Data Privacy

We will collect and use your personal data (this means any information which identifies you, or which can be identified as relating to you personally, such as your name, address, phone number, email address or member number). We’ll only collect the personal data we need and we’ll make it clear at the point of collection why we are collecting it. 

This personal data you give us may include your name, title, address, date of birth, age, gender, employment status, demographic information, email address, telephone numbers, personal description, photographs, CCTV images, attitudes, opinions, usernames and passwords.

We may automatically collect information as you use our digital services such as the app and website. This may include the pages you have visited, information about the device or browser you are using, any errors you encountered and data relating to any online transactions such as the order number for memberships, renewals and donations.

We’ll also collect data on your activity when you log in to your ‘Friends of Gressenhall’ or 'Workhouse Network' account. In whatever way you interact with us, such interaction may create other items of personal data. This could include details of how you’ve helped us by volunteering or by supporting our campaigns and other activities. If you decide to donate to us, we’ll also keep records of when and how much you give to support our cause.

If you have contacted us on behalf of an organisation, for example making an Educational Booking or a Trade enquiry, we will also store details of individuals in their professional capacity. 

Where people have been involved in the research, conservation or use of historic objects, sites or buildings about workhouses and related academic areas, we may gather information about them to facilitate current or future historical and scientific research. 

Volunteers

If you’re a volunteer we may collect extra information about you (such as references, criminal records checks, details of emergency contacts or medical conditions). We will keep this information for legal or contractual reasons, to protect us (including in the event of an insurance or legal claim), and for safeguarding purposes.

Minors

Children under 18 are included on family memberships and are members of the Friends of Gressenhall. We collect their names and dates of birth to ensure they get free admission

Child membership is available to everyone between the ages of 5 and 17 inclusive. Under 13s can have their membership bought for them by an adult, where we collect names and dates of birth.  Those aged between 13 and 17 can buy membership directly in which case we will also collect contact information in order to service that membership.

We’ll only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation and Privacy of Electronic Communication Regulation.

We will use your personal data for the purpose or purposes outlined at the time you gave it to us. 

We use this information: 

• to provide the service, product or essential information you expect from us;

• where you have given us your consent to do so, to keep you informed about: membership, events, conservation work, fundraising, or volunteering.

• to enable trusted partner organisations to perform services on our behalf or to help us understand our supporters more effectively;

• to better understand how we can improve our services for you.

We may also need to provide your personal data if we’re asked by the police, or any other regulatory or government authority investigating suspected illegal activities.

We use the personal data you provide as a member to fulfil your membership. This includes emailing or posting Friends of Gressenhall newsletters, providing information about our Annual General Meeting, and sending renewal information to annual members by mail and email.

We collect certain information relating to the use of, and visitors to, our website. This notice explains how we use any personal information and should be read alongside our Cookie policy. 

The primary purpose for processing any personal data of website users is to maintain and monitor the performance of our website and to constantly improve the site and the services it offers to our users.

Where personal information is collected via our website (for example, through web forms for feedback or requests), you will be informed as to what information is being captured and why, seeking your consent where necessary.

Any personal information that you provide to us will be used only for the purpose stated at the time we request it, or as required by law. We will not sell, licence or trade your personal information to others. We do not provide your personal information to direct marketing companies or other such organisations.

Legal basis for processing personal data

The lawful basis we rely on to process your personal data is either Article 6(1)(a) of the UK GDPR, for example when we require your consent for the optional cookies we use, or Article 6(1)(f) which allows us to process personal data when it’s necessary for our legitimate interests. For example in order to maintain the integrity of our IT systems and the continuity of our business.

Where we collect data via web forms or similar we will let you know the lawful basis we are relying on for the collection and use of data in each case, referring to our other privacy notices as appropriate.

How we use your information

By submitting a webform on this site you will be sharing some of your personal data with the The Friends of Gressenhall (the Charity), and we are required by law to look after your information, and help you understand how it will be used.

Firstly, any personal data collected in this form will only be used by the Charity for the purpose described in the form itself. The form will also explain our grounds (or ‘lawful basis’) for requiring you to provide the information. Furthermore, if you are providing your information because of a statutory or contractual requirement or obligation, we will include in the form any possible consequences of failing to provide the personal data. 

We will use the information you have provided for as long as required for the purpose, and always in accordance with the Charity's records retention policies. We will securely destroy or fully anonymise your information when it is no longer needed. 

We will not share your information with any third parties unless this is required for the purpose explained in the form, or unless required by law.

Depending on the purpose, you are likely to have choice and control over how we use the personal data you have submitted in this form. UK data protection law gives you rights, which are explained on the Information Commissioner's website. 

If you have any comments or concerns about the way your personal data is collected or used in this instance, please contact dataprotection@friendsofgressenhall.org, including any information which will allow us to identify the specific form you’ve accessed. 

Where we have your permission, we may invite you to support vital heritage conservation and research work by making a donation, buying a raffle ticket, getting involved in fundraising activities or leaving a gift in your will. 

Occasionally, we may invite supporters to attend events where they can find out more about the ways donations and gifts in wills make a difference. We’ll keep a record of which events you are invited to and whether you were able to attend

If you make a donation, we’ll use any personal information you give us to record the nature and amount of your gift, claim Gift Aid where you’ve told us you’re eligible, thank you for your gift or let you know if you have won a raffle prize. If you interact or have a conversation with us, we’ll note anything relevant and store this securely on our systems.

If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.

Charity Commission rules require us to know where funds have come from, as well as any conditions attached to them. We follow a due diligence process which involves researching the financial soundness, credibility, reputation and ethical principles of donors who’ve made, or are likely to make, a significant donation to the Friends of Gressenhall.

As part of this process we’ll carry out research using publicly available information and professional resources. 

The security of your information is paramount to us. We regularly review our measures to ensure they are up to date and in line with latest developments, particularly when we are handling payment information.

Our committee and volunteers with data responsibility complete information security and data protection training.

When you trust us with your data we will keep your information secure to maintain your confidentiality. Whenever your information is stored or transferred, we use strong encryption to minimise the risk of unauthorised access or disclosure. You can check this when you enter information on our website by right clicking on the padlock icon in the address bar.

If you have a password to allow access to certain parts of our website, you must keep that password safe and not share it with anyone or your personal information could be at risk.

We will keep your personal data for no longer than is necessary for the purposes for which it is processed, in accordance with our internal policies.  If we dispose of your information, it will always be done securely.

Storing Information

The Friends of Gressenhall operations are based in the UK and we store most of your data within the European Union (EU). Some organisations which provide services to us may transfer your data outside the European Economic Area but we’ll only allow this if your data is adequately protected. Some of our systems are provided by US companies and while it is our policy that we prefer data hosting and processing to remain in the EU, it may be that using their products results in your data being transferred to the USA. However, we only allow this when we are certain your data will be adequately protected in accordance with US Privacy Shield or Standard EU contractual clauses.  In particular our core systems are provided by Google who comply with the GDPR in relation to processing of customer personal data in all Google Cloud and Google Workspace services.  For more information, see Google's page on GDPR compliance and the Cloud Data Processing Addendum. 

Payment card security

The Friends of Gressenhall has an active PCI-DSS (Payment Card Industry Data Security Standard) compliance programme. This is the stringent international standard for safe card payment processes. As part of our compliance, we ensure that our IT systems do not directly collect or store your payment card information, such as the full 16-digit number on the front of the card or the security code on the back.

Our online payment solutions are carried out using a ‘payment gateway’ (such as Sagepay) which is a direct connection to a payment service provided by a bank. This means that when you input card data into the payment page, you are communicating directly with the bank and the bank passes your payment to us. This means that your payment card information is handled by the bank and not processed or held by us.

We want to ensure you remain in control of your personal data.  Part of this is making sure you understand your legal rights, which are as follows:

• the right of access to a copy of the information we hold about you (this is known as a subject access request)

• the right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason e.g. HMRC and Gift Aid auditing)

• the right to have inaccurate data rectified

• the right to object to your data being used for marketing or profiling

• Where technically feasible, you have the right to personal data you have provided to us which we process automatically on the basis of your consent or the performance of a contract.  The information will be provided in a common electronic format.

Please bear in mind that there are exemptions to the rights above and though we will always try to respond to your requests there may be situations where we are unable to do so.

If you would like further advice or information on your rights, or you wish to exercise them, please contact dataprotection@friendsofgressenhall.org.

 If you are not happy with our response or you believe that your data protection or privacy rights have been infringed, please talk directly to us, so we can learn from and resolve any problem or query. You can send an email with the details of any data protection complaint to dataprotection@friendsofgressenhall.org . We will respond to any complaints we receive.  You have the right to contact the Information Commissioner's Office (“ICO”) (the UK data protection regulator).  For further information on your rights and how to complain to the ICO, please refer to the ICO website.