Historic Buildings & Places Privacy Notice
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018. (Personal data is anything that can identify an individual, such as your name and address or financial information.) Under this legislation, we are responsible for informing you what data we hold, on what lawful basis and how we use it. We are committed to protecting your data in line with the regulations and have published this Privacy Notice to set out how Historic Buildings and Places comply with GDPR.
- Data Controller & Data Processor
The Assistant Director of Historic Buildings & Places is both Data Controller (responsible for determining data processing and data protection requirements) and Data Processor (responsible for carrying out the processing of data on behalf of the Data Controller).
- Your Membership Data
We collect your data when you via our website’s ‘Join Us’ form (or if someone enrols you on your behalf, as in the case of Gift Membership).
We ask for full name, postal address, email. To set up Standing Orders we ask for bank name and address, sort code and account number.
We will only use your data to manage your membership and associated benefits, including sending you publications, and organising AGMs, visits and other events. We may send out membership communications by email and by post, including renewal reminders.
We may also collect and process information about your interactions with us, including details about our contacts with you through email, SMS, post, on the phone or in person. This might include the date, time, and method of contact, details about donations you make to us, events or activities that you register for or attend or any general enquiry.
We will not use or sell your personal data for any other purposes, such as profiling.
- Donor and Volunteer Data
If you provide your personal details along with a monetary donation to Historic Buildings & Places, or as part of volunteering your time or services, we will keep a record of your personal details alongside your contribution. We may use this information to claim Gift Aid. If you tell us about potential future donations you intend to make, including legacies, we will keep a record of this information.
- Website Visitor Data
Visiting the website of Historic Buildings & Places may result in personally identifying information like Internet Protocol (IP) addresses being logged by analytics software to collect statistics about the behaviour of visitors to the website.
If you navigate to an external website via a link on our site, it will not be covered by our data policy.
- Lawful Basis for Processing
Membership records: we hold data you have volunteered on or since joining as a member to fulfil our contract with you, whereby you pay a membership subscription and we enrol you as a member of Historic Buildings & Places. This is a “contractual basis.”
Mailing list: we use the lawful basis of ‘legitimate interest’ to send you publications, organise events, and include occasional hard copy inserts on titles reviewed in our newsletter where we feel they are of genuine benefit to members. We may send mailings to data subjects who are current or previous volunteers or donors on the basis of “legitimate interest” if we have reason to believe they wish to hear more about our work. We have conducted a Legitimate Interest Assessment prior to adopting this lawful basis for processing.
We may use the lawful basis of ‘legitimate interest’ to send members news about our work via email as part of the benefits of membership. Members will have the opportunity to unsubscribe from news at any time.
If in future we send subscribers who may or may not be members email content on matters supplementary to membership benefits, such as fundraising or campaigning, data will be processed using the lawful basis of ‘consent’ and such consent will be explicit, opt-in, and freely given.
- Sharing Your Data
We will never share your details with any third party for marketing or profiling purposes.
We only share data when processing by another party is necessary in relation to a contract which the individual has entered into. We have written agreements with our mailing houses, Direct Offset, Cathedral Communications Ltd, and our IT Consultant, Posix Ltd, to ensure they are compliant with GDPR and our Data Protection Policy, and that your data will not be sold, shared or kept on file indefinitely.
- Data Storage & Security
Your personal data is stored in digital form on an encrypted server in our office. Our membership database is password-protected and access is restricted to employees who process the data as part of their job description.
Antivirus software is kept up-to-date and monitored remotely by Posix Ltd.
Any hard copies of membership data are stored securely and disposed of confidentially.
- Data Retention
We will process your data during your membership period or period of active volunteering and won’t keep your data for longer than necessary after you stop being a member, donor or volunteer.
If you cancel your membership, we may need to retain your details for our records for a limited amount of time. HMRC regulations require us to keep data on Gift Aided payments for 6 years from the end of the financial year they relate to. We have therefore set a maximum Data Retention limit on personal data of 7 years, after which your data will be routinely deleted if you are no longer an active member, donor or volunteer.
Any record of the deletion will be kept in such a way that your data is anonymised.
- Your Communication Preferences
If you have provided us with your email address, we will use this as your preferred method of communication. To change this, please contact us.
You can stop receiving our hard copy publications at any time simply by contacting us, without having to stop being a member, donor or volunteer. We may still need to contact you individually by post and by email regarding your membership to fulfil our contract with you.
- Your Rights
If we are holding your personal data, under GDPR you have the following rights:
- Right of access –to request a copy of your data
- Right of rectification –to correct data that we hold about you that is inaccurate
- Right to be forgotten – to be erased from our records
- Right to restriction of processing – to restrict the processing
- Right of portability – to have the data we hold transferred to another organisation
- Right to object – to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – not to be subject to the legal effects of automated processing or profiling.
You can cancel your membership at any time, and request that we no longer contact you. We will no longer send you publications or membership benefits as your contract with us will have ceased. To do this, email the Assistant Director on email@example.com or call the office on 020 7236 3934. In accordance with our Data Retention Policy we may be obliged to keep certain data; for example for Gift Aid purposes. We will always explain why this is.
Under GDPR right of access, you have a right to ask what personal data of yours is held by us, and to receive a copy of it within 28 days of making a Subject Access Request by email to firstname.lastname@example.org. (You will be required to prove your identity with an official document before we release personal data to you.)
If you have a complaint about our handling of your data you can contact the Data Controller / Data Processor on the details above. If you wish to complain to a supervisory authority you can do so by contacting the ICO at:
Information Commissioner’s Office (0303 123 1113 (local rate) or 01625 545 745) Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Adopted May 2018
Last reviewed September 2021