OUR FUNDRAISING PROMISE
Our promise to you:
We promise to communicate with you in a way that suits you. If you tell us you would prefer less contact or don’t want to hear from us at all, we will respect your wishes.
We promise to check at the start of every conversation, on the phone or in person, that you are happy to speak to us.
We promise never to sell your data to any third party. We will not share your details with other charities.
We promise to adhere to all industry guidelines and regulations and require others acting on our behalf to do the same. We will take appropriate action promptly if we find any failure to meet our standards. We will regularly monitor the activities and compliance of our suppliers, including for the protection of vulnerable people.
We promise to make it easy for you to tell us your contact preferences and we are here to talk to you about our work or answer any questions. You can call our dedicated Supporter Relations Team on 0800 716 146 (Monday to Friday 9am – 5pm) or email email@example.com.
In this policy, you’ll find important information about your personal rights to privacy, and how and why we use your personal information.
It’s up to you whether you choose to give us your personal information. But if you don’t, we may not be able to give you a complete service.
A quick note on what “Marie Curie” means
Our promise to keep your information safe
At Marie Curie, we’re committed to protecting your privacy. We promise to respect any personal information you share with us (or that we receive from other organisations) at all times, and we promise to keep it safe.
How we process your data
This policy sets out how we process your data. It also explains your rights and options around how we use your personal information.
We collect information about you:
...when you give it to us directly
This might be when you:
- interact with us online
- register with us
- communicate with us
- make a donation
- take part in an event
- buy something from our shops
- apply to work or volunteer for us
- give us your personal information in any other way, for example if you’re
- receiving care from Marie Curie as a patient.
...when you give it to us indirectly
This is when your personal information is given to us by third parties. These might be:
- websites such as JustGiving or Ebay
- business partners
- sub-contractors in technical, payment and delivery services
- event organisers
- advertising networks
- analytics providers and search information providers.
You’ll always hear from them when this happens, and you’ll be told how and why we intend to use that information.
You might tell us through a third-party website (such as the London Marathon) that you’d like to fundraise for Marie Curie by taking part in an event.
When this happens, we’ll contact you by phone or email to check how you’d like to hear from us in the future, and to offer you support with your fundraising efforts.
...when others give it to us
If you’re receiving care or support from Marie Curie as a patient, we’re given personal information about you from your NHS healthcare team when you are referred to us by your district nurse, GP or hospital consultant.
This includes details of your health and any treatments of services you have received.
...when it’s available publicly
Some information about you may be in the public domain, using public registers such as Companies House, the electoral roll and press reports. For example:
- whether you have charitable interests
- to establish possible common connections between Marie Curie’s network and yours.
- Depending on your privacy settings for professional services such as LinkedIn.
...when you visit this website
When you visit this website, we automatically collect the following personal information:
- technical information, including:
- the internet protocol (IP) address used to connect your computer to the internet
- your browser type and version
- your time zone setting
- browser plug-in types and versions
- your operating systems and platforms
- information about your visit to our website, including:
- the uniform resource locator (URL) clickstream to, through and from this site (including date and time)
- products/services you viewed and searched for
- page response times
- download errors
- length of visits to certain pages
- referral sources (how you arrived at the website)
- page interaction information (such as scrolling and clicks)
- methods used to browse away from the page.
What is personal information?
We collect, store and use the following kinds of personal information:
- Your name and contact details, including postal address, telephone number, email address and, where applicable, social media profile URL
- Your date of birth
- Financial information, such as bank details or credit/debit card details, where you provide them to make a payment. We don't store credit or debit card details, but we're required to store bank details in some circumstances, including when they're used for direct debit payments.
- Information about your computer/mobile device and your visits to and use of this website, including for example your IP address and geographical location
- Information about our services which you use/which we consider of interest to you
- Information as to whether you are a tax payer so that we can claim Gift Aid.
If you are receiving care from Marie Curie as a patient:
- any contact we have had with you and when you have visited us
- notes and reports about your health and any treatment you have received, either from us or from other healthcare providers
- relevant information from your relatives or those who care for you and know you well
- your NHS number and details of your next of kin
- any other personal information shared with us as described above.
What is sensitive personal information (special category data)?
The General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection.
For example, this includes information about your health, religious beliefs, ethnicity and political opinions.
In the course of providing care to our patients, Marie Curie routinely processes sensitive personal data. In other limited cases, we may collect and/or use your sensitive personal information.
In each case, we will only do so if we have a valid reason and the GDPR permits it, as described in how and why we will we use your personal information.
How do we use your personal information?
We use your personal information to:
- provide you with services, products or information you’ve asked us for
- provide further information about our work, services, activities or products
allow you to purchase goods
- process your donations
- further our charitable aims, including for fundraising activities
- research the impact and effectiveness of our work and services
- register, administer and personalise online accounts
- register and administer your participation in events you’ve registered for
administer and keep our website safe and secure and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
- improve your interactions with our website, for example by making sure that content is presented in the most relevant and effective manner for you and for your computer/mobile device
- report on the results and impact of our work, services and events
- analyse and improve our work, services, activities, products or information (including our website) or for our internal records
- use IP addresses and monitor website use to identify locations, block disruptive use, record website traffic or personalise the way information is presented to you
- to process your application for a job or volunteer role with us
- training and/or quality control
- audit and/or administer our accounts
- satisfy legal obligations which are binding on us, for example arising from contracts entered into between you and us or in relation to regulatory, government and/or law enforcement bodies with whom we may work
prevent fraud, misuse of services or money laundering and to perform due diligence in respect of larger donations;
- reduce credit risk
- communicate with you in any other way
- for the establishment, defence and/or enforcement of legal claims; and/or
If you are receiving care from Marie Curie as a patient, we use your personal information to:
- plan your care and provide you with a high standard of care
- provide health and social care professionals who are involved in your care with relevant, accurate and up-to-date details about your health and other needs
- investigate any concerns or complaints you may have, either about your care or the standards of any health or social care professionals looking after you
- check and make improvements to our services
- in some cases, use your anonymised information (by removing anything that identifies you) for research purposes and to help us improve the quality of our services.
How creating a record for you helps us to be more relevant
We may use your personal information to create a record of your interests and preferences.
This means we can make our contact with you more relevant, timely and appropriate. It also helps us understand the background of our supporters to help us make sure that what we’re asking is appropriate.
Marketing to you and talking about fundraising
We use your details to give you information about our work, events, services and/or products which we think might interest you.
For example, we might contact you about goods or services you’ve purchased or used in the past, or send you updates about our fundraising appeals, volunteering opportunities and latest campaigns.
Where we do this via email, SMS or phone (if you are registered with the telephone preference service), we’ll only do this with your prior consent.
Donations and other payments
When you use our secure online donation or payment pages, you’ll be directed to a specialist supplier company, who will receive your credit card number and contact information to process the transaction. We don’t retain your credit or debit card details.
Where we capture children’s data online, we’ll seek parental consent for any children under 13. We won’t actively market to under 18s.
How long do we keep your personal information?
In general, if we no longer need your information for the reasons you gave it to us, we remove your personal information from our records six years after the date it was collected.
But we’ll remove it sooner if:
- your personal information is no longer required for the purpose you shared it with us
- we’re no longer lawfully entitled to process it
- you ask us to remove it.
What happens if you ask for your data to be removed?
If you ask to receive no further contact from us, we’ll keep some basic information about you to make sure we don’t send you unwanted materials in the future.
Please note that special rules apply to health records, which may often be kept for longer than six years.
Where your personal information is used to support research, it is usually kept for longer and may be used in the future to help with further research as medical science advances.
Our lawful grounds for processing your information
The GDPR requires us to rely on one or more lawful grounds to process your personal information. These are the grounds we think are relevant.
- Where you’ve given your consent for us to use your personal information in a certain way.
- For example, we’ll ask for your consent to use your personal information to send you electronic direct marketing/fundraising, and we may ask for your explicit consent to share sensitive personal information with us.
- Where necessary so that we can comply with a legal obligation (for example, where we need to share your personal information with regulatory bodies which govern our work and services).
- Where necessary for the performance of a contract which we have with you or to take steps before entering a contract (for example, if you purchase something from our online shop or apply to work for/volunteer with us).
- Where it is in your/someone else’s vital interests (for example, in case of medical emergency suffered by someone using our terminal illness services).
- Where there is a legitimate interest in us doing so (for example, writing to supporters to let them know about our work and ways of supporting us).
What do we mean by ‘legitimate interests’?
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests, as long as that processing is fair, balanced and does not unduly impact your rights.
Marie Curie’s legitimate interests
In broad terms, our “legitimate interests” means running Marie Curie as a charitable entity in pursuit of our aims and ideals. For example, by:
- providing information about terminal illnesses
- processing donations
- administering events
- taking applications for staff and volunteers.
Your legitimate interests
“Legitimate interests” can also include your interests, such as when you have requested information or certain goods or services from us, and those of third parties (for example, beneficiaries of our work and services).
How do we balance these interests?
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws.
We won’t use your personal information for activities where our interests are overridden by the impact on you. For example, where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Processing sensitive personal data
The GDPR prohibits the processing of sensitive personal data (special category data) unless additional conditions are met.
We think the following conditions are relevant, in each case in accordance with the relevant safeguards:
- where the processing is necessary for the provision of health or social care
- where the processing is necessary for scientific research.
Will we share your personal information?
We never share, sell or rent your information to third parties for marketing purposes.
However, in general we may disclose your personal information to selected third parties in order to achieve the other purposes set out in this policy.
These may include (among others):
- healthcare professionals, medical researchers and organisations involved in the provision of care and/or medical research
- business partners, suppliers and sub-contractors
- advertisers and advertising networks
- analytics and search engine providers
- IT service providers
- other beneficiaries, executors and legal advisers, when administering a legacy.
In particular, we reserve the right to disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the prospective seller or buyer of such business or assets;
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
- if we are under any legal or regulatory duty to do so; and/or
to protect the rights, property or safety of Marie Curie, its personnel, users, visitors or others.
- Security, storage and access to your personal information
We promise to keep your personal information safe and secure.
We have appropriate and proportionate security policies and organisational and technical measures in place to help us do this. For example, we require specialist suppliers who process secure payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) standards.
Who can see my personal information?
Only appropriately trained staff, volunteers and contractors can access your information. It is stored on secure servers with features to prevent unauthorised access.
Where is my personal information stored?
In general, the personal information that we collect from you will be stored at a destination within the UK or European Economic Area (“EEA”).
However, we use agencies and suppliers to process personal information on our behalf.
Your personal information may therefore be transferred or stored outside, and/or otherwise processed by contractors operating outside, the UK or EEA who work for us or for one of our suppliers.
Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals.
Where your personal information is transferred, stored and/or otherwise processed outside the EEA, we’ll take all reasonable steps necessary to make sure the recipient implements appropriate safeguards (such as by entering into standard contractual clauses) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Policy.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure.
These are your rights in relation to how we process your personal information:
Right to be informed
You have the right to be told how your personal information will be used. This policy and other policies and statements used on this website and in our communications provide you with a clear and transparent description of how your personal information may be used.
Right of access
You can write to us to ask for confirmation of what information we hold on you and to request a copy of that information.
Provided we are satisfied that you are entitled to see the information requested and we’ve successfully confirmed your identity, we’ll give you your personal information (subject to any exceptions that apply).
Right of erasure
You have the right to ask us to delete your personal information, and we’ll do this when you ask us to. In many cases, we’ll check to see if you’re happy for us to make it anonymous first, rather than delete it completely.
Right of rectification
If you believe our records of your personal information are inaccurate, you have the right to ask us to update those records.
You can also ask us to check the personal information that we hold about you if you are unsure whether it is up to date.
Right to restrict processing
You have the right to ask us to restrict the processing of your personal information if there is disagreement about its accuracy or legitimate usage.
Right to object
You have the right to object to processing where we are:
- processing your personal information on the grounds of legitimate interest
- using your personal information for direct marketing or
- using your personal information statistical purposes.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time.
This includes the right to ask us to stop using your personal information for marketing or fundraising by electronic means (for example to be unsubscribed from our email newsletter list).
Right to data portability
Where we are processing your personal information:
- because you gave us your consent
- because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract, and the processing is carried out by automated means
you may ask us to provide it to you – or another service provider – in a machine-readable format.
Rights related to automated decision-making
Where we take automated decisions (ie with no human involvement) in relation to your personal information, you have the right to ask us for human intervention or to challenge any such decision.
How to exercise your rights
- To exercise any of these rights, please send a description of the personal information in question using the contact details below. We reserve the right to ask for:
- personal identification
- further information
- Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO) or please contact us.
- You have the right to make a complaint to the ICO about us or the way we have processed your personal information. Find further information on how to exercise this right, or contact them.
Changes to this Notice
We may update this Policy from time to time so please check back periodically. We will notify you of significant changes by placing a notice on our website. This Policy was last updated in May 2018.
Links and third parties
We link our website directly to other sites. This Policy does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
How to contact us
Please let us know if you have any questions or concerns about this policy or about the way in which your personal information is being processed by contacting us at the following channels:
0800 716 146
Supporter Relations Team
PO Box 23897
14 Links Place
Edinburgh EH6 9AB
If you’d like to contact our Data Protection Officer (“DPO”), email Beth Silver at firstname.lastname@example.org