Our commitment to your privacy
Crossroads Global Village (UK) Limited (“we”, “us”, “our”) is committed to protecting the privacy and security of your personal data. This Privacy Statement (“Statement”) gives you information about how we will collect and use personal data about you in connection with services we provide.
We are data controllers in respect of the personal data we collect about you for the purposes of the UK Data Protection Act 2018 (“DPA”) and the EU General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”).
Information we may collect from you
We may collect and process the following types of personal data which you provide to us:
- your name, address, email, phone and fax numbers
- your gender and date of birth
- financial information such as credit card information (if you make a payment to us), bank account details (if we are making payment to you by direct debit) and financial status (if you have applied to receive certain items or assistance from us)
- health information (only in very specific circumstances, for example, if it is relevant to your participation in a volunteer service or an X-perience or if you have made a specific request for items or assistance related to your medical condition)
- responses to surveys or feedback provided
- website usage and publication take-up
- purchasing and donation history
- causes you are sympathetic towards
- X-periences you have participated in
- photographs of you participating, engaging, associating, supporting or benefiting from/in our activities
The purpose and legal basis for processing your information
Except as disclosed below the table, the purposes for which we may process all of the above non-sensitive personal data, and the legal basis on which may perform such processing, are:
|Processing purpose||Legal basis for processing|
|Communicating with you in relation to services that we provide you||We have a legitimate interest in communicating with you in relation to the services that we provide you.|
|Communicating and interacting with you via our websites||We have a legitimate interest in communicating and interacting with you via our websites|
|Conducting market or customer satisfaction research; and engaging with you for the purpose of obtaining your views on our services||We have a legitimate interest in conducting market or customer satisfaction research and engaging with you for the purpose of obtaining your views on our services.|
|Establishing, exercising and defending our legal rights||We have a legitimate interest in establishing, exercising and defending our legal rights|
|For audit, compliance, controls and other risk management||We have a legitimate interest in establishing, exercising and defending our legal rights|
|Identifying issues with our existing services; planning improvements to existing services; and creating new services||We have a legitimate interest in identifying issues with our existing services; planning improvements to existing services; and creating new services|
We may process Special Categories of Data for the following purposes and under the following legal bases:
|Processing purpose||Legal basis for processing|
|Considering information about your health (only in very specific circumstances, for example, if it is relevant to your participation in a volunteer service or an X-perience or if you have made a specific request for items or assistance related to your medical condition)||We have obtained your prior explicit consent to process your health data.|
|Detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.||We have a legitimate interest in processing personal data (including Special Categories of Data) for the purposes of preventing or detecting an unlawful act and to establish, exercise or defend ourselves against legal claims.|
Disclosure of personal data
In the course of providing services to you, we may share your personal data with the following third parties:
- Crossroads Foundation Ltd
- the printers who help us to prepare various communications we send to you
- our appointed insurance company
- financial service providers
We may disclose your personal data to these third parties in connection with services provided by the third parties to us. These service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
In some contexts, we may disclose the personal data to the following controllers who will be directly responsible under data protection law for protecting the personal data:
- our legal adviser for the purpose of providing legal advice to us
- our auditor for the purpose of providing audit services to us
- HM Revenue & Customs if we are under a duty to disclose or share your personal data in order to comply with any legal obligation
- UK’s Charity Commission
- financial service providers
We may also disclose your personal data to other third parties, for example if we need to share your personal data with a supervisory authority or regulator or to otherwise comply with the law.
International transfers of personal data
The personal data that we process about you may be transferred outside the European Economic Area (“EEA“) including places like Hong Kong. We do this in a way which complies with data protection law and the mechanisms that we’ve used is standard contractual clauses approved by the European Commission for transfer of personal data. For a copy of this contact us at email@example.com.
Retention of personal data
We will hold your personal data only for as long as is necessary to provide the requested services.
To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data and whether we can achieve the purpose of the processing through other means. Our retention of your personal data, and the criteria we apply to determine how long it is necessary for us to retain your personal data, is kept under review in accordance with our Data Retention Policy. This policy states that we keep your personal data for 7 years since your last active involvement with us but we may keep it longer if we’re required to do so by law.
Your rights under the EU General Data Protection Regulation
In certain circumstances, under the GDPR you will have the right to:
- Request access to your personal data.
- Request rectification of your personal data if it is inaccurate or incomplete.
- Request deletion of your personal data if there is no reason for its continued processing.
- Restrict the processing of your personal data (for example, if you want us to establish its accuracy or the reason for processing it).
- Object to the processing of your personal data being processed.
- Request the transfer of your personal data to another party.
- Withdraw your consent to processing, in the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless they have another legitimate basis for doing so in law. Please note that the withdrawal of your consent will not affect the lawfulness of any processing of personal data based on your consent before its withdrawal.
If you want to access, rectify or request deletion of your personal data, object to the processing of your personal data, request that we transfer a copy of your personal data to another party, or withdraw your consent to processing (if applicable), please contact us in writing at the address given below.
Updates to this Statement
We reserve the right to update this Statement and any other relevant policies or procedures at any time. Any substantial changes that we may make to this Statement in the future will be posted on this page: http://www.cgvuk.org/privacy/ We may also notify you in other ways from time to time about the processing of your personal data.
If you have any questions concerning this Statement or the policies or procedures referred to above, please contact us at firstname.lastname@example.org
If you are dissatisfied with any aspect of how we handle your personal data, you have a right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk).