Privacy Policy

This website is managed by AtaLoss.org which is the Data Controller for the purposes of this policy. Please read this policy in conjunction with the Terms and conditions for the website.

Introduction

AtaLoss.org (“We”) is committed to protecting and respecting your privacy.

This policy (together with our terms of use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.  Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).

Definitions

Data controller – A controller determines the purposes and means of processing personal data.

Data processor – A processor is responsible for processing personal data on behalf of a controller.

Data subject – Natural person, a living individual

Categories of data: Personal data and special categories of personal data

Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example, name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.

Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, and political opinions, religious or philosophical beliefs.

Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Who are we?

AtaLoss.org is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are:  AtaLoss.org, 112 Salcott Road, London SW11 6DG. For all data matters contact our data protection officer on office@ataloss.org .

The purpose(s) of processing your personal data

We use your personal data for the following purposes:

  1. To keep you informed about the work of our charity
  2. To enable you to benefit from the services and activities we provide
  3. If you are a donor, to tell you how your funds have been spent and about further projects that you may wish to support or benefit from
  4. If you work for another charity or business, to tell you about opportunities that you may wish to work with us on or benefit from
  5. If you are working with us, we keep your data to enable us to provide proper employee support, whether you are a paid or an unpaid AtaLoss.org team member.

The categories of personal data concerned

With reference to the categories of personal data described in the definitions section, we process the following categories of your data:

1. Personal data

  • name
  • address;
  • place of work;
  • telephone number;
  • a description (particularly relating to a specific project/area of interest);
  • job title and sphere of responsibility;
  • gender;
  • age;
  • cultural, or social identity of that person;
  • one or more factors specific to the physical, physiological, genetic, mental, economic (including: bank details) of an individual;
  • online identifiers (IP address, email address).

2. Special categories of data

Information about the religious beliefs, ethnicity, marital status, sexual orientation, disability status and gender of paid and unpaid staff is kept in the interests of equal opportunities monitoring.

What is our legal basis for processing your personal data?

  1. Personal data (article 6 of GDPR)

Our lawful basis for processing your general personal data:

x☐ Consent of the data subject;Individual has provided their personal data to AtaLoss.org as an ‘employee or volunteer, as a donor or purchaser or because they are interested in or wish to benefit from the organisation or any services it offers, including the management of any projects or initiatives.
x☐ Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contractEmployment, volunteer or provision of a service under a contract.  
x☐ Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controllerTo develop the charity and increase the opportunities for raising its profile to benefit bereaved individuals
x☐ Processing necessary for the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject We need to process your data to help further the legitimate interest of the charity. We have carefully considered the options and we have chosen the least intrusive way of processing your data and deliver services to our beneficiaries.

Our lawful basis for processing your special categories of data:

x☐ Explicit consent of the data subjectSupporters and donors have provided their details and asked to be kept informed. Purchasers have provided their data in order to secure a purchase from the website.
x☐ Processing necessary for carrying out obligations under employment, social security or social protection law, or a collective agreementWe hold and process data about our paid and unpaid staff
x☐ Processing necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposesEqual opportunities monitoring is collected anonymously to provide evidence that we are an equal opportunities employer.

Sharing your personal data (other than financial transactions – see below)

Your personal data will be treated as strictly confidential and will be shared only with authorised staff within the charity. 

Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behaviour of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:

  1. Your data will be made available to our website provider
  2. The data that may be available to them include any of the data we collect as described in this privacy policy.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy policy.

Financial Transactions and Personal Data

Financial transactions relating to our website and services may be handled by our payment services providers, Stripe and GoCardless. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers’ privacy policies and practices atSTRIPE and GoCardless

Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behaviour of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:

  1. Your data will be made available to our website provider 
  2. The data that may be available to them include any of the data we collect as described in this policy.
  3. Our website provider will not transfer your data to any other third party or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy policy.

Breaches

We are required by law to report any security breaches involving personal data to the ICO and we will keep a record of those breaches.

How long do we keep your personal data?

Except where we are required to keep data records by law, we will keep your personal data for no longer than reasonably necessary and will annually review the data held and determine whether it should be retained or destroyed. Data subjects may request the removal or correction of their personal data at any time.

Providing us with your personal data

You are under no statutory or contractual requirement or obligation to provide us with your personal data. Failure to do so will mean we will be unable to communicate with you and keep you informed about the charity and its services.

If you are an employee (paid or unpaid) we require your personal data as it is a statutory requirement to enter into a contract. All the information you provide during the recruitment process will only be used for progressing your application, or to fulfil legal or regulatory requirements, and will not be shared with any third parties for marketing purposes or stored outside of the European Economic Area. The information you provide, whether electronic or physical, will be held securely by us.  We will only use the provided contact details to progress your application. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than necessary.  The information we ask for is used to assess your suitability for employment. You do not have to supply it, but it might affect your application if you do not. Other information may be requested to enable us to monitor equal opportunities. You are not obliged to provide this information and withholding it will not affect your application. If you accept a final offer from us, some of your personnel records will be held on our internal HR records system.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  1. The right to request a copy of the personal data which we hold about you;
  2. The right to request that we correct any personal data if it is found to be inaccurate or out of date;
  3. The right to request your personal data is erased where it is no longer necessary to retain such data;
  4. The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data;
  5. The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
  6. The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  7. The right to object to the processing of personal data where applicable, (i.e. where processing is based on legitimate interests, or the performance of a task in the public interest/exercise of official authority or direct marketing and processing for the purposes of scientific/historical research and statistics).

Under the GDPR, we are required to verify the identity of anyone requesting copies or changes to personal data. Once this is established we will provide the data requested within the timeframes stipulated under the regulations.

Transfer of Data Abroad

Whenever we transfer your personal data out of the EEA, we will comply with applicable data protection law. Some of the mechanisms we may choose to use when undertaking an international transfer are:

  • The transfer of your personal data is to a country that has officially been deemed to provide an adequate level of protection for personal data by the European Commission.
  • We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe (called the “EU Model Clauses”).

Where we use providers based in the US eg. Mailchimp, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. If the provider is not EU-US Privacy Shield certified, we may use the EU Model Clauses.

Automated Decision Making

We do not use any form of automated decision making in our charity.

Further processing

If we wish to use your personal data for a new purpose, not covered by this Privacy Policy, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.

Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

Our Terms and Conditions

This privacy policy should be read in parallel with our Terms and Conditions with regard to your obligations to AtaLoss.org and the use of this website and any other website we are responsible for.

How to make a complaint

To exercise all relevant rights, queries or complaints please in the first instance contact our data protection officer on office@ataloss.org

If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.

Approved by the Board of AtaLoss.org: 23rd May 2018

Reviewed: May 2019

Amended: February 2020

I have read and understood this privacy policy