Privacy Notice
- Purpose
- Data protection principles
- The data we collect about you
- Special categories of data
- How your personal data is collected
- How we use your personal data
- Disclosure of your personal data
- International transfers
- Data Security
- Automated decision making
- How long we will store your personal data for
- Your legal rights
- Making a complaint
- Changes to this privacy notice
- Accessibility
Purpose
Peoplehub is aware of its obligations under the General Data Protection Regulation (GDPR) and domestic data protection legislation, and is committed to processing your data securely and transparently. This privacy notice sets out, in line with our data protection obligations, the types of data that we may hold on you. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
The People Hub Network Community Interest Company (peoplehub) is the data controller and responsible for your personal data. We are registered at Companies House with Company Number 07930391.
Our Registered Address and main office address is 30 Brotherston Drive, Blackburn, Lancashire, England BB2 4FJ. Our Data Protection Officer (“DPO”) is Courtney Wright. If you have any questions about this privacy notice or our data protection practices, please contact us by email at hello@peoplehub.org.uk.
Data protection principles
In relation to your personal data, we will:
- process it fairly, lawfully and in a clear, transparent way
- collect your data only for reasons that we find proper for working with you in ways that have been explained to you
- only use it in the way that we have told you about
- ensure it is correct and up to date
- keep your data for only as long as we need it
- process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed.
The data we collect about you
Peoplehub will collect information about people who get in touch and/or work with us to enable us to work with you effectively. We will treat any information given to us in line with our obligations under data protection legislation, and will work on the basis that any information you have provided to us has been provided to us lawfully. We may collect different types of information about you for different reasons, as described below.
We may collect, use, and store different kinds of personal data about you as follows:
- Identity Data including your name;
- Contact Data including your address, email, phone number;
- Financial Data including bank account details;
- Technical Data including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website;
- Feedback and survey responses;
- Usage Data including information about how you use our website and specialist functions we provide;
- Marketing and Communications Data including your preferences in receiving marketing from us and your communication preference.
Special categories of data
GDPR singles out some types of personal data as likely to be more sensitive, called special categories of data, and gives them extra protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms.
In all instances we may also collect, use, and store special categories of data about you including but not limited to:
- Health and related information such as care or personal assistance arrangements and independent living support arrangements.
How your personal data is collected
Direct interactions: You may give us your personal information by filling in forms or corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you apply to participate in workshops/training, subscribe to our publications, request information to be sent to you, give us feedback, or contact us.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the commissioned work we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation
- Occasionally, we may rely on consent as a legal basis for processing your personal data but where we do this we will explain what we would like consent for.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
To process and deliver specialist functions including: ▪ To process and manage reward and recognition fees and expenses claims ▪ Collect and recover money owed to us | ▪ Identity ▪ Contact ▪ Financial ▪ Transaction ▪ Marketing and Communications | ▪ Performance of a contract with you ▪ Necessary for our legitimate interests (to recover debts due to us) ▪ Consent |
To manage our relationship with you which will include: ▪ Contacting you ▪ Notifying you about changes to our terms or privacy policy ▪ Asking you to leave a review or take a survey | ▪ Identity ▪ Contact ▪ Marketing and Communications ▪ Health information | ▪ Consent ▪ Performance of a contract with you ▪ Necessary to comply with a legal obligation ▪ Necessary for our legitimate interests (to keep our records updated, to study how people use our products/services/functions and interact with our organisation, and to develop our organisation) |
To comply with our legal responsibilities to HMRC , any other relevant official bodies and to comply with legal obligations to act in the public interest and uphold the rule of law | ▪ Identity ▪ Contact ▪ Financial ▪ Transaction | ▪ Necessary to comply with a legal obligation |
To comply with safeguarding responsibilities and duties | ▪ Identity ▪ Contact ▪ Health information | ▪ Necessary to comply with a legal obligation ▪ Necessary to protect the vital interests of the data subject or of another natural person |
To host training, meetings and events that you are attending | ▪ Identity ▪ Contact ▪ Marketing and Communications ▪ Health information | ▪ Consent ▪ Performance of a contract with you ▪ Necessary for our legitimate interests (to ensure a standard of performance across the organisation) |
To monitor the quality of any functions we deliver to you, and ensure they meet your expectations and to manage queries or complaints you may have. | ▪ Identity ▪ Contact ▪ Usage | ▪ Consent ▪ Performance of a contract with you ▪ Necessary for our legitimate interests (to ensure a standard of performance across the organisation) |
To send you questionnaires and surveys for evaluation and strategy development purposes. | ▪ Contact ▪ Marketing and Communications ▪ Usage | ▪ Consent ▪ Necessary for our legitimate interests (to develop our organisation) |
To train and develop peoplehub associates | ▪ Identity ▪ Contact ▪ Financial ▪ Health information | ▪ Consent ▪ Necessary for our legitimate interests (to develop our organisation) |
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | ▪ Identity ▪ Contact ▪ Technical | ▪ Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or restructuring exercise) ▪ Necessary to comply with a legal obligation |
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | ▪ Identity ▪ Contact ▪ Usage ▪ Marketing and Communications ▪ Technical | ▪ Necessary for our legitimate interests (to study how people access our information and advertisements, to develop them, to grow our community and to inform our organisational strategy) |
To use data analytics to improve our website, functions we offer, marketing, relationships and experiences | ▪ Technical ▪ Usage | ▪ Necessary for our legitimate interests (to define our audience, to keep our website updated and relevant, to develop our organisation and to inform our organisational strategy) |
To send newsletters, articles and invitations to events and information relating to fundraising activities | ▪ Identity ▪ Contact ▪ Technical ▪ Usage ▪ Marketing and Communications | ▪ Consent ▪ Necessary for our legitimate interests (to develop and grow our organisation) |
Business management and planning, including accounting and auditing. | ▪ Identity ▪ Contact ▪ Financial | ▪ Necessary for our legitimate interests (to allow the proper running of our organisation) ▪ Necessary to comply with a legal obligation |
Complying with legal and regulatory frameworks including health and safety obligations and prevention of fraud. | ▪ Identity ▪ Contact ▪ Technical ▪ Usage | ▪ Necessary to comply with a legal obligation |
Equal opportunities monitoring. | ▪ Identity ▪ Health information ▪ Racial or ethnic origin ▪ Sexual orientation | ▪ Consent ▪ Necessary for our legitimate interests (to ensure we are reaching as wide a range of people as possible) |
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the contact details at the top of this policy. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Disclosure of your personal data
We may share your personal data with the specific third parties listed below:
- Hosts of training and other events to inform them about attendees’ access and other requirements;
- Official bodies if required by law and/or safeguarding obligations.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
International transfers
We do not transfer your personal data outside the European Economic Area (EEA).
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have separate policies on data protection, data breach notification, and data transfer which detail these security measures.
In addition, we limit access to your personal data to those who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Automated decision making
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
How long we will store your personal data for
We will only retain your personal data for as long as is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Type of personal data | Retention period |
Identification and Due Diligence | We will keep information that we need to complete anti-money laundering and due diligence checks for a period of 5 years from the date of our last interaction with you; this is in order to comply with our anti-money laundering obligations. |
Financial transactions | We will keep information about you and any financial transactions, including fees paid and payments for services, for a period of 7 years, in order to comply with HMRC requirements to keep accurate records that can be audited. |
Contact information | Contact information for marketing purposes will need to be refreshed periodically and in any event at least every 2 years. We will hold you contact details on a suppression list if consent is withdrawn to ensure that no further marketing materials are sent. |
Your legal rights
The law on data protection gives you certain rights in relation to the data we hold on you. These are:
- the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice
- the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request. You can read more about this in our subject access request policy which is available by contacting us at hello@peolehub.org.uk.
- the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it
- the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it
- the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
- the right to portability. You may transfer the data that we hold on you for your own purposes
- the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests
- the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in way that adversely affects your legal rights.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
If you wish to exercise any of the rights explained above, please contact our Data Protection Officer by emailing hello@peoplehub.org.uk.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. If we are processing significant amounts of data for you, or numerous categories of data, we may also ask you to define the categories of data to which you are exercising your rights.
Making a complaint
The supervisory authority in the UK for data protection matters is the Information Commissioner’s Office (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO. For more information, please visit https://ico.org.uk/.
Changes to this privacy notice
This privacy notice was reviewed in January 2022. It is due for review no later than end January 2023. We constantly review our internal privacy practices and may change this notice from time to time. When we do we will inform you by updating our website and telling you in any documentation or messages we send you.
Accessibility
If it would be helpful to have this notice provided in another format (for example: in another language, audio, braille) please contact us by email at hello@peoplehub.org.uk or by using the contact form on the Contact Us page of our website.
Version: 2.0
Dated: January 2022
Review: January 2023