Privacy Notice


Contents


Introduction

Who are we and how can you contact us?

How we collect your personal data

Receiving your personal data directly

Receiving your personal data indirectly

When you use our website

What personal data do we collect?

Why do we process your personal data?

Protecting your personal data

Who do we share your personal data with?

International data transfers

How long do we keep your personal data?

Your data rights

Right of access

Right to rectification

Right to erasure

Right to restriction of processing

Right to object and withdraw consent

Right to portability

Complaints and questions

Changes to this Privacy Notice

Introduction

The White Eagle Lodge is a charity and we are committed to working to the highest standards: ensuring your privacy, respecting your wishes and treating you with fairness and transparency. If you would like further information about Data Protection, the law and good practice, please see the Information Commissioner’s website: https://ico.org.uk/

Who are we and how can you contact us?

We are The White Eagle Lodge (‘the Lodge’) and we are the data controller for your personal data. We are a registered charity in England (1156336) and Scotland (SC045581). We are a company registered in England & Wales with registration number 08645252. We are registered with the ICO under registration number ZA110951.

You can contact us using the following details:

Postal address:

Data Protection Officer
White Eagle Lodge
Newlands, Brewells Lane
Liss
Hampshire
GU33 7HY

Tel: +44 (0) 1730 893 300

Email: enquiries@white-eagle.org.uk

How we collect your personal data

We receive your personal data both directly and indirectly.

Receiving your personal data directly

We collect your data directly from you during each transaction with the Lodge, whether that is a donation, member subscription, event booking etc. We also collect information from you when you use our website, for example when you complete one of our online forms.

Receiving your personal data indirectly

We may also obtain personal data from other sources. For example, we indirectly obtain information from:

  •  Charity Commission.
  •  Fundraising and ecommerce websites.
  •  Companies House.
  •  Social media e.g. LinkedIn, Facebook, X.
  •  Search engines.

We may receive information from other organisations where you have agreed that they may share your details with us, including:

  •  Event organisers.
  •  Fundraising websites, e.g. Just Giving.

When you use our website

Like most websites, we use ‘cookies’ to help us make our site, and the way you use it, better. Cookies are small text files that sites transfer to your device (computer, phone or tablet) and make interacting with a website faster and easier – for example, by automatically filling in your name and address in text fields. We may also use other, similar technologies from time to time, like web beacons (sometimes called “tracking pixels” or “clear gifs”). These are tiny graphics files that contain a unique identifier that enable us to recognize when someone has visited our Websites or opened an e-mail including them. This allows us, for example, to monitor the traffic patterns of users from one page within a website to another, to deliver or communicate with cookies, to understand whether you have come to the website from an online advertisement displayed on a third-party website, to improve site performance, and to measure the success of e-mail marketing campaigns.

For more information about cookies, how we use them and your personal consent preferences, please see https://www.white-eagle.org.uk/cookies/

What personal data do we collect?

We will routinely collect the following basic information from you:

  •  Your name.
  •  Your contact details, including postal address, email address, telephone numbers, along with your preferences as to which of these we should use to contact you in the future.
  •  Financial information when you make a donation or payment to us, for example bank account details and debit/credit card details.
  •  Other personal information or sensitive data you share with us.

We may occasionally seek to collect additional data in order to provide greater insight into issues important to supporters of the Lodge. However, any additional data collection will always be optional, and services will not be constrained if you choose not to share your personal information.

We will also collect the following information from you if you apply to work for us:

  •  Criminal record check documents.
  •  Confirmation of your right to work in the UK.
  •  Your CV, including relevant experience, qualifications or training.
  •  Personal and professional references.

Why do we process your personal data?

When we use your personal data, we will always explain to you how and why we are using it. In summary, we use your data to deliver our services to you, to conduct our sales, fundraising and marketing activities, for recruitment purposes, and to work with our suppliers and insurers.

No personal information you have given us will be passed on to third parties for commercial purposes.

The table below shows the purposes for which we process your personal data and the lawful bases we rely on for those purposes.

| Purposes | Lawful basis |
| --- | --- |
| Provide you with the information or services you have requested, for example about our events. | Legitimate interest, as we have an interest in providing you with the information or services you have requested. |
| Managing your involvement in events, for example if you have completed a form about an event or responded to an invitation. | Legitimate interest, as we have an interest in running our events properly and ensuring you are informed about events you have expressed an interest in. |
| To reply to compliments and also investigate and respond to complaints. | Legitimate interest, as we have an interest in handling your compliment or complaint. |
| To keep you up to date with the work you are supporting. Appeals for donations, volunteering. Subscriptions to marketing mailing lists. To ensure we know how you prefer to be contacted. | For communications sent by electronic mail or SMS: consent. For communications over the phone or by post: legitimate interest (i.e. raising awareness of our work). |
| To allow you to purchase the following: Membership, gifts and products from our shop, event bookings, educational visits, venue hire. | Contract. |
| Processing and recording financial transactions and to prevent fraud. | Legitimate interest, so that your payment can be properly processed and received by us and so we can ensure the payment is legitimate. For financial contributions, to fulfil our legal obligations to retain accounting records under Part 8 of the Charities Act 2011. |
| Keep a record of your correspondence, questions you have asked us, or comments or complaints you have made. | Legitimate interest to communicate with you and improve our activities. |
| Recruitment: to process applications for employment; to complete the interview and assessment process; to verify any references and information about qualifications or training you provide to us; to verify your right to work in the UK; to assess your suitability as a candidate; for equal opportunities monitoring; and to inform you of employment opportunities. | Contract - processing is necessary in the context of a (prospective) employment contract. Legal obligation (right to work checks). Consent - for any sensitive data (equal opportunities monitoring). |
| Understand how we can improve our services, and the resources or information we send out. Identify areas for future development. Carry out market research. Basic analysis of the data we hold to determine whether an invitation to engage further with the Lodge would be welcome. | Legitimate interest so that we can improve our activities. |

Protecting your personal data

The Lodge operates a CRM database, which is held securely by our provider, [name].

We will always consider and address the privacy risks first when planning to use or hold personal information in new ways, such as when introducing new electronic systems.

We provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or do not look after your personal information properly.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Who do we share your personal data with?

We will not sell your personal information to any outside organisation. However, your information may be shared with agents or contractors of the Lodge when they provide services to the Lodge, but only if necessary and with confidentiality assured. The Lodge may also disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to a) conform with the law; b) protect and defend the rights or property of the Lodge or c) act in circumstances where it is necessary to protect the personal safety of members of the Lodge’s staff.

Some of your information will be passed to third-party service providers that perform functions on our behalf, such as:

  •  Customer Relationship Management service.
  •  E-commerce (we use Shopify).
  •  Payment processing.
  •  Sending postal mail.
  •  Email (we use Vertical Response).
  •  Analysing data.
  •  Research and lead generation.

If you would like to obtain further information about the organisations your data is shared with, please contact us.

International data transfers

Because servers and cloud-based storage are located all over the world, your data may leave the UK while it is being processed. Although those locations may not always be subject to the same data protection laws as the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law.

For data that is stored outside of the UK, we share data with countries for which an adequacy decision is in place.

We also share data with countries without an adequacy decision. For data transfers to the United States, we rely on the UK Extension to the EU-U.S. Data Privacy Framework.

If there is no adequacy decision in place, we have Standard Contractual Clauses (SCCs) in place with the relevant third parties.

If you would like further details of the protections we have put in place regarding international data transfers, please contact us.

How long do we keep your personal data?

We intend to minimise the amount of personal data that we store about you. We will keep personal data for the shortest time necessary in accordance with our Retention Policy.

Where there are legal obligations in place, we may have to keep your data for longer. For example, we will keep a record of any donations you have made for at least seven years. If you ask us to cease communications with you, we will keep a record of your contact details and appropriate information to enable us to comply with your request.

If you would like to request further information about our retention periods, please contact us.

Your data rights

You have the following rights under data protection law. You can exercise your rights by contacting us using the contact details at the top of this privacy notice. We will respond to your request without undue delay and in any case within one month. It may be necessary to take steps to ascertain your identity if there are reasonable doubts about your identity, in which case we may request further information from you.

Right of access

You have the right to ask for a copy of the information we hold about you.

Right to rectification

You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. If there are any discrepancies in the details we provide, please let us know and we will correct them.

Right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Right to restriction of processing

You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Right to object and withdraw consent

You have the right to object to the processing of your personal information in certain circumstances. Where processing is based on consent, you have the right to withdraw your consent at any time. You can also change or stop what you receive from us by following the instructions at the bottom of any postal communication or email.

Right to portability

You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Complaints and questions

If you have any concerns or questions about our use of your personal information, you can contact us using our contact details at the top of this privacy notice. We will respond to you within one month.

If we are unable to resolve your concerns, you can also complain to the ICO or your local supervisory authority.

ICO website: https://www.ico.org.uk

Changes to this Privacy Notice

We may update this Privacy Notice from time to time to ensure it provides fully up-to-date information. The latest version of our Privacy Notice can always be found on this page. For any major changes, we may contact you to inform you of these.

Privacy Notice

Note: “Lodge” means any property or premises of White Eagle Lodge.

Introduction 

The Data Protection Act 2018 (DPA 2018) establishes a framework of rights and duties which safeguard personal data. Personal data is information about a living individual who can be identified from the data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.

The White Eagle Lodge is committed to protecting the privacy of individuals and handles all personal data in a manner that complies with the DPA 2018. The Lodge has established the following policy to support this commitment. It is the personal responsibility of all employees, contractors, volunteers, agents and anyone else processing information on our behalf to comply with this policy. This policy continues to apply to employees and individuals, even after their relationship with the Lodge ends.

Any deliberate breach of this policy could amount to a criminal offence under one or more pieces of legislation, for example the Computer Misuse Act 1990 and the DPA 2018. All incidents will be investigated and action may be taken under the Lodge’s formal disciplinary procedure. A serious breach of this policy could be regarded as gross misconduct and may lead to dismissal and / or criminal action being taken.

This policy explains what our expectations are when processing personal data. This policy should be read alongside the IT Policy which can be found in the Employee Handbook.

1.0 Data protection principles

1.1 The DPA 2018 is underpinned by a set of six common-sense principles, which must be adhered to whenever personal data is processed. Processing includes obtaining, recording, using and holding, disclosing and deleting personal data.

A summary of the data protection principles is as follows:

Personal data must be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals,

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes,

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,

d) Accurate and where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay,

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes subject to implementation of the appropriate technical and organisational measures required by the General Data Protection Regulation (GDPR) in order to safeguard the rights and freedoms of individuals, and

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2.0 Access and use of personal data

2.1 Access and use of personal data held by the Lodge is only permitted by employees (temporary or permanent), members, contractors, agents and anyone else processing information on our behalf, for the purpose of carrying out their official duties. Use for any other purpose is prohibited.

2.2 Deliberate unauthorised access to, copying, disclosure, destruction or alteration of, or interference with, any computer equipment or data is strictly forbidden and may constitute a criminal and/or a disciplinary offence.

2.3 It is an offence under Section 170 (1) of the Data Protection Act for any person to knowingly or recklessly obtain, procure or disclose personal data without the permission of the Data Controller subject to certain exceptions.

2.4 It is also an offence for someone to sell or offer to sell personal data which has been obtained in contravention of Section 170 (4). Full details of this offence can be found under Section 170 of the Data Protection Act 2018.

3.0 Collecting personal data

3.1 When personal data is collected, for example on a questionnaire, survey or a form, the data subject (that is to say, the person who the information is about) must be told, unless this is obvious to them, which organisation(s) they are giving their information to; what their information will be used for; who it may be shared with; and anything else that might be relevant, e.g. the consequences of that use. This is known as a Privacy Notice.

3.2 A person’s name and other identifying information should not be collected where depersonalised (anonymous) information would suffice. Personal data collected must be adequate, relevant and not excessive for the purpose of the collection.

3.3 If the information is collected for one purpose, it cannot subsequently be used for a different and unconnected purpose without the data subject’s consent (unless there is another lawful basis for using the information (see section 4 below)). It must be made clear to the data subject at the time the information is collected what other purposes their information may be used for.

4.0 Lawful basis for processing

4.1 The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply where personal data is processed.

a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose (e.g. becoming a member).

b) Contract: the processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract.

c) Legal Obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

d) Vital Interests: the processing is necessary to protect someone’s life.

e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions and the task or function has a clear basis in law.

f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

4.2 Article 9 of the DPA 2018 defines ‘sensitive’ personal data as information relating to a person’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person. Data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

5.0 Disclosing personal data

5.1 Personal data must not be disclosed to anyone internally or externally unless the person disclosing the information is fully satisfied that the enquirer or recipient is authorised in all respects and is legally entitled to the information.

5.2 If information sharing agreements or protocols exist, these should be adhered to.

5.3 In response to any lawful request only the minimum amount of personal information should be disclosed. The person disclosing the information should ensure that the information is adequate for the purpose of the disclosure, relevant and not excessive.

5.4 When personal data is disclosed internally or externally, it must be disclosed in a secure manner.

6.0 Accuracy and relevance

6.1 It is the responsibility of those who receive personal information to ensure, so far as possible, that it is accurate and up to date. Personal information should be checked at annual intervals to ensure that it is still accurate. If the information is found to be inaccurate steps must be taken to rectify it. Individuals who input or update information must also ensure that it is adequate, relevant, unambiguous and professionally worded. Data subjects have a right to access personal data held about them and have inaccuracies corrected. More information about a data subject’s rights can be found in Section 8 below.

7.0 Retention and disposal of data

7.1 The Lodge holds a large amount of information. The DPA 2018 requires that we do not keep personal data for any longer than is necessary. Personal data should be checked at regular intervals and deleted or destroyed when it is no longer needed, provided there is no legal or other reason for holding it.

7.2 Ensure data is disposed of responsibly; personal records on paper should be shredded or burnt. 


8.0 Individual’s rights

8.1 Individuals have several rights under the DPA 2018. These include the right to access personal data held about them (this is known as Subject Access); the right to prevent their information being used in a way which is likely to cause damage or distress; the right to compensation for any damages as a result of their information not being handled in accordance with the DPA 2018; and the right to have inaccurate or misleading information held about them corrected or destroyed.

8.2 It is particularly important that, if a person has made a Subject Access request, this is forwarded to the Data Controller immediately.

9.0 Reporting security incidents

9.1 The Lodge has a responsibility to monitor all incidents that occur within the organisation that may breach the security and/or the confidentiality of its information. All incidents need to be identified, reported, investigated and monitored. All incidents are to be reported to the Data Controller.

9.2 In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Lodge shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office (ICO).