We’ll keep this page updated to show you all the things we do with your personal data. This policy applies if you’re a supporter of the Foundation (patron, member, donor, volunteer, customer, employee) or attend any of our events, apply to us for funding, visit our website, email, call or write to us.
We’ll never sell your personal data and will only share it with organisations we work with when it’s necessary and the privacy and security of your data is assured.
In this policy, whenever you see the words ‘we,’ ‘us,’ ‘our,’ ‘the Foundation’ or ‘Foundation,’ it refers to the Crichton Foundation. The Crichton Foundation is a Scottish Charitable Guarantee Company set up to support the creation and development of a diverse Campus and innovative centre for learning and enterprise in Dumfries and Galloway. Our Charity number is SC024589, Company Number is SC361942 and our ICO registration reference is Z6393954.
The Foundation carries out a range of fundraising activities to generate income including hosting charity events, raffles and auctions, collecting subscriptions, sponsorship and advertising.
Your personal data (any information which identifies you, or which can be identified as relating to you personally, for example name, address, phone number, email address) will be collected and used by us. We’ll only collect the personal data that we need.
We collect personal data in connection with specific activities such as booking tickets for our events, subscribing to our Friends scheme, applying to us for funding, donations, volunteering, employment etc.
You can give us your personal data by filling in forms in hard copy, via email or on our website, by attending our events, applying to us for funding or by corresponding with us (by phone, email or by becoming a member/supporter/customer). The personal data you give us may include name, title, address, date of birth, age, gender, employment status, demographic information, email address, telephone numbers, personal description and photographs.
We will retain your personal data until you inform us that you no longer wish us to use it. In some circumstances we may have to retain personal data after you have withdrawn consent, for example if we have made an award payment to you or if you have paid a donation to us. We will only keep information necessary for accounting purposes and will no longer contact you with information about our activities after you have asked us to delete your personal information.
This includes information you give when interacting with us, for example becoming a member, joining our Friends scheme, attending our events, applying to us for funding or communicating with us. For example:
We may automatically collect the following information:
Your activities and involvement with us will result in personal data being created. This could include details of how you’ve helped us by donating or attending our events. If you decide to donate to us then we’ll keep records of when and how much you give to a particular cause.
We’ll only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation (from 25 May 2018)/UK Data Protection Act and Privacy of Electronic Communication Regulation.
Your personal data may be collected and used to help us deliver our charitable activities, help us raise funds, or complete your ticket request. Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our various services, websites and activities. If asked by the police, or any other regulatory or government authority investigating suspected illegal activities, we may need to provide your personal data.
Your privacy is important to us, so we’ll always keep your details secure. We’d like to use your details to keep in touch about things that may matter to you.
If you choose to hear from us we may send you information based on what is most relevant to you or things you’ve told us you like. We may also show you relevant content online. This might be about attending our events, membership, Friends scheme subscriptions, fundraising, our activities or applying to us for funding. We’ll only send these to you if you agree to receive them and we will never share your information with companies outside the Foundation for inclusion in their marketing. (We may however share cookie data with third parties to help with our own advertising targeting). If you agree to receive marketing information from us you can change your mind at a later date. However, if you tell us you don’t want to receive marketing communications, then you may not hear about events or other work we do that may be of interest to you.
We may sometimes use third parties to capture some of our data on our behalf, but only where we are confident that the third party will treat your data securely, in accordance with our terms and in line with the requirements set out in the GDPR. We may contact you for feedback on our events or services.
Fundraising, donations and legacy pledges
Where we have your permission, we may invite you to support our work by making a donation, buying a raffle ticket, getting involved in fundraising activities or leaving a gift in your will. Occasionally, we may invite some supporters to attend special events to find out more about the ways in which donations and gifts in wills can make a difference to specific projects and to our cause.
If you make a donation, we’ll use any personal information you give us to record the nature and amount of your gift, claim gift aid where you’ve told us you’re eligible and thank you for your gift. If you interact or have a conversation with us, we’ll note anything relevant and store this securely on our systems.
If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.
If you’ve told us that you’re planning to, or thinking about, leaving us a gift in your will, we’ll use the information you give us to keep a record of this – including the purpose of your gift, if you let us know this. If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, for example your solicitor), we’ll note these interactions throughout your relationship with us, as this helps to ensure your gift is directed as you wanted.
Charity Commission rules require us to be assured of the provenance of funds and any conditions attached to them. We follow a due diligence process which involves researching the financial soundness, credibility, reputation and ethical principles of donors who’ve made, or are likely to make, a significant donation to the Foundation.
As part of this process we’ll carry out research using publicly available information and professional resources. If this applies to you, we’ll remind you about the process when you make your donation.
We process customer data in order to fulfil bookings for our events. Your data will be used to communicate with you, including to confirm we’ve received your order and payment, to clarify where we might need more detail or to resolve issues that might arise with your booking. We may also hold dietary requirements for events.
We know it’s important to our supporters to use our resources in a responsible and cost-effective way. We use specific tools to profile how you interact with us online, for example, Google Analytics. Much of the information we collect is aggregated, however we may also collect some personal data for the use of personalising your experience, optimising our marketing campaigns, and to ensure the site is functioning as intended.
The personal information that is collected includes transactional information (i.e. booking reference number) for event ticket sales. This analysis may be carried out by us or by third party organisations working for us. We may also host encrypted personal data on third party websites (e.g. social media platforms) to ensure that you only see relevant, personalised and interesting content from those organisations.
In order to comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including ‘sensitive’ personal data, from job applicants and employees. Such data can include, but isn’t limited to, information relating to health, racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data, without explicit consent. Further information on what data is collected and why it’s processed is given below.
Our contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.
Our statutory responsibilities are those imposed through law on the organisation as an employer. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.
Our management responsibilities are those necessary for the organisational functioning of the organisation. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters, e-mail address and telephone number.
Sensitive personal data
The Act defines ‘sensitive personal data’ as information about racial or ethnic origin, political opinions, religious beliefs or other similar beliefs, trade union membership, physical or mental health, sexual life and criminal allegations, proceedings or convictions. In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee.
(a) We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.
(b) We will process data about, but not limited to, an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding our equal opportunities policies and related provisions.
(c) Data about an employee’s criminal convictions will be held as necessary.
Disclosure of personal data to other bodies
In order to carry out our contractual and management responsibilities, we may, from time to time, need to share an employee’s personal data with one or more third party suppliers. To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs. In order to fulfil our statutory responsibilities, we’re required to give some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.
We want you to remain in control of your personal data. If, at any time, you want to update or amend your personal data or marketing preferences please contact us in one of the following ways:
Email: email@example.com with your full name, address and telephone number.
Telephone: 01387 702048. Office hours 9:30am to 3:30pm Monday to Thursday
Write to us: Crichton Foundation
Verification, updating or amendment of personal data will take place within 30 days of receipt of your request.
Where the Foundation is using your personal data on the basis of consent, you have the right to withdraw that consent at any time. You also have the right to ask the Foundation to stop using your personal data for direct marketing purposes. Contact us using the details above.
Subject access rights
If you would like further information on your rights or wish to exercise them, please write to us at the address above or email firstname.lastname@example.org
You will be asked to provide the following details:
We will also need you to provide information that will help us confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it.
Once we have all the information necessary to respond to your request we’ll provide your information to you within one month. This timeframe may be extended by up to two months if your request is particularly complex.
What to do if you’re not happy
In the first instance, please talk to us directly so we can resolve any problem or query. You also have the right to contact the Information Commissioner’s Office (ICO) if you have any questions about Data Protection. You can contact them using their help line 0303 123 113 or at www.ico.org.uk
Cookies and links to third party websites
Cookies are small files placed on your computer or mobile device’s hard drive by your web browser. They can be placed for a variety of reasons, for example to monitor traffic to a site, or to remember your login details, or to serve custom content to web users based on user behaviour. Cookies do not affect your computer in any way (i.e. they can’t access any of your personal information beyond anything you specifically share with them).
The Foundation uses analytical cookies to track user behaviour and the effectiveness of our website. We don’t keep any record of individual users of this website, or share any data with third parties.
Cookies and the law
Links to other websites
Keeping your information
We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements.
How we secure your data
Information system and data security is imperative to us to ensure that we are keeping our customers, donors, supporters, members, volunteers, employees and contractors safe. We operate a robust and thorough process for assessing, managing and protecting new and existing systems which ensures that they are up to date and secure against the ever changing threat landscape. When you trust us with your data we will always keep your information secure to maintain your confidentiality.
Disclosing and sharing information
We do not sell or share your personal information for other organisations to use.
Storage of information
Foundation operations are based in the UK and we store most of our data within the European Union (EU). Some organisations which provide services to us may transfer data outside the European Economic Area but we’ll only allow this if your data is adequately protected. Some of our systems are provided by US companies and whilst it is our policy that we prefer data hosting and processing to remain on EU-based solutions, it may be that using their products results in data transfer to the USA. However, we only allow this when we are certain it will be adequately protected.
Payment card Security
The Foundation has an active PCI-DSS compliance programme in place. This is the international standard for safe card payment processes. As part of our compliance with this very stringent standard, we ensure that our IT systems do not directly collect or store payment card information; for example the full 16 digit number on the front of the card or the security code on the back.