Data privacy statement

1. About this privacy statement

We, Guy's and St Thomas' Charity (with 'the Charity', 'we', 'our' or 'us' being interpreted accordingly) are committed to protecting your privacy and personal information. Personal information relating to you from which you can be identified that we collect or which you provide is called 'personal data'.

This privacy statement tells you about the personal data we collect; how we handle or process such personal data and who we may share it with. This privacy statement also provides information on your legal rights in relation to your personal data.

2. Our legal obligations regarding your personal data

We collect and process your personal data in accordance with applicable law. This includes, without limitation, the EU General Data Protection Regulation (2016/679) ('GDPR') and the UK Data Protection Act 2018 together with other applicable UK and EU laws that regulate the collection, processing and privacy of your Personal Data (together, 'Data Protection Law').

3. What personal data do we collect and use?

The personal data about you that we collect and use may include the following:

  • Your name, address, phone number and email address;
  • Your employer and job role;
  • Details of our relationship and communications with you;
  • Education and work experience;
  • Details of particular areas of interest in our work;
  • Giving history;
  • Payment details;
  • Whether you are a UK tax payer;
  • Other demographic information from which you may be identified.

As well as any other personal data that you may provide to us from time to time.

4. How is your data collected?

We collect personal data about you in various ways as follows:

  • Through your relationship and direct communications with us e.g. from website enquiries, emails or grant applications;
  • From publically available sources e.g. Companies House, LinkedIn, media reports, or your employer's website;
  • Directly from a third party e.g. due diligence providers, or project delivery partners.

Please also note that some of the personal data you supply and that we process may include what is known as 'special category' or 'sensitive' data about you, for example, information regarding your ethnic origin or political, philosophical and religious beliefs, health or sex life. Other data relating to criminal convictions and offences may also be processed.

5. What we use your personal data for

We may use your personal data for one or more of the following purposes:

  • To respond to queries we receive from you;
  • To process and record any donations you make to the Charity;
  • To evaluate grant applications;
  • To communicate with you regarding projects, events or fundraising activities you are involved in;
  • To keep records of our operations and activities;
  • Administration of our operations and activities, including updating our contact and donor records and contacts;
  • Ensuring our internal policies and procedures are adhered to;
  • To contact those who have benefited from our work in the past for the purposes of developing case studies;
  • To gain a better understanding of those who benefit from our work, and to use that understanding to effectively plan future work;
  • To conduct checks to identify donors and verify their identity;
  • Screening for financial and other sanctions or embargoes;
  • To research our supporters and potential supporters to establish areas of interest and identify specific fundraising opportunities which may be of interest;
  • To provide you with direct marketing communications about what we are doing as well as products and/or campaigns which may be of interest to you by post or phone. If required under applicable law, where we contact you by SMS, email, fax, social media and/or any other electronic communication channels for direct marketing purposes, this will be subject to you providing your express consent. You can object or withdraw your consent to receive direct marketing from us at any time, by contacting us at info@gsttcharity.org.uk;
  • To enforce and/or defend any of our legal claims or rights; and /or
  • For any other purpose required by applicable law, regulation, the order of any court or regulatory authority.

6. The lawful grounds on which we collect and process your personal data

We process your personal data for the above purposes relying on one or more of the following lawful grounds:

  • Where you have freely provided your specific, informed and unambiguous consent for particular purposes;
  • Where we agree to provide product(s) and/or services to you, in order to take any pre-contract steps at your request and/or to perform our contractual obligations to you;
  • Where we need to use your personal data for legitimate purposes relevant to us being able to operate and administrate the Charity, make sure we are following our internal policies and procedures, preventing and detecting activities which could be damaging for us and for you, to send marketing material regarding our activities, and to get to know our supporters (and potential supporters) and more effectively target our fundraising efforts. We will always seek to pursue these legitimate interests in a way that does not unduly infringe on your other legal rights and freedoms and, in particular, your right of privacy;
  • Where we need to protect your vital interests or those of someone else (such as in a medical emergency); and/or
  • Where we need to collect, process or hold your personal data to comply with a legal obligation.

If we process 'special category' or 'sensitive' data as referred to above, we will only do this with your explicit consent; or, to protect your vital interests (or those of someone else) in an emergency; or, where you have already publicised such information; or, where we need to use such sensitive data in connection with a legal claim that we have or may be subject to.

7. Disclosure and sharing of personal data

We may need to disclose your personal data to certain third party organisations who are handling that data on our behalf and in accordance with our instructions under contract (called 'data processors') in the following circumstances:

  • Companies and/or organisations that act as our service providers (e.g. suppliers of IT and online services, such as SurveyMonkey, and third party fundraiser companies) or professional advisers; and
  • Companies and/or organisations that assist us in processing and/or otherwise fulfilling transactions that you have requested (e.g. payment processors).

Other than as described above, we will treat your personal data as private and will not disclose your personal data to third parties without you knowing about it. The exceptions are in relation to legal proceedings or where we are legally required to do so and cannot tell you.

In all cases we always aim to ensure that your personal data is only used by third parties for lawful purposes and in compliance with applicable Data Protection Law, which may include ensuring certain safeguards and contractual arrangements have been put in place.

8. Data retention

Personal data will not be retained for any longer than necessary for the purpose for which it was collected. The length of time over which data will be retained will depend upon the circumstances and is represented in our Internal Data Retention Policy.

Personal data we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it.

9. International transfer

The GDPR restricts data transfers to countries outside the European Economic Area (EEA). This applies to personal data that is transmitted to, or accessed in, a non-EEA country whose laws are not considered to meet the same legal standards of protection for personal data as set out in Data Protection Law.

We will not transfer your personal data to any territory outside the United Kingdom or EEA which is not considered to have adequate legal standards of protection for personal data under Data Protection Law, without seeking your explicit consent to do so.

10. Rights of individuals (subject access)

In accordance with your legal rights under applicable law, you have a 'subject access request' right under which you can request information about the personal data that we hold about you, what we use that personal data for and who it may be disclosed to as well as certain other information. Usually we will have a month to respond to a subject access request but in case of complex requests, we may require a further two months to respond. The Charity will use all reasonable measures to verify the identity of a data subject who requests access so we avoid a data breach (that is, disclosing personal data to a third party unlawfully). A copy of a passport or driving licence may be requested. We may also charge for administrative time in dealing with any manifestly unreasonable or excessive requests for access. We may also require further information to locate the specific information you seek before we can respond in full and apply certain legal exemptions when responding to your request. For any further copies requested by the data subject, we may be allowed to charge a reasonable fee for administrative costs.

Under Data Protection Law you also have the following rights, which are exercisable by making a request to us in writing:

  • That we correct personal data that we hold about you which is inaccurate or incomplete;
  • That we erase your personal data without undue delay if we no longer need to hold or process it;
  • To object to any automated processing (if applicable) that we carry out in relation to your personal data, for example if we conduct any automated credit scoring;
  • To object to our use of your personal data for direct marketing;
  • To object and/or to restrict the use of your personal data for purpose other than those set out above unless we have a legitimate reason for continuing to use it; or
  • That we transfer personal data to another party where the personal data has been collected with your consent or is being used to perform contact with you and is being carried out by automated means.

All of these requests may be forwarded on to a third party provider who is involved in the processing of your personal data on our behalf.

If you make a request and are not satisfied with our response, or believe that we are illegally processing your personal data, you have the right to complain to the Information Commissioner's Office (ICO).

You can exercise your rights by contacting us using the details set out in the “Further information” section below.

11. Fundraising

Built upon a longstanding partnership, Guy’s and St. Thomas’ Charity is accountable for the fundraising activity and the expenditure of donated sums for the benefit of the Trust amongst other activities which service the Charity’s purpose. Our fundraising delivery partner, King’s College London, leads on fundraising activity and is the main point of contact for fundraising queries on the Charity’s behalf. To see what our Fundraising Team will and will not do with your personal data, please see their privacy statement.

12. Data security

The Charity will take all appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. This includes procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.

13. Further Information

If you would like further information on collection, use or disclosure, or to exercise any of the rights listed above, please contact Rob Parker, the Charity’s Data Protection Lead at info@gsttcharity.org.uk.

If you wish to opt-out of something specific, please email us at info@gsttcharity.org.uk or call us on 020 7089 4550.