We, Guy's and St Thomas' Charity (with 'the Charity', 'we', 'our' or 'us' being interpreted accordingly) are committed to protecting your privacy and personal information. Personal information relating to you from which you can be identified that we collect or which you provide is called 'personal data'.
This privacy statement tells you about the personal data we collect; how we handle or process such personal data and who we may share it with. This privacy statement also provides information on your legal rights in relation to your personal data.
We collect and process your personal data in accordance with applicable law. This includes, without limitation, the EU General Data Protection Regulation (2016/679) ('GDPR') and the UK Data Protection Act 2018 together with other applicable UK and EU laws that regulate the collection, processing and privacy of your Personal Data (together, 'Data Protection Law').
The personal data about you that we collect and use may include the following:
As well as any other personal data that you may provide to us from time to time.
We collect personal data about you in various ways as follows:
Please also note that some of the personal data you supply and that we process may include what is known as 'special category' or 'sensitive' data about you, for example, information regarding your ethnic origin or political, philosophical and religious beliefs, health or sex life. Other data relating to criminal convictions and offences may also be processed.
We may use your personal data for one or more of the following purposes:
We process your personal data for the above purposes relying on one or more of the following lawful grounds:
If we process 'special category' or 'sensitive' data as referred to above, we will only do this with your explicit consent; or, to protect your vital interests (or those of someone else) in an emergency; or, where you have already publicised such information; or, where we need to use such sensitive data in connection with a legal claim that we have or may be subject to.
We may need to disclose your personal data to certain third party organisations who are handling that data on our behalf and in accordance with our instructions under contract (called 'data processors') in the following circumstances:
Other than as described above, we will treat your personal data as private and will not disclose your personal data to third parties without you knowing about it. The exceptions are in relation to legal proceedings or where we are legally required to do so and cannot tell you.
In all cases we always aim to ensure that your personal data is only used by third parties for lawful purposes and in compliance with applicable Data Protection Law, which may include ensuring certain safeguards and contractual arrangements have been put in place.
Personal data will not be retained for any longer than necessary for the purpose for which it was collected. The length of time over which data will be retained will depend upon the circumstances and is represented in our Internal Data Retention Policy.
Personal data we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it.
The GDPR restricts data transfers to countries outside the European Economic Area (EEA). This applies to personal data that is transmitted to, or accessed in, a non-EEA country whose laws are not considered to meet the same legal standards of protection for personal data as set out in Data Protection Law.
We will not transfer your personal data to any territory outside the United Kingdom or EEA which is not considered to have adequate legal standards of protection for personal data under Data Protection Law, without seeking your explicit consent to do so.
In accordance with your legal rights under applicable law, you have a 'subject access request' right under which you can request information about the personal data that we hold about you, what we use that personal data for and who it may be disclosed to as well as certain other information. Usually we will have a month to respond to a subject access request but in case of complex requests, we may require a further two months to respond. The Charity will use all reasonable measures to verify the identity of a data subject who requests access so we avoid a data breach (that is, disclosing personal data to a third party unlawfully). A copy of a passport or driving licence may be requested. We may also charge for administrative time in dealing with any manifestly unreasonable or excessive requests for access. We may also require further information to locate the specific information you seek before we can respond in full and apply certain legal exemptions when responding to your request. For any further copies requested by the data subject, we may be allowed to charge a reasonable fee for administrative costs.
Under Data Protection Law you also have the following rights, which are exercisable by making a request to us in writing:
All of these requests may be forwarded on to a third party provider who is involved in the processing of your personal data on our behalf.
If you make a request and are not satisfied with our response, or believe that we are illegally processing your personal data, you have the right to complain to the Information Commissioner's Office (ICO).
You can exercise your rights by contacting us using the details set out in the “Further information” section below.
The Charity will take all appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. This includes procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
If you would like further information on collection, use or disclosure, or to exercise any of the rights listed above, please contact Rob Parker, the Charity’s Data Protection Lead at firstname.lastname@example.org.
If you wish to opt-out of something specific, please email us at email@example.com or call us on 020 7089 4550.