This privacy notice explains how Endometriosis UK ("we", "our", "us") collects, uses and shares your personal data, and your rights in relation to the personal data we hold. This privacy notice concerns our processing of personal data of members, those registering for and attending events and anyone else with an interest in endometriosis who interacts with us (together, "you", "your").
This policy does not cover how we use your data to analyse use of our website. This is covered in our cookies statement.
Endometriosis UK (a registered charity, number 1035810, which is registered with the Information Commissioner's Office with registration number Z2898910) is the data controller of your personal data and is subject to the Data Protection Act 1998 ("DPA") (and, once in force, the General Data Protection Regulation (the "GDPR")) as well as future legislative changes ("data protection legislation").
How we collect your information
We may collect your personal data in a number of ways, for example:
- From the information you provide to us when you join as a member, register for events, make a donation or use or register with a support service
- When you communicate with us by telephone, email or via our website, for example to make enquiries about Endometriosis UK services
- In various other ways as you interact with us for the purposes set out below
The types of information we collect
We may collect the following types of personal data about you:
- contact and communications information, including:
- your contact details (including email address(es), telephone numbers and postal address(es));
- your communication preferences;
- records of communications and interactions we have had with you;
- your name, title,
- your image and likeness, including as captured in photographs taken for Endometriosis UK;
- information you have publicly shared on social media;
- information concerning your engagement with us, including attendance at our events, responses to surveys, participation in support services etc.;
- information about your health conditions, including diagnosis of endometriosis, family history of endometriosis and your personal experience with endometriosis;
- your date of birth or ethnicity;
- your internet protocol or IP address;
- dietary requirements and other special needs relevant to attendance at events or services purchased or requested from us (e.g. large print, levelled access).
- financial information, including: bank account number, name and sort code (used for processing Direct Debits payment for events, payment of fees or donations); details of financial transactions, for example membership fees, donations; Gift Aid declaration information, where relevant (for example, if you choose to make donations to Endometriosis UK).
The basis for processing your information and how we use it
We may process your personal data because it is necessary for the performance of your membership, event registration, donation or other contract with you (or in order to take steps at your request prior to entering into a contract). In this respect, we use your personal data for the following:
- to interact with you before or after you join as a member or register for an event, for example to answer any questions you have;
- operating our support services;
- to deal with any concerns or feedback you may have;
- for any other purpose for which you provide us with your personal data.
We may also process your personal data because it is necessary for our or a third party's legitimate interests. Our "legitimate interests" include our charitable objectives. In this respect, we may use your personal data for the following:
- to monitor and evaluate the performance and effectiveness of our activities;
- to keep you informed (by letter, telephone, email and other electronic means) of news and information about our events, activities and details of opportunities to get further involved with Endometriosis UK in accordance with your communication preferences and subject to having your consent for being contacted by electronic means;
- to ensure that our communications are relevant to you and your interests;
- administrative purposes, for example in connection with your membership or an event you have registered for or attended;
- conducting surveys, focus groups and other research;
- internal record-keeping, including the management of any feedback or complaints.
We may also process your personal data for our compliance with our legal obligations. In this respect, we may use your personal data for the following:
- to meet our compliance and regulatory obligations, such as compliance with anti-money laundering laws and tax reporting requirements;
- for the prevention and detection of crime;
- in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities.
We may also process your personal data where:
- it is necessary to protect your or another person’s vital interests;
- it is necessary for the establishment, exercise or defense of legal claims (for example, to protect and defend our rights or property, and/or the rights or property of our members);
- we have your specific or, where necessary, explicit consent to do so.
In particular, with your consent, we may process your personal data to provide you with information about our events, activities and details of opportunities to get further involved with Endometriosis UK, for example, by sending you updates, newsletters, membership emails and news alerts. If you do not wish to receive such information, you can withdraw your consent to these types of emails using the links in the email message or by contacting email@example.com.
Sharing your information with others
We do not sell your personal data to other organisations.
For the purposes referred to in this privacy notice and relying on the bases for processing as set out above, we may share your personal data with certain third parties who we use to support us in delivering our services.
We may disclose limited personal data to a variety of recipients including:
- employees, agents and contractors where there is a legitimate reason for their receiving the information, including third parties where we have engaged them to process data on our behalf as part of administering our services;
- internal and external auditors;
- when Endometriosis UK is legally required to do so (by a court, government body, law enforcement agency or other authority of competent jurisdiction), for example by the Charity Commission.
International data transfers
As a matter of course, we do not transfer your personal data outside of the European Economic Area. We may, however, transfer your personal data around the world on an ad hoc basis, for example where this is necessary for interaction with you, and you are located outside of the EEA. In such circumstances, we will consider whether any additional measures are required in order to give adequate protection for the information when it is transferred outside of the EEA.
How long your information is kept
Endometriosis UK has a data retention policy and disposal schedule which determines how long data will be held. A copy of our data retention policy and disposal schedule is available from firstname.lastname@example.org.
Under data protection legislation you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require that we cease processing your personal data if the processing is causing you damage or distress;
- to require us not to send you marketing communications;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data;
- to require us to restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
- to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply, such as where we are required by law to hold specific data.
If you have given your consent and you wish to withdraw it, please contact email@example.com. Please note that where our processing of your personal data relies on your consent and where you then withdraw that consent, we may not be able to provide all or some aspects of our services to you and/or it may affect the provision of those services.
If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner. You can find out more about your rights under data protection legislation from the Information Commissioner's Office website available at: www.ico.org.uk.
If you have any queries about this privacy notice or how we process your personal data, or if you wish to exercise any of your rights under applicable law, you may contact our operations team:
by email: firstname.lastname@example.org
by post: 75 Gloucester Place, London, W1U 8JP