AEDdonate Privacy Policies

Volunteer Privacy Notice

Who collects your personal data

The data controller is AEDdonate at:

14 Emerald Way, Stone Business Park, Stone, Staffordshire, ST15 0SR.

What personal data is collected and how it’s used

AEDdonate uses your data for administrative purposes to support and manage your volunteering role. These purposes may include, but are not limited to:

  • records maintenance
  • health and safety obligations
  • identifying volunteering and training opportunities
  • communication about your volunteering role

AEDdonate uses the health data you provide:

  • to keep you and others safe while volunteering
  • in risk assessments, and to put in place countermeasures for identified risks

The legal basis for processing your personal data

Volunteering is a role carried out in the public interest. AEDdonate must process your data to support and manage this role.

AEDdonate must process your health data:

  • for public health reasons, such as keeping members of the public and other volunteers safe
  • to fulfil its duty of care for volunteers under Section 3 of the Health and Safety at Work Act 1974

Consent to process your data

The processing of your data is not based on consent. You cannot withdraw it.

Who AEDdonate shares your personal data with

If your volunteering role involves direct contact with a partner organisation(s) or supervision by another volunteer, AEDdonate will securely share some information with them. This makes sure:

  • you get continuity of support and management in your volunteering role
  • the aims of a project or contract are met

Details shared may include, but are not limited to, your:

  • name
  • contact details
  • emergency contact details
  • training records
  • personal risk assessments

AEDdonate respects your personal privacy when responding to access to information requests. AEDdonate only shares information when necessary to meet the statutory requirements of the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

How long AEDdonate holds personal data

AEDdonate keeps personal data for:

  • 2 years after your volunteering role ends
  • 7 years if your personal data relates to a formal complaint or a reported health and safety incident
  • 6 years in relation to any financial payments

If you’re interested in volunteering, AEDdonate will keep your details on file for up to 12 months. If there’s not a role immediately available, AEDdonate will remove them.

What happens if you do not provide the data

AEDdonate cannot accept your offer to volunteer if you do not provide the information requested.

Use of automated decision-making or profiling

The information you provide is not used for:

  • automated decision making (making a decision by automated means without any human involvement)
  • profiling (automated processing of personal data to evaluate certain things about an individual)

Transfer of data outside the European Economic Area (EEA)

AEDdonate will not transfer your data outside the EEA.

Your rights

Find out about your individual rights under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Complaints

You have the right to make a complaint to the Information Commissioner’s Office at any time.

AEDdonate’s personal information charter

AEDdonate’s Personal Information Charter explains more about your rights over your personal data.

Employee Privacy Notice

This privacy notice:

  • describes how AEDdonate or its service providers collect and use your personal data for recruitment and employment purposes

Who collects your personal data

The data controller is AEDdonate at:

14 Emerald Way, Stone Business Park, Stone, Staffordshire, ST15 0SR.

Send questions about how AEDdonate uses your personal data and your associated rights to the Head of Finance.

We process personal data in order to carry out our function as a Charity defined by the Charities Acts 1992, 2006, 2011, 2016 & 2022.

You should be aware that if you are accepted for a role with us, your data will be processed in accordance with the privacy notice for current and former employees, workers and contractors.

This privacy notice explains how the Charity processes your personal data. It also sets out some of your rights and entitlements in respect of that personal data.

What personal data AEDdonate collects

AEDdonate or its service providers store and use the following types of personal data:

  • contact details, such as name, address, telephone number and email address
  • dates of birth, marriage, civil partnership and divorce
  • gender, marital status, dependants, next of kin, emergency contact and death benefit nominee
  • National Insurance number
  • bank account details and tax status information
  • copy of driving licence, passport, birth and marriage certificates, etc
  • secondary employment, register of interests and volunteering information
  • recruitment information, such as right-to-work documentation, references and details in a curriculum vitae (CV)
  • evidence of how you meet nationality rules, your right to work in the UK and immigration status, such as passport and nationality details

We store and use the following types of personal data relating to your employment:

  • salary, payroll records, annual leave, pension and benefits information
  • confirmation of your security clearance
  • start and leave dates
  • location of workplace
  • employment records, such as your contract, job title, working hours and attendance
  • performance, appraisal, disciplinary and grievance information
  • CCTV footage and other information obtained through electronic means, such as swipe-card records
  • your use of AEDdonate’s information and communications systems
  • accident book, first aid records, injury at work and third-party accidents

Special category personal data

You may provide more sensitive personal data on a voluntary basis, such as:

  • socio-economic background, such as type of school attended, parents’ highest qualification and main job
  • race or ethnicity
  • religious beliefs
  • sexual orientation
  • political opinions
  • trade union membership
  • health data, such as medical conditions and sickness records, which may include genetic and biometric data

Criminal conviction data

We only collect information about criminal convictions or allegations of criminal behaviour:

  • where it’s appropriate to your role
  • if it’s legally possible to do so
  • as part of the recruitment process
  • if you tell us during your employment or contract

Where AEDdonate collects your personal data from

AEDdonate or its service providers collect personal data about employees and contractors through the recruitment process. This data comes directly from candidates or sometimes from an employment agency or background check provider.

We sometimes collect information from third parties including:

  • former employers
  • credit reference agencies or other background check agencies
  • doctors, medical and occupational health professionals
  • Disclosure and Barring Service
  • United Kingdom Security Vetting
  • UK Visas and Immigration
  • consultants and other professionals who advise us

We may collect additional personal data during job-related activities throughout your employment.

How AEDdonate uses your personal data

AEDdonate or its service providers use your personal data to:

  • manage your contract of employment
  • make a decision about your recruitment or appointment, such as assessing qualifications for a role
  • pay you and deduct tax and National Insurance contributions
  • provide you with employment-related benefits
  • give information to your pension provider, such as a promotion or change in working hours
  • conduct performance reviews, manage performance and set performance goals
  • help plan your education, training and development requirements
  • monitor equal opportunities and diversity
  • comply with health and safety regulations
  • monitor your use of AEDdonate’s information and communication systems and check you follow its IT and security policies
  • provide you with the security clearance appropriate for your role
  • deal with Freedom of Information Act or Environmental Information Regulations requests

We may also use your personal data to:

  • make a decision about transfer to another role
  • check you’re legally entitled to work in the UK
  • gather evidence for grievance or disciplinary matters
  • make decisions about your continued employment or engagement and termination of contract
  • deal with legal disputes involving you and other employees or contractors, including accidents at work
  • decide if you’re fit to work or to manage sickness absence
  • prevent fraud
  • make decisions about salary reviews and compensation
  • carry out business management and planning, for example accounting, auditing or for business continuity

Use of special category personal data

We may use your more sensitive personal data to:

  • carry out our legal obligations or employment-related legal rights
  • manage leave of absence
  • carry out our statutory duties or for official purposes
  • decide if you’re fit to work or to manage sickness absence
  • ensure your health and safety in the workplace, provide appropriate workplace adjustments and administer benefits
  • pay trade union premiums, register the status of a protected employee and to comply with employment law obligations
  • administer our pension scheme
  • prevent or detect unlawful acts
  • protect your interests or those of another person

We’ll carry out equal opportunities monitoring and reporting using information you’ve provided on a voluntary basis about your:

  • race or national or ethnic origin
  • religious, philosophical or moral beliefs
  • sexual orientation

This will include further processing of your data alongside other information, such as your gender, age, pay grade and working pattern.

Use of criminal conviction data

We will use information about criminal convictions or allegations:

  • to make decisions regarding suitability for the role
  • in possible grievance or disciplinary matters and associated hearings

We will also use this information to refer to relevant policy or operational instructions, the code of conduct and any terms and conditions which form your contract of employment. We only use your personal data in these ways where one of the following applies:

  • we need to carry out our legal obligations or employment-related legal rights
  • where it’s substantially in the public interest to do so and necessary for official purposes
  • to carry out our statutory duties

Use of data for a different purpose

We may need to use your personal data for a purpose that we did not identify when it was first collected. If this is the case, we will tell you and explain the legal basis for using it for an unrelated or new purpose. We will not tell you if the purpose is compatible with the original purpose.

We will process your personal data without your consent if we’re required or permitted to by law.

The legal basis for processing your personal data

AEDdonate or its service providers only use your personal data when the law allows them to. They most commonly use your personal data:

  • for the performance of a contract, such as your contract of employment
  • when it’s in the public interest to do so
  • for official purposes
  • to carry out its statutory duties
  • to comply with a legal obligation
  • when you’ve provided personal data on a voluntary basis and consent to AEDdonate processing it in the agreed way
  • to protect your interests or those of another person

We comply with the following legislation:

  • Employment Rights Act 1996
  • Equality Act 2010
  • Equality Act 2010 (Specific Duties and Public Authorities) Regulations 2017
  • Health and Safety at Work Act 1974
  • Immigration, Asylum and Nationality Act 2006
  • National Minimum Wage Act 1998
  • Pensions Act 2008
  • Trade Union and Labour Relations (Consolidation) Act 1992
  • Transfer of Undertakings (Protection of Employment) Regulations 2006
  • Working Time Regulations 1998

Processing special category personal data

We must have further justification for processing your special category personal data. We may process this data to:

  • carry out our obligations and exercise our rights in employment
  • safeguard your employment rights
  • protect your vital interests or those of another person where you are incapable of giving your consent
  • establish, exercise or defend legal claims
  • archive items that are in the public interest

We rely on the processing conditions in the Data Protection Act 2018 which relate to processing of special category data for employment, statutory and regulatory purposes.

Processing criminal conviction data

We may process personal data relating to criminal convictions and offences or related security measures to:

  • meet our legal obligations, such as employment law, social security law or the law relating to social protection
  • exercise our employment-related legal rights
  • protect your interests or those of another person

We rely on the processing conditions in the Data Protection Act 2018 which relate to processing of criminal conviction data for employment and statutory purposes.

Consent to process your data

AEDdonate or its service providers do not need your consent to use your personal data to carry out their legal obligations or for another reason described in this notice.

We may ask for your written consent to allow us to process certain sensitive data. We will provide you with details of the information that we would like and why we need it. You can consider if you wish to give consent. It’s not a condition of your contract of employment that you agree to give consent.

Providing information about your socio-economic background, race or ethnicity, religious beliefs, sexual orientation, and political opinions is voluntary. It’s not a condition of your contract that you provide this data. You have the right to:

  • remove consent for us to hold or process this personal data
  • ask us to delete any of this data that you’ve already provided

Who AEDdonate shares your personal data with

AEDdonate or its service providers share your personal data with third parties when:

  • required by law
  • requested by a regulator
  • necessary to manage its working relationship with you
  • it’s in the public interest to do so
  • necessary for the performance of its functions as a government organisation
  • contacted by a new or prospective employer for an employment reference
  • asked for a financial reference, such as a tenancy or mortgage application
  • necessary for fraud and data error investigations

This may involve sharing special category data if you chose to provide it.

The third parties include service providers, contractors and other government bodies.

Third party | Purpose
HM Revenue and Customs | Tax and pay
Disclosure and Barring Service, United Kingdom Security Vetting and UK Visas and Immigration | Visa applications and security vetting
Payroll provider | Administration of your pay and pension records
Pension service provider | Pensions administration
External auditors | Variety of audit checks to assure compliance with process/policy
Debt collection agencies | Collection of money owed post-employment
Occupational health providers | Legal obligation to support employees’ health and wellbeing
Offsite document storage providers | Storage of your HR, pay and pension records

We expect third-party service providers to take appropriate security measures to protect personal data, in line with AEDdonate’s policies.

We do not allow third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for purposes we have specified.

When responding to requests for information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

How long AEDdonate holds personal data

AEDdonate and its service providers only retain personal data for as long as necessary to fulfil the purposes they collected it for, such as legal, accounting or reporting requirements.

All personal data is held in accordance with AEDdonate’s retention schedule.

What happens if you do not provide the data

If you do not provide certain data when requested, AEDdonate may not be able to:

  • confirm an offer of employment
  • fulfil its contract with you, such as to pay you or provide benefits
  • meet its legal obligations, such as your health and safety

Use of automated decision-making or profiling

The data you provide is not used for:

  • automated decision making (making a decision by automated means without any human involvement)
  • profiling (automated processing of personal data to evaluate certain things about an individual)

Transfer of data outside the European Economic Area (EEA)

AEDdonate does not transfer data outside the EEA.

Your rights

Find out about your individual rights under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Complaints

You have the right to make a complaint to the Information Commissioner’s Office at any time.

AEDdonate’s personal information charter

AEDdonate’s personal information charter explains more about your rights over your personal data.

Personal Information Charter

This charter sets out what you can expect from us when we ask for or hold your personal information.

AEDdonate is committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law through the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018), and/or the Law Enforcement Directive.

We must provide you with information setting out how we process your personal data. We have privacy notices for both volunteers and employees.

When we make changes, we will update the relevant privacy notice.

Transparency

The EU’s Article 29 Data Protection Working Party has issued guidance on transparency requirements necessary to comply with GDPR:

Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/680, these guidelines also apply to the interpretation of that principle.

What is personal data?

Personal data is data which identifies an individual directly or indirectly, in particular by reference to an identifier such as their name or a reference number.

Some personal data is more sensitive in nature and requires more careful handling. GDPR defines ‘special categories of personal data’ which means data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.

Who does the GDPR apply to?

The Information Commissioner’s Office (ICO) has set out its view on who GDPR applies to:

  • The GDPR applies to ‘controllers’ and ‘processors’.
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller.
  • If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
  • However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

What are my rights?

You have rights under the General Data Protection Regulation and the Data Protection Act 2018 (DPA 2018). These are listed in full on the ICO website.

How we use your data

We process your personal data in a number of ways to deliver services. At the point of collection, we will inform you via a privacy notice of the reasons why we need your information, how your information is being collected, what we will do with it and who we will share it with. In some cases we may pass it on to our representatives to do these things on our behalf.

When we share personal data

We share or disclose personal data where we are required to do so by law or to provide services to fulfil our role. Where we know there is a requirement to share your personal data, we will tell you why and who we will share your personal data with. We will ensure that the data processor agrees to handle your data in conformity with your rights.

When we publish personal data

Charities are required to be transparent about, for example, the use of money (as defined by the Charities Act 2022), and in some cases this may require the publication of personal information. Data published in these cases will balance the need for transparency against your privacy rights.

We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

How long will we keep data?

Charities must retain information for various reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Records retention periods are set in line with statutory, regulatory, legal and security reasons, or for their historic value. Details will be on the relevant privacy notice.

What if my details are inaccurate or incomplete?

If you discover that the personal data we hold about you is inaccurate or incomplete, please contact us so we can update your records.

Where we maintain that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the ICO.

How do I ask to see the data you hold about me?

You can ask to see what data we hold about you. This is called a ‘subject access request’. Please contact us.

On receipt of your request we will acknowledge it and may ask for proof of your identity.

We will respond within one month, and exceptionally extend this by up to 2 months in complex cases.

Do you transfer my personal data outside of the European Economic Area?

AEDdonate will not transfer your data outside of the EEA.

Can I withdraw my consent or request my personal data be deleted?

You have the right to request that we no longer process your personal data and delete your personal data at any time. However, agreement may not be assumed, as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse for public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes. Where this is the case and agreement is not required, we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.

What are the consequences if I do not supply the requested personal data?

If you do not supply the requested personal data, it is more than likely that the service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example not complying with specific legislation. We try to ensure that we only collect the minimum personal data that is necessary for us to offer the services to you.

Will my data be used for automated decision making?

Your personal data may be subject to automated decision making. You will be informed where automated decision making applies including profiling, and the envisaged consequences of such processing.

How do I make a complaint about how my personal data has been handled?

If you think your data has been misused or that AEDdonate has not kept it secure, you should contact us.

Contacts

For day-to-day use, please contact the Head of Finance. They are best placed to manage general enquiries, update the accuracy of your data or provide you with information.

Information Commissioner’s Office

If you’re unhappy with our response or need any advice, contact the Information Commissioner’s Office (ICO) who are the supervisory authority.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
