Public Privacy

Notice

City Hearts (UK) Limited is a registered charity that runs programmes to help vulnerable people and survivors of modern day slavery. You can find out more information about us here https://www.cityhearts.global/.

This document (our “privacy notice”) sets out information relating to how we use personal information relating to our clients. It also sets out information about what rights individuals have in relation to their personal information and various other matters required under data protection law.

In particular, this privacy notice provides information to individuals about how they can object to our use of their personal information (see here), how they can withdraw any permissions they have given to us to enable us to process their personal information (see here) and how they can make a complaint (see here). 

  • This privacy notice applies to: 

    • individuals who use our website;
    • individuals who make enquiries;
    • individuals who subscribe to our newsletters or updates;
    • donors;
    • individuals who engage with us on social media;
    • individuals who access our premises or the surrounding areas and who may be recorded on our CCTV system;

    In the sections below, when referring to the individuals listed above, we use the terms “you” or “your”. 

  • We take your privacy extremely seriously and want you to feel confident that your personal information is safe in our hands. 

    We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time.

    Under data protection law, when we use your personal information, we will be acting as a data controller. Essentially, this means that we will be making decisions about how we want to use your personal information and why. 

    Below, we summarise the main rules that apply to us under data protection law when we use your personal information: 

    We must be upfront about how we intend to use your personal information and must use your personal information fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly. 

    We must only use your personal information if we have a legal basis to do so under data protection law. These legal bases include: 

    • That you have consented to our use of your personal information; 
    • That we (or someone else) has a legitimate reason for needing to use your personal information and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis; and 
    • We need to use your personal information to comply with laws we are subject to. 

    We must only use certain types of sensitive personal information (such as information relating to your health, racial or ethnic origin or religion) if we can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include:

    • As a not-for-profit body, it is necessary for us to process your personal data internally, in the course of our legitimate activities;
    • That the processing is necessary for reasons of substantial public interest. 
    • That processing is necessary to protect your vital interests; or
    • That you have given us your explicit consent.

    We are only permitted to share your personal information with others in certain circumstances and if we take steps to ensure that your personal information will be secure.

    Generally speaking, we must only use your personal information for the specific purposes we have told you about. If we want to use your personal information for other purposes, we need to contact you again to tell you about this. 

    We must not hold more personal information than we need for the purposes we have told you about and must not retain your personal information for longer than is necessary for those purposes (this is known as the “retention period”). We must also dispose of any information that we no longer need securely. 

    We must ensure that we have appropriate security measures in place to protect your personal information. 

    We must act in accordance with your rights under data protection law.

    We must not transfer your personal information outside the European Economic Area (“EEA”) unless certain safeguards are in place. One such safeguard is that the personal data is only transferred to a country that has been approved by the European Commission as having an acceptable level of data protection law.

  • How we will use your personal information, the legal bases we will rely upon, how long we will keep your personal information and other details will depend upon who you are and why we need your personal information in the first place.

    In this section, we provide specific privacy information relating to the different categories of individuals that this privacy notice applies to.

    Individuals Who Use Our Website

    What personal information we will use 
    • Technical information, including the internet protocol address used to connect your computer to the internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
    • Information about your visit, including the full Uniform Resource Locators (“URL”), clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visit to certain pages, page interaction information (such as scrolling clicks and mouse-overs), methods used to browse away from the page and what device you used.
    How we will obtain the personal information
    • Some of the information is obtained by us automatically whenever you use our website by using Google Analytics to track the site activity.
    • Some of the information is collected by us each time you use our website through our use of cookies. Further information about the cookies we use and the purposes for which we use them can be found in our Cookies Policy.
    What purposes we will use the personal information for
    • The above information is used by us to:
      • make a tailored website available to you; 
      • track usage of our website;
    • Help us to continually improve our website by monitoring usage and access point. Information collected through our use of cookies is used in the ways described in our Cookies Policy.
    The legal grounds we rely upon
    • Our collection and use of the above information is based on our legitimate interests in ensuring that our website is user-friendly and appeals to our customers.
    How long we retain the personal information and why 
    • We retain Google analytics for 12 months.             
    Consequences of not providing/permitting us to obtain personal information 
    • If you disable our Cookies, you will be unable to use certain parts of/functions on our website. Further information about this can be found in our Cookies Policy.

    Individuals who Contact us with Enquiries

    What personal information we will use 
    • Your name;
    • Your contact details (such as your telephone number or email address);
    • Details of your enquiry. 
    How we will obtain the personal information
    • Provided by you when you contact us (e.g. by making a phone call or emailing us) or make an enquiry at our premises.
    What purposes we will use the personal information for
    • We will use the personal information to deal with your enquiry; 
    • We will also make a record of your enquiry for internal administrative purposes.
    The legal bases we rely upon
    • Our use of your personal information to dealing with your enquiry is based our legitimate interests in ensuring our organisation is run efficiently and effectively; 
    • Our use of your personal information for record keeping purposes is based on our legitimate interests in ensuring our organisation is run efficiently and effectively.
    How long we retain the personal information and why 
    • Records of general enquiries are retained for 12 months in case data is needed for further follow up.
    Consequences of not providing/permitting us to obtain personal information  If you do not permit us to collect or provide us with the personal information we require, we may not be able to deal with your enquiry.

     Donors

    What personal information we will use 
    • Your name;
    • Your contact details (such as your postal address, telephone number and/or email address);
    • Your Bank Account Details;
    • Whether you are a UK tax payer.
    How we will obtain the personal information
    • The information is provided by you.
    What purposes we will use the personal information for
    • We will use the personal information in order to process your donation (whether a one off or a regular donation) and to obtain any tax reimbursements through gift aid.
    Who we share your personal information with
    • We will share your personal information with HMRC in order to obtain any gift aid tax reimbursements, where applicable.
    The legal grounds we rely upon
    • Is that it is in our legitimate interests to process the personal information to process your donation and to obtain any tax reimbursements. These donations allow City Hearts to further the interests of the charity.
    How long we retain the personal information and why 
    • Your contact details will be retained for the duration of the giving.  
    • Records of donations not including personal details will be kept for 7 years post donations in line with legal requirements.
    Consequences of not providing/permitting us to obtain personal information
    • Failure to provide us with your name address and bank account details will mean we cannot process any donation other than a cash or cheque donation.

    Individuals Who Subscribe To Our Newsletters Or Updates

    What personal information we will use 
    • Your name and address;
    • Your email address; 
    • Your delivery preferences.
    How we will obtain the personal information
    • Provided by you when you subscribe to our newsletters or updates.
    What purposes we will use the personal information for
    • To provide you with the newsletters or updates you have requested;
    • To provide you with related information that we think may be of interest to you.
    The legal grounds we rely upon
    • We will rely on your consent to provide you with the newsletters or updates you have requested and retain your details on our database; 
    • We will rely on our legitimate interest in promoting our activities and services to provide you with other information that may be of interest to you.
    How long we retain the personal information and why 
    • As long as needed in order to keep sending the newsletter in line with legal requirements 
    Consequences of not providing/permitting us to obtain personal information]
    • Without your contact details, we will not be able to provide you with newsletters and updates; 
    • You can opt-out of receiving related information at the time you subscribe to our newsletters and updates and each subsequent time we contact you.  

    Individuals who Engage with us on Social Media

    What personal information will we use?
    • Your name/user name; 
    • Your location data; 
    • Personal information contained in your posts.
    How we will obtain it? From the relevant social media site/your posts.
    What purposes will we use it for and what legal bases will we rely upon to do so? To interact with you on the relevant social media site; 

    We won’t use the above information for any other purpose. 

    The legal basis that we will rely upon to do so will be the consent provided by you when you agreed to the terms and conditions of use relating to the relevant social media site

    Engagement with us on Social Media

    Any social media posts or comments you send to us (on our Facebook page, for instance) will be shared under the terms of the relevant social media platform (e.g. Facebook or Twitter) on which they’re written and could be made public. Other people, not us, control these platforms. We are not responsible for this kind of sharing. So, before you make any remarks or observations about anything, you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you will understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you are unhappy about it.

    Individuals Captured on our CCTV System

    What personal information will we use? Your image;

    The dates and times you accessed our premises.

    How we will obtain it? Automated CCTV recordings.
    What purposes we will use it for and what legal bases will we rely upon to do so? We will use the personal information referred to above for security purposes; 

    Our legal basis for doing so is our legitimate interest in ensuring that our premises are secure.

  • In addition to data protection law, if we use your personal information to send you information for marketing purposes, we may also be subject to additional rules that regulate direct marketing. The term “direct marketing” essentially means directing marketing material or advertising at a particular individual.

    To ensure compliance with both data protection laws and the specific rules relating to direct marketing, we will only use your personal information to tell you about what we are doing. This may include letting you know about services we offer now and hope to offer in the future; providing you with information which may be of interest to you, news and events; and/or providing you with fundraising updates. We will do this with your consent and you can change your mind and remove or add your consent at any time (see how to unsubscribe below).

    We will retain your personal information unless and until you inform us that you no longer wish to receive direct marketing information from us. 

    You can ask us to stop sending direct marketing to you at any time by contacting us using the details set out here or going to the “unsubscribe” section of our website.

  • Sometimes, we will need to share your personal information with others. This section sets out details of who we will share your personal information with and why. It also tells you about our legal basis for doing so under data protection law and steps we will take to protect your personal information. 

    We will never sell your personal information on to third parties.

    Our Service Partners

    Information about our service partners
    • Our service partners are other organisations that we have entered into contract with. They include:
      • The Salvation Army;
      • The Home Office;
      • The NHS;
      • The police;
      • Legal Advisers;
      • The Department for Work and Pensions;
      • Her Majesty’s Revenue & Customs; 
      • Other agencies that may be necessary to provide services and support.
      • Hope City Church
    Why we need to share your personal information with our Service Partners The purpose for sharing your personal data with our Service Partners is to facilitate the services we provide.
    The legal bases we rely upon when sharing your personal information  That we (or someone else) has a legitimate reason for needing to use your personal information and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis; 

    That we need to use your personal information to comply with laws we are subject to.

    What precautions do we take? We ensure our Service Partners have appropriate security measures in place and which restrict their use of your personal information.

    Providers of Information Technology Services

    Who will we be sharing your personal information with?
    • Suppliers of information technology products and services such as:

     IT helpdesk and IT maintenance work provider

    • We have not included the names of our IT providers in this privacy notice because their identity will change from time to time. However, if you would like further information about any of our current IT providers, please contact us using the details set out here 
    Why we need to share your personal information with such providers
    • We use suppliers of information technology products and services in connection with the supply, maintenance and/or improvement of our IT network and the creation, development hosting and maintenance of our website;
    • We use analytics and search engine providers to assist us to improve our website.
    The legal bases we rely upon when sharing your personal information 
    • We rely upon our legitimate interests in ensuring that our business can function properly and efficiently and that our IT network is secure;
    • The sharing of your personal data with analytics and search engine providers is based on our legitimate interests in having an efficient and user-friendly website.
    What precautions do we take?
    • We enter into contracts with our IT providers which require them to put appropriate security measures in place and which restrict their use of your personal information.

    Other Third Parties

    We may also need to share your personal information with others in the following circumstances:

    Legal or regulatory requirements On occasion, we may be required to disclose your personal information to organisations such as the courts or the police to comply with legal obligations we are subject to and/or to prevent fraud or crime. 
    Protecting our organisation From time to time we may need to disclose your personal information in connection with steps we need to take to protect our organisation’s interests or property. 
    Professional advice and legal action We may need to disclose your personal information to our professional advisers (for example, our lawyers and accountants) in connection with the provision by them of professional advice and/or the establishment or defence of legal claims. 
  • We will only send your personal data outside the EEA where we have your explicit consent to do so. 

  • We take various steps to protect your personal information while it is in our possession, including:

    • Clients’ details are stored on our secure computer system and only those who work with you have access to it.
    • We have implemented appropriate security measures to protect our IT infrastructure;
    • Encryption of personal information;
    • Pseudonymisation of personal information;
    • Implementation of internal data security policies and training for members of staff in relation to such policies;
    • Regular reviews of data security measures implemented by service providers who may handle your personal data.
    • CCTV recordings will only be accessed by employees and DBS checked volunteers on a ‘need to know’ basis.
  • Under data protection law, you have a number of different rights relating to the use of your personal information. The table below contains a summary of those rights and our obligations. More information about your rights and our obligations can be found on the ICO website https://ico.org.uk/. 

    Your rights What this involves What our obligations are
    A right of access  This is a right to obtain access to your personal data and various supplementary information.  We must provide you with a copy of your personal information and the other supplementary information without undue delay and in any event within 1 month of receipt of your request; 

    We cannot charge you for doing so save in specific circumstances (such as where you request further copies of your personal information). 

    A right to have personal data rectified
    • This is a right to have your personal information rectified if it is inaccurate or incomplete.
    We must rectify any inaccurate or incomplete information without undue delay and in any event within 1 month of receipt of your request;

    If we have disclosed your personal information to others, we must (subject to certain exceptions) contact the recipients to inform them, that your personal information requires rectification.

    A right to erasure
    • This is a right to have your personal information deleted or removed. 
    • This right only applies in certain circumstances (such as where we no longer need the personal information for the purposes for which it was collected).
    • We have the right to refuse to delete or remove your personal data in certain circumstances.
    If this right applies, we must delete or remove your personal information without undue delay and in any event within 1 month of receipt of your request;

    If we have disclosed your personal information to others, we must (subject to certain exceptions) contact then recipients to inform them that your personal information must be erased.

    A right to data portability This is a right to obtain and re-use your personal information for your own purposes;

    It includes a right to ask that your personal information is transferred to another organisation (where technically feasible).

    This right only applies in certain limited circumstances. 

    If this right applies we must provide your personal information to you in a structured, commonly used and machine reasonable form 

    Again, we must act without undue delay and in any event within 1 month of receipt of your request

    We cannot charge you for this service. 

    A right to object  This is a right to object to the use of your personal information.

    The right applies in certain specific circumstances only. 

    You can use this right to challenge our use of your personal information based on our legitimate interests;

    You can also use this right to object to use of your personal information for direct marketing 

    If you object to us using your personal information for direct marketing, we must stop using your personal information in this way as soon as we receive your request. 

    If you object to other uses of your personal information, whether we have to stop using your personal information will depend on the particular circumstances. 

    A right to object to automated decision making This is a right not to be subject to a decision which is made solely on the basis of automated processing of your personal information where the decision in question will have a legal impact on you or a similarly significant effect.  Where such a decision is made, you must be informed of that fact as soon as reasonably practicable;

    You then have 21 days from receipt of the notification to request that the decision is reconsidered or that a decision is made that is not based solely on automated processing;

    Your request must  be complied with within 21 days. 

    A right to restrict processing  This is a right to ‘block’ or suppress processing of your personal information.

    This right applies in various circumstances, including where you contest the accuracy of your information).

    If we are required to restrict our processing of your personal information we will be able to store it but not otherwise use it. 

    We may only retain enough information about you to ensure that the restriction is respected in future. 

    If we have disclosed your personal information to others, we must (subject to certain exceptions) contact them to tell them about the restriction on use. 

    If you wish to exercise any of your rights you can make a request by contacting us using this email address Data.Protection@cityhearts.co.uk

    If you request the exercise of any of your rights we are entitled to ask you to provide us with any information that may be necessary to confirm your identity.

  • If you have given us your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact us using this email address Data.Protection@cityhearts.co.uk.

  • We have appointed a Data Privacy Manager to oversee our compliance with data protection law and this privacy notice. The details are set out below. If you have any questions about this privacy notice, how we handle your personal information or if you wish to make a complaint, please contact our Data Privacy Manager. 

    You can get in touch with us in the following ways: 

    Name Louise Durham
    Email address Louise.durham@cityhearts.co.uk
    Phone number  +44 (0)114 213 2063
  • If we are unable to deal with a complaint to your satisfaction or if you are unhappy with the way we are using your personal data, you also have the right to make a complaint at any time to the UK’s supervisory authority for data protection issues, The Information Commissioner’s Office.

  • We may update this privacy notice from time to time. If we make any substantial updates, we will provide you with a new privacy notice. We may also notify you in other ways from time to time about the processing of your personal information. 

Privacy Policy – External Facing (Website) Review Date: July 2019 Responsible Contact: Louise Durham