PRIVACY NOTICE (including Staff Privacy Notice)
1. Who Are we?
Camp Simcha takes the privacy and security of your personal information very seriously.
Camp Simcha is a company registered in England and Wales (no.11478657) and registered with the Charity Commission (no. 1180646). Our registered address is Amélie House, 221 Golders Green Road, London, England, NW11 9DQ.
Camp Simcha exists to make a difference to Jewish children affected by serious illness, as well as their families. Our mission is to ensure that no such child or their family, anywhere in the UK has to suffer without our support.
Detailed information about our organisation and our services can be found on our website.
References in this Privacy Notice to ‘we’, ‘us’ or ‘our’ mean ‘Camp Simcha’.
Camp Simcha is a ‘data controller’ for the purposes of the Data Protection Act 2018 (‘DPA 2018’) and the UK General Data Protection Regulation (‘UK GDPR’): we are registered with the Information Commissioner’s Office (ICO), registration no. ZA555870.
Please read this Privacy Notice carefully to understand our practices regarding the processing of your personal data.
2. What types of information do we collect from you?
In this Privacy Notice, the term “personal data”, means information relating to you that allows us to identify you either directly, or in combination with other information we hold.
When you contact us by letter, email, telephone or via our website, we may collect your personal data i.e. name, address, email, telephone number and date of birth (where relevant).
Special categories of personal data
The UK GDPR defines special categories of personal data as information about a person’s race and ethnicity, religious or philosophical beliefs, trade union memberships, political opinions, genetic data, biometric and health data, and information concerning a natural person’s sex life or sexual orientation.
Criminal offence data
Criminal offence data is defined as data relating to criminal convictions and criminal offences. This includes information disclosed by the Disclosure and Barring Service (DBS).
The following sections will answer any questions you have but if not, please contact us using any of the methods shown in the section below entitled “How Do I contact you?”.
3. What lawful basis do we use to process your personal data
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these six must apply whenever personal data is processed by us:
- Consent: we collect and process your data with your consent. This may include whether you agree to receive an email about the ways in which we can support you or how you would like to receive information about us or our services.
- Contract performance: the processing is necessary for the performance of a contract you have with us, or for the purposes of entering into a contract with us.
- Compliance with legal obligation: the processing is necessary for us to comply with the law for tax, social security, and employment purposes etc. This includes sharing with law enforcement agencies details of people involved in fraud or other criminal activity.
- Protection of vital interests: the processing is vital to an individual’s vital interests.
- Public interest: the processing is necessary to perform a task that is in the public interest or for an official function, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests, or the legitimate interests of a third-party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
4. Conditions to process special category personal data?
We rely on the following conditions (as appropriate) under Article 9 of the UK GDPR to process special categories of personal data:
- Explicit consent
- Employment, social security, and social protection (if authorised by law)
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
- Archiving, research, and statistics (with a basis in law).
We aim to collect the least amount of special category data as possible for our processing purposes.
The processing of special category data is covered by relevant policies and procedures and all processing activities involving the processing of special categories of personal data are listed in our ‘Record of Processing Activity’ (RoPA).
5. The data processing principles
The law requires us to:
- Process your data in a lawful, fair and transparent way
- Only collect your data for explicit and legitimate purposes
- Only collect data that is relevant, and limited to the purpose(s) we have told you about
- Ensure that your data is accurate and up to date
- Ensure that your data is only kept as long as necessary for the purpose(s) we have told you about
- Ensure that appropriate security measures are used to protect your data.
6. Personal data we process
We process personal data necessary for Camp Simcha to pursue its charitable objectives for its beneficiaries. This also includes processing the personal data of staff, volunteers, advisers and stakeholders.
We collect your information when you email us, contact us via our website or social media, apply to work for us, work for us, or complete our forms. This includes information provided by you at the time of making a donation, registering with us to attend an event, registering to become a member of staff or a volunteer, registering your interest to receive our support or services, engaged as a freelance consultant, requesting materials, responding to a survey or visit our website, and/or when you report a problem with any of our communication channels or services.
We may collect personal information from you in the following ways, but not limited to:
- When you make a phone call or e-mail us to seek information about our services
- Recruitment and employment, including agents and freelance consultants
- When you have donated to us via any method whether directly or indirectly
- You have used our services or benefited from the organisation in some way
- Through your request for publications and other marketing materials
- Through your request for information about our services and/or events
- Through your registration for events
- Through your contacting us with enquiries and comments
- Through volunteering and event attendance
- ‘Next of kin’ information provided by our staff or volunteers.
The information we may collect in relation to the foregoing includes but is not limited to:
- Your name, address, email, and other contact information
- Occupation, skills and professional activity, network(s) and interests where relevant
- Other relevant personal details (e.g. age group, interests, subscriptions, and etc.)
- Records of your correspondence with us, meeting notes, attendance at events etc.
- Health data (including dietary requirements)
- Protected characteristics (age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation)
- Donation history
- Records of volunteering
- Financial information
- Details of your visit to the website
- Multimedia files such as photographs and video footage
- Photographs and video taken at events or taken for marketing campaigns
- Information about your experiences as a user of our services
- Staff details relevant to their employment status including medical conditions, next of kin, contact details, employment references/work history and salary/pension details
- Staff details including performance monitoring, training and equal opportunities monitoring
- Volunteer details relevant to their engagement as a volunteer
- Information about your access to our databases
- Transaction details you provide to us for the fulfilment of your orders or donations
- Information provided in the surveys we may ask you to complete.
We also collect other information when you apply to use our services, such as health information i.e. details of any disabilities and safeguarding information.
7. How we use the information about you?
We collect personal data in order to manage our functions across our many activities and locations including, but not limited to:
- Provide you with the services you have requested
- Manage the contract of employment or volunteer agreement we have with you
- Administer statutory and contractual leave requirements as well as payment of salary/pension
- Administrative purposes
- Assessing enquiries
- Provide you with information about us and our services.
We will only use your personal data for the purpose it was collected. The data we collect could be in an electronic or paper format. If we believe your data is no longer needed for this purpose, we will not process your data any further.
When we interact with you, we may also collect notes from our conversations with you, and the details of any complaints or comments you make.
We may also collect your social media username if you interact with us through those channels so that we can respond to your comments or questions and provide feedback.
We may send you relevant and personalised communications by post. We will do this on the basis of our legitimate interest. You are free to opt out of hearing from us by any channels at any time.
8. Personal Data processed for recruitment purposes
We collect personal data on our staff and volunteers as part of the administration and management of our organisational activities.
Where an individual is applying to work for us, personal data is collected through the application process. Data is often collected through the CVs that are submitted to us.
There are several purposes that personal data for applicants are collected.
- Employment. We process an applicant’s personal data in order to assess their potential employment with us.
- Administration and management. We may also use this personal data in order to make informed management decisions and for administration purposes.
Personal data collected from applicants is held only for as long as necessary to fulfil the purpose for which it was collected, or for a maximum of two years thereafter where the purpose has been fulfilled and retention is no longer necessary.
9. Surveys and Service Messages
Sometimes we are required to inform you about certain changes. These service messages will not include any fundraising or marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations. You do not have to respond to either form of contact.
We may use your data to send you a survey and feedback requests to help improve the way we communicate. These messages will not include any fundraising requests or marketing and they do not require prior consent when sent by email. It is in our legitimate interest to send these messages as doing so this helps to improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications at any time.
When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience.
If, at any time, you do not wish to receive further information about us or our services, contact us at: email@example.com
11. Links to other websites
Our website may also contain links to other websites of interest. Any third-party websites are not covered by this Privacy Notice, and we encourage our users to refer to the Privacy Notices/Policies on the third-party website.
12. Sharing your personal data
We may disclose your personal information to third parties, with your permission, in the furtherance of providing services to you. We may be under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any agreements, or to protect the rights, property, or safety of the organisation, or other individuals. This includes exchanging information with other companies and organisations for the purposes of safeguarding or other statutory regulations we must comply with as well as those organisations with whom you and we have reciprocal agreements for providing services for social care, education, or professional development. It will also include the sharing of information with, for example, HMRC for the purpose of tax collection and national insurance contributions for those who work for us.
For information on when and how we share photographs and videos please request a copy of our Multimedia Policy by emailing firstname.lastname@example.org.
13. How long will we hold your personal data?
We retain your personal data in a live environment for as long as necessary to fulfil the purpose(s) for which it was collected.
We may keep your data for longer to establish, exercise, or defend our legal rights and yours. Where there is a need, personal data is securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it.
We are required to keep details of financial transactions, including donations, for seven years to meet accountancy and HMRC requirements. We will anonymise or delete personal data if, after a period of seven years, we have not had any contact or communication from you (this will be measured on a rolling seven-year period).
We are required to securely store case files and appropriate staff and volunteer records pertaining to our work with children as per child protection guideline for 25 years, as noted in our Record, Retention and Disposal Policy.
We maintain a data retention criterion to help implement this. This takes account of our legal and accounting obligations, balancing this with what would be considered reasonable.
We will delete personal data or may anonymise (so that you can no longer be identified) for research and analysis purposes in which case we may use this information indefinitely without further notice to you.
14. Security of your personal data
We take the privacy and security of your personal data very seriously. Accordingly, in accordance with the Data Protection Act 2018 and UK GDPR, we have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
These measures include having clear internal policies and procedures and maintaining the physical security to our premises and IT security technologies to prevent the unauthorised access, damage, and loss of your data.
Additionally, we put in place appropriate security procedures and access controls to ensure the confidentiality of the special categories of personal data that we process. For instance, information relating to the medical conditions of our service-users.
It should be noted that the transmission of information via the Internet is not completely secure, and while we will do our best to protect your personal data, we cannot guarantee the security of any personal data transmitted to our site; any such transmission is at your own risk.
15. Locations of processing
The data we collect from you is processed on our servers located in the UK [and within the European Economic Area (EEA)]. We will ensure that your personal data is provided with adequate protection if it becomes necessary to transfer your personal data to a country that has not been granted a finding of adequacy by the European Commission (EC) or the UK government.
Transfers of personal data outside of the UK and European Economic Area (EEA), to a country that has not been granted a finding of adequacy, will be carried out using ‘appropriate safeguards’ such as Standard Contract Clauses (SCC), an International Data Transfer Agreement or in accordance with any approved Codes of Conduct. Alternatively, we will seek your consent (where appropriate), on a case-by-case basis.
16. What are my data subject rights?
We support your data subject rights in relation to the processing of your information under the Data Protection Act 2018 and the UK GDPR, including your:
- Right to be informed (chiefly via this Privacy Notice)
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making including profiling.
You can exercise any of these rights, including your right to request a copy of the information we hold about you (otherwise referred to as a Data Subject Access Request (DSAR)), by contacting us using any of the methods shown in the ‘How do I contact you?’ section (see below).
We will respond to your request as quickly as possible. Usually, this will be within one month of receiving your request.
To protect the confidentiality of your information and in our interests, we may sometimes ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
17. Updating my information
You may choose to correct, update, or delete your personal data by contacting us at any time using any of the methods shown in the ‘How do I contact you?’ section (see below).
If you have opted-in to receiving communications form us, your preferences will remain in effect until you tell us that you want to opt-out of receiving any further communications.
You can change your mind at any time by contacting using any of the methods shown below in the ‘How do I contact you?’ section.
18. Withdrawing my consent
Where we process your information based on your consent, you may withdraw your consent at any time. You can do this by contacting us using any of the methods shown in the ‘How do I contact you?’ section (see below).
19. Making a complaint to us
We hope you’ll never have the need to do so, but if you do want to complain about our use of your personal data, or our facilitation of your data subject rights requests, you can contact us using any of the methods shown in the ‘How do I contact you?’ section (see below).
We will investigate your complaint and provide you with an appropriate response as quickly as possible.
20. Making a complaint to the Information Commissioner
You can lodge a complaint with the Information Commissioner at any time. For instance, if you are unhappy with the way in which we are processing your information, or we have failed to facilitate your data subject rights.
The Information Commissioner can be contacted as follows:
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone: 0303 1231113 (local rate)
Further information about your data subject rights and how to complain to the ICO can be found here: ICO Make a Complaint
21. How do I contact you?
You may contact us using any of the following methods:
Post: Attention of the Data Protection Lead, Camp Simcha, Amélie House, 221 Golders Green Road, London NW11 9DQ
Phone: 020 8202 9297
By email: email@example.com
22. Changes to this Privacy Notice
We review the content of our Privacy Notice annually or earlier if required to ensure it accurately reflects what we do with your information.
This Privacy Notice was last updated in September 2022.