The Directory of Social Change (DSC) is a registered charity (800517) which complies with all aspects of the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and from 25 May 2018 will comply with the General Data Protection Regulations. Currently DSC is not registered with the Information Commissioner.
DSC complies with GDPR by providing the following rights for individuals:
- The right to be informed.
- The right to access to a copy of their personal data.
- The right of rectification.
- The right of erasure (or right to be forgotten).
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
The right to be informed encompasses DSC’s obligation to provide “fair processing information” typically through the privacy notice, and to be transparent in how personal data is used.
With regard to the right of access DSC will provide confirmation that the data is being processed, and access to personal data free of charge if requested within 28 days of receiving the request. (This can be extended by a further month if the request is complex or onerous).
Under the right of rectification DSC will rectify any inaccurate or incomplete data within 28 days of notification. DSC will also inform any third parties, if applicable, of these rectifications. DSC will put into place procedures to ensure all personal data is kept up to date.
An individual has the right to erasure and DSC will erase data under the following specific circumstances -;
- where personal data is no longer necessary in relation to the purpose for which it was originally collected/processed,
- where an individual withdraws consent,
- when the individual objects to the processing and there is no overriding legitimate interest for continuing processing,
- the personal data was unlawfully processed,
- the personal data has to be erased to comply with a legal obligation,
- the personal data is processed in relation to the offer of information society services to a child.
DSC will ensure that in certain circumstances the processing of personal data will be restricted. This can include where data may be inaccurate, and where the individual has objected to the processing and DSC is considering whether its legitimate grounds override those of the individual.
Under GDPR there is a right to data portability whereby an individual can ask for their data in a form which can easily and securely be transferred from one IT environment to another. DSC would ensure that data held can be securely transferred if a request is made.
Under the right to object DSC will stop processing personal data where there is an objection unless there are compelling legitimate grounds to process, or if the processing is for the establishment, exercise or defence of legal claims. The right to object is included in the DSC privacy notice. DSC will stop processing personal data for direct marketing purposes as soon as an objection is received. This right is also included on the DSC privacy notice.
DSC will ensure that individuals will not be subject to a decision based on automated processing. When processing personal data for profiling/targeting marketing communications DSC will
- Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
- Use appropriate mathematical or statistical procedures for the profiling.
- Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
- Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
Should an individual wish to act upon one of the above rights, they can do so by contacting the Data Controller. On written request from an individual, the Data Controller will supply details of what information is held, why it is held and to whom it may be disclosed. A copy of the relevant Data Record can also be supplied.
DSC will aim to comply with requests for access within 28 days.
Direct marketing activities that are undertaken by DSC include a wide range of promotional activities.
The Privacy and Electronic Communication Regulations 2003 (PECR) provide rules about sending marketing and advertising by electronic means such as by telephone, email, text message and picture (including video) message.
[Section explaining, with the example from the ICO, that we contact our existing customers – and new ones as we get them – on the basis of Legitimate Interest]
Balancing test – is LI overridden by individuals rights or freedom?
To comply with the first data protection principle, DSC will always tell individuals what their personal information will be used for. We will explain:
- Who we are,
- What we will use the information for,
- Any other relevant details to ensure that we are using the information fairly i.e. passing our marketing lists to other organisations and how we contact people e.g. phone, post, email, etc.
Each time an individual is contacted, DSC must give the individual an opportunity to decline future contact. Again these requests will be noted on the Progress database and will take no longer than 28 days to put into effect.
If DSC wishes to share marketing lists with other organisations that have similar aims and objectives, express consent must be sought from each individual, and specific detail of the organisations with which DSC is planning to share the data.
The following privacy statement will be presented to or made available (depending on the context) to all DSC employees, trustees, associates, authors or other partners
[Full privacy statement]
1.2 Telephone Marketing
DSC will not make unsolicited telephone calls to an individual or organisation that has told us they do not want our calls or to any numbers held in the Telephone Preference Service list, unless those individuals or organisations that have informed us that they do not, for the time being, object to being contacted.
1.3 Automated Calls
DSC does not make any automated calls to any individuals or organisations, without their consent.
This refers to email, text, voice, picture and video messages. DSC will not send any unsolicited electronic email to individuals, without obtaining consent, unless there is clear and demonstrable Legitimate Interest – in most cases this will be the basis for contact – link back to ICO case study. When using electronic mail to contact corporate organisations, we will say who we are and provide a contact address.
As per our terms and conditions, if you purchase products from us we will process your order on a Contractual Basis. We will make contact about other relevant products on a Legitimate Interest basis. If at any time you no longer wish to hear from us simply email our Customer Service team here: firstname.lastname@example.org.
(this statement will be fully updated as of 25 May).