Context and Overview
KP Projects CIC needs to gather and use
certain information about individuals.
These can include customers, suppliers,
business contacts, freelance employees, project participants, volunteers and
other people the organisation has a relationship with or may need to contact.
This policy describes how this personal
data must be collected, handled and stored to meet the company’s data
protection standards – and to comply with the law.
Why this policy exists:
This data management policy ensures KP
- Complies with data protection law and follows good practice
- Protects the rights of customers, staff and partners
- Is transparent about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law:
General Data Protection Regulation (GDPR) applies in the UK and across the EU
from May 2018. It requires personal data shall be:
3.1 Processed lawfully, fairly
and in a transparent manner in relation to individuals
3.2 Collected for specified,
explicit and legitimate purposes and not further processed in a manner that is
incompatible with those purposes; further processing for archiving purposes in
the public interest, scientific or historical research or statistical purposes
shall not be considered to be incompatible with the initial purposes
3.3 Adequate, relevant and
limited to what is necessary in relation to the purposes for which they are
3.4 Accurate and, where
necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate
personal data, having regard to the purposes for which they are processed, are
erased or rectified without delay
5.5 Kept in a form which
permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed; personal data may be stored
for longer periods insofar as the personal data is processed solely for
archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes subject to implementation of the appropriate
technical and organisational measures required by GDPR in order to safeguard
the rights and freedoms of individuals
3.6 Processed in a manner that
ensures appropriate security of personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organisational measures
3.7 The controller shall be
responsible for, and be able to demonstrate, compliance with the above principles
4. People and
KP Projects CIC’s Director, Karen Poley will be responsible for fulfilling the tasks of Data Protection Officer in respect of KP Projects CIC
This person will be responsible to inform,
advise and monitor the organization and its employees about their obligations
to comply with GDPR and data protection laws.
5. Scope of personal
information to be processed.
5.1 Names of clients, email addresses, postal
addresses and phone numbers are collected for customers through booking a ticket.
This is kept on Eventbrite for the duration of the event unless the client
subscribes to the Mailchimp mailing list
5.2 Names, email address phone numbers and
emergency contact details are collected from Volunteers. These are stored on a
secure online server (dropbox) and password protected. It is deleted when the
project ends or when the volunteer requests to leave. Periodic emails will be
sent to volunteers to ask them if they are still interested in being part of
the volunteer team for KP Projects CIC.
5.3 Names & email addresses are
collected on event evaluation forms, for inclusion on the KP Projects CIC
mailing list. These are kept on
Mailchimp until the person unsubscribes
5.4. Names & email addresses may be
collected via social media or website subscriptions to the Mailchimp mailing
list & are kept until the person unsubscribes
6. Uses and Conditions for processing
|Outcome/Use ||Processing Required ||Date to be processed ||Conditions for processing ||Evidence for lawful basis |
|Bi-monthly or quarterly newsletter ||Sent via Mailchimp ||Name and email ||Consent ||Agreed by email, signing up at events, social media & Mailchimp or on Eventbrite |
|Information on Volunteering ||Mailmerge with volunteer contacts ||Name and email ||Consent ||Agreed on application for becoming a volunteer |
|Ticketing & event information ||Processed via Eventbrite ||Name, email, address, payment details ||Consent ||Agreed on booking tickets |
|Impact research data ||Follow up questionnaires sent via Mailchimp or Survey Monkey || Email ||Consent ||Agreed by signing up at events |
7. Privacy Impact Assessment
Using PIA guidance & a
template this website – https://gdpr-info.eu/issues/privacy-impact-assessment/
– it has been determined that a PIA is not currently required, a decision that
will be monitored on an ongoing basis.
8. Data Sharing
Data collected will not be shared
with any external organisations or individuals
9. Security Measures
information will be collected & held for processing on either Mailchimp or
Eventbrite, using their online security mechanisms.
data will be held on the Dropbox online file sharing service in a password
10. Subject Access requests
have the right to access any personal data held and can request this verbally
or in writing. KP Projects CIC will
respond within one month to requests.
11. Privacy Notices wording examples
Coast Undersea Experience is produced by KP Projects CIC. The information
provided will only use the contact details you have provided for delivering of
the experience. Once the event has past
and all financial transactions have been completed all personal information is
Mailchimp subscription notice
subscribing to our mailing list you have agreed for KP Projects CIC to contact
you about The Living Coast Undersea Experience. Your information will not be
shared with any third parties unless otherwise agreed. We store your
information in a secure manner and your details will only be kept for the
duration of the project.
wish to change your information or to be removed from the mailing list then
please click on the ‘unsubscribe’ link
Photo consent notice, permission form & poster wording for use at
Photo Consent Notice
Projects CIC will be taking pictures and/or video of this event to use in our
publicity (including social media & website) & reporting to funders.
These images will be used by KP projects
CIC and [insert any partner organisations] in the following ways:
- Printed publicity
- Online publicity (including Facebook, Twitter
- Shared with potential funders
They will be stored securely and will not
be kept for longer than they are needed for the purposes listed above.
If you would prefer not
to be photographed, please speak to the Event Manager.
Permissions Form for children
KP Projects CIC often take photographs/ films of children
at our activities to use in our publicity (including social media and website)
& reporting to funders. Once we no longer need images
for publicity purposes, we will delete them. You can ask to see a copy of
images we hold of your child(ren), or ask for them to be deleted, at any time
by emailing us on firstname.lastname@example.org
Please sign below to give consent for us to
photograph your child and use the images as described above.
Newsletter sign up wording on evaluation form
Can we contact you about The Living
Coast Undersea Experience: Yes /No
brief questionnaire about ongoing impact of this project: Yes/No
your email address?
share your email with The Living Coast Biosphere region Yes/No
Coast Undersea Experience is produced by KP Projects CIC, which will only use
the contact details you have provided for delivering The Living Coast Undersea
details may be shared with event partners & funders directly involved in producing
this event, including The Living Coast, Sussex IFCA, & Sussex Wildlife
Trust, but only if you specifically agree.
12. Ongoing documentation of measures to
Maintain documentation/evidence of the privacy
measures implemented and records of compliance
- Regularly test the privacy measures implemented
and maintain records of the testing and outcomes.
- Use the
results of testing, other audits, or metrics to demonstrate both existing and
continuous compliance improvement efforts.
records showing training of employees on privacy and data protection matters.
KP Projects CIC 2019