Battersea’s Data Protection Policy
1.1. This policy applies to both Battersea Dogs & Cats Home and our trading subsidiary, Battersea Dogs Home Limited, (together “Battersea”).
1.2. Battersea is committed to complying with privacy and data protection laws including:
- the General Data Protection Regulation (“the GDPR”) and any related legislation which applies in the UK, including, without limitation, any legislation derived from the Data Protection Act 2018;
- the Privacy and Electronic Communications Regulations (2003) and any successor or related legislation, including without limitation, E-Privacy Regulation 2017/0003; and
- all other applicable laws and regulations relating to the processing of personal data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office (“ICO”) or any other supervisory authority.
- (together “the Legislation”)
1.3. This policy sets out the principles we will apply when handling individuals’ personal data and also describes what comes within the definition of “personal data”. It is the responsibility of staff and any others who handle personal data in any way for Battersea to ensure that we adhere to the principles of the Legislation and this policy.
1.4. Any breach of this policy will be taken seriously and may result in disciplinary action.
1.5. The types of personal data that Battersea may collect include information about:
- Current, past, and prospective staff, volunteers (including foster carers), and trustees;
- Donors (current, past and prospects);
- Event attendees and fundraisers (i.e. those who raise money on the Battersea’s behalf);
- Intake and rehoming customers, and those of a lost or found animal;
- Individuals buying products or services through our shop and our website;
- Organisations we work with (and individuals who work at these organisations);
- Suppliers (and individuals who work at or with these suppliers); and
- Any others with whom we communicate.
1.6. This personal data, whether held on paper, on computer or other media, will be subject to certain legal safeguards in accordance with the Legislation.
2. Data Protection compliance
2.1. All staff, volunteers and trustees have responsibility for compliance with the Legislation and implementation of this policy and all managers have responsibility for ensuring their teams’ compliance. Any concerns or queries concerning Battersea’s compliance with the Legislation and implementation of this policy, or any questions or concerns about the interpretation or operation of this policy should be referred in the first instance to DataProtection@battersea.org.uk
3. Scope of the Policy
4.1. Anyone processing personal data must comply with the data protection principles set out in the GDPR. We are required to comply with these principles (summarised below), and show that we comply, in respect of any personal data that we deal with as a data controller.
4.2. Personal data should be:
- processed fairly, lawfully and transparently;
- collected for specified, explicit and legitimate purposes and not further processed in a way which is incompatible with those purposes;
- adequate, relevant and limited to what is necessary for the purpose for which it is held;
- accurate and, where necessary, kept up to date;
- not kept longer than necessary; and
- processed in a manner that ensures appropriate security of the personal data.
4.2.1. Processing data fairly, lawfully and transparently
The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes about which the data subject has been told. Processing will only be lawful if certain conditions can be satisfied, including where the data subject has given consent, or where the processing is necessary for one or more specified reasons, such as where it is necessary for the performance of a contract.
126.96.36.199. To comply with this principle, when we receive personal data about a person directly from that individual, which we intend to keep, we need to provide that person with “the fair processing information”. In other words, we need to tell them:
- the type of information we will be collecting (categories of personal data concerned);
- who will be holding their information, i.e. Battersea Dogs and Cats Home including contact details and the contact details of staff responsible for Data Protection;
- why we are collecting their information and what we intend to do with it (for example to process donations or send them mailing updates about our activities);
- the legal basis for collecting their information (for example, are we relying on their consent, or on our legitimate interests or on another legal basis);
- if we are relying on legitimate interests as a basis for processing what those legitimate interests are;
- whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data;
- the period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period;
- details of people or organisations with whom we will be sharing their personal data;
- if relevant, the fact that we will be transferring their personal data outside the EEA and details of relevant safeguards; and
- the existence of any automated decision-making including profiling in relation to that personal data.
188.8.131.52. Where we obtain personal data about a person from a source other than the person themselves, they must provide the following information in addition to that listed above:
- the categories of personal data that we hold; and
- the source of the personal data and whether this is a public source.
In some cases, this may be provided to them by the person or organisation who shared their data with us.
184.108.40.206. In addition, in both scenarios described above, (where personal data is obtained both directly and indirectly) we must also inform individuals of their rights outlined in this policy, including the right to lodge a complaint with the ICO and, the right to withdraw consent to the processing of their personal data.
220.127.116.11. This fair processing information can be provided in a number of places including on web pages, in mailings or on application forms. We must ensure that the fair processing information is concise, transparent, intelligible and easily accessible.
4.2.2. Processing data for the original purpose
The second data protection principle requires that personal data is only processed for the specific, explicit and legitimate purposes that the individual was told about when we first obtained their information.
18.104.22.168. This means that we should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, the individual should be informed of the new purpose beforehand. For example, if we collect personal data such as a contact number or email address in order to update a person about our activities it should not then be used for any new purpose, for example to share it with other organisations for marketing purposes, without first getting the individual’s consent.
4.2.3. Personal data should be adequate and accurate
The third and fourth data protection principles require that personal data that we keep should be accurate, adequate and relevant. Data should be limited to what is necessary in relation to the purposes for which it is processed. Inaccurate data should be edited or destroyed securely, and we must take every reasonable step to ensure that personal data which is inaccurate is corrected.
4.2.4. Not retaining data longer than necessary
The fifth data protection principle requires that we should not keep personal data for longer than we need to for the purpose it was collected for. This means that the personal data that we hold should be destroyed or erased from our systems when it is no longer needed. If you think that we are holding out-of-date or inaccurate personal data, please email DataProtection@battersea.org.uk.
22.214.171.124. For guidance on how long particular types of personal data that we collect should be kept before being destroyed or erased, please refer to Battersea’s Data Retention Policy or email DataProtection@battersea.org.uk
5. Rights of individuals under the GDPR
5.1. The GDPR gives people rights in relation to how organisations process their personal data. Everyone who holds personal data on behalf of Battersea needs to be aware of these rights. They include (but are not limited to) the right:
- to request a copy of any personal data that we hold about them (as data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as subject access rights);
- to be told, where any information is not collected from the person directly, any available information about the source of the information;
- to be told of the existence of automated decision-making;
- to object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests;
- to have all personal data erased (the right to be forgotten) unless certain limited conditions apply;
- to restrict processing where the individual has objected to the processing;
- to have inaccurate data amended or destroyed; and
- to prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else.
5.2. Queries from a data subject relating to any of these rights should be referred to DataProtection@battersea.org.uk.
6. Data security
The sixth data protection principle requires that we keep secure any personal data that we hold.
6.1. We are required to put in place procedures to keep the personal data that we hold secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6.2. When we are dealing with sensitive personal data (such as details of an individual’s health, race or sexual orientation) or criminal offences data, more rigorous security measures are likely to be needed, for instance, if this data is held on a memory stick or other portable device, such as a tablet or laptop, it should always be encrypted.
6.3. When deciding what level of security is needed, your starting point should be to look at whether the information is sensitive or highly confidential and how much damage could be caused if it fell into the wrong hands.
6.4. Battersea will ensure that:
- Everyone handling personal information in any way understands they are responsible for following good data protection practice and are appropriately briefed to do so;
- Anyone wanting to access their personal information knows what to do;
- Methods of handling personal information are regularly assessed and evaluated;
- Personal information is not disclosed to any unauthorised third party orally, in writing or otherwise.
6.5. When deciding what level of security is needed, the starting point should be to look at whether the information is sensitive (or includes criminal offences data) (as defined in the definitions section of this policy) or highly confidential and how much damage could be caused if it fell into the wrong hands.
6.6. The following security procedures must be followed in relation to all personal data for which Battersea is the data controller:
- Personal data must be secured at all times by user-unique password protection for computers, laptops and other devices, memory sticks or other electronic storage and communication methods (including communication via email), or kept locked in secure cabinets;
- Personal information and other confidential information (e.g. financial records) must not be stored on any privately-owned personal computer or other personal electronic device;
- Passwords should include a mixture of letters and numbers. Avoid passwords that are easy to guess such as your name or date of birth;
- Staff should ensure that individual monitors do not show confidential information to passers-by and that they lock their screen or log off from their PC when it is left unattended;
- Personal data may not be transferred to a third party unless it is with a data processor in accordance with the section below, or where there are arrangements in place to ensure that such transfer is carried out in accordance with the Legislation (e.g. the individual’s consent has been obtained for their data to be shared, or another relevant condition of processing applies);
- Data must be transferred securely, either using Secure File Transfer Protocol (“SFTP”) or using appropriate encryption/password protection on the files being transferred. Advice should be sought from the IT Department should further information or resources be needed.
- In accordance with Battersea’s Data Retention Policy, personal data should be disposed of securely. Paper documents should be shredded. Portable media on which personal data is stored such as memory sticks, CD-ROMs etc. should be physically destroyed when they are no longer required.
6.7. During employment and on leaving Battersea, staff, volunteers, Directors, and Trustees must respect all confidential affairs of Battersea and must not, except as authorised by Battersea, make known to any third party any confidential information or knowledge about Battersea and/or personal data it holds, other than that which is already held in the public domain.
6.8. Whilst working from home, staff are responsible for keeping all documents and information associated with Battersea’s business secure at all times. Specifically, staff have a duty to:
- Keep filing cabinets and drawers locked when they are not being used;
- Keep all documentation belonging to Battersea in locked cabinets/drawers at all times except when in use; and
- Set up and use a unique password, which must not be shared with any other individuals, for any computer/personal electronic device that is used to access personal data for which Battersea is the data controller.
7. Sharing personal data with data processors
7.1. Battersea is required to take particular security precautions when it uses third parties to process personal data on its behalf.
7.2. Third parties may include IT contractors, providers of website hosting services, professional fundraisers, outsourced service providers and payroll providers.
7.3. These third parties are data processors (see definitions below). Staff who are responsible for the selection or appointment of any data processors, or are involved in contract negotiations with data processors must:
- Select only data processors who provide sufficient guarantees in respect of the technical and organisational security measures they will use in relation to the processing of personal data;
- Ensure that Battersea enters into a written contract with each data processor. It is important to do this before the processing actually begins. Please email DataProtection@battersea.org.uk regarding the form of contract;
- Where the data processor is located outside the European Economic Area, additional requirements may apply. If you think this might be the case, please email DataProtection@battersea.org.uk;
- Ensure that each data processing contract makes it clear that data processors must only act on instructions from Battersea. The law currently makes Battersea responsible for the processing of all personal data, even if it is carried out on its behalf by a data processor. It must, therefore, maintain control over such processing at all times.
7.4. Where a member of staff is not sure whether a data processing agreement is needed, please email DataProtection@battersea.org.uk.
8. Data relating to supporters, donors and prospects used for marketing purposes
8.1. Battersea will follow the principles of the GDPR, the Privacy and Electronic Communication Regulations 2003 and all other relevant guidance related to data concerning supporters, donors and prospects. Specifically, in relation to communications to donors, supporters and prospects:
8.1.1. Postal marketing/Direct mail
126.96.36.199. When sending marketing materials by post, it should be remembered that:
- People have the right to ask Battersea to stop processing their personal data for direct marketing purposes. Battersea should record all such requests on a “suppression list” and refrain from contacting those people (unless they ask Battersea to start contacting them again). There are no exceptions and Battersea must comply with requests within a reasonable period of time. Most requests should be complied with within one month.
- An individual who wishes to prevent personally addressed marketing material being sent to them may register with the Mailing Preference Service (“MPS”). Battersea should not send any unsolicited direct mail by post to a person who has registered with MPS unless they have consented to Battersea sending such mail (for example, by ticking an opt-in box agreeing to Battersea’s marketing mail or providing their postal address in the knowledge that it would be used for marketing purposes).
- When individuals’ personal data is added to Battersea’s fundraising and associated databases, we will ensure that they are notified of who we are, what we will use their information for and anything else necessary to make sure we are using their information fairly.
8.1.2. Email and SMS marketing
188.8.131.52. Battersea must have consent before making any kind of approach by email or SMS for marketing purposes.
184.108.40.206. The emails/SMS should provide clear instructions for unsubscribing from future emails of that kind (for example, by providing an unsubscribe link or an email address to reply to). Battersea should record all unsubscribe requests on a “suppression list” and refrain from contacting those people.
220.127.116.11. These principles apply to unsolicited direct marketing by fax, email, and text message as well as by automated telephone messages.
8.1.3. Telephone marketing
18.104.22.168. Battersea must have consent before making any kind of approach by telephone for marketing purposes.
22.214.171.124. Battersea should never make marketing telephone calls to an individual or organisation who has told us they do not want calls from us or to any numbers on the Telephone Preference Service (“TPS”) or Corporate Telephone Preference Service (“CTPS”) lists unless they have consented to Battersea making such calls (for example, by ticking an opt-in box agreeing to our marketing calls, or providing their telephone number in the knowledge that it would be used for marketing purposes).
126.96.36.199. Individuals can give consent to receiving unsolicited calls which overrides TPS registration, but this is only valid where the overriding consent is given to the organisation in question, i.e. Battersea. Particular care needs to be taken in the case of calling numbers obtained from a third-party list, to ensure that the individual has consented to calls specifically from Battersea. If there is any doubt about the validity of such consent, then the numbers should be screened against TPS before calling. Mobile numbers can also be registered on the TPS and so must also be screened where necessary. Battersea can, however, send texts, pictures, or video messages without needing to screen against TPS, but prior consent will be needed before sending such messages.
188.8.131.52. The Fundraising Preference Service (“FPS”) is a website-based service which helps members of the public control the communications they receive from charities. More detail can be found at https://www.fundraisingpreference.org.uk/. Battersea complies with the FPS by ensuring that any notifications received informing Battersea that a supporter has opted-out of marketing communications will be suppressed internally.
8.1.4. Digital marketing via cookies
184.108.40.206. Battersea uses implied consent to process cookie information for marketing purposes.
220.127.116.11. All communications must include information on how to contact Battersea, or include a link to the Battersea website.
9. Data relating to customers for our animals
9.1. Battersea records personal details, which may include their address and details of their home, of customers (e.g. those who gift us animals, those who enquire to the lost dogs and cats line, those who are reunited with their animals, and prospective or actual animal rehomers) when they contact Battersea, or set up an account on our website. This data is held electronically and is subject to Battersea’s standard IT security protocols and this Data Protection Policy. This data may sometimes include sensitive personal data regarding the health of an individual. All sensitive personal data must be processed in accordance with the relevant section below.
9.2. Personal data relating to customers for our animals is only requested and held where it is relevant to that purpose and will not be used by other functions within Battersea for their use (e.g. for fundraising or marketing) unless they have been informed that the data will be used for these purposes and their consent has been obtained where necessary. The customer has the right to opt out of processing of this kind at any time by contacting Battersea’s Supporter Services team via email@example.com.
9.3. When a customer adopts a cat or dog from Battersea, the pet insurance company will gather their personal data via the insurance application form. The pet insurance company has their own data protection policy which is outlined on the insurance forms.
10. Data relating to volunteers and foster carers
10.1. Battersea may hold any or all of the following pieces of information on current, former and prospective volunteers (foster carers are included in this grouping) as well as unsuccessful applicants.
- Name, age, and contact details;
- Length and periods of service (and absence from service);
- Training Records;
- Details of the volunteer’s experience, qualifications; and motivations to volunteer
- Emergency contact details;
- Details of health conditions;
- Details of any DBS or other background checks;
- Any complaints relating to the volunteer;
- A photograph for the purposes of identification;
- Equality information (including sensitive personal data such as details of ethnic and racial origin and religious beliefs).
10.2. Battersea uses this information in the course of their volunteering role, to administer and provide support to volunteers (including providing for needs around health concerns) to communicate with volunteers regarding its activities, to carry out checks, to update its volunteers on new developments within Battersea, to conduct benchmarking activities against other voluntary organisations, and for other purposes in furtherance of Battersea’s charitable purposes.
10.3. Personal data relating to volunteers is only requested and held where it is relevant to their role and will not be shared with other functions within Battersea for their use (e.g. for fundraising or marketing) unless volunteers have been informed that the data will be used for these purposes and their consent has been obtained where necessary, or the volunteer has chosen to engage with another department e.g. as a donor or when rehoming an animal.
11. Data relating to staff and trustees (where relevant)
11.1. Battersea may hold any or all of the following personal data on its current and former employees and trustees as well as unsuccessful applicants:
- Name, contact details, date of birth and gender;
- Documents relating to recruitment, CV’s, application forms and qualifications;
- Proof of the right to work in the UK
- Details of any DBS checks, unspent criminal convictions and references;
- Emergency contact details, and dependents;
- Documents relating to your working hours and the terms and conditions of your employment;
- Notes on discussions between management and staff;
- Probationary reviews, performance reviews and ratings and performance improvement plans;
- Documents relating to grievance, discipline, capability, whistleblowing, or termination of employment;
- Learning and development records;
- Salary, benefits, bank/building society details and national insurance number;
- Equality monitoring information (including sensitive personal data such as ethnic origin, sexual orientation and religious beliefs);
- Details of health conditions, including whether or not you have a disability for which Battersea needs to make reasonable adjustments;
- Leave taken, including holiday, sickness absence, maternity, paternity, adoption, parental, emergency carers, bereavement and compassionate, jury service, unpaid leave and sabbaticals;
- A photograph for the purposes of identification.
11.2. Battersea processes this information in the course of the employment/trustee relationship (for example recruitment, training, promotion, payroll, employee benefits, disciplinary and grievance, retirement, provision of a reference), to manage and communicate with the employee or trustee, to monitor equal opportunities, and to comply with relevant legal and regulatory obligations.
11.3. Individuals are entitled to see a copy of a reference given by their previous employer once it is in the possession of their new employer. Therefore, all references given by/on behalf of Battersea must be made by the HR department, and will be held on an individual’s employee file held in HR.
11.4. Personal data is only disclosed outside Battersea where there is an authorised purpose (e.g. where a third party is processing the data on behalf of Battersea, such as payroll or pension administration), where disclosure is required by law, or where there is immediate danger to the employee’s health or safety. In other cases, personal data (including references given by Battersea to potential new employers) may only be disclosed outside Battersea with the written consent of the member of staff.
11.5. Employee and trustee personal data will not be shared with other functions within Battersea for their use (e.g. for fundraising or marketing)
12. Data relating to videography and photography
12.1. For full details of Battersea’s policy regarding photography and videography under GDPR, please refer to the Photography and Videography Policy document.
12.2. Battersea will only process and store data in the form of photography or videography of individuals if any of the following apply:
- We have asked for your express consent and have a record of this (for example, when individuals have agreed to provide a case study, or feature in a photoshoot or video);
- We have a legitimate interest to do so. Our use will be fair and balanced and never unduly have an impact on your rights (for example, it is in our legitimate interests to capture photography and videography at events in order to promote future events for the purpose of Fundraising, or for the purpose of maintaining a historical record of key moments in the organisation’s history, or those featuring public figures – such as MPs or VIPs).
18.104.22.168. Where we intend to capture photography or videography featuring an individual or individuals, Battersea will aim to request consent at the point of capture – or at the point of registration, if related to an event (see Events below) – wherever practicable and possible. This consent will not be a condition of sign up or participation, in order to ensure that it is freely given.
22.214.171.124. Template consent forms exist for individuals over the age of 16, individuals under the age of 16 (to be completed with the permission of a parent/guardian), or for small-scale event audiences (where it is possible and practical to capture consent from all audience members).
126.96.36.199. Individuals who consents to their image being captured as part of a small-scale Battersea event, where it is possible to seek consent on an individual basis, will be given something by which they can be identified as having given consent (such as a specific-coloured lanyard, sticker or tag), If a participant loses/removes their tag, we default to assuming we do not have consent. Please see below for further details on process when it is not possible or practicable to seek consent for events – for example large-scale or public events, or those covered by media. In this instance we would seek to use a Legitimate Interest case for imagery capture.
188.8.131.52. Battersea will make every effort to ensure photographers and videographers process their images and video and delete any featuring non-consenting participants before being stored within a restricted access folder (see Data Storage details below). This will be detailed within contracts and/or statements of work where appropriate.
184.108.40.206. Data subjects can withdraw consent for these channels and activities at any time by contacting Supporter Services on: Phone: 0300 323 1216 Email: firstname.lastname@example.org Post: Supporter Services Team, Battersea Dogs & Cats Home, 4 Battersea Park Road, London SW8 4AA.
220.127.116.11. Should consent be withdrawn, Battersea will make every effort to do this; removing images from social media and digital channels and (future) print work. However, if imagery has been shared externally with with media outlets or agencies, Battersea are unable to retract or control its future use. Similarly, if print deadlines have passed for marketing materials, it may be too late to remove the subject from that material.
12.2.2. Legitimate Interests
18.104.22.168. This legal ground for processing means that we can process personal information if we have a genuine and legitimate reason for doing so, and that reason is not overridden by the rights and interests of an individual.
22.214.171.124. We will consider and balance our legitimate interest cases against individuals’ privacy rights in these scenarios, and we do not believe that any adversely affect our supporters’ rights or interests.
126.96.36.199. A template Location Notice exists for events at which we have a legitimate interest case for capturing photography and/or videography for future Marketing, Fundraising and PR purposes, but for which it would not be possible or practical to gather individual consent. These should be displayed at any Battersea-owned events, though it may not be possible/practical to do this at public events at which Battersea have a presence (such as the London Marathon, for example.
188.8.131.52. Archive photography and videography (including physical copies) for which we no longer have compliant permission will be deleted, in accordance with the retention schedule.
184.108.40.206. Please note that Battersea (or our authorised service providers) or third-party partners may film or photograph participants, volunteers and spectators attending or taking part in events and use such footage or photographs.
220.127.116.11. We do this in order to publicise the event for commercial and/or fundraising purposes including, but not limited to: television broadcasts, advertising, publications, marketing material, merchandising, social media, personalised direct mail and other media that may be made available to the public. Secondly, to enable our commercial partners to publicise their involvement and/or association with the event.
18.104.22.168. No personal details (including names) of any under 16-year-old participants will be used in any publicity materials without the written consent of their parent or legal guardian, but we may use images where children are incidentally included (for example, images of mass participation in the warm-up exercises, or on the starting line).
22.214.171.124. For large-scale events attended by members of the public, such as Muddy Dog Challenge, Collars and Coats Gala Ball or the London and Brighton Marathons, we have a Legitimate Interest case for capturing photography and/or videography for future Marketing, Fundraising and PR purposes. In the case of Battersea-owned events, Location Notices will be used to alert attendees to the possibility that they may be captured in photography or videography by ourselves or other third parties (such as media outlets or event partners).
12.2.4. Data storage
126.96.36.199. Photography and videography will be stored within a restricted access area, accessible by relevant Marketing and Communications staff members, as well as selected individuals with a need to access the data.
13. Data Retention
13.1. We should not keep personal data for longer than is necessary for the purpose it was collected for. This means that the personal data that we hold should be archived, destroyed or erased from our systems when it is no longer needed.
13.2. Battersea will periodically review the nature of the personal data being collected and held to ensure there is a good reason for it to be retained.
13.3. For guidance on how long particular types of personal data that we collect should be kept before being destroyed or erased, please see Battersea’s Data Retention Policy.
14. Transferring data outside the EEA
14.1. The GDPR requires that when organisations transfer personal data outside the EEA, they take steps to ensure that the data is properly protected. We may transfer personal data outside the EEA if organisations which provide services to us may transfer personal data outside the EEA for processing purposes, but we’ll only allow them to do so if your data is adequately protected (for example, if they are certified under the EU/US Privacy Shield scheme, or if we have a prescribed contract in place with them).
14.2. The European Commission has determined that certain countries provide an adequate data protection regime and are therefore on an approved list. These countries currently include Andorra, Argentina, Canada, Guernsey, Isle of Man, Israel, New Zealand, Switzerland, Faroe Islands, Jersey and Uruguay, but this list may be updated. As such, personal data may be transferred to people or organisations in these countries without the need to take additional steps beyond those you would take when sharing personal data with any other organisation.
14.3. In transferring personal data to other countries outside the EEA (which are not on this approved list), it will be necessary to enter into an EC-approved agreement, seek the explicit consent of the individual, or rely on one of the other derogations under the GDPR that apply to the transfer of personal data outside the EEA.
14.4. The EU-US Privacy Shield is an instrument that can be used as a legal basis for transferring personal data to organisations in the US, although specific advice should be sought from DataProtection@battersea.org.uk before transferring personal data to organisations in the US.
15. Processing sensitive personal data
15.1. On some occasions Battersea may collect information about individuals that is defined by the GDPR as special categories of personal data or that covers criminal convictions data, and special rules will apply to the processing of this data. In this policy we refer to “special categories of personal data” as “sensitive personal data”. The categories of sensitive personal data are set out in the “definitions section of this policy.
15.2. Purely financial information is not technically defined as sensitive personal data by the GDPR. However, particular care should be taken when processing such data, as the ICO will treat a breach relating to financial data very seriously.
15.3. In most cases, in order to process sensitive personal data, Battersea must obtain explicit consent from the individuals involved. As with any other type of information we will also have to be absolutely clear with people about how we are going to use their information.
15.4. It is not always necessary to obtain explicit consent. There are a limited number of other circumstances in which the GDPR permits organisations to process sensitive personal data. An example of this is data relating to criminal convictions. If you are concerned that you are processing sensitive personal data and are not able to obtain explicit consent for the processing, please email DataProtection@battersea.org.uk.
16. Subject Access Requests
16.1. Data subjects must make a formal request for information we hold about them, and this must be made in writing. Any staff receiving a written request from an individual for the personal information Battersea holds on them should immediately refer this to DataProtection@battersea.org.uk, so that the request can be handled in accordance with relevant legislation and completed within the specific timescales required (currently within one month).
17.1. We recognise that whilst there is no obligation for us to make an annual notification to the ICO under the GDPR, we will consult with the ICO where necessary when we are carrying out “high risk” processing.
17.2. We will report breaches (other than those which are unlikely to be a risk to individuals) to the ICO where necessary, within 72 hours. We will also notify affected individuals where the breach is likely to result in a high risk to the rights and freedoms of these individuals.
17.3. If you think there has been a breach you should immediately refer this to DataProtection@battersea.org.uk
18. Record keeping
18.1. We must keep a record of our data processing activities, to demonstrate that we are complying with them. These records will include the purpose of processing, descriptions of categories of data subjects and categories of personal data, details of transfers to third countries and retention periods of personal data.
19. Monitoring and review of the policy
19.1. This policy is reviewed annually by our senior management and Board of Trustees to ensure that it is achieving its objectives.
20.1. The following terms are used in this policy:
- Data Subjects include all living individuals about whom we hold personal data, for instance an employee or a supporter. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
- Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). It can also include an identifier such as an identification number, location data, an online identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any personal data is processed. They have a responsibility to process personal data in compliance with the Legislation. Battersea Dogs and Cats Home is the data controller of all personal data that we manage in connection with our work and activities.
- Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as website hosts, fulfilment houses or other service providers which handle personal data on our behalf.
- European Economic Area includes all countries in the European Union as well as Norway, Iceland and Liechtenstein.
- ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK).
- Processing is any activity that involves use of personal data, whether or not by automated means. It includes but is not limited to:
- adapting or altering;
- disclosing by transmission;
- disseminating or otherwise making available;
- alignment or combination;
- erasing; or
- destruction of personal data.
- Sensitive Personal Data (which is defined as “special categories of personal data” under the GDPR) includes information about a person's:
- racial or ethnic origin;
- political opinions;
- religious, philosophical or similar beliefs;
- trade union membership;
- physical or mental health or condition;
- sexual life or orientation;
- genetic data;
- biometric data; and
- such other categories of personal data as may be designated as “special categories of personal data” under the Legislation.