Scope
This privacy notice applies to The Downs Syndrome Research Foundation UK (DSRF UK PO Box 576, Tunbridge Wells, TN2 9WJ). We are committed to protecting your privacy. We aim to ensure that all information you give to us is held securely, responsibly and to a high professional standards and is only used in a manner that you have consented to or would expect.
This notice explains how we collect, store and use your personal data. The information in this notice is provided in accordance with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and considers the General Data Protection Regulations (GDPR) which will be implemented on 25/5/2018.
We may amend this privacy notice at any time by posting the amended version on this site including the effective date of the amended version. We will announce any material changes to this privacy notice through email.
What information do we collect?
We collect data from you when you interact with us online, face to face, by post, over the phone or via web form. This personal data is limited and is used to identify you and provide services to and for you. Examples of personal data include your name, address, telephone number, email address and sometimes bank details if you are making a donation. We will only collect data which is relevant to the purpose for which you have given it.
How do we use your personal data?
The purpose of collecting personal data is to ensure you receive the materials/resources/service you may have requested. We may also use your personal data to keep you informed about our work if you have requested this or have not opted out of receiving such communications. Examples of such communications are our newsletters and other paper based and electronic communications.
We may also occasionally ask you to financially support our work by sending you fundraising appeals. We may also use your data to process any donations you have given and any Gift Aid associated with that donation. All promotional and fundraising communications are classed as Direct Marketing.
We use your personal information to pursue our legitimate interests where your rights and freedoms do not outweigh these interests. We have implemented controls to balance our interests with your rights. This includes to:
- Contact you about public policy matters, or other current events, related to your ability to use our Services. This could include an invitation to join a petition, letter writing, call or other sort of public policy related campaigns.
How will we contact you?
We may contact you via post, email, telephone or SMS text. However, we will only contact you by the channel you have told us you wish to receive communications by and where we have received your consent to do so.
Some supporters may not have expressed their communication preferences to us. In those cases, we will conduct a balancing exercise to determine whether we have a legitimate interest in continuing to send Direct Marketing. This balancing exercise will include recent contact and donation history, any previous notification that we may send Direct Marketing, whether we have previously given you a clear opportunity to opt-out of Direct Marketing and, importantly, whether you would reasonably expect to receive information from us. We will also ensure you have not objected to receiving Direct Marketing. However, we will only use legitimate interest for sending mail through the post. For email, phone and SMS we require your specific opt-in consent.
If you are a new supporter, we will aim to capture your consent for Direct Marketing purposes at the data collection point. You do not have to give consent – it is your decision. If you do consent, we will also aim to capture your contact channel preferences at the data collection point. Should you wish you can specify a time limit for your consent to remain valid for, after which time we will not be able to contact you unless you give further consent. As a default position we will consider consent to remain valid while you are financially supporting us or receiving our regular communications and have not objected to doing so.
You can give or withdraw consent to Direct Marketing, or change your contact channel preferences, at any time by writing to us at the address above or emailing us at dsrf@dsrf-uk.org. Please let us know if you change your contact details or if you believe any information we hold is incorrect.
Storing and sharing your data
The DSRF-UK stores your data on a secure cloud-based database hosted by a company called Dropbox. Dropbox headquarters are located at 333 Brannan St, San Francisco, CA 94107. All files stored online by Dropbox are encrypted and kept in secure storage servers. Storage servers are located in data centers across the United States. Dropbox will meet the requirements of the GDPR by 25 May 2018. Their security practices already comply with the most widely accepted standards and regulations and they were one of the first cloud service providers to achieve ISO 27018—the internationally recognized standard for leading practices in cloud privacy and data protection. More about Droboxes compliance can be found here https://www.dropbox.com/security/GDPR and questions to them can be sent here: privacy@dropbox.com.
Your data will not be processed outside of the DSRF-UK and will not be disclosed to any parties outside of the DSRF-UK except to trusted partners and affiliates with whom we work, or work for us, to fulfil orders, e.g. sending our supporter magazine and fundraising appeals, sending electronic mail, or to process donations and Gift Aid, e.g. our bank and HMRC.
As part of our responsibilities to ensure that data we hold is accurate and up to date, we may occasionally undertake a process of cleansing data and we will employ a specialist third party to carry out that process.
We only enter into relationships with third parties who have appropriate data protection policies and procedures in place. All data held by third parties is destroyed when it is no longer needed.
We will not disclose your data to any other third parties unless we have your explicit consent to do so. At no time, will your data be passed to a third party for marketing purposes.
If you request that we stop processing some or all of your personal information or you withdraw (where applicable) your consent for our use or disclosure of your personal information for purposes set out in this privacy notice, we might not be able to provide you all of the Services and customer support offered to our users and authorised under this privacy notice and our User Agreement.
Upon your request, we will close your account and remove your personal information from view as soon as reasonably possible, based on your account activity and in accordance with applicable national laws.
How long do we hold your personal data?
Your personal data will be held on our database during the period of our active relationship. Once we no longer require your data it will remain on our database indefinitely but will be marked inactive and no further steps will be taken to process it. We will not keep your personal data for any longer than is necessary. Once it is no longer required we will take all reasonable steps to destroy it or erase it from our systems.
Your Rights
In relation to us processing your personal data you have the following rights, which can be exercised at any time:
- To withdraw your consent for us to process your data.
- To be forgotten – to request your data is no longer processed or quarantined.
- Subject access requests – a right to request a copy of the data we hold about you.
- To object to your data being used by us for the purposes of direct marketing.
What else you should know about privacy
Remember to close your browser when you have finished your session. This will help ensure others cannot access your personal information and correspondence if you share a computer with someone else or are using a computer in a public place like a library or internet café. You, as an individual, are responsible for the security of, and access to, your own computer. Please be aware that whenever you voluntarily disclose personal information over the internet that this information can be collected and used by others. In short, if you post personal information in publicly accessible online forums, you may receive unsolicited messages from other parties in return. Ultimately, you are solely responsible for maintaining the secrecy of your usernames and passwords and any account information. Please be careful and responsible whenever you are using the internet.
Our pages may contain links to other support service websites, and you should be aware that we are not responsible for the privacy practices on other websites.
Your Questions
Contact us via email dsrf@dsrf-uk.org. Any issues, questions or concerns you may have in relation to the way the DSRF-UK process your data please do not hesitate to contact our office.
If at any time you have any concerns about the way your data has been processed by the DSRF-UK and those concerns cannot be resolved by the DSRF-UK directly you have the right to take those concerns externally and raise them with the regulator, the Information Commissioner www.ico.org.uk
Changes to this Privacy Notice
This privacy notice was last updated on 10 August 2018.