WHY WE HOLD AND PROCESS MEMBERS’ PERSONAL DATA
We hold and process members' personal data for several reasons:
- To keep a record of donations made and actions taken by our members and our communications with them
- To send our members marketing information about our projects, fundraising activities and appeals where we have their consent or are otherwise allowed to
- To support volunteers, whether at events, at festivals or participating in fundraising events
- To record campaigning actions by members
- To support community-based fundraising and campaigning
- To claim gift aid on donations
- To fulfil contractual obligations entered into with members e.g. online purchases
- To comply with legal obligations
- To manage our organisation
- To ensure we do not send unwanted information to members or members of the public who have informed us they do not wish to be contacted
These reasons are underpinned by a "legal basis" under GDPR. We outline in the next section what these are for our main activities.
EXPLAINING THE LEGAL BASES WE RELY ON
The law on data protection sets out a number of different reasons for organisations to collect and process your personal data: When collecting your personal data, we will always make clear to you which data is necessary for a particular purpose.
Concerts for Carers relies on the following legal bases in our marketing activities:
Wherever possible, we will ask for your consent to send you marketing information. We will do this through a clear statement of what you will receive and allow you to select only those channels that you wish to hear from us by.
In specific situations, we process your data to pursue our legitimate interests in ways which might reasonably be expected and which do not materially impact your rights, freedom or interests. Concerts for Carers's use of legitimate interest includes the following:
- Sending direct marketing information by email, to keep our members updated on Concerts for Carers's projects, fundraising activities and appeals. We will only do this where we have reason to believe that this information will be of interest. We make it easy for you to opt out.
- Where you have bought items from the Concerts for Carers Online Shop we will email you to tell you about other relevant offers. All such emails will include a simple opt out mechanism.
- If you have opted in to Concerts for Carers emails we may use your details to link to your account on Facebook or other social media site in order to serve you Concerts for Carers content.
- We analyse your previous support of Concerts for Carers in order to offer relevant ways of supporting Concerts for Carers in the future.
- To help identify businesses who may wish to support Concerts for Carers, we send emails to individuals where relevant to their job, for instance people working in Corporate Social Responsibility.
For activities other than marketing, we may rely on different legal bases:
If the law requires us to, we may need to collect and process your data. For example, where you sign up to the Gift Aid scheme, we will process your data for the purposes of submitting a Gift Aid claim to HMRC.
In limited situations we may use data in the public interest. It is likely to be in the public interest to collect data to prevent crime or dishonesty, ensure that we are fair in our practices by carrying out equality and diversity monitoring, or safeguard the wellbeing of people with whom we work.
WHEN AND WHY WE WILL SEND YOU PERSONALISED MARKETING COMMUNICATIONS
Concerts for Carers will only contact you for marketing purposes - for example to keep you up to date on our work, or to let you know of ways in which you can support that work - where we have your consent or we are otherwise allowed to do so.
We will make it easy for you to tell us if you would like to receive marketing communications from us and hear more about our work. We will not send you marketing material if you tell us that you do not wish to receive it.
Where you give us your consent to send marketing information, we will wherever possible let you know how long this consent will last. Unless we have grounds for believing that a longer period is reasonable and have explained this to you, we will understand your consent to last for 24 months. After this time, in order for us to continue to update you, we will need your refreshed consent. You can update or withdraw your consent at any time, for individual channels of communication, or for all channels.
Consent lasting more than 24 months
We will generally treat any marketing consent you give us as lasting for 24 months, but will apply the following exceptions (but only where we inform you of this at the time you give consent):
- Where you have committed to giving us a regular donation (usually monthly). In this situation, and unless you withdraw your consent, we will treat consent as enduring until you cancel your donation, at which point your consent will expire 24 months after the last donation. This is to enable us to keep you up to date with the impact of your gifts, and to ask whether alternative means of support would be of interest.
- Where you have notified us that you will be leaving a legacy to Concerts for Carers. This is a lifetime commitment and although we will provide you with regular opportunities to shape and control your communication from Concerts for Carers we will treat your consent as ongoing.
OTHER CIRCUMSTANCES IN WHICH YOU MAY RECEIVE MARKETING INFORMATION FROM CONCERTS FOR CARERS
We may send you marketing communications by email where you are a regular member and we have evidence that you do not object to receiving marketing material through the post.
"Soft opt in"
This allows organisations to send marketing communications by email to individuals who have previously purchased similar goods and services, provided they were given the opportunity to opt out at the time of purchase. In Concerts for Carers's case, this allows us to send marketing emails to previous users of the Concerts for Carers balloting system. We apply a 24-month time limit, and only communicate on this basis where you have made a purchase within this period. We will not use the "soft opt in" option if you have opted out of receiving email.
When you give it to us DIRECTLY
You may give us your personal data directly when you make a donation, sign up for one of our events, take part in a campaigning action, volunteer, purchase products from the Concerts for Carers ballot system, when you communicate with us or when you download the Concerts for Carers app.
When you give it to us INDIRECTLY
You may give us your information indirectly when you sign up to events such as the London Marathon, contribute to Concerts for Carers via fundraising sites like JustGiving or Virgin Money Giving, or participate in a campaigning action with a partner. These independent third parties will pass your data to Concerts for Carers where you have indicated that you wish to support Concerts for Carers and have given your consent or it is a necessary part of completing a contract with you.
Sometimes your personal data is collected by an organisation working on our behalf (for example a professional fundraising agency) but as they are acting on our behalf we are the "data controller" and responsible for the security and proper processing of that data.
When you access Concerts for Carers's Social Media
We might also obtain your personal data through your use of social media such as Facebook, WhatsApp, Twitter or LinkedIn, depending on your settings or the privacy policies of these social media and messaging services. To change your settings on these services, please refer to their privacy notices, which will tell you how to do this.
When the information is publicly available
We might also obtain personal data about individuals who may be interested in giving major gifts to charities or organisations like Concerts for Carers. In this scenario, Concerts for Carers may seek to find out more about these individuals, their interests and motivations for giving through publicly available information. This information may include newspaper or other media coverage, open postings on social media sites such as LinkedIn, and data from Companies House. Concerts for Carers will not retain publicly available data relating to major donors without their consent, which will be sought at the earliest practical opportunity. Where we decide not to make contact, we will delete all personal data obtained, other than basic contact details, to which we will apply a suppression flag to ensure we do not make contact in the future.
We may also gather information if your activities relate to our work - for instance, if you are a public figure such as a Member of Parliament or you represent an organisation which we work with or which is related to one of our campaigns we may gather information about you in order to inform our campaigning and make decisions - for instance, whether we engage with you to seek your support for our work, ask your constituents to write to you, or choose to work with you in another way.
WHAT INFORMATION MIGHT CONCERTS FOR CARERS COLLECT ABOUT YOU?
We only collect personal data relevant to the type of transactions or interaction you have with Concerts for Carers. Whatever your interaction with us this information will be minimal and linked to the purpose for which we need it.
For example, when you contact Concerts for Carers to make a donation, purchase an item online, support our gift aid scheme, take a campaign action, or sign up to any of Concerts for Carers's activities or online content (such as newsletters, competitions, or message boards) or you telephone, email, write to or text Concerts for Carers, or engage with Concerts for Carers via social media channels, we may receive and retain personal information.
In these cases we are likely to process details such as your name, email address, postal address, telephone or mobile number, bank account details to process donations and whether or not you are a tax payer so that we can claim Gift Aid.
If you participate in an event we may (with your permission) take your photograph or video, or interview you. If you participate in market research, we may ask you questions regarding your experience with us, or other survey questions relating to your experience. If you are a campaigner or work with our campaigns team, we may collect information such as correspondence with you regarding campaigning, details of your background and activities with us or relating to the issue, the events you attend, or how we would like to work with you.
Where we gather information about you which is publicly available - for instance as a major donor or your views on our campaigning activity - this may include your name, contact details, views and positions you have expressed, and details regarding your circumstances - for instance which political roles you hold or what your background is.
SENSITIVE PERSONAL DATA
We only collect "sensitive personal data" about our members, e.g. health status, where there is a clear and specific reason for doing so, such as participation in a marathon or volunteering at a music event or a Concerts for Carers event.
We collect this data where we need it to ensure that we provide appropriate facilities or support to enable you to participate in the event or carry out your role. Clear notices will be provided on application forms so that it is clear what information we need and why we need it. In certain circumstances, such as when we recruit volunteer festival stewards, we need to obtain information about criminal convictions (where these are unspent) in order to check that it is appropriate for you to undertake the role.
Should you support Concerts for Carers in a substantial way, we may provide an account manager to help you tailor your relationship to suit your interests. If this is the case we may collect sensitive personal data where relevant to our relationship, such as your political or religious views. Should you disclose information to us about your health or your family, this may also be recorded, so that we can communicate with you in a considerate and appropriate manner.
All sensitive personal data is stored on a secure database, to which only a limited number of relevant staff have access. It is deleted when no longer relevant, is never shared with third parties, and is available to you at any point should you wish to see it.
HOW WILL CONCERTS FOR CARERS USE YOUR PERSONAL DATA?
Concerts for Carers will use your personal information for the following purposes:
For administrative reasons, including:
- "service administration", which means that Concerts for Carers may contact you for reasons related to administering any donations you have made, your tax status with regard to Gift Aid if claimed, the completion of commercial or other transactions you have entered into with Concerts for Carers or the activity or online content you have signed up for;
- to confirm receipt of donations (unless you have asked us not to do this), and to say thank you and provide details of how your donation might be used, for example if you donate via text you will receive a "bounce back" text message;
- in relation to correspondence you have entered into with us whether by letter, email, text, social media, message board or any other means, and to contact you about any content you provide;
- for internal record keeping so as to keep a record of your relationship with us;
- to fulfil sales contracts you have entered into with Concerts for Carers, such as the Tag Your Bag (Gift Aid) scheme, under which we are required to notify you of the proceeds from sale of items you have donated to Concerts for Carers shops;
- to provide logistical and fundraising information to people who are taking part in a fundraising event in aid of Concerts for Carers, such as the London Marathon;
- to communicate with Concerts for Carers volunteers - to support you in your designated role or administer that role and our organisation;
- to keep your data up to date - for instance we use the Royal Mail's data on postal address changes to ensure that we can maintain contact with you where we believe you are happy to be contacted by post, and we also use services which notify us of the recently deceased to avoid any distress that continued communications would cause;
- to implement any instructions you give us with regard to withdrawing consent to send marketing information;
- to use IP addresses to identify the location of users, to block disruptive use and to establish the number of visits from different countries;
- to protect our staff and those with whom we work, or to prevent crime and dishonesty. This will involve frequent fraud and anti-terrorism screening of employees and partners using the World-Check database (Thomson Reuters).
- to invite you to participate in surveys or research about Concerts for Carers or our work (participation is always voluntary);
- to analyse and improve the activities and content offered by the Concerts for Carers website to provide you with the most user-friendly navigation experience. We may also use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes.
WILL CONCERTS FOR CARERS SHARE YOUR PERSONAL INFORMATION WITH ANYONE ELSE?
We will only use your information within Concerts for Carers for the purposes for which it was obtained. Concerts for Carers will not, under any circumstances, share or sell your personal data with any third party for their own marketing purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your details to us.
Concerts for Carers's suppliers
We may need to share your information with service providers who help us to deliver our projects, fundraising activities and appeals, for instance through handling balloting requirements or confirming end result tickets. These "data processors" will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses. We do not allow these organisations to use your data for their own purposes or disclose it to other third parties without our consent and we will take all reasonable care to ensure that they keep your data secure.
Facebook and other social media sites
We may also use your email address and phone number to match to your account on Facebook or other social media sites in order to show you Concerts for Carers content while using these services. We only do this where you have opted in to marketing emails or phone calls and we keep your data secure by encrypting it. No data we hold about you is retained by the third party.
In addition, we may also use your email address and phone number to link to Facebook or other social media sites in order to identify other users of these sites whom we believe would be interested in Concerts for Carers, and we may then show them Concerts for Carers content. No data we hold about you is retained by the third party.
There are two ways to prevent this use of your data; you can either update your preferences at Concerts for Carers by opting out of the relevant channel of communication or you can do this via the social media site:
Updating your preferences with Concerts for Carers will not guarantee that you never see Concerts for Carers content on social media, since the social media site may select you based on other criteria and without your data having been provided by Concerts for Carers.
Where legally required
We will also comply with legal requests where disclosure is required or permitted by law (for example to government bodies, statutory bodies, or law enforcement agencies for tax purposes, where it is in the public interest, or the prevention and detection of crime, subject to appropriate protection in law).
Concerts for Carers may transfer your personal data outside the EEA. If it does so, this may occur under the protections of the European Commission's standard contractual clauses, but will otherwise only take place where appropriate standards and safeguards are in place.
HOW LONG WILL CONCERTS FOR CARERS KEEP YOUR PERSONAL INFORMATION?
We will hold your personal information on our systems for as long as is necessary for the relevant activity; for example, we will keep a record of donations subject to gift aid for at least seven years to comply with HMRC rules.
If you request that we stop sending you marketing materials we will keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us.
Legacy income is vital to the running of the charity. We may keep data you provide to us indefinitely, to carry out legacy administration and communicate effectively with the families of people leaving us legacies. This also enables us to identify and analyse the source of legacy income we receive.
Where you contribute material to us, e.g. user generated content or in response to a particular campaign, we will only keep your content for as long as is reasonably required for the purpose(s) for which it was submitted unless otherwise stated at the point of generation.
HOW TO CONTROL WHAT WE SEND YOU OR REQUEST TO UPDATE YOUR PERSONAL INFORMATION?
The accuracy of your information is really important to us. We want to ensure that we are able to communicate with you in ways that you are happy with, and to provide you with information that is of interest.
If you wish to change how we communicate with you, or update the information we hold, then please contact us: [email protected]
How long will it take for these changes to be effective?
We endeavour to meet the following service levels where members request we do not send them marketing information:
- Email – seven working days
HOW CONCERTS FOR CARERS KEEP YOUR DATA SAFE
We ensure that there are appropriate technical controls in place to protect your personal details. For example our online forms are always encrypted and our network is protected and routinely monitored.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
We use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they collect on our behalf, or have access to. We have a robust partner monitoring framework to ensure these contractual obligations are met.
These organisations, referred to as "Data Processors", also have legal liability for the way in which your data is used, providing you with additional protection.
YOUR RIGHTS OVER YOUR PERSONAL DATA
You have a variety of rights in respect of your data, including the rights to see, update, restrict, object to the use of or withdraw use of your data. In particular, depending upon why we hold your data, you may have the right to request:
- Access to the personal data we hold about you, including how we first obtained your details, free of charge in most cases (this is known as a 'Subject Access Request').
- The correction of your personal data when incorrect, out of date or incomplete.
- That we stop using your personal data for direct marketing (either through specific channels, or all channels)
- That we delete your personal data from our systems (this is known as the "Right to be Forgotten").
- That we no longer process your data automatically to decide whether particular marketing activities are likely to be of interest, or suggest an appropriate donation level based on your previous donation history. This is known as profiling, and helps us to ensure that our marketing is relevant and appropriate.
You can contact us to request to exercise these rights at any time, via [email protected]
Opting out of Direct marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We will always comply with your request.
Where we are sending you direct marketing on the basis of our legitimate interest, you can also ask us to stop. In the case of postal marketing sent on this basis, we will always comply with your request to opt out. Similarly, where we send email marketing on a soft opt in basis we will also comply with all requests to opt out.
Right to be Forgotten
Upon request we will delete your personal data from our systems, to the extent that we are permitted to by law or regulatory guidelines. For instance under HMRC rules we are required to retain financial data for 7 years for audit purposes, and so will not be able to delete donation details until this time period has elapsed.
Opting out of profiling
Upon request we will cease using your personal data to decide whether you would be interested in particular updates and other marketing. Such requests may lead to you not hearing from us in future.
Subject Access Requests
You have the right to request a copy of the personal information we hold about you. We will provide this as soon as possible, and within a month unless there are specific reasons why this would not be possible. We will always let you know if this is likely to be the case.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.