Privacy & Cookies

Introduction

When you interact with Good Company (Surrey), whether as a supporter, donor, volunteer, employee, or in another capacity, we may need to collect, use, or store some data about you. If this information could be used to identify you individually – for example, your name or address – then it is ‘personal data’. This notice explains how we will hold and process your personal data, explaining your rights and our responsibilities.

The security and privacy of your data is of utmost importance to us, and we are committed to full compliance with our legal obligations under the EU General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018.

If you have any questions about this notice, or about how your data is being processed, please email us at [email protected].

Who are we?

Good Company (Surrey) is an independent charitable organisation (Charity Number 1197493) working to prevent and alleviate poverty in East Surrey. We are a data controller, registered with the UK Information Commissioner’s Office (registration number ZB313472). Good Company (Surrey) is based at:

  • Good Company Hub
  • Ruxley Lane
  • Epsom
  • KT19 0JG

We have policies, procedures, and training in place to help our people to understand their data responsibilities, and we have a nominated member of staff who serves as our Data Protection Lead.

Contents

Privacy Notice. 1

Introduction. 1

Who are we?. 1

Definitions 3

How do we collect your personal data?. 3

What personal data do we collect?. 4

Our lawful basis for processing personal data. 4

Why do we collect personal data?. 4

How do we share personal information?. 7

How long do we keep personal information?. 8

Your rights 9

Changes to this notice. 9

Making a complaint 9

Data retention periods 10

 

Definitions

Key terms used in this notice include:

  • Personal data – any information relating to a person that would cause them to be identified, either directly or indirectly. This includes identifiers such as a name, an identification number, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
    • Special category personal data – particularly sensitive data relating to one or several categories of information, including information about a person’s health, religion, political opinions, trade union membership, race or ethnic origin, or sexuality.
  • Data Processing – any operation performed on personal data, such as collection, recording, organisation, storage, alteration, retrieval, sharing, restriction, erasure or destruction.

Roles relating to the processing of personal data:

  • Data Subject – the person whose personal information is being processed.
  • Data Controller – the person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

How do we collect your personal data?

We may collect your personal data from you directly when you:

  • communicate with us for any reason, by post, telephone, text, email or via our website;
  • make a donation;
  • visit or are referred to a foodbank;
  • become a member at Epsom Pantry;
  • participate in a survey or research;
  • work or volunteer for us;
  • make an application to work or volunteer for us;
  • agree to help us promote our work; or
  • interact with us as a supplier, contractor, consultant or in any other capacity.

We may also collect personal information about you from other organisations – for example, we may receive information on our clients from a referral agency like a doctor’s surgery.

What personal data do we collect?

We only collect personal information that we genuinely need. This may include:

  • name;
  • contact details, such as address, email address and phone numbers;
  • date of birth;
  • gender;
  • nationality;
  • financial information that you provide to us – for example, when donating money; and
  • any other information that you give us relating to your circumstances.

We may also need to collect some “special category personal data”, which can include:

  • information on your health, such as allergies; or
  • other special category personal data that you make us aware of.

Our lawful basis for processing personal data

Under Data Protection legislation (UK GDPR), our organisation needs to have a lawful basis for keeping and using your data. The lawful bases we use most often are our legitimate interest, our legal obligation, and your consent.

  • We may collect and use your personal data if it is necessary for our work – under GDPR, this is called our legitimate interest – so long as its use is fair, balanced, and does not unduly impact your rights.
  • We may also process personal information because it is necessary for the performance of a contract, or because we are legally obliged to do so.
  • Where appropriate, we also rely on your explicit consent to hold your personal data, such as if you agree to us holding relevant health information.

In extreme situations, we may share your personal information if we believe someone’s life is at risk.

Why do we collect personal data?

We collect and use personal information about people who use our services (e.g., food banks or Epsom Pantry), supporters, job applicants and volunteers, for several reasons outlined below:

Assisting clients

We collect personal data from you directly if you use a food bank, or via an organisation that refers you to a food bank. Our lawful basis for using this information is our legitimate interest, as we wish to ensure that we are providing help when and where it is most needed. We will share this information with the Trussell Trust, which works with us and other food banks to support our network.  The Trussell Trust’s privacy policy is available at https://www.trusselltrust.org/privacy/.

Epsom Pantry

We collect personal data from you directly if you become a member of Epsom Pantry. This data is used to generate statistics and reports relating to visits and other personal information. Our lawful basis for using this information is our legitimate interest, as Epsom Pantry uses these statistics to make decisions about opening hours, stock, and other issues. Church Action on Poverty uses anonymised statistics from the database to report on the impact of Pantries to our supporters. Your Local Pantry’s Privacy Notice is available at https://www.yourlocalpantry.co.uk/privacy-notice/

Developing relationships with supporters

Our work is made possible because of the generosity of our supporters. We need a good understanding of our supporters so that we can communicate with them effectively and appropriately. We will only send you marketing communications via email or text where you have opted in to receiving them. You can unsubscribe from receiving these communications at any time by contacting [email protected]

Processing donations

If you make a financial donation to us, we will use your personal data to collect your donation and maintain a record of our donors. Our lawful basis for using your personal data for this purpose is to fulfil our legitimate interest of working toward our fundraising objectives. We are legally required by HMRC to collect some personal information if you choose to gift aid your financial donation.

Dealing with complaints and appeals

If a complaint is raised with us, we will process the personal data that are provided to us to manage and resolve the complaint or appeal. This may include sharing relevant information with the Trussell Trust, Your Local Pantry, or a person that the complaint has been made about. Our lawful basis for using personal data for this purpose is our legitimate interest.

Promoting our work

We will use personal information that you share with us if you agree to help us promote our work. This might include photographs and videos. For example, we may use your information in case studies and stories that we publish or share with the media. We will only use your information for this purpose if you have given your consent for us to do so.

Carrying out surveys and research

If you choose to take part in one of our surveys, we will use the personal information that you provide to process the results of the survey and undertake analysis. Survey results are anonymised before being shared or published.

Recruitment

If you provide us with information about yourself, such as a CV or cover letter, in connection with a job or volunteer application or enquiry, we may use this information to process your enquiry. We will not store this information for any purpose other than that relating to your application. Our legal basis for using your information in this way is for our legitimate interest.

Employee administration and development

We will process personal information of our employees to fulfil our contract with them, and to meet our legal obligations as an employer. This includes payroll processing and the provision of training. We are required by law to share some financial information with the HMRC. We may also need to share some personal information with other organisations, for example solicitors, pension providers.

For more information on how we process and protect employees’ personal information, please see our Privacy Notice for Employees.

Volunteer administration and development

If you volunteer with us, we collect personal information to support the administration of your volunteering activity. Our lawful basis for processing volunteers’ personal information is our legitimate interest, or to meet our legal obligations. We share personal information about our volunteers with The Trussell Trust and Your Local Pantry.

Undertaking safeguarding activities, including DBS checks

When necessary, we process relevant personal information about employees and volunteers for safeguarding purposes. This might include undertaking DBS and other checks to identify any criminal and other activity we need to be aware of. It may be necessary to share some personal information with relevant authorities, such as the police. Our lawful basis for this processing is to meet our legal obligations.

Processing expenses

We will use your personal information, including your bank account details, to process expense claims. Our lawful basis for using your information for this is for the performance of a contract.

Governance

We process relevant personal information about existing and potential trustee members for governance purposes. This might include undertaking DBS and other checks to identify any criminal and other activity we need to be aware of to ensure that we select appropriate trustees. Our lawful basis for this processing is to meet our legal obligations with the Charity Commission and Companies House.

How do we share personal information?

We will only share your personal information where we need to, where someone’s life is at risk, or we are required to do so by law.

  • We may share your information with third parties (such as in the case of liaising with external organisations such as The Trussell Trust and Your Local Pantry) and data processors who may need to access your information for performing purposes such as those specified in this notice.
  • We take reasonable organisational and technical measures to protect your information against access, modification, or misuse. We work to ensure your information is accessed by trustees, volunteers, and third-party partners on a needs-only basis.
  • We may also share your information with our bank to process a payment, with our professional advisers (such as our legal advisers) where it is necessary to obtain their advice, and with our IT support and data storage providers.
  • Where required, we will process personal information to comply with our legal obligations. In this respect, we may share your personal data to comply with subject access requests, tax legislation, for the prevention and detection of crime, and to assist the police and other competent authorities with investigations including criminal and safeguarding investigations.

Transferring personal data outside of the EEA

Where we need to transfer personal information to countries or jurisdictions outside the European Economic Area, we ensure they have a similar standard of data protection law in place to that of the UK. We put in place appropriate contracts and agreements with third parties to ensure an appropriate level of data protection and security. Third parties with data processing outside of the EEA may include:

  • Workday Peakon Employee Voice – used to help our volunteers give us feedback on their experiences.
  • AdvicePro – a fully-managed, secure web-based case management system developed specifically for advice organisations. AdvicePro is owned by Advice UK and Advanced Case Management Solutions. It is encrypted and password-protected and ensures that data is protected to required standards when it is shared outside of the EEA.

Cookies and aggregate information collected from our website

We use cookies on our website to store information about how you use our website. A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website. This information is not linked to personal profiles or to personally identifiable information provided by users.  We use it to analyse visitor trends and use of our website, administer the website and to gather broad demographic information of our website users. For more information, view our Cookies Policy at https://goodcompany.org.uk/cookies-policy/

How long do we keep personal information?

We will hold your personal information only for as long as is necessary. We will not retain your personal information if it is no longer required. In some circumstances, we may legally be required to retain your personal information – for example, for finance, employment, or audit purposes.  We have in place a personal data retention schedule which sets out how long we keep your personal information for. A summary of our Data Retention Periods is available in Appendix A of this document. Please contact [email protected]  if you wish to see our full personal data retention schedule.

Your rights

If you no longer wish to receive communications about products and services from us, please contact [email protected]

You can also unsubscribe at any time from emails that we may send to you about the products and services that we think will be of interest to you. A link to unsubscribe from all direct marketing will be included in any communications.

You also have the right to:

  • Ask us for copies of your personal information.
  • Tell us to change or correct your personal information if it is incomplete or inaccurate.
  • Ask us to restrict our processing of your personal data or to delete your personal data if there is no compelling reason for us to continue using or holding this information.
  • Receive from us the personal information we hold about you which you have provided to us, in a reasonable format specified by you, so that you can send it to another organisation.
  • Object, on grounds relating to your specific situation, to any of our processing activities where you feel this has a disproportionate impact on you.

For all requests, please contact us at [email protected]. We will respond to any request within 28 days.

Please note that we may be entitled to refuse requests where exceptions apply – for example, if we have reason to believe that the personal data we hold is accurate, or we can show our processing is necessary for a lawful purpose set out in this Privacy Notice.

Changes to this notice

This Privacy Notice may change from time to time. We recommend that you visit our website periodically to keep up to date with any changes.

Making a complaint

If you are not satisfied with our response to any query you raise with us, or you believe we are processing your personal data in a way which is inconsistent with the law, you can make a complaint to the Information Commissioner’s Office at:

Wycliffe House, Water Lane

Wilmslow, Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Data retention periods

A summary of our retention periods is available below. Please contact us at [email protected]  if you wish to see our full personal data retention schedule.

 

People who need help from a food bank Your personal information is stored in a secure database for six years
People who donate food at a food bank Where you provide personal information alongside your food donation, your personal information is stored in a secure database for three years.
People signing up to a campaign Your personal information is stored in a secure database for up to two years.
Financial donors Your personal information is stored in a secure database for seven years.
Volunteers (inc. people engaged in our participation projects) If your application is unsuccessful, your information will be held for six months, if you stop volunteering it will be held for twelve months.
Survey and research participants Twelve months after survey is completed. Then results are anonymised.
Promoting our work through sharing stories and photographic imaging Three years after consent was obtained.
Representatives of referral agency partners Two years after the date of the last referral made.
Representatives of food banks in the network Twelve months after a person ceases to be connected to a food bank.
Complainants Six years if the complaint is upheld, three years if the complaint is not upheld.
Employees Seven years after employment ceases.

 

Cookies Policy

We use cookies on our website to store information about how you use our website. This enables us to make navigation easier and direct you to information that best corresponds to your interests.

For any cookies are not strictly necessary for the operation of our website, we will ask you to consent to our use of cookies when you first visit the website.

For more information on Good Company’s use of data, see our Data Privacy Policy.

About cookies

A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device.

Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.

Most web browsers automatically accept cookies, but if you prefer, you can change your browser to prevent that. However, you may not be able to take full advantage of a website if you do so.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

First party cookies are specific to the server that created them and cannot be accessed by other servers, which means they cannot be used to track your movements around the web. Third party cookies are added by scripts added to the website, examples include Facebook, Twitter and YouTube. Although they do identify a user’s computer, cookies do not personally identify customers or passwords. Credit card information is not stored in cookies.

Cookies we use, and why

Necessary

These are cookies that are required for the operation of our website. Cookies used for this purpose are:

  • CookieConsent: Stores the user’s cookie consent state for the current domain

Statistics

We use functionality cookies, which are used to recognise you when you return to our website and remember your preferences.

We also use analytical or performance cookies, including Google Universal Analytics. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works – for example, by ensuring that users are finding what they are looking for easily. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.

Cookies used for this purpose are:

  • _dc_gtm_UA-#: Used by Google Tag Manager to control the loading of a Google Analytics script tag.
  • _ga: Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
  • _gat: Used by Google Analytics to throttle request rate
  • _gid: Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

Marketing

We use cookies from Google Analytics that are used for marketing purposes for the managers of online content. These cookies are used by Google to determine your interests, to track your previous visits to our website and your visits to other websites. You can opt out of Google’s personalised advertising by visiting https://www.google.com/settings/ads and you can opt out of third party cookies use for personalised advertising by visiting http://www.aboutads.info. You can review Google’s privacy policy at https://policies.google.com/privacy.

Cookies used for this purpose are:

  • ads/ga-audiences: Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor’s online behaviour across websites.
  • Collect: Used to send data to Google Analytics about the visitor’s device and behaviour. Tracks the visitor across devices and marketing channels.
  • PREF: Registers a unique ID that is used by Google to keep statistics of how the visitor uses YouTube videos across different websites.
  • VISITOR_INFO1_LIVE: Tries to estimate the users’ bandwidth on pages with integrated YouTube videos
  • YSC: Registers a unique ID to keep statistics of what videos from YouTube the user has seen.

How do I change my cookie settings?

Most web browsers allow some control of most cookies through the browser settings. The methods for doing so vary from browser to browser, and from version to version. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org. You can also obtain up-to-date information about blocking and deleting cookies on specific browsers via these links:

Our website contains links to the sites of third parties. When you visit these sites, we suggest that you read their privacy policies. Good Company is not responsible for the privacy policies or the content of such sites. To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout

Good Company maintains a presence on social media platforms, including Facebook & Twitter. If you share content from one of Good Company’s social media websites, a cookie may be used by the service you have chosen to use to share that content. Epsom & Ewell Foodbank does not control these cookies. You should check the relevant third-party main website for more information.

Your right to information

You have the right to a copy of the information we hold about you. This is known as a subject access request. For more information on this, please visit:

Please e-mail any questions, concerns or comments you have about cookies to [email protected]