PRIVACY STATEMENT
1 INTRODUCTION
1.1 The Society of Our Lady of Lourdes (SOLL) is a company limited by guarantee (co. reg. no. 4156243) and a charity registered with the Charity Commission in England & Wales (charity reg. no. 1086419). References in this document to “SOLL”, “we” or “us” mean the Society.
1.2 When you provide us with personal data in order to participate in our activities ordeal with us, we will keep a record of that data in order to fulfil our contract with you, to comply with our statutory obligations or provide you with other information or services for which you have given your consent.
1.3 Everyone has rights regarding how their Personal Data are handled by organisations. These rights are governed by the General Data Protection Regulation 2016/279 (GDPR), which will be incorporated into UK Data Protection legislation. Under the GDPR, SOLL is a Data Controller with respect to the Personal Data that we hold about you. We are committed to ensuring that your Personal Data are properly and securely managed in accordance with the Data Protection legislation. This Statement sets out how we do that and the rights you have regarding the information that we hold. The Statement applies to living identifiable individuals only.
2 WHAT PERSONAL DATA WE HOLD ABOUT YOU
2.1 Depending on the reason for which you gave us the data, we may hold the following information about you:
2.1.1 name and contact details;
2.1.2 gender, age, date of birth, marital status, professional qualifications;
2.1.3 role(s) in SOLL and its pilgrimages (eg Society Friend; Pilgrimage 2018 Registered Helper);
2.1.4 financial information (eg bank details; donations made and whether gift aided);
2.1.5 information obtained as result of background checks (eg references for new helpers);
2.1.6 for those who participate in a Pilgrimage as a sick pilgrim or one with special needs: medical information supplied in your application forms or in connection with the Pilgrimage and notes made by the SOLL Medical Team caring for you;
2.1.7 photos, videos etc taken in connection with SOLL activities or posted on the SOLL website.
2.2 We may also hold other Personal Data about you supplied by third parties that is necessary for fulfilment of our statutory obligations or relevant to the care we provide to you or others participating in a SOLL activity.
3 HOW AND WHY WE PROCESS YOUR PERSONAL DATA
3.1 Medical information for sick pilgrims and those with special needs is needed to enable the pilgrimage Medical Team to decide on the level and type of care that you may need during the pilgrimage and to manage your care while you are with us. It is strictly confidential and will not be shared with third parties, although it may need to be given to Lourdes hospital or other medical units if you require further treatment during the course of the pilgrimage.
3.2 Other Personal Data that we hold about you for various reasons maybe processed in a number of ways, for example:
3.2.1 to manage a SOLL pilgrimage or other event in which you are participating (Such information may be shared with our travel agent. We always first obtain assurances from the travel agent that Personal Data shared in this way will be processed in accordance with our policies and the GDPR requirements.);
3.2.2 to ensure we comply with our legal obligations (eg processing safeguarding records and applications);
3.2.3 to process donations you have made, including the preparation of tax recovery claims for submission to HMRC;
3.2.4 to manage SOLL subscriptions and responses to appeals for funds;
3.2.5 to record grants that we have made to assist individuals to participate in a pilgrimage. This information is confidential and not shared beyond the senior officers of SOLL and its
pilgrimage and those involved in the administration and review of SOLL’s accounts;
3.2.6 with your consent, to communicate with you about SOLL news and activities, including distribution of the printed SOLL magazine, Pilgrims’ Way, and the online SOLL Newsletter;
3.2.7 for individuals who are members of SOLL Council, its committees or ad hoc groups, and with their consent, to facilitate communication between fellow members;
3.2.8 with your consent, to include photos or videos of you as an individual in the SOLL website, Pilgrims’ Way or SOLL promotional material; your consent will not be deemed necessary for photos or scenes in which you appear merely as part of a group and which do not focus on you as an individual.
3.3 Any information gathered through the use of cookies and similar technologies via the SOLL website is used to measure and analyse information on visits to the website, to tailor the website to make it better for visitors and to improve technical performance. We will not use the data to identify you personally or to make any decisions about you.
4 GROUNDS FOR PROCESSING YOUR PERSONAL DATA
4.1 We have to have one or more grounds specified in the legislation for processing your Personal Data. The grounds on which we rely are the following:
4.1.1 Medical information referred to in paragraph 3.1 above is necessary for the purposes of medical diagnosis or the provision of health or social care or treatment. Such Personal Data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or UK law or rules of national competent bodies.
4.1.2 Processing Personal Data provided under paragraph 3.2.1 above is necessary in order to perform our contract with you for participation in a pilgrimage or other event.
4.1.3 Processing Personal Data provided for compliance with safeguarding legislation is necessary to enable us to comply with our legal obligations regarding the collection and use of such information.
4.1.4 Processing Personal Data relating to donations and subscriptions received and responses to appeals for funds, and Personal Data relating to grants made (as described in paragraphs 3.2.3, 3.2.4 and 3.2.5 above) is necessary to enable us to keep proper accounting records, as required by law, and to submit them to the Independent Accountant who reviews our annual financial statements. Personal Data relating to donations received under Gift Aid have also to be submitted to HMRC to substantiate our tax recovery claims.
4.1.5 Personal Data received for the purposes outlined in paragraphs 3.2.6 and 3.2.7 above are processed with your written consent, which you are entitled to withdraw at any time. If you withdraw your consent, we will destroy or delete your Personal Data held on this basis and cease to contact you, unless we have reason to do so under one of the other grounds specified above.
4.1.6 It may not be possible to destroy or delete personal data that have been widely disseminated, for example photos used in printed materials. However, the use for which such personal data may be put is disclosed to the Data Subject at the point at which consent is obtained.
5 RETENTION OF PERSONAL DATA
5.1 Medical Personal Data are held for six years following the pilgrimage for which they were provided and are then securely destroyed.
5.2 Personal Data processed solely to enable us to manage a pilgrimage or other event in which you are participating are deleted or destroyed two years after completion of the pilgrimage or event. For this reason, if you wish us to contact you about similar events in the future, you will have to give us your written consent to do so, as specified in paragraph 3.2.6 above.
5.3 Personal Data processed in accordance with our legal obligations are retained for as long as necessary to enable SOLL to demonstrate that it has complied with those obligations. Under the safeguarding rules this is ten years. For the purpose of being able to substantiate our financial records, the period is normally six years from the completion and review of the annual financial statements to which they relate.
6 SHARING YOUR INFORMATION
6.1 We will only use your Personal Data within SOLL for the purposes for which it was obtained. As detailed in section 3, we may share certain information with other organisations in order to perform the activity for which it was provided (eg contact details for the travel agent; medical information to a hospital in the event of your requiring further treatment; name and address to HMRC for gift aided donations). When such bodies are not themselves under a duty of professional secrecy, we require them to confirm that they will comply with our policies on confidentiality and with the requirements of the GDPR.
6.2 In order to maintain or improve our processing systems, we may have to allow IT consultants or other specialists access to our records of Personal Data. As in paragraph 6.1 above, we require the organisation to confirm that it will comply with our policies on confidentiality and the requirements of the GDPR. The Independent Reviewer of our annual financial statements has similar access but is already bound by his own Institute’s code of professional secrecy regarding his client’s affairs.
7 YOUR RIGHTS
7.1 You have rights in respect of the Personal Data you provide to us. In particular:
7.1.1 the right to request a copy of some or all of the Personal Data that we hold about you (including in some cases in a commonly used machine readable format so that it can be transferred to other Data Controllers). We do not make a charge for this service;
7.1.2 if we process your Personal Data on the basis that we have your consent, the right to withdraw that consent;
7.1.3 the right to ask for any inaccuracies in your Personal Data to be corrected; 7.1.4 the right to have us restrict the processing of all or part of your Personal Data;
7.1.5 the right to ask us to delete your Personal Data where there is no compelling reason for us to continue to process it.
7.2 The above rights may be limited in some situations, for example, where we can demonstrate that we have a legal requirement to process your Personal Data. Furthermore, we may need to ask you to provide us with proof of identity for verification and security purposes before you can exercise your rights.
7.3 Parents/guardians or family members do not have an automatic right to see information about their children or other family members (or any other third parties). Rights may only be exercised by the individual to whom the Personal Data relates (including children from 12 years upwards) or with their express permission or by a person legally empowered to represent them in such matters.
8 CHANGES TO THIS STATEMENT
8.1 We may make changes to this Statement from time to time to reflect changes in our organisational practices or in applicable law. We will not make any use of your Personal Data that is inconsistent with the original purposes for which it was collected or obtained without notifying you in advance wherever possible. Any changes that we make will need to comply with the Data Protection Legislation at the time of the change.
9 GLOSSARY
9.1 “Data Controller” means a person, organisation or body that determines the purposes for which and the manner in which any Personal Data is processed. A Data Controller is responsible for complying with the Data Protection Rules and establishing practices in line with them. In this Statement, the Data Controller is SOLL.
9.2 “Data Processor” means any person, organisation or body that processes Personal Data on behalf of and on the instruction of the Data Controller. Data Processors have a duty to protect the information they process by following the Data Protection Rules.
9.3 “Data Subject” means a living individual about whom the Data Controller processes Personal Data and who can be identified by the Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data and the information that the Data Controller holds about them.
9.4 “Personal Data” means any information relating to a living individual who can be identified from that information which is in or likely to come into the Data Controller’s possession. Personal Data can be factual (such as a name, address or date of birth) or it can be an opinion (eg a reference regarding an individual’s suitability for acceptance as a registered helper). It can even include a simple email address. A mere mention of someone’s name in a document does not necessarily constitute Personal Data but personal details such as someone’s contact details (if they enabled an individual to be identified) would fall within the definition.
9.5 “Processing” means any activity that involves use of Personal Data. It includes obtaining, recording or holding the information or carrying out any operation or set of operations on it, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring or disclosing Personal Data to third parties.
9.6 “Special Categories of Personal Data” (previously called “Sensitive Personal Data”) means information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, mental or physical health or condition or sexuality. It also includes genetic or biometric data. Special Categories of Personal Data can only be processed under strict conditions. Although such processing usually requires the explicit consent of the Data Subject, it does not do so for medical information supplied for the purposes described in paragraph 3.1 of this Statement.
DOWNLOAD THIS PRIVACY STATEMENT HERE