Sistema Scotland is a company limited by guarantee and Scottish Charity, registered at Raploch Community Campus, Drip Road, Stirling, FK8 1RD. Our company registration number is SC312903 and our Scottish Charity number is SC039119. We are registered as a data controller with the Information Commissioner, with the registration number ZA055145.
2. Purpose and scope
This policy may be amended from time to time. An updated copy can be obtained by emailing firstname.lastname@example.org
3. Personal data which we collect
Sistema Scotland is committed to protecting your privacy. Personal data about you that we collect and process will vary depending upon your interaction with us.
Your personal data will be collected and processed when you visit our website and interact on our Fundraising and/or Volunteering page; when you complete our online enrolment form for Big Noise Stirlingwide; when you apply for a job with Sistema Scotland/Big Noise via our online application form; when you use the Contact Us section; or when you sign up to our eNewsletter. We will also collect and process your personal data if you write to us by post, for example to make a donation by cheque.
The following provides an explanation of how we will collect and process your personal data:
We may collect the information you provide to us either directly or through third parties. If you provide your data to us directly, for example by email, by letter or through our website, we may store and process contact details, communications preferences and financial information. If you send us a cheque we retain copies for our financial records and the copy will include your name and bank details. These copies will be retained in line with our records retention policy, and to allow us to comply with HMRC rules. If you provide your data to us through a third party (including but not limited to: Charity Checkout, Charities Aid Foundation, Charities Trust, The Big Give and JustGiving) we may store and process your contact details, communications preferences and amounts donated. We do not store financial data of individuals who donate online through a third party as these donations are processed by the third parties.
Personal data we retain and may process includes:
- Information that you have given us directly (for example when you send us an email or online enquiry, when you send us a cheque or when you send us a Gift Aid Declaration)
- Your contact name, address, email and telephone numbers
- Confirmation of your communications preferences
- Correspondence you send us
- Copies of correspondence that we send to you (for example thank you cards)
- Information on where you heard about Sistema Scotland (not mandatory)
We will use your data as follows:
- To provide you with the services and information you requested
- Administer/acknowledge your donation/support your fundraising, including processing Gift Aid
- Understand how we can improve our services, products or information
- Keep a record of your relationship with us
- Ensure we know your contact preferences
- In order to keep your contact preferences up to date, we will retain your data on our thankQ database
- If you have told us you would like to be contacted, we will be in touch with updates, events invitations and/or ways to support. You can opt out at any time or change your communications preferences, by emailing email@example.com and we will include this option in all of our communications.
3.2. Sistema Scotland/Big Noise website:
When you use our website we take measures to ensure your information is private and secure. To better serve visitors to our website, we may collect the following information:
- Contact information
- Business details
- Browser cookies
- Survey responses and competition submissions
- Contact names and addresses, telephone numbers and email address
- Your communications preferences
- Any other information about you that you have given to us (for example when you request details on becoming a volunteer with Sistema Scotland.)
We may use this information to measure web activity, produce internal records or create services and promotions most relevant to our customers. You will have full control over what information we collect and how we use it in the future.
Please see Appendix 3 for information on cookies.
Personal information (personal data) provided by you via our website
When you provide us with personal data via our website, you will have a choice about how we use this information. Personal data is only collected from certain pages on our website, for example those which include the option to sign up to our newsletter; our Fundraising page (including “Staying in Touch”); our Volunteering page; our online enrolment form for Big Noise Stirlingwide; our online application form for jobs with Sistema Scotland/Big Noise; the Contact Us section; or when you click Donate Now on any page on our website (in which case you will be taken to a third party website to donate and submit your data).
4. Purposes of processing
The General Data Protection Regulation (see Appendix 4) states that processing of personal data will be lawful only if and to the extent that at least one of the following applies:
(a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Sistema Scotland will therefore process your personal data either by obtaining your consent to do so, or as a result of legitimate interests, for example as a result of a transaction between you and Sistema Scotland. You will have the option to decide what you consent to through our privacy notice, through our enrolment form and on our website. Section 3.1 above explains the ways in which your personal data will be processed.
Appendix 1 provides clarification on the legal basis for processing your data.
5. Data Storage and Security
Records relating to you may be held in both paper and electronic versions. Where paper records are retained, these are stored in a locked filing cabinet and access will be restricted to authorised staff only. Electronic records will be stored on Sistema Scotland’s server, which is hosted by a third party; in email communications held within our IT systems, which are hosted by Google; and in backed-up data stored on the Amazon S3 Cloud. Records are also held within web databases (for example thankQ). Documents will be protected by a password and only those with authorisation will be able to access these records.
Your information is only accessible to the appropriate Sistema Scotland staff.
We do not share data with third parties for marketing purposes but we use external companies to collect or process data on our behalf (for example we use MailChimp to send out emails giving updates on Sistema Scotland, invitations to Big Noise events and ways in which you can support us). These companies are GDPR compliant and you can view the privacy policies on their websites or, if applicable, at the point of providing your data.
Your personal data may be stored on Access thankQ, which is our Customer Relationship Management System (CRM) and is our web-based database processed by the Access Group. This may include contact details, details of donation amounts and communications preferences but does not include financial information. Access Group is a data processor who manages Access thankQ CRM and enables us to keep accurate and up-to-date records of your data.
6. Disclosure of your personal data
Unless required to do so by law (for example to the police, regulatory bodies or legal advisors), or to protect our own interests, we will not otherwise share or distribute your personal data (other than as outlined in section 5) without your consent and we will not sell your personal information to a third party.
7. Transfer of your personal data outside the EEA
There may be occasions where your personal data is transferred outside of the European Economic Area. Such instances may include where an application service provider holds data on our behalf. This is restricted to occasions where you opt in to any email communications from ourselves and where we use third parties (such as MailChimp or Survey Monkey) as data processors on our behalf. In these circumstances the only personal data shared will be your name and email address. We will ensure that any such application service providers have signed up to the Privacy Shield Framework. More information on the Privacy Shield Framework can be found at https://www.privacyshield.gov/welcome
8. Retention of your personal data
We will retain your personal data for so long as we reasonably require in light of the purpose(s) for which we are holding it and all relevant legal, commercial and operational considerations.
As a guide, we envisage that your personal data will be retained as detailed in Appendix 2.
9. Access to your personal data
You have a right (referred to as a data subject access request or “DSAR”) to have access to the personal data which we hold about you subject to certain limitations. If you would like to exercise that right, you must submit a written request to firstname.lastname@example.org specifying the information that you want us to provide to you (or give you access to).
We are obliged to respond to any such request within one month of receiving it (subject to limited exceptions, for example, where disclosing the data would adversely affect the rights and freedoms of others).
We will inform you in writing following receipt of your written request and if necessary, seek additional information from you about your request.
10. Corrections to your personal data
You have a right (referred to as the right to rectification) to have your personal data rectified if it is inaccurate or incomplete.
If you become aware that any of the data that we hold about you is inaccurate, you should inform us by emailing email@example.com as soon as practicable.
We are obliged to comply with any such requests within one month. This may be extended to two months where the rectification request is complex.
You must notify us by emailing firstname.lastname@example.org immediately on becoming aware of any change of circumstances which require changes to be made to any of the personal data which we hold about you.
11. Deletion of your personal data
You have a right (referred to as the right to erasure) to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.
Your right to make such a request will arise in specific circumstances, for example where data is no longer necessary for the purpose for which it was collected or where you withdraw your consent for processing of your data (and where consent is the sole basis on which your data is processed).
The right to erasure does not, however, include data which Sistema Scotland must retain in order to comply with statutory regulations. Therefore, should you request the deletion or removal of your personal data where we have a legal obligation to retain it, we will inform you of this in writing.
If you would like to exercise this right you must submit a written request to email@example.com, specifying the information you wish deleted. We will then consider this request in accordance with our obligations under data protection laws. We will write to you to confirm the outcome and if appropriate the reasons why we are unable to comply with your request.
12. Transferring your personal data
You have a right (referred to as the right of data portability) to obtain and reuse your personal data for your own purposes across different services. This right allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.
If you would like to exercise this right, you must submit a written request to firstname.lastname@example.org, specifying the information that you wish to be transferred.
Where this right applies, we are obliged to comply with any such requests within one month. This may be extended to two months where the rectification request is complex or where multiple requests are received at the same time. We will notify you in writing if an extension is necessary.
13. Restricting use of your personal data
You have a right (referred to as the right to restrict processing) to block or suppress the processing of your personal data in certain circumstances.
If, for example, you contest the accuracy of the personal data, processing may be restricted until the accuracy of the personal data has been verified. This may also apply where you contest that the processing is unlawful.
If you would like to exercise this right, you must submit a written request to email@example.com specifying the information which you wish us to impose a processing restriction on.
14. Objecting to the use of your personal data
You have a right to object to processing of your personal data where you have grounds relating to your particular situation, and where the personal data we collect is based on any of the following:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as the data subject or for the establishment, exercise or defence of legal claims;
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics, unless the processing is necessary for the performance of a task carried out for reasons of public interest
If you would like to exercise this right, you must submit a written request to firstname.lastname@example.org outlining your grounds of objection. We will then consider this request in accordance with our obligations under data protection laws.
15. Data Protection – contacts and complaints
The overall day-to-day responsibility for processing of personal data lies with the HR Team. Contact details for the HR Team are as follows:
Raploch Community Campus
Telephone: 01786 475349
You have a right to complain to the Information Commissioner’s Office (ICO) if you think that there is a problem with how we are handling your data. The contact details for the ICO are:
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate) or 01625 545745