Our promise to you

Chwarae Teg and our trading subsidiary promise to respect and look after all personal data you share with us or that is shared with us by other organisations. We will always keep it safe. We aim to be clear when we collect your data about what we’ll use it for, and not do anything you wouldn’t reasonably expect. We will never sell your personal data to other organisations, and will only ever share it in appropriate, legal or exceptional circumstances. See Section 4 to find out more.

This policy aims to provide details around how Chwarae Teg handles, stores, processes and eventually deletes all personal data for contacts and employees, as well as to provide guidance on the rights of data subjects in relation to their data. These principles apply to all personal data that we process, regardless of the media on which the personal data is stored, e.g., electronically, on paper or on other materials.

As an organisation we are ‘opt-in only’ with regard to our communication policy. This means that we will only send marketing and other communications to you if you have explicitly stated that you want us to. We’ll also ask you what you’re interested in and how you want us to contact you.

Keep In Touch - Chwarae Teg

Keep In Touch - Fairplay Employer

2. Definitions

The data controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed.

The data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

3. Principles

In applying this policy, Chwarae Teg will have due regard for the need to promote equality of opportunity and equitable outcomes, and to provide for good relations between people of diverse groups. All reasonable steps will be taken to ensure that Chwarae Teg policies, practices and culture do not discriminate or isolate individuals.

As an organisation we will always abide by the main principles set out in the Data Protection rules and guidance. The main principles are:

  1. Lawfulness, fairness and transparency: We will seek to make sure we communicate and follow the rules for data collection.
  2. Purpose limitation: We will seek to only collect personal data ‘for a specific purpose’. We will clearly state what that purpose is, and only collect data for ‘as long as necessary’ to complete that specific purpose.
  3. Data minimisation: We will seek to only process personal data that is adequate, relevant and limited to what ‘we need to achieve its processing purposes’.
  4. Accuracy: We will seek to ensure that ‘every reasonable step’ is taken to erase or rectify data that is inaccurate or incomplete.
  5. Storage limitation: We will seek to delete personal data when ‘it’s no longer necessary’. For details, please refer to Appendix 2.
  6. Integrity and confidentiality: We will seek to ensure that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Chwarae Teg will seek a GDPR-defined ‘lawful basis’ for processing data from the following list:

  • It is necessary for the performance of a contract (e.g., an employment contract, or in order to take steps at the request of the data subject prior to entering into a contract).
  • It is necessary for compliance with our legal obligations.
  • It is in the vital interests of either the data subject or some other person (such as needing to process the personal data to protect someone’s life, and they are incapable of providing consent).
  • It is in the public interest (this could be in the exercise of official authority).
  • It is in the legitimate interests of the organisation or those of a third party, where the data subject’s interests or fundamental rights and freedoms do not override our interests (this can include ordinary and honest business practices).

In the event that none of the above lawful bases apply, Chwarae Teg will be required to seek the express consent of the data subject in order to process their data.

Active Consent

Where Chwarae Teg relies on consent as the lawful basis for processing data, we will ask the data subject to give a positive statement, actively opt in or provide clear affirmative action; we understand that consent must be “freely given, specific, informed and unambiguous” and that pre-ticked boxes, inactivity or silence do not constitute consent.

 

4. Where we collect information about you from

We collect information in the following ways:

When you give it to us DIRECTLY

You may give us your information in order to sign up for one of our:

  • Events
  • Programmes
  • Newsletters
  • Networks
  • Recruitment purposes and whilst you are employed
  • Contribute to policy development and research
  • To fundraise for us
  • A supplier or a customer
  • Or for more information on our work

We are responsible for your data at all times.

When you give it to us INDIRECTLY

Your information may be shared with us by independent event organisers, for example networking events, partner venues or fundraising sites. These independent third parties will only do this if you’ve indicated you’re happy for them to do so. You should check their privacy policy when you provide your information to understand fully how they will process your data.

When you give permission to OTHER ORGANISATIONS to share it

You may have provided permission for a company or other organisation to share your data with third parties, including charities. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.

Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.

The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them.

This may include information found in places such as Companies House and information that has been published in articles/newspapers.

We may combine information you provide to us with information available from external sources in order to gain a better understanding of our supporters to improve our communications, products and services.

When we collect it as you use our WEBSITES OR APPS

Like most websites, we use “cookies” to help us make our site, and the way you use it, better. Cookies mean that a website will remember you. They’re small text files that sites transfer to your computer (or phone or tablet). They make interacting with a website faster and easier – for example by automatically filling your name and address in text fields.

As well as this, cookies can tell us the type of device you’re using to access our website or apps, and the settings on that device may provide us with information including what type of device it is, what operating system you’re using, what your device settings are, and why a crash has happened. This information helps us understand how people are using our website and how to make it better.

Your device manufacturer or operating system provider will have more details about what information your device makes available to us.

5. What personal data we collect

The type and quantity of information we collect depends on why you are providing it.

If you, for example, apply for a programme, apply for a role, sign up for an event, fundraise for us, volunteer or participate in a project, we will usually collect:

  • Your name
  • Your address
  • Your contact details
  • Your date of birth
  • Other personal information relevant to the activity you are participating in
  • Other special category data where and when appropriate

Where it is appropriate, we may also ask for:

  • Information relating to your health
  • Information relating to the services you want to use
  • Where you heard about us
  • Parental consent if you’re under 16
  • Security checks
  • Eligibility to work checks

We will only ever ask for information that is needed to provide the service, information or administration you have requested.

If and when we collect and manage information from children, we aim to manage it in a way which is appropriate to the age of the child.

If a child is under 16 we will seek consent from a parent or guardian before collecting their information. Our events have specific rules about whether children can participate, and we’ll make sure advertising for those events is age appropriate.

6. How we use the personal data we collect

What we use your information for depends on why you are providing it. We will mainly use your data for the following purposes:

To provide you with the services, products or information you’ve asked for

We run a variety of services for individuals and businesses. The service you access will depend on the best fit for your circumstances and could be provided as part of a project or on a commercial basis.

Access to this data will always be limited to appropriate individuals with a legitimate interest in providing these services.

We also collect data in order for you to participate in an event or programme, in relation to policy and research, training and development, our projects, volunteering, fundraising and working with us.

If you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form, we may contact you to see if we can help with any problems you may be experiencing with the form or our websites.

To make sure we know how you prefer to be contacted

We record communication preferences, so we only contact you in the ways you want to hear from us.

To meet our obligations as an employer

We ensure that the data collected during our recruitment process is lawful and for the specific purpose of fulfilling either our legal obligations (e.g., eligibility to work in the UK checks) or to ensure a fair and transparent method of recruiting and contacting candidates.

For employees we will collect a range of data for legitimate purposes, linked to information required whilst in employment.

If you take up the employee benefits we offer, then we will share specific personal data with the provider of such benefits.

To send you Direct Marketing

We will only ever contact you with direct marketing about our work, activities and campaigns with your explicit consent. We make it easy for you to tell us how you want us to communicate, and what interests you. We also include information on how to opt out when we send you marketing.

We do not sell personal details to, or share them with, third parties for the purposes of marketing. But occasionally, we may include information in our communications from partner organisations or organisations who support us.

If you change your mind at any time, and no longer want to hear from us, that’s fine. Just let us know when you provide your data or contact us by email via [email protected]

To keep a record of your relationship with us

It’s important for us to have clear records on how you’ve supported us or have been supported by us in the past. This helps us to make sure your experiences of Chwarae Teg are the best they can be.

We may also collect and retain your information if you send feedback about our services, give us a compliment or make a complaint.

To understand how we can improve our services, products or information

We believe it’s important to make sure that all of our services are the best they can be. That’s why we evaluate them.

Once you’ve been on our programmes, or taken part in any of our fundraising campaigns, we may get in touch to ask you about your experiences with all aspects of Chwarae Teg and the work of its trading subsidiary. There’s no obligation to take part, but it really helps highlight ways we can make things better in future.

We use profiling and screening techniques to make sure communications are relevant and timely, and to provide an improved experience. Profiling also allows us to target our resources effectively.

When building a profile, we may analyse geographic, demographic and other information relating to you to better understand your interests and preferences, so that we can contact you with the most relevant communications.

In doing this, we may use additional information from third party sources when it is available. Such information is compiled using publicly available data about you, for example addresses, listed directorships or typical earnings in a given area.

We do this because it allows us to understand the background of the people who we work with.

7. Sharing your data

We do not sell personal details to, or share them with, third parties for the purposes of marketing. We will only share your details with third party organisations when it’s necessary to:

  • Provide you with the services you’ve asked for. We will make sure you’re happy for us to do this before anything happens and will explain who we are sharing the data with, e.g., the Department of Work & Pensions, your local council etc.
  • Administer your participation in an event
  • Comply with Health & Safety regulations

If you are an employee of Chwarae Teg, we may be required to share the appropriate personal data with relevant organisations in line with funding arrangements and IT support.

If we ever need to share data for these purposes, we will always take the utmost care, make sure only essential data is transferred, and that it’s done so securely and safely.

Exceptional circumstances

Chwarae Teg may also be required to share your details in exceptional circumstances. For example, where legally required by the police, regulatory bodies or legal advisors.

We will only ever share your data in other circumstances if we have your explicit and informed consent.

8. How we keep your data safe and who has access

We make sure that there are appropriate measures and controls in place to protect your personal details. For example, our online forms are always encrypted and our network is routinely monitored. We undertake regular reviews of who has access to information that we hold, to make sure that your information is only accessible by appropriately trained staff, volunteers and partners.

Before we use any external companies to collect or process personal data on our behalf, we will conduct comprehensive checks. We will always put a contract in place that sets out our expectations and requirements, especially how they manage the personal data they have collected or have access to.

Suppliers who run their operations outside the European Economic Area (EEA) are not subject to the same data protection laws as companies based in the UK. However, if we ever choose to use a supplier based outside of the EEA, we will make sure they provide an adequate level of protection in accordance with UK data protection law.

We may need to disclose your details if required to the police, regulatory bodies or legal advisors.

We will ensure that your data is only accessed by the people responsible for that data and not shared widely.

We will only ever share your data in other circumstances if we have your explicit and informed consent.

9. Keeping your information up-to-date

We try and keep our records up-to-date so we send you the most relevant information, using the correct contact details.

If your personal details change, we’d really appreciate it if you let us know.

Where possible we use publicly available sources to keep your records up to date.

For example, the Post Office’s National Change of Address database and information provided to us by other organisations as described above.

Employed staff have access to systems where they can update their personal information.

 

10. Your ‘Right to Know’ what we know about you, make changes or ask us to stop using your data

Data Subject Rights

Data subjects have a number of rights. Data subjects can:

  • Access and obtain a copy of their data on request
  • Require Chwarae Teg to change incorrect or incomplete data
  • Require Chwarae Teg to delete or stop processing their data, for example where the data is no longer necessary for the purposes of processing; and
  • Object to the processing of their data where Chwarae Teg is relying on its legitimate interests as the legal ground for processing
  • Withdraw consent at any point, where processing is based upon their consent. (Withdrawal of consent can be given at any time. Chwarae Teg will seek to ensure this process is easy and where no other grounds for processing apply, such as Chwarae Teg complying with our legal or contractual obligations, we will delete the data accordingly)
  • Request the right to be forgotten and Chwarae Teg will amend records accordingly

Data subjects do have the ‘right to be forgotten’ under the legal framework, meaning that Chwarae Teg can either destroy or make contact with our third parties, who hold data, to make a request for them to confidentially destroy such data. Wherever possible, we will endeavour to comply with such a request.

However, where Chwarae Teg is unable to erase data due to having a lawful basis for retaining that data, or to comply with our contractual and reporting obligations, a further request may be made for Chwarae Teg to restrict our processing of such data instead. Similarly, restriction of processing will be subject to Chwarae Teg’s compliance with our legal, contractual and reporting obligations and Chwarae Teg will take into account any ongoing requirements to process that data before acting.

The organisation may need to give further consideration to a request where the request is potentially unfounded, excessive or is repetitive. In all events where a request is declined, or a fee is requested due to the circumstances, Chwarae Teg will respond to the data subject’s request with a full explanation, to include the lawful basis that underpins our decision-making, accordingly.

If you wish to withdraw consent to process or make a request to be forgotten, please contact us on email: [email protected].

You have a right to ask for a copy of the information we hold about you. If there are any discrepancies in the information we provide, please let us know and we will correct them.

If you want to access your information, send a description of the information you want to see and proof of your identity by post to Data Controller, Chwarae Teg, sbarc|spark, Maindy Rd, Cardiff CF24 4HQ. We do not accept these requests by email. This is so we can make sure that we only provide personal data to the right person. If you have any questions, please send these to [email protected], or by post to: The Data Controller, Chwarae Teg, sbarc|spark, Maindy Rd, Cardiff CF24 4HQ.

Any concerns raised will be considered as soon as reasonably possible and written responses will be provided within a reasonable timeframe, together with details of any corrective action if necessary. For further information see the Information Commissioner’s guidance here: https://ico.org.uk/your-data-matters/

11. Retention of Data

We will keep your data safe

Your data is all stored electronically and backed up in compliance with “Cyber Essentials”

It is kept in line with regulatory and legal requirements

It is retained in line with grant and project funders’ requirements

We review this policy annually and may update it from time to time. If we make any significant changes in the way we treat your personal information, we will make this clear on our website or by contacting you directly.

Updated November 2022