GDPR Policy
Who are we?
We are the Human Rights Consortium, a company registered in Northern Ireland, with registered office at Community House, 6A Albert Street, Belfast, BT12 4HQ, and registered number: NI611533. We are a registered charity NIC101538
We are a broad alliance of civil society organisations from across all communities, sectors and areas of Northern Ireland who work together to help develop a human rights based society.
What is this notice?
In order to provide our Services, we may need to process Personal Data from time to time (that is information about someone who can be identified from the data). This Personal Data may be about you or other people. This notice explains how we will use the Personal Data we hold.
As part of our Services we may transfer Personal Data to other people. We’ve set out a list of who we might transfer Personal Data to at paragraph 7. This notice only deals with our use of Personal Data. Recipients not bound by this privacy notice.
We might need to change this privacy notice from time to time. If we do, we let you know. So please do keep an eye on our notice before giving us any Personal Data.
All of the defined terms in this notice are explained in paragraph 14 below. If you have any questions about this notice, feel free to send us an email to info@humanrightsconsortium.org.
Who do we hold personal data about?
We hold Personal Data about the following groups of people (Data Subjects):
| Data Subjects | Description |
|---|---|
| Membership | that is any party who or which has signed up to be a member of our organisation (including any individuals in their companies); |
| Supporters | that is anyone who has signed up to our mailing list or otherwise supported us, other than through Membership; |
| Beneficiaries: | that is any individuals who receive our Services, for example by attending events we run |
Are We a Controller or a Processor?
We are a Controller in respect of the following data: Membership, Supporters and Beneficiaries. This means we make decisions about what data to collect (in respect of those groups of Data Subjects) and how to use it.
Where Do We Collect Personal Data From?
We might collect Personal Data in the following ways:
Membership
| Source | Types of Data Collected |
|---|---|
| Direct interactions with the Data Subject | Contact and Identity Data Transaction Data Preferences Job Roles and Business Data |
| Our Website | Traffic Data Usage Data Technical Data |
| Publically available sources (internet, Companies House) | Contact and Identity Data Job Roles and Business Data |
| Information provided by our Client on membership forms | Contact and Identity Data relating to the membership organisation |
Supporters
| Source | Types of Data Collected |
|---|---|
| Direct interactions with the Data Subject | Contact and Identity Data Transaction Data Preferences Job Roles and Business Data |
| Our Website | Traffic Data Usage Data Technical Data |
| Publically available sources (internet, Companies House) | Contact and Identity Data Job Roles and Business Data |
| Information provided by our Client on membership forms | Contact and Identity Data relating to the membership organisation |
Beneficiaries
| Source | Types of Data Collected |
|---|---|
| Direct interactions with the Data Subject | Contact and Identity Data Transaction Data Preferences Job Roles and Business Data |
| Our Website | Traffic Data Usage Data Technical Data |
| Publicly available sources (internet, Companies House) | Contact and Identity Data Job Roles and Business Data |
| Information provided by our Client | Information provided by our Client |
General
We may also collect, use and share Aggregated Data such as statistical or demographic data which we collect from interactions with these groups. Aggregated Data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data.
How Will We Use the Personal Data We Hold and What Is Your Lawful Basis for Doing So?
Membership
- We hold and process Membership Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Membership Data along with our lawful basis in the table below.
- Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than the Data Subject would reasonable expect; is likely to align with the Data Subject’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject.
| Purpose/Activity | Description | Types of Data | Lawful Basis |
|---|---|---|---|
| To provide our services | Including for organising meetings, events, AGMs etc | Identity Data Contact Data Transaction Data | Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract. |
| To manage our relationship with you | Keeping members up to date with our work and ensuring we are up to date with theirs | Identity Data Contact Data | Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract. Legitimate Interest |
| Administration | For the running of the Human Rights Consortium | Identity Data Contact Data Transaction Data | Legitimate Interest |
| Marketing | In the form of Membership Updates via Mailchimp | Identity Data Contact Data Transaction Data Profile Data Traffic Data | Legitimate Interest Consent |
Supporters
- We hold and process Supporter Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Supporter Data along with our lawful basis in the table below.
- Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than the Data Subject would reasonable expect; is likely to align with the Data Subject’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject.
| Purpose/Activity | Description | Types of Data | Lawful Basis |
|---|---|---|---|
| To provide our services | Including for organising meetings, events etc. | Identity Data Contact Data Transaction Data | Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract. |
| To manage our relationship with you | Keeping supporters up to date with our work and ensuring we are using appropriate details to contact you | Identity Data Contact Data | Consent Legitimate Interest |
| Administration | For the running of the Human Rights Consortium | Identity Data Contact Data Transaction Data | Legitimate Interest |
| Marketing | In the form of Membership Updates via Mailchimp | Identity Data Contact Data Transaction Data Profile Data Traffic Data | Legitimate Interest Consent |
Beneficiaries
- We hold and process Beneficiaries Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Beneficiaries Data along with our lawful basis in the table below.
- Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than the Data Subject would reasonable expect; is likely to align with the Data Subject’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject.
| Purpose/Activity | Description | Types of Data | Lawful Basis |
|---|---|---|---|
| To provide our services | Including for organising meetings, events etc. | Identity Data Contact Data Transaction Data | Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract. |
| Administration | For the running of the Human Rights Consortium | Identity Data Contact Data Transaction Data | Legitimate Interest |
| Marketing | In the form of Membership Updates via Mailchimp | Identity Data Contact Data Transaction Data Profile Data Traffic Data | Legitimate Interest Consent |
If you have any questions about who your data might be transferred to please send us an email at info@humanrightsconsortium.org
What Security Procedures Do We Have in Place?
- It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements.
- We will only hold data that is up to date and necessary. All staff have received training in our legal requirements under GDPR. All personal data that we hold is stored securely and can only be accessed by staff and volunteers who have signed and agreed to be bound by data protection forms. Where we hold paper copies of information it is stored in locked spaces within locked and alarmed office space. Where we hold digital records of your information it is always password protected and only accessible to staff of the Human Rights Consortium.
Where Do We Store the Personal Data We Collect?
- We use Mail Chimp to manage subscription lists, preferences and send emails for those that have signed up to emails via our website. Mail Chimp has staff based outside the European Economic Area, and stores your data in the US. Mail Chimp is certified under the EU-US Privacy Shield framework. You can find out more about Mail Chimp’s privacy policy information.
- If you are based outside the EEA and would like further information about where we hold your data, please contact us by email: info@humanrightsconsortium.org
For How Long Do You Store Personal Data?
Members
Our retention policies for Members as follows:
- we may retain data which is held for marketing purposes for as long as you continue to provide your valid consent
- we may store aggregate data without limitation (on the basis that no individual can be identified from the data).
Supporters
Our retention policies for Supporters are as follows:
- we may retain data which is held for marketing purposes for as long as you continue to give your valid consent
- we may store aggregate data without limitation (on the basis that no individual can be identified from the data).
Beneficiaries
Our retention policies for Beneficiaries are as follows:
- we may retain data which is held for marketing purposes for as long as you continue to give your valid consent
- we may store aggregate data without limitation (on the basis that no individual can be identified from the data).
What Rights Does a Data Subject Have About the Personal Data We Collect and Hold?
Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller.
- Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used.
- Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data has/will be disclosed;
- for how long it will be stored; and
- if data wasn’t collected directly from the Data Subject, information about the source.
- Right of rectification: the right to require the Controller to correct any Personal Data held about the Data Subject which is inaccurate or incomplete.
- Right to be forgotten: in certain circumstances, the right to have the Personal Data held about the Data Subject erased from the Controller’s records.
- Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to the Data Subject. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing the data has been reviewed and updated if necessary.
- Right of portability: the right to have the Personal Data held by the Controller about the Data Subject transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
- Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).
- Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on the Data Subject.
If you want to avail of any of these rights, you should contact us immediately at info@humanrightsconsortium.org. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.
What Happens if You No Longer Want Us To Process Personal Data About Me?
If we are holding Personal Data about you as a Controller, we will comply with your request unless we have reasons for lawfully retaining data about you.
If we are holding Personal Data about you and using that data for marketing purposes or for any other activities based on your consent, you may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever and we will stop processing your Personal Data for that purpose. This will not affect your ability to receive our Services.
Who Do You Complain to if You’re Not Happy With How We Process Personal Data About You?
If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to info@humanrightsconsortium.org.
If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.
What Do All of the Defined Terms in This Privacy Notice Mean?
Throughout this notice you’ll see a lot of defined terms (which you can recognise because they’re capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this notice you see the following terms, they’ll have the following meanings:
Controller is a legal term set out in the General Data Protection Regulation (GDPR), it means the party responsible for deciding what Personal Data to collect and how to use it;
Data Subject means the individual who can be identified from the Personal Data;
Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual;
Processor is another legal term set out in the GDPR, it means the party who has agreed to process Personal Data on behalf of the Controller; and
Special Categories of Personal Data means details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.
Last updated: 28 June 2018