This Data Protection Policy sets out how the Order of St John (“we”) processes your personal information. It also explains how we use your personal data and how we will treat it.
For the purpose of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (the “DPA”) and the General Data Protection Regulation (the “GDPR”)), the data controller of your personal information is the Secretary General of the Order of St John (Charity number 235979, of 3 Charterhouse Mews, London EC1M 3BB).
What personal data do we collect?
We will ensure that the way in which we collect, store and use your personal data is compliant with the GDPR and the DPA. This statement explains the data protection practices which apply to all personal data.
We may collect contact information from you, including your:
- full name (including any preferences about how you are to be addressed);
- full postal address;
- telephone and/or mobile number(s);
- e-mail address/es; and
- social media IDs/User Names (e.g. Facebook, Skype, Hangouts, WhatsApp).
If you are donating to the Order we may also collect financial and credit card information.
If you use our website we automatically get some technical details such as your chosen browser and unique IP address. As is common to all major websites, we also collect information about your visit, including information about how you are using the Website such as the movement of your mouse and what buttons you click. Most of this information is collected via the use of cookies.
Cookies are a useful way for us to understand how our website is used. Cookies are created by your web browser when you visit our website. Every time you go back to the website, your browser will send the cookie file back to the website’s server. They improve your experience of using our website, for example, by remembering your preference settings so that you are presented with information likely to be most relevant to you, and by measuring your use of the website to enable us to continuously improve our website to ensure that it meets your needs. Cookies can also be used to show you relevant content on social media services such as Facebook – these are known as “retargeting” or “advertising” cookies. For further information about cookies and how to amend your browser settings in order to block cookies, please see the cookie information below.
How do we use your personal data?
We will use the information you provide to:
- fulfil your requests, donations or participation in campaigns and provision of information;
- process sales transactions, donations, or other payments and verify financial transactions;
- identify contributors;
- record any contact we have with you;
- prevent or detect fraud or abuses of our websites and enable third parties to carry out technical, logistical or other functions on our behalf;
- in aggregate, profile your use of the websites and carry out research on our users’ demographics, interests and behaviour to help us gain a better understanding of how our users navigate and use the websites, and to enable us to improve our service to you; and
- provide you with information which we think may be of interest to you, as explained below.
Who do we share your information with?
We may disclose your personal data to limited categories of trusted third parties, including, but not limited to:
- trustees of the Order, both domestic and those in third countries;
- any current or future member of our group, which includes our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006, insofar as reasonably necessary for the purposes set out in this policy;
- third party service providers who perform functions on our behalf (including card payment providers, external consultants and professional advisers such as lawyers, auditors and accountants);
- HMRC and other government authorities;
- analytics and search engine providers that help us improve and optimise the Order;
- on an aggregate basis (without providing personal data), to prospective partners, advertisers and other reputable third parties and for other lawful purposes; and
- if we have to disclose or share your personal data to comply with any legal obligation or if we believe that such action is necessary to protect and defend the rights, property or personal safety of the Order, its sites or its visitors.
Conditions for using your personal data
We will obtain, hold and process all personal data in accordance with the GDPR for the following lawful methods:
- By consent
- By contract
- By legal obligation
- Legitimate interest
By Consent
We may use your personal data where you have specifically consented. This includes those individuals who are interested in, and wish to be kept informed of, the activities of the Order.
The information provided to the Order will be held and processed solely for the purpose for which you have given consent, unless specified elsewhere in this policy.
Information collected for membership purposes will not be used as donor information without your consent. A separate privacy policy for members is available at www.stjohninternational.org.
You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this above.
By Contract
We are allowed to use your personal data when it is necessary to do so for the performance of our contract with you. This includes those individuals who sell goods and/or services to, and/or purchase goods and/or services from the Order.
The information collected may contain details of:
- the goods/services being sold to, or purchased from the Order;
- bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to, or purchased from the Order.
By Legal Obligation
As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations.
Legitimate Interests
We can use your personal data where it is in our interests to do so, provided those interests aren’t outweighed by any potential prejudice to you.
We consider that our use of your personal data is within a number of our legitimate interests, including:
- to communicate with volunteers and trustees on matters relating to the operation of the Order, for example:
  - the holding of meetings;
  - providing information about the Order’s activities;
  - seeking help, support and advice from volunteers/trustees, particularly where they have specific knowledge and experience; and
  - ensuring that any particular needs of the volunteer/trustee are appropriately and sensitively accommodated when organising meetings and other activities of the Order;
- to fulfil the objectives of the Order;
- to process donations;
- to help us satisfy our legal obligations;
- to help us understand the people that use our services better and provide better, more relevant services to them;
- to ensure that our website runs smoothly; and
- to help us keep our systems secure and prevent unauthorized access or cyber attacks.
The Order also collects video CCTV images of people entering its premises in order to safeguard its assets from theft and vandalism. The information collected is only processed and, where appropriate, shared with other authorities (e.g. the Police) where it is necessary to investigate a potential crime. We consider this to be within our legitimate interests.
What are your rights?
The right of access (Data subject access request)
You have the right to request a copy of the information we hold about you. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
The right to rectification
You have the right to require us to rectify any inaccurate or incomplete personal data concerning you without undue delay.
The right to erase (The right to be forgotten)
You have the right to request that we “erase” your personal data in certain circumstances. Normally, this right exists where:
- the data are no longer necessary;
- you have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;
- the data has been processed unlawfully;
- it is necessary for the data to be erased in order for us to comply with our obligations under law; or
- you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
The right to object
You have the right at any time to object to the processing of your personal data where we do so for our legitimate interests or to send you marketing materials. The Order shall no longer process your personal data unless we can demonstrate legitimate grounds for any ongoing processing. This may include the establishment, exercise or defence of legal claims.
The right to withdraw consent
Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
The right to restrict processing
You have the right to request that the Order restrict its processing of your personal data in certain circumstances, for example, if you dispute the accuracy of the personal data held or you object to our processing of your personal data for our legitimate interests.
The right of data portability
You have the right to transfer your personal data between service providers. This means you can request that the Order provides you with your personal data in a commonly-used format so that you can transfer the data to another service provider.
The right to complain
You have the right to lodge a complaint about the way in which your personal data is being handled and this can be done at
secretarygeneral@orderofstjohn.org
The Secretary General
The Order of St John
3 Charterhouse Mews
London EC1M 6BB
You also have the right to complain to the Information Commissioner’s Office which can be contacted in the following ways:
- Phone: 0303 123 1113
- Email: casework@ico.org.uk
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
How long will we keep your personal data for?
Personal data shall not be retained for longer than:
In the case of data held by consent:
- the period for which the data is deemed useful for the purposes as set out in the consent.
In the case of data held by legitimate interests:
- the period for which that legitimate interest applies. For example, in the case of data subjects who held a role, such as a volunteer, with the Order, the retention period is that for which the Order reasonably has a legitimate interest in being able to identify that individual’s role in the event of any retrospective query about their participation – this will normally be two triennia (6 years) after someone has left.
In the case of data held by legal obligation:
- the period for which the Order is legally obliged to retain the data.
The Order shall regularly and at least every twelve (12) months, review the personal data which it holds and remove any data where retention is no longer justified. Such removal shall be made as soon as is reasonably practical, and in any case no longer than twenty (20) working days after retention of the data was identified as no longer justified.
Where do we keep your personal data?
Personal data that you provide to us may be transferred by us to our other offices and to other reputable third party organisations as referred to in this policy, and these may be situated outside the European Economic Area. We will ensure that appropriate safeguards are in place in respect of any such data transfer, for example by entering into data transfer agreements which incorporate the current standard contractual clauses adopted by the European Commission for transfers of personal data.
How we protect your personal data
We place great importance on the security of all personally identifiable information associated with our supporters, customers and users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal data under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to user information.
Cookies
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our Website.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
We use the following cookies:
Strictly necessary cookies
These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of a website or use a shopping cart.
Analytical/performance cookies
They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
Functionality cookies
These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Targeting cookies
These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. For further details of how to do this, please click on the following link: http://www.allaboutcookies.org/manage-cookies/. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our Website. Except for essential cookies, all cookies will expire after 180 days.
Secretary General
July 2019