Privacy Policy

Kiwanis Club of Croydon

This website is owned and operated by The Kiwanis Club of Croydon (The Club), who is also the Data Controller.

The Club is a registered charity (registered in England No. ).

The Club’s Data Protection Officer is responsible for answering any questions you have about this privacy notice. The club secretary may be contacted at the following email address – secretary@kcoc.co.uk

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with any concerns you may have before you approach the ICO, so please feel free to contact us first.

The personal data we collect from you, how we collect it and how we use it

This section explains what information The Club collects, keeps and stores about you.

What information do we collect?

The Club holds personal information about you which may include your name, date of birth, address, gender, and whether you have a disability, so that we can make sure our services meet your needs. We will also record information about the service we provide.

Why do we collect your information?

Under the General Data Protection Regulation (GDPR), and the UK’s Data Protection Bill, we must have a legal reason to keep your data and process it. When The Club provides you with a service, we will process your data on the basis of legitimate interest or public task. We do this because we cannot provide a service to you without using your personal information.

Who do we share your information with?

We share your data within The Club in order to provide you with a service, i.e. processing membership applications, security checks in order to work with children. We may be required to share your data with other agencies for legal reasons, a court order for example, or with other organisations if we believe that you are at risk of harm or may harm someone else.

There may be occasions when we will ask you for consent to use your data, for example to help us inform the public about our work. If this is the case, we will explain to you exactly what your data will be used for. You can withdraw your consent at any time, and wherever possible, any of your data that has been used for publicity purposes will be deleted.

Who is responsible for your data?

The Data Controller is responsible for your data. This may be The Club’s secretary or IT person or the local authority or agency that funds any particular service being delivered by The Club.

How long do we keep your data?

The Club will keep your data for a specified period of time once we have finished working with you. Depending on the nature of the service and our legal obligations this will be a minimum of 6 years.

How can you access your data? (subject access requests)

You may request a copy of the information that The Club holds about you. 

How do we collect your personal information?

We obtain personal information from you when you enquire about membership, becoming a volunteer, send or receive an email, make a donation to us, support a campaign, or ask a question about our services.

Occasionally we obtain publicly available information, such as contact information, or we research information to help us perform due diligence checks to ensure we are not being abused by fraudsters or criminals posing as genuine donors, or to ensure that there are no conflicts of interest from potential supporters or organisations prior to our engagement. We do these checks to help protect Barnardo’s from abuse. For further information see ‘How we communicate with you’ below. 

What information do we collect?

The personal information we collect may include name, address, email address, telephone numbers, date of birth, bank account details (for setting up regular direct debit or payment information), gender and campaign experience (for contacting you in support of our campaigns) and your family relationships (when submitting a family history enquiry). Data protection law recognises that certain categories of personal information are more sensitive. These are known as special categories of data and cover health information, race, religious beliefs and political opinions. We do not usually collect special categories of data about our supporters unless there is a clear reason for doing so, such as participation in a run or walk or similar fundraising event or where we need to ensure we provide the appropriate facilities or support to enable you to participate in an event.

How do we use your data?

We may use your personal information for:

  • dealing with your enquiries, requests and complaints
  • processing your donations and orders made online or through our shops
  • providing you with information about our work, activities, events and services
  • complying with our legal obligations, policies and procedures, for example claiming Gift Aid
  • providing and personalising our services
  • administering membership records
  • fundraising and marketing
  • conducting market research

Donating or buying through our online shop

Data collected by our online shops is used to take and fulfil customer orders and to administer and enhance the site and service. If you donate to us, and are a UK taxpayer, we may ask your permission to claim Gift Aid on those donations. In this case we ask for your name and address.

If you use your credit or debit card to donate to us, buy something, or pay for a registration online or over the phone, we will ensure this is done securely. We do not store your credit or debit card details following the completion of your transaction. All card details are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments can see your card details.

Working with third parties

The Club will never sell your personal data. However, we may share your information with third parties in order to provide services to you. Your data may be accessible to our IT support person or any company we hire to manage our business-critical systems; however, this is only for the purpose of supporting our IT systems.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions. Some of our partners run their operations outside of the EEA (European Economic Area) and this may include countries who have different data protection laws. We will always take steps to make sure appropriate protections are in place (in accordance with UK data protection law) and that information is safeguarded.

Except for these specific cases listed below, we won’t share financial information with third parties without your specific consent unless required to do so by law. By donating or making a purchase from our websites you are consenting to your financial and/or personal information being passed to any third-party organisations necessary to process your transactions with The Club, such as credit card companies, banks and the companies that handle shipping on our behalf. We will also share your data with HMRC if you give us permission to claim Gift Aid on your donation.

We can share your personal information with:

 

  • selected third parties, including:
    • business partners, suppliers and subcontractors for the performance of any contract we enter into with them, including:
      • providers of our online shop and fundraising pages, advocacy, email marketing, and events
      • our customer relationship management systems
      • archive and storage systems
      • commissioners, printers, fulfilment houses, photographers, videographers, creative designers, creative agencies, and online survey providers
      • insurers, solicitors, brokers, loss adjusters, managing agents and landlords
      • benefits providers and criminal records check processors
  • analytics and search engine providers that assist us in the improvement and optimisation of our site
  • where we are under a duty to disclose or share your personal information in order to comply with any legal obligations, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Barnardo’s, our donors, beneficiaries or others – this includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction
  • a prospective seller or buyer of our business or assets in the event we sell or buy any such business or assets, including where Barnardo’s or substantially all of its assets are acquired by a third party, in which case personal data will be one of the transferred assets
  • for employees, payroll agencies, HMRC, pension, insurance companies and statutory bodies, where regulated to do so by law
  • we will keep your personal information confidential, and where we provide it to other third parties we will only do so under contract, on conditions of confidentiality and security, and only for the purposes for which you have provided your information to us

Third-party websites

Our websites may contain links to third-party websites. This policy only applies to this site, so if you follow a link to a third-party site, please make sure you read the privacy policy on that site. We do not accept any responsibility for third-party sites.

How do we keep your data safe?

We take the security of your personal information very seriously. We have internal policies, controls and appropriate data collection, storage and processing practices and security measures in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by authorised club members.

We work hard to make sure that our security procedures do the job they are designed to do and any communications between you and our websites are protected by encryption (this means that communications are turned into codes that only Kiwanis Club of Croydon’s websites can understand, which stops unauthorised people seeing them).

We use strict procedures and ISO 27000 security-compliant features to prevent unauthorised access to or loss of data from our systems. However, we cannot guarantee the security of data that you transmit to our websites and therefore any transmission to us is at your own risk.

Please be aware that any personal information you choose to post on the public areas of our websites can be read, collected, or used by other users and could be used to send you unsolicited messages. We are not responsible for the personal information you choose to make public. In addition, we are not responsible for the content you publicly post on the site that can be found via web-based search engines.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask that you do not share your password with anyone.

How we store and process your information

The information that we collect from you may be transferred to, and stored in, a location outside of the United Kingdom, but only where we are satisfied that it has an adequate level of protection. It may also be processed by board members of the club operating in the normal capacity of their club duties. By submitting your personal information, you agree to this transfer, storing or processing. The Kiwanis Club of Croydon will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this privacy notice.

Your legal rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

a. the right to be informed

b. the right to access your personal information

c. the right to edit and update your personal information

d. the right to request to have your personal information deleted

e. the right to restrict processing of your personal information

f. the right to data portability

g. the right to object – including automated decision making and profiling

h. the right to lodge a complaint with a supervisory authority

If you wish to exercise your rights, please contact us, providing as much information as possible about the nature of your contact with us to help us locate your records. Any changes you have requested may take 30 days before they take effect.

The right to be informed.

You have the right to be informed about the data we hold and share about you. This will be described to you in the service-specific information leaflet if you are a service user or through your line manager if you are a member of staff or a volunteer or through our privacy notice above.

The right to access your personal information

You have a right to access your personal data. By making a subject access request to Barnardo’s you can find out what personal data we hold about you, why we hold it and who we disclose it to. You must make a subject access request in writing, and include proof of your identity – you can download a standard form from this website to help make the process quicker and easier.

Email: secretary@kcoc.co.uk

Once we have received your request, and verified your identity, we will respond within 30 days.

Glossary of Terms

Anonymization is the process of either encrypting or removing personally identifiable information from data sets, so that the people who the data describe remain unknown or anonymous.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to, e.g. The Children’s Act, Care Leaver’s Act, as well as regulatory requirements under CQC and other quality bodies.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

The Data Controller is the organisation that is responsible for your personal data. They are required to keep it secure, make decisions about what happens to your data and are accountable if it’s lost or not kept confidential.

The Data Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Encryption is the method by which plain text or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key. Encryption is one of the most important methods for providing data security, especially for end-to-end protection of data transmitted across networks.

General Data Protection Regulation (GDPR) is the 2018 legal framework that sets guidelines for the collection and processing of personal information of individuals in the European Union (EU).

Legitimate business interests legal basis means the interests of our company in conducting and managing our business to enable us to give you the best service/products and the best and most secure experience. For example, we have an interest in making sure our marketing is relevant to you, so we may process your information to send you marketing that is tailored to your interests. When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s economic situation, personal preferences, interests and location.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to the data subject without the use of additional information. The additional information must be kept separately.

Public task legal basis means we can rely on this lawful basis as we need to process personal data ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or to perform a specific task in the public interest that is set out in law.

Service information leaflet provides detailed information of the data that is processed by individual children’s services and business lines services, which is given to the data subject or their parents along with the children’s services privacy notice.

Special category data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Subject access request is your right to get a copy of the information that is held about you.

Suppression list is a list that contains mailing or email addresses that you want to permanently exclude from future mailings or emails we send.

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, are authorised to process personal data.
