to any processing based on legitimate interests, such as wealth screening. |
Right to Withdraw Consent. | You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent. You can do so by contacting our support care team and they will immediately mark our records accordingly, and this will then take effect as soon as possible. Please be aware that some activities may already have left our system at time of consent withdrawal so we kindly ask that you ignore any correspondence you may receive in the days immediately following your request. |
Right of Complaint. | If you are not happy with the way that we have processed your personal data, we would welcome the opportunity to discuss the matter with you and resolve it if possible. However, if we have not been able to help you or we have not addressed your complaint to your satisfaction, you have a right to lodge a complaint with the UK’s Information Commissioner’s Office. The ICO can be contacted at https://ico.org.uk/make-a-complaint/, by calling them on 0303 123 1113 or writing to them at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF |
If you would like to find out more about or exercise any of your rights please contact us online.
COOKIES
For more information on which cookies the DEC website uses see our cookie policy here.
PRIVACY POLICY HISTORY
This privacy policy was last updated in March 2024.
CHANGE HISTORY
Policy 2.8: Removal of Cookie information to a stand-alone Cookie Policy, re-writing data processing purposes and lawful grounds for processing, expansion of information about international transfers, re-structure and expansion of information about what personal data we collect and why, expansion of information about data retention, insertion of information about profiling and automated decision making, insertion of change history.
Policy 2.9: Wholesale review of the policy to consolidate and streamline the text and generally improve the way that it is written.