20's Plenty for Hertfordshire - Privacy Statement
20s Plenty for Hertfordshire (hereafter “Herts”) (“we”, “us”, or “our”) is committed to protecting and respecting the personal data that we hold. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for the purposes described in this privacy statement or as made clear before collecting personal data.
We process personal data for several purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose are set out in the relevant sections below.
The personal data that is provided to us is provided either directly from the individual concerned or from a third party acting on behalf of an individual.
Where we receive personal data that relates to an individual from a third party, we request that this third party inform the individual of the necessary information regarding the use of their data. Where necessary, reference may be made to this privacy statement.
“Personal data” is information about a person which is identifiable as being about them. It can be stored electronically or on paper, and includes images and audio recordings as well as written information.
“Data protection” is about how we, as an organisation, ensure we protect the rights and privacy of individuals, and comply with the law, when collecting, storing, using, amending, sharing, destroying or deleting personal data.
3. The Data that we hold
3.1 Volunteers, Subscribers and Committee members
20s Plenty for Herts is a community based organisation. We invite volunteers, subscribers and committee members to share their personal data with us so that we can keep them informed about what we do and how they can play their part in the organisation and its activities.
When people visit our website, we do not collect personal data through automated tracking and interacting with various forms on the website or apps (collectively referred to as the websites).
Personal data is collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to receive our emails or makes an enquiry.
3.2 What data is collected?
We keep the names, email addresses and if provided, telephone numbers and home addresses of our volunteers, subscribers and committee members. We also record the same data about people who have taken part in our activities. We also keep financial records of any subscribers who have given a donation and do not wish to remain anonymous.
We will keep records of consent given for us to collect, use and store data. These records will be stored securely.
3.3 Why do we process data?
Where data is collected for volunteers, subscribers and committee members, it is used for a number of purposes, as follows:
i. Providing services to you.
We send regular email newsletters about our work and campaigns using your consent as the legal basis for processing your data.
We use our legitimate interests as a community based organisation to keep a record of our volunteers, subscribers and committee members to keep them informed about our meetings including regular planning meetings and annual general meetings.
iii. Our legitimate interests
We also use our legitimate interests to record details of people who have taken part in our activities, such as helping to run stalls, or carrying out campaigning activities. We also use this information to contact you about your participation in these activities.
iv. Other purposes
In the case where personal information has been gathered for other reasons, we will only hold that information for the purpose for which the individual has given explicit consent.
3.4 How long is data retained for?
We retain the personal data processed by us for as long as is considered necessary for the purpose(s) for which it was collected. There may also be occasions which will require data to be kept for longer; however this will typically be for legal purposes.
In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it. We will periodically review this data, to ensure that it is still relevant and necessary.
When we no longer need data, or when someone has asked for their data to be deleted, it will be deleted securely. We will ensure that data is permanently deleted from computers, and that paper data is shredded.
3.5 Other data considerations
We try to keep personal data up-to-date and accurate.
We will keep clear records of the purposes of collecting and holding specific personal data, to ensure it is only used for these purposes.
4. Data Security
We take the security of all the data we hold seriously. Relevant personnel are made aware of their responsibilities for data protection, confidentiality and security prior to handling data.
All information you provide to us is stored on password protected servers and computers.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
5. Sharing Personal Data
We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.
Personal data held by us may be transferred to:
i. Third party organisations that provide applications/functionality, data processing or IT services to us.
We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud based ‘software as a service’ providers, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them.
ii. 20sPlenty for St Albans District. 20sPlenty for Herts coordinates its campaign with other 20sPlenty groups throughout Hertfordshire in order to maximise the effectiveness of its campaign.
iii. To allow volunteers to work together.
In order to allow volunteers to work together for the group, it is sometimes necessary to share volunteer contact details with other volunteers and third party organisations that otherwise assist us in providing goods, services or information, such as event facilitators.
iv. Law enforcement or regulatory agencies or those required by law or regulation.
It is possible that we could receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
6. Individual’s Rights
Individuals have certain rights over their personal data and committee members are responsible for fulfilling these rights as follows:
i. Individuals may request access to their personal data held by us. Where an individual has requested a record of the personal information that we hold, we will supply this to the individual within one month
ii. Individuals may request us to rectify personal data submitted to us or. Where an individual has requested that their personal information be amended, we will amend our records within one month.
iii. Individuals may request that we erase their personal data. Where an individual has requested that their personal data is erased, we will delete it within one month, unless we are required to keep it for legal reasons.
Where we process personal data based on consent, individuals may withdraw their consent at any time by contacting us or clicking on the unsubscribe link in an email received from us. We provide information about how to be removed from the email list with every email we send out.
If you wish to exercise any of these rights, please send an email to firstname.lastname@example.org
7. Data Breaches
We will endeavour not to have data breaches. In the event of a data breach, we will endeavour to rectify the breach by getting any lost or shared data back. We will evaluate our processes and understand how to avoid it happening again.
Serious data breaches which may risk someone’s personal rights or freedoms will be reported to the Information Commissioner’s Office within 72 hours, and to the individual(s) concerned.
We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to email@example.com. We will look into and respond to any complaints we receive.
You also have the right to lodge a complaint with the UK data protection regulator, the Information Commissioner's Office (“ICO”). For further information on your rights and how to complain to the ICO, please refer to the ICO website https://ico.org.uk/concerns
9. Contact Information
If you have any questions about this privacy statement or how and why we process personal data, please contact us at firstname.lastname@example.org
10. Changes to our Privacy Statement
We will review our privacy statement every two years or as required by law. Updates to our privacy statement will appear on this website.
This privacy statement was last reviewed on 27/01/2021.