our privacy commitment
Openness, honesty and trust are the cornerstones of any community and key values here at The Together Plan.
Working in the former Soviet Union – where trust in institutions is understandably rock-bottom – reminds us daily how critical these values are in building real community. Recent world events demonstrate just how easily this trust is broken, and how damaging and destructive to society such an abuse of trust can be.
As a supporter of The Together Plan, you give the gift of community to our partners in Belarus, and we want to make sure that the same values define our relationship with you.
what the law says about data processing
Note: this section is intended as a summary. More details are given in our privacy notice.
Under UK and EU data protection law, there are six situations in which we are allowed to use your personal data:
- With your prior explicit agreement;
- Where necessary to fulfil The Together Plan’s objectives, as set out in this notice (known as “legitimate interest”). In these cases we need to prove our approach protects your privacy as far as possible and your legal rights and interests are unaffected;
- In order to fulfil a contract between you and us;
- In order to comply with our legal obligations;
- Where we have an obligation to protect your vital interests (or someone else’s interests);
- Where it is needed in the public interest in accordance with the law.
(We anticipate the last two uses will be extremely rare.)
We are only allowed to use your personal information for the purposes for which we collected it (or for closely related purposes we believe you would support).
If we need to use your personal information for an unrelated purpose we will contact you first, explaining why and how we plan to use your information and our legal basis for doing so.
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using the following types of personal information. The following categories are covered by these protections:
- Physical or mental health, including any details of a medical condition or disability;
- Nationality, race or ethnicity;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Sexual orientation or sex life;
- Genetic information and biometric data; or
- Information relating to criminal convictions and offences.
We process this type of information where it is necessary to provide services to you in accordance with our agreement. Where you provide information to us voluntarily we only process such information with your consent. We process information:
- Relating to a health condition or disability in order to make reasonable adjustments in the provision of our services.
- Where it is needed to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
- About your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting. We make every effort to anonymise such information.
- Relating to criminal convictions where the law allows or requires us to do so. Except where this is necessary for safeguarding reasons in the course of providing services, we do not envisage that we will hold information about criminal convictions.
We may process particularly sensitive personal information without your consent if we are under a legal obligation to do so or for reasons of substantial public interest.
We do not process particularly sensitive personal information about supporters and donors as part of our usual course of business.
We may from time to time approach you for your written consent to allow us to process certain particularly sensitive information for other purposes. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
your data protection rights
By law, you have the right to:
Commonly known as a “data subject access request”. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
This enables you to have any incomplete or inaccurate information we hold about you corrected.
You have the right to object to processing on the basis of our legitimate interests (or those of a third party) where your particular situation makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for marketing purposes.
This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
This is also known as the right to data portability,
In the limited circumstances where we process your information for a specific purpose on the basis of your consent, you have the right to withdraw consent for the collection, processing and transfer of your personal information for that purpose at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are required to continue to process your information in accordance with another lawful basis which has been notified to you.
We will be happy to comply with any requests in connection with the above rights, free of charge wherever possible, at any time. Please contact the Data Privacy Manager, via The Together Plan office in the UK on +44 (0)20 3375 0656 or at firstname.lastname@example.org or by writing to The Studio, 60 Glencoe Road, Bushey, Herts WD23 3DS with requests or for further information.
third parties who have access to your data
We share data with the following third parties who provide services to us:
All categories of personal data are routinely stored. Salesforce is an industry leader in data protection, and privacy policies and practices are available at https://trust.salesforce.com/en/. Our Salesforce instance is located on servers in Paris and Frankfurt (so subject to the EU’s GDPR rules).
Subscribers’ names, email addresses, marketing preferences and, in some cases, approximate geographic locations, are stored. Campaign Monitor guarantees compliance with GDPR. The Together Plan works together with Campaign Monitor to ensure the maximum possible protection for our data. Campaign Monitor uses servers located in the USA and outsourced services provided worldwide.
Google Cloud’s GSuite provides The Together Plan’s email systems, cloud storage and other internal communication and collaboration tools. Past email conversations and files containing all categories of personal data are stored.
These companies process details relating to payments to us. This usually includes the identity of the person or organisation who made the payment.
HMRC receives the personal details of our Gift Aid donors in order to verify the validity of their Gift Aid declarations and process.
Financial details are processed by these companies and not passed on to The Together Plan. Their respective privacy policies, which can be found on their websites, explain how they use data you provide to them. We also use JustGiving (https://www.justgiving.com/) for collecting donations.
We typically use Eventbrite to collect the names and email addresses of attendees and other information necessary for holding the event. Payment details are processed by Eventbrite and not passed on to The Together Plan.
These companies have access to data that could be used to identify individuals, such as IP addresses. The Together Plan does not use this data to identify individual visitors to its website as part of our usual course of business.
All of these organisations operate as “data processors”, meaning that they are authorised by us to use personal information only for purposes and in ways that we specify.
Some are also “data controllers”, meaning that they are able to use personal information provided to them by us for their own purposes. In these cases, legal responsibility lies with the third party for using your data appropriately and communicating to you how it will be used.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions.