Data Protection

Find out what information we might have on you, what we do with it, and what your rights are

Introduction to new data protection policy, 25th May 2018

Openness, honesty and trust are the cornerstones of any community and key values here at The Together Plan. Working in the former Soviet Union – where trust in institutions is understandably rock-bottom – reminds us daily how critical openness, honesty, transparency and inclusivity are in building a community.

Recent world events demonstrate just how easily this trust is broken, and how damaging and destructive to society such an abuse of trust can be. As a supporter of The Together Plan, you give the gift of community to our partners in Belarus, and we want to make sure that the same values define our relationship with you.

On 25th May, the EU’s new General Data Protection Regulation (GDPR) came into force. These new rules are designed to ensure that organisations treat their customers and supporters with the respect for their privacy that they deserve. We wholeheartedly approve of the new GDPR and pride ourselves on our transparent relationship with our partners and supporters.

The information below explains what information The Together Plan holds about you, how and why we use it, and your legal obligations.

About this notice

The information on this page explains what personal information we hold, the ways in which we collect, store and use that information, our legal basis for doing so, and your legal rights.

If you have had any correspondence or relationship with The Together Plan in the past, we probably hold or have held personal information relating to you, and therefore some or all of this notice will apply to you. If you are not sure if this notice applies to you, please contact us.

If you have any questions about this transparency notice or how we handle your personal information, please contact us on +44 (0)203 375 0656 or at office@thetogetherplan.com or write to PO Box 70138, London, N12 2EY.

You can also download our privacy statement in full by clicking here.

We are The Together Plan, a UK Registered Charity (No. 1154167) and a company limited by guarantee registered in England and Wales (Company No. 8399795).

This page was last updated on 24/05/2018.

How we use your personal information

We hold…

your name and email address, in order to send you regular email communications that you have chosen to receive. We currently send:

  • A regular newsletter containing news and information about our work (sent approximately weekly);
  • Invitations to upcoming events run by The Together Plan (usually sent once when booking opens and once shortly before the event).

If you have chosen to receive marketing communications by post instead, we will process your postal address.

Where you have given us specific consent, we will use your approximate address to restrict the event invitations we send you to those for nearby events.

We do this because…

you have given us your explicit consent. You will only receive subscription communications from us if you have given us explicit permission to send them (or have provided your personal details specifically for this purpose). You may withdraw consent at any time.

You may choose to receive both the newsletter and event invitations, only one of these, or none, by clicking the “choose which emails you receive” link in the footer of any subscription email, or by email to office@thetogetherplan.com.

We collect your information…

when you subscribe to communications. This might be using an online or paper sign-up form or by email, telephone or in person. If you consent orally, we will send you written confirmation of this before sending you any other communications.

You will be informed before signing up which communications your subscription is for. Automated sign-up processes including the sign-up forms displayed on our website apply to both the newsletter and events invitations.

We store your information…

for the duration of your subscription. We will ask for your renewed consent every two years. We keep a record of unsubscriptions for the purpose of preventing you from being re-subscribed in error; however, you may request the deletion of this record if you wish.

We hold…

  • Your name, address and contact details;
  • A record of your engagement with The Together Plan, including past donations, event attendance, volunteer activities, etc.
  • Background information about you and your relationship with the charity, to inform and improve the service we provide to you.
  • Feedback you provide on our events, campaigns and other services

In the case of donations by companies or charities, we process the above for the company or charity and its employees and representatives.

We do this because…

it is necessary for the legitimate interests of promoting and growing our charity, improving our services, and fundraising for our charitable purposes.

If you authorise an electronic payment in person, in writing or by phone, we use your financial details in order to process the payment. This processing is necessary for the fulfilment of the contract between us. Financial details are deleted once the payment is successfully authorised. Where payments are authorised online, financial details are provided to a third party (see above) who acts as data controller and is responsible to you for their use of that data. The Together Plan does not process your financial details for online payments.

We share your information…

publicly on our website, in the case of certain fundraising and sponsored events. This is for the purposes of allowing participants to see their fundraising progress and encouraging further sponsorship in order to support The Together Plan’s fundraising activities. In this case, your name, donation amount, and any other optional information you provide (such as a message to participants) will be published.

You may donate anonymously to such sponsored events by choosing the “anonymous donation” option. We will clearly inform you of our intention to publish donations before you donate, so that you may consider whether to donate anonymously.

If you donate anonymously, no personal data provided by the donor is included in the publicly available record of anonymous donations. However, other information you provide, such as a message to participants, may still be published, so be sure not to include any personally identifiable information in these fields if you wish your donation to be anonymous.

Sometimes, we may seek to publish information relating to individual major donations for the purposes of further fundraising or transparency. In these cases we will contact you so that you may consider whether you wish to consent.

If you would prefer to donate without leaving any public record (whether anonymous or not), then we encourage you to make your donation(s) here.

We store your information…

for the duration of your relationship with us, unless we are required to hold this information longer for legal or regulatory reasons. We consider this relationship to have ended once two years have passed since your last interaction with us.

In addition to Section #2 above:

We hold…

  • Information relating to your family history, including names of ancestors and the dates and places of their birth, death, marriage, emigration, naturalisation and other life events
  • If travelling to Belarus, details required for booking travel, accommodation and visas, including your date of birth, occupation, passport details and medical insurance details

We do this because…

this processing is necessary to fulfil the contract between us. Withholding information will affect our ability to conduct genealogical research or plan a trip to Belarus on your behalf.

We collect your information…

when you provide it to us directly, as well as from public sources such as archives in the course of our research.

We share your information…

with our archive researchers and associates, who are official representatives of The Together Plan and who are required to comply with these data protection rules and all UK, EU and local law. They may further share your information with staff at archives and museums where we intend to carry out genealogical research.

In booking flights, accommodation and visas we may need to share your information with airlines, hotels, transport companies, the Belarusian Embassy in the UK and/or your country of residence, and your inviting organisation (for visa purposes).

In all cases we will inform you of our intentions, so that you may consider whether to consent or object to this sharing of your data.

It is a Belarusian visa requirement to provide evidence of medical insurance cover for your trip. Depending on your insurer, this documentation may contain sensitive information relating to your medical history (see the section on particularly sensitive information below). To streamline the visa application process, this information will also be seen by The Together Plan in order to check that your insurance policy meets all requirements.

We store your information…

for the duration of your research and/or travel to Belarus. After this, family history is deleted, unless you give us explicit permission to keep it (for example, if you intend to commission further research in the future). Passport, visa and insurance details are deleted as soon as they are no longer needed. Please allow two months for data deletion to take place.

Personal information covered by Section #2 is likely to be stored for longer. See that section for more information.

In addition to Section #2 above:

We hold…

  • Information related to contracts between us
  • In the case of our employees, information necessary for our employment of you, such as tax information
  • Financial information, including bank details for payment of fees or salaries

We do this because…

it is necessary to fulfil the contract(s) between us.

We collect your information…

when you provide it to us directly in person, in writing or using an online volunteer sign-up form.

We store your information…

for the duration of your relationship with us, unless we are required to hold this information longer for legal or regulatory reasons.

In addition to Section #2 above:

We hold…

  • Background information about you and your relationship with the charity, to inform and improve the service we provide to you. This may include lifestyle information about you and your family.
  • Information relating to applications for funding made either to The Together Plan or to a third party with our support. This may include information about your family or other third-party beneficiaries.
  • Personal information contained in documents reviewed by us as part of any due diligence.
  • Feedback you provide to us on our services.

In the case of partners and beneficiaries who are organisations, we process this data for the organisation and its representatives, staff and volunteers. We may also hold further data on individual members or service users of the organisation with the consent of those individuals.

We do this because…

it is necessary for the legitimate interests of fulfilling our charitable objectives, providing services to you, and informing the development of our services.

We collect your information…

when you, or an organisation representing you, provide it to us directly, or from publicly available sources in the course of our provision of services to you.

We store your information…

for the duration of your relationship with us, unless we are required to hold this information longer for legal or regulatory reasons.

Click on the sections above to see the appropriate information for your circumstances.

In addition, please note that, for all people about whom we hold information:

  • In order to comply with our legal obligations, we may perform due diligence in the form of credit checks and verification of your identity including checking photographic identification and proof of address.
  • To the extent permitted by law, we may monitor electronic communications for the purposes of ensuring compliance with our legal and regulatory obligations and internal policies.
  • We may, from time to time, approach you for your consent to allow us to process your personal information for other purposes. If we do so, we will provide you with details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.

What the law says about data processing

Legally, there are six situations in which we are allowed to process your data:

  • With your prior agreement;
  • Where necessary to fulfil The Together Plan’s objectives, as set out in this notice (known as “legitimate interest”). In these cases we need to prove our approach protects your privacy as far as possible and your legal rights and interests are unaffected;
  • In order to fulfil a contract between you and us;
  • In order to comply with our legal obligations;
  • Where we have an obligation to protect your vital interests (or someone else’s interests);
  • Where it is needed in the public interest in accordance with the law.

(We anticipate the last two uses will be extremely rare.)

We are only allowed to use your personal information for the purposes for which we collected it (or for closely related purposes we believe you would support).

If we need to use your personal information for an unrelated purpose we will contact you first, explaining why and how we plan to use your information and our legal basis for doing so. Please be aware that we will not always notify you when using personal information in ways set out in this notice.

Your data protection rights

By law, you have the right to:

Commonly known as a “data subject access request”. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

This enables you to have any incomplete or inaccurate information we hold about you corrected.

This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

You have the right to object to processing on the basis of our legitimate interests (or those of a third party) where your particular situation makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for marketing purposes.

This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

This is also known as the right to data portability,

In the limited circumstances where we process your information for a specific purpose on the basis of your consent, you have the right to withdraw consent for the collection, processing and transfer of your personal information for that purpose at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are required to continue to process your information in accordance with another lawful basis which has been notified to you.

We will be happy to comply with any requests in connection with the above rights at any time. Please contact the Data Privacy Manager, via The Together Plan office in the UK on +44 (0)203 375 0656 or at office@thetogetherplan.com or by writing to PO Box 70138, London, N12 2EY, with requests or for further information.

For example, some rights do not apply where they would prevent us from fulfilling our legal obligations or where considerations of the public interest or the vital interests of our data subjects apply in line with this notice.

Exercising these rights, including access to your personal information, is free of charge. However, we may need to charge a fee to recover our costs if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using the following types of personal information. The following categories are covered by these protections:

  • Physical or mental health, including any details of a medical condition or disability;
  • Nationality, race or ethnicity;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Sexual orientation or sex life;
  • Genetic information and biometric data; or
  • Information relating to criminal convictions and offences.

We process this type of information where it is necessary to provide services to you in accordance with our agreement. Where you provide information to us voluntarily we only process such information with your consent. We process information:

  • Relating to a health condition or disability in order to make reasonable adjustments in the provision of our services.
  • Where it is needed to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
  • About your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting. We make every effort to anonymise such information.
  • Relating to criminal convictions where the law allows or requires us to do so. Except where this is necessary for safeguarding reasons in the course of providing services, we do not envisage that we will hold information about criminal convictions.

We may process particularly sensitive personal information without your consent if we are under a legal obligation to do so or for reasons of substantial public interest.

We do not process particularly sensitive personal information about supporters and donors as part of our usual course of business.  

We may from time to time approach you for your written consent to allow us to process certain particularly sensitive information for other purposes. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.

Data storage, sharing and security

Sharing data with third parties

We share your data with the following third parties who provide services to us:

All categories of personal data are routinely stored. Salesforce is an industry leader in data protection, and privacy policies and practices are available at https://trust.salesforce.com/en/. Our Salesforce instance is located on servers in Paris and Frankfurt (so subject to the EU’s new GDPR rules).

Subscribers’ names, email addresses, marketing preferences and, in some cases, approximate geographic locations, are stored. Campaign Monitor guarantee compliance with GDPR. The Together Plan works together with Campaign Monitor to ensure the maximum possible protection for our data. Campaign Monitor use servers located in the USA and outsourced services provided worldwide.

Microsoft Office 365 provides The Together Plan’s email systems, cloud storage and other internal communication and collaboration tools. Past email conversations and files containing all categories of personal data are stored.

These companies process details relating to payments to us. This usually includes the identity of the person or organisation who made the payment.

HMRC receives the personal details of our Gift Aid donors in order to verify the validity of their Gift Aid declarations and process

Financial details are processed by these companies and not passed on to The Together Plan. Their respective privacy policies, which can be found on their websites, explain how they use data you provide to them. We have also used BT MyDonate (https://mydonate.bt.com/) in the past for collecting donations.

We typically use Eventbrite to collect the names and email addresses of attendees and other information necessary for holding the event. Payment details are processed by Eventbrite and not passed on to The Together Plan.

These companies have access to data that could be used to identify individuals, such as IP addresses. The Together Plan does not use this data to identify individual visitors to its website as part of our usual course of business.

All of these organisations operate as “data processors”, meaning that they are authorised by us to use personal information only for purposes and in ways that we specify.

Some are also “data controllers”, meaning that they are able to use personal information provided to them by us for their own purposes. In these cases, legal responsibility lies with the third party for using your data appropriately and communicating to you how it will be used.

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions.

In order to fulfil The Together Plan’s core purposes, personal data is made available to staff (employees and volunteers) of The Together Plan in Belarus. We require all our staff with access to personal data to respect EU and UK data protection laws in addition to local laws, no matter which country they are located in.

Except as noted above, as far as possible we do not transfer personal data to third parties outside of the European Economic Area (EEA), where data protection standards are typically lower. Should we need to transfer your personal information to third parties outside the EEA, we will put in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection, and we will inform you of our intentions so that you may consider whether you wish to object.

If you are based outside the EEA we may transfer personal information to the correspondence address you provide to us. We will take all reasonable steps to ensure that such transfers are secure. By instructing us from outside the EEA you acknowledge and agree that such transfers are necessary for us to provide services to you.

We have put in place measures to protect the security of your information. Details of these measures are available upon request.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed.

We limit access to your personal information to those employees, volunteers, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, having completed appropriate training, and with appropriate oversight, and they are subject to a duty of confidentiality.

Third party data processors will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention and deletion

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The retention period for each of the different types of data we process is specified above.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

Where a minimum retention period is required by law (such as retaining records for HMRC purposes or for compliance with the Charity Law requirements) we comply with that minimum period plus up to 12 months to allow time for us to anonymise or delete information in accordance with our internal data management processes.

If we are required to retain your information longer than our standard retention periods, we will let you know (unless we are prevented by law from doing so).

In some circumstances we may anonymise your personal information so that it can no longer be associated with you. In this case, it is no longer personal information and we may use such information without further notice to you.