1. Context and Overview
KP Projects CIC needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, freelance employees, project participants, volunteers and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
2. Why this policy exists:
This data management policy ensures KP Projects CIC:
- Complies with data protection law and follows good practice
- Protects the rights of customers, staff and partners
- Is transparent about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
3. Data protection law:
The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires personal data shall be:
3.1 Processed lawfully, fairly and in a transparent manner in relation to individuals
3.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes
3.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
3.4 Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay
5.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals
3.6 Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
3.7 The controller shall be responsible for, and be able to demonstrate, compliance with the above principles
4. People and responsibilities
KP Projects CIC’s Director, Karen Poley will be responsible for fulfilling the tasks of Data Protection Officer in respect of KP Projects CIC
This person will be responsible to inform, advise and monitor the organization and its employees about their obligations to comply with GDPR and data protection laws.
5. Scope of personal information to be processed.
5.1 Names of clients, email addresses, postal addresses and phone numbers are collected for customers through booking a ticket. This is kept on Eventbrite for the duration of the event unless the client subscribes to the Mailchimp mailing list
5.2 Names, email address phone numbers and emergency contact details are collected from Volunteers. These are stored on a secure online server (dropbox) and password protected. It is deleted when the project ends or when the volunteer requests to leave. Periodic emails will be sent to volunteers to ask them if they are still interested in being part of the volunteer team for KP Projects CIC.
5.3 Names & email addresses are collected on event evaluation forms, for inclusion on the KP Projects CIC mailing list. These are kept on Mailchimp until the person unsubscribes
5.4. Names & email addresses may be collected via social media or website subscriptions to the Mailchimp mailing list & are kept until the person unsubscribes
6. Uses and Conditions for processing
|Outcome/Use||Processing Required||Date to be processed||Conditions for processing||Evidence for lawful basis|
|Bi-monthly or quarterly newsletter||Sent via Mailchimp||Name and email||Consent||Agreed by email, signing up at events, social media & Mailchimp or on Eventbrite|
|Information on Volunteering||Mailmerge with volunteer contacts||Name and email||Consent||Agreed on application for becoming a volunteer|
|Ticketing & event information||Processed via Eventbrite||Name, email, address, payment details||Consent||Agreed on booking tickets|
|Impact research data||Follow up questionnaires sent via Mailchimp or Survey Monkey||Consent||Agreed by signing up at events|
7. Privacy Impact Assessment
Using PIA guidance & a template this website – https://gdpr-info.eu/issues/privacy-impact-assessment/ – it has been determined that a PIA is not currently required, a decision that will be monitored on an ongoing basis.
8. Data Sharing
Data collected will not be shared with any external organisations or individuals
9. Security Measures
Public information will be collected & held for processing on either Mailchimp or Eventbrite, using their online security mechanisms.
Volunteer data will be held on the Dropbox online file sharing service in a password protected document
10. Subject Access requests
Individuals have the right to access any personal data held and can request this verbally or in writing. KP Projects CIC will respond within one month to requests.
11. Privacy Notices wording examples
The Living Coast Undersea Experience is produced by KP Projects CIC. The information provided will only use the contact details you have provided for delivering of the experience. Once the event has past and all financial transactions have been completed all personal information is deleted.
Mailchimp subscription notice
By subscribing to our mailing list you have agreed for KP Projects CIC to contact you about The Living Coast Undersea Experience. Your information will not be shared with any third parties unless otherwise agreed. We store your information in a secure manner and your details will only be kept for the duration of the project.
If you wish to change your information or to be removed from the mailing list then please click on the ‘unsubscribe’ link below.
Photo consent notice, permission form & poster wording for use at events
Photo Consent Notice
KP Projects CIC will be taking pictures and/or video of this event to use in our publicity (including social media & website) & reporting to funders.
These images will be used by KP projects CIC and [insert any partner organisations] in the following ways:
- Printed publicity
- Online publicity (including Facebook, Twitter & Instagram)
- Shared with potential funders
They will be stored securely and will not be kept for longer than they are needed for the purposes listed above.
If you would prefer not to be photographed, please speak to the Event Manager.
Permissions Form for children
KP Projects CIC often take photographs/ films of children at our activities to use in our publicity (including social media and website) & reporting to funders. Once we no longer need images for publicity purposes, we will delete them. You can ask to see a copy of images we hold of your child(ren), or ask for them to be deleted, at any time by emailing us on firstname.lastname@example.org
Please sign below to give consent for us to photograph your child and use the images as described above.
Newsletter sign up wording on evaluation form
Can we contact you about The Living Coast Undersea Experience: Yes /No
With a brief questionnaire about ongoing impact of this project: Yes/No
What’s your email address?
Can we share your email with The Living Coast Biosphere region Yes/No
The Living Coast Undersea Experience is produced by KP Projects CIC, which will only use the contact details you have provided for delivering The Living Coast Undersea Experience project.
Your details may be shared with event partners & funders directly involved in producing this event, including The Living Coast, Sussex IFCA, & Sussex Wildlife Trust, but only if you specifically agree.
12. Ongoing documentation of measures to ensure compliance
1) Maintain documentation/evidence of the privacy measures implemented and records of compliance
- Regularly test the privacy measures implemented and maintain records of the testing and outcomes.
- Use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.
- Keep records showing training of employees on privacy and data protection matters.
KP Projects CIC 2019