retailTRUST is committed to protecting your data and your privacy. We aim to ensure that any information you give us is held securely and safely. Please read this policy carefully (along with our terms and conditions) to understand how we collect, use and store your personal information.
retailTRUST (Registered Charity 1090136/SC039684) operates three wholly owned trading subsidiaries:
Retail Trust Events Limited (Registered Company Number 03253828)
RT Wellbeing Services Limited (Registered Company Number 09958483)
Cottage Homes Contracts Limited (Registered Company Number 09127894)
These subsidiaries support the efficient fundraising, income-generation and operational activities of the charity, and their activities are also covered by this policy.
retailTRUST holds and processes personal details in accordance with Data Protection Legislation, which is the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679. retailTRUST is registered with the Information Commissioner (Registration Number Z8109661).
If you have any questions about this policy or how your data is handled, please write to:
Email: [email protected]
Telephone: 01332 554200 (during office hours, Monday to Friday, voicemail available for messages outside these hours)
retailTRUST takes data protection very seriously. As you use our website, get in touch with us, or take part in our activities and events, we collect information. This deepens our understanding of what you are interested in, helps us understand how well we are providing our services, and helps us to improve the quality and relevance of all of our interactions with helpline callers, residents, beneficiaries, donors, partners and other visitors.
retailTRUST and its subsidiaries will never share your information with another organisation for their own marketing purposes and we will never sell your information for any reason whatsoever. We know that this is important and want to reassure you that you are always in control of how we use the personal information you give us.
We do however need to collect and use your personal information for carefully considered and legitimate business purposes, which will help to ensure that we can run retailTRUST and its subsidiaries efficiently, raise funds effectively and deliver our charitable activities.
This policy will set out what data we collect, how we will use it, what the legal basis for this is, and outline what your rights are in respect of your personal data.
What we collect
retailTRUST will be a "controller" of the personal information that you provide to us either electronically, on paper or by telephone (unless at the time of collection we tell you otherwise).
We offer a wide range of charitable services to our helpline callers, residents, beneficiaries, donors, partners and other visitors. When you interact with us we may ask you for some or all of the following personal information:
Basic contact details – name, address, email address, date of birth, etc.;
Employment – name of your employer, job title and how long you’ve been employed, etc.;
If you apply for a grant we will need payment details – bank account number, sort code, card details, etc.;
If you telephone our helpline personal data given during your call may also be recorded;
Equality information – for example, disability, etc.;
You may be photographed or included in a video recording if you attend our events.
We use closed circuit television (CCTV) images to provide a safe and secure environment for our residents, visitors, and staff and to protect the property. If you visit one of our Estates your image may be recorded on CCTV. Where we have set up CCTV cameras, appropriate signs are prominently displayed so residents, visitors and staff are aware they are in an area covered by CCTV. Recordings are only viewed by trained and authorised staff. Images recorded by CCTV are kept for 1 month unless needed for an investigation. We will provide CCTV recordings to the police and other authorities or legal representatives if they request it and where we consider it to be lawful under the data protection legislation.
Special categories of personal data
We also, where necessary ask some of our helpline callers or other visitors for sensitive personal information known in the data protection legislation as special categories of personal data – for instance, information about your health, racial or ethnic origin, or faith. This will only be asked for where there is a clear reason for doing so and both a lawful basis and special condition for processing apply under the data protection legislation, such as where we need this information to ensure that we provide appropriate facilities or support, or we are obligated to collect it to protect you or other people. For instance, callers to our helpline will sometimes need to disclose some sensitive personal information so they can access our counselling support, and it may also be collected when you apply for a grant. We will only use sensitive personal information for the purpose it is has been given and will dispose of it securely as soon as it is no longer required.
There are also some limited situations where we may need to ask if you have a criminal record and record details of any offences. This will only be asked for where there is a clear reason for doing so and it is lawful to do so under the data protection legislation, such as where we are obligated to collect it to protect you or other people. We will only use such information for the purpose it is provided and will dispose of it securely as soon as it is no longer required.
Why we need your personal information – consent
We will always ask for your consent to send you marketing communications by email, SMS or other electronic means. We will also ask you for your consent before contacting you by telephone for the purpose of marketing. In most cases, except where we are obligated to collect it, if you provide any sensitive personal data about yourself (called special categories of personal data in the data protection legislation), we will always seek your explicit consent to process this data. Where you give us consent to process your data we will always keep a clear record of how and when this consent was obtained, and you can withdraw this consent for all channels and activities at any time by contacting us.
Why we need your personal information – contractual purposes
In some cases we may need to collect your personal information so that we can carry out our obligations under a contract with you. In each instance we will only use your personal information to fulfil our obligations under the contract. If you do not provide us with all of the personal information that we need to collect then this may affect our ability to provide training or other services.
Why we need your personal information – legal obligations
We are under a legal obligation to process certain personal information relating to our trustees and volunteers for the purposes of complying with our obligations under:
the Companies Act 2006, Charities Act 2011 and Charities and Trustee Investment (Scotland) Act 2005 to maintain a register of our board members and members, which includes our board members' and members' name, address, the date they were admitted to membership and the date on which they ceased to be our board member and/or member, and hold general meetings, including issuing notices and voting arrangements; and
the Protection of Vulnerable Groups (Scotland) Act 2007 to check that our volunteers are able to undertake regulated work with children and vulnerable adults; and
any other legislation that places an obligation upon us to process personal data.
Why we need your personal information – equality monitoring requirements
In some cases our commitment to giving everybody fair and equal treatment requires us to use your personal information relating to your racial or ethnic origin, etc. for equality monitoring purposes.
We will process such personal information to identify and keep under review the existence or absence of equality of opportunity or treatment between groups of people within the same categories to promote or maintain equality across our services.
Why we need your personal information – legitimate purposes
The data protection legislation allows personal data to be legally collected and used by an organisation if it is necessary for a legitimate interest of the organisation - as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned.
Where we process your personal information in pursuit of our legitimate interests, you have the right to object to us using your personal information for the above purposes. If you wish to object to any of the above processing, please contact us. If we agree and comply with your objection, this may affect our ability to undertake the tasks below for the benefit of our beneficiaries and the funders who financially support the services we provide.
We process your personal information in pursuit of our legitimate interests to:
The delivery of our charitable mission as set out in our charitable priorities
Internal and external audit for financial or for regulatory compliance purposes
Marketing and income generation
Conventional marketing, publicity, advertising and fundraising
Analysis, targeting, and segmentation of data to help develop organisational strategy, and improve marketing and fundraising communications as well as improving operational efficiency
Processing for research purposes, such as marketing or fundraising research
Using publically available information to profile potentially important supporters
Physical security, IT and network security
Anonymising data so it can be shared with third parties without compromising confidentiality
Processing data for historical, scientific or statistical purposes
Responding to any solicited enquiry from any of our visitors
Providing products, information and/or fundraising packs requested by visitors
Communications designed to administer existing services that an individual has asked or registered for
Collating anonymous statistical information about our users which may be shared with third parties
Administrating Gift Aid
Ensuring we respond properly to complaints
Thank you communications and receipts
Maintenance of “Do not contact lists”
Why we need your personal information – public interest
We may also process your personal data when it is required to perform a task in the public interest that is set out in law. We consider our financial management and control to be tasks we carry out in the public interest, this includes:
Processing of financial transactions and the maintenance of financial controls
Preventing fraud, the misuse of our services, or money laundering
Enforcing legal claims, including debt collection via out-of-court procedures.
Other uses of your personal information
We may ask you if we can process your personal information for additional purposes. For example, where a new technology could allow us to offer improved services to our visitors. Where we do so, we will provide you with an additional privacy notice that explains how we will use your information for these additional purposes.
Who we share your personal information with
We may share your personal information with our wholly owned trading subsidiaries to assist us with the efficient fundraising, income-generation and operational activities of the charity, and their activities are also covered by this policy.
We may be required to share personal information with statutory or regulatory authorities and organisations to comply with statutory obligations. Such organisations include the Health & Safety Executive, HMRC, etc. for the purposes of safeguarding children and vulnerable adults.
We may also share personal information with our professional and legal advisors for the purposes of taking advice.
retailTRUST employs third party suppliers to provide services, including out of hours telephone support, counselling services etc. These suppliers may process personal information on our behalf as "processors" or “joint controllers” and are subject to written contractual conditions to only process that personal information in accordance with data protection legislation.
In the event that we do share personal information with external third parties, we will only share such personal information strictly required for specific purposes we have identified in advance, and will take reasonable steps to ensure that recipients shall only process the disclosed personal information in accordance with those purposes.
How we protect your personal information
Your personal information is stored in our secure electronic filing system and our servers based in the UK, and is only accessed by trained and authorised staff and volunteers for the purposes set out above. We keep your personal information secure by using a range of technical and organisational security measures, including tools, systems and processes to:
encrypt, anonymise and pseudonymise personal information
ensure the ongoing confidentiality, integrity, availability and resilience of our data processing systems
restore the availability and access to personal information in a timely manner in the event of a physical or technical incident.
We also store some personal information in paper files. Where we do this, those files are kept in secure locations in locked cabinets that only authorised staff have access to.
In addition we regularly test, assess and evaluate the effectiveness of all our technical and organisational measures for ensuring the security of the personal information we process.
How long we keep your personal information
We only keep your personal information as long as is reasonable and necessary for the relevant activity. We may extend this period after the relevant activity has completed to comply with statutory restrictions or industry best practice, for example, the collection of Gift Aid on donations or best practice on retaining records of helpline calls.
We have a data retention policy that sets out the periods for retaining and reviewing all information that we hold. This sets out different retention periods for different forms of data and you can request a copy by contacting us at [email protected]
'Cookie' is a name for a small file, usually of letters and numbers, which is downloaded onto your device, like your computer, mobile phone or table when you visit a website. They let websites recognise your device, so that the sites can work more effectively, and also gather information about how you use the site. A cookie, by itself, can't be used to identify you.
The cookies we use
We use two main cookies:
_ga Google Analytics - this is a performance cookie that collects anonymous information about how you use our site, like which pages are visited most. This helps us understand whether our website is working the way we expect.
has_js Drupal CMS - this is a functionality cookie which remembers whether you have accepted cookies.
The other cookies we use are for the Hotjar service that helps us get immediate feedback on our website. These cookies are not used to identify you personally. The full list of cookies used by Hotjar and the purpose for each one is given here: https://www.hotjar.com/legal/policies/cookie-information
No cookies, please
Your communications with us (including by telephone or email) may be monitored and/or recorded for training, quality control and compliance purposes to ensure that we continuously improve our customer service standards.
Your rights in relation to your personal information are:
you have a right to request access to the personal information that we hold about you by making a "subject access request";
if you believe that any of the personal information that we hold about you is inaccurate or incomplete, you have a right to request that we correct or complete it;
you have a right to object to and/or request that we restrict the processing of your personal information for specific purposes;
if you wish us to delete the personal information that we hold about you, you may request that we do so;
if you would like to obtain the personal information that we hold about you to reuse it for your own purposes, you may request that we do so; and
if we undertake any automated decision-making and profiling, you have a right to object to your personal information being used in this manner.
Any requests received by retailTRUST will be considered under applicable data protection legislation. If you remain dissatisfied, you have a right to raise a complaint with the Information Commissioner's Office at ico.org.uk.