Your privacy is important to us. To better protect the privacy of our partners and contacts we provide this notice explaining our information practices and the choices you can make about the way your information is collected and used.
1.0 WDC’s partnerships privacy policy
Your privacy is important to us, and we are committed to protecting your personal information whilst providing you with the support and engagement that you expect from WDC.
To better protect your privacy, we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used.
In this policy, whenever you see the words ‘we’, ‘us’ or ‘our’, it refers to WDC, Whale and Dolphin Conservation, and in this context specifically to members of the Partnerships team, which is part of WDC’s wider fundraising team and whose remit is to manage WDC’s collaborations, affiliations and sponsorships with brands, businesses and high-profile individuals.
We are a registered charity and company wholly owned and operated by WDC: a company registered in England and Wales with company number 2737421 and a charity registered in England and Wales with charity number 1014705, and in Scotland with charity number SC040231. Our registered address is Brookfield House, 38 St Paul Street, Chippenham, Wiltshire SN15 1LJ.
WDC (Trading) Limited sells a range of goods through its shop and café based in Scotland, enters into corporate partnership agreements, and runs a raffle. All of its profits are passed to WDC. WDC (Trading) is wholly owned and controlled by WDC, and all staff are employed by WDC.
We may make changes to this policy from time to time. If we do so, we will post the changes on this page, and they will apply from the time we post them.
This policy was last changed on April 1st, 2022.
1.1 Background
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 to update the existing data protection framework in the UK. The legislation covers every sector and every organisation, which means that people in different organisations have to think about what personal data they might be processing and put the principles into practice in their area of work.
With regards to WDC’s corporate and partnerships work, GDPR applies to all activities that result in the development of a relationship between a company and a charity. That could be for a charity of the year partnership, a specific fundraising campaign, employee fundraising or other support.
2.0 Geographic scope of GDPR
The GDPR is a set of rules agreed across Europe and applies to the data of EU citizens only. All partners and their staff residing within the EU will be subject to fully GDPR-compliant practices, as outlined in this document.
Where WDC is working with a partner outside of the EU, the GDPR rules no longer apply; however, WDC will ensure at all times that all personal data for these companies and individuals is subject to relevant data protection rules and general good practice.
Where documents such as contact or mailing lists are generated that may include a combination of EU and non-EU data, these will be managed in accordance with GDPR rules.
The Information Commissioner's Office (ICO) will be responsible for enforcing GDPR.
3.0 Personal data
The GDPR applies to ‘personal data’, meaning any information relating to a living individual who can be directly or indirectly identified from it – this includes name, address and contact details but could also include two or more non-specific pieces of information that when combined could identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors.
A fuller definition of ‘personal’ data can be found at https://ico.org.uk/.
In the course of its work, WDC’s partnerships team may process personal data from companies and brands through activities including:
- Carrying out external research to identify individuals within those organisations who may have a particular link to our charitable cause or who we may wish to approach regarding a collaboration or partnership. This may include looking at the backgrounds and influences of those individuals to understand their interests and role. We will ensure at all times that consideration is given to how far the processing of publicly available information falls within someone’s reasonable expectations – for example, our research will ensure that public profiles of individuals on social media are only reviewed where their job role is included in their bio/description and will focus solely on information pertinent to our research.
- Making contact with company representatives to find out more about their policies on charitable giving, their plans, priorities and interests and to discuss partnership opportunities.
- Storing contact information of relevant individuals within the company.
- Follow up communications, including thank you messages, gifting and other means of keeping the partner informed of WDC’s work, campaigns and actions and progress with projects they may support directly.
Our partnerships include those with both companies and high-profile individuals. With companies and brands, individuals associated with those organisations have rights in relation to any corporate data which identifies them specifically. Personal data include corporate email addresses and other contact details where they identify individuals directly (i.e., an email address using their full name) meaning that we are processing personal data when we work with both companies and high-profile individuals.
When processing personal data, we consider two key factors:
- What purposes we process the data for; and
- Demonstrating clearly that data has been processed lawfully.
Personal data will only be kept by WDC’s partnerships team as long as necessary to fulfil the purpose for which they were processed, which will be clearly stated in the privacy policy. For partners and contacts this will be a maximum of 2 years from the date of last direct contact from the partner/contact. Where this relates to individuals such as competition winners or customers/supporters who have made enquiries or complaints this is set at 6 months from the date of last direct contact, to allow for full resolution of any ongoing or complex issues.
4.0 Lawful basis for contact
Elements of WDC’s partnerships work include ‘direct marketing’ – contacting individuals at a company to promote our cause and charitable objectives or carrying out research on company representatives for the purpose of making a partnership approach in future.
In these cases, there are two ways that WDC can demonstrate compliance with GDPR’s requirement for lawful basis for contact: obtaining the individual’s affirmative consent or demonstrating ‘legitimate interest’ as a basis to contact a member of staff at the company in question.
Consent includes cases where an individual has directly provided WDC with their contact details with specific consent for us to contact them for a particular purpose.
In many circumstances WDC’s partnerships team may be approaching a company contact without a prior introduction and would need to comply with the requirements to demonstrate legitimate interest – specifically the ‘3 step test’ for whether the communication is lawful. This requires:
- Showing we have considered the individual’s interests against our own by doing a legitimate interest assessment
- Advising the individual concerned that we are processing their data and for what purpose
- Offering them the opportunity to opt out of further communications if they wish to do so.
To ensure compliance with the 3-step test, WDC’s partnerships team will ensure the following:
- Recording our basis for contacting an individual on a dedicated Asana thread, confirming a legitimate interest assessment has been carried out, when and by whom.
- A clear privacy notice outlining how we process the individual’s personal data and how they can opt out on our website, with a link to this in our email signatures.
5.0 Corporate subscribers
Sending e-mail or SMS marketing to individual subscribers requires the individual’s consent under the Privacy and Electronic Regulations 2003 (PECR).
When approaching companies, WDC’s partnerships team may lawfully use legitimate interest to send direct marketing communications by email under the ‘corporate subscriber’ category of recipient. A ‘corporate subscriber’ includes companies as defined by the Companies Act 1985, companies incorporated in pursuance of a royal charter or letters patent, corporations sole, partnerships in Scotland, and any other corporate body or entity (including charities) which is a legal person distinct from its members. At all times, the basis of the communication should be relevant to the individual’s work/role within the organisation and could include an invitation to discuss a collaboration or attend an event, or a direct fundraising request where this is deemed relevant to the products, aims or priorities of a company.
Communications to corporate subscribers do not require consent as long as the 3-step test for legitimate interest is applied.
Individual representatives of any company have a right to ask WDC to stop using their personal contact details or sending marketing to their work email address. Under PECR requirements, WDC must ensure that any individual being contacted has the full contact details of the WDC staff member contacting them in order for them to be able to request to stop marketing where they wish to. In the case that we receive such a request, WDC will fully comply with this request.
6.0 Provision of work contact details for personal communications
There are occasions where a person may give their work email address to WDC as part of a personal donation, as that is their preferred way to hear from the charity in the future. In these cases, the normal rules about needing affirmative consent or relying on legitimate interest would apply for future direct marketing in the context of cultivating a partnership.
In the event that WDC works with a partner or business on a staff event, WDC would only look to contact individuals with further information about our work after obtaining direct consent, via a sign-up sheet or similar, or by the circulation of information to a named contact at the company who can share with relevant or interested staff as required.
7.0 Use of LinkedIn and social media
As part of our research into potential partnerships and contacts, WDC’s partnerships team may view public profiles on sites such as LinkedIn to assess the relevant team or role to contact. In these cases, the rules around obtaining consent or proving legitimate interest apply, and only publicly available information provided by the individual will be reviewed; people will only be contacted through these sites where they have provided clear details and opted in for these communications.
WDC’s partnerships team may also view the public profiles of individuals on social media; however, this will only be carried out where this is deemed relevant, where the profile is public and where their job role is included in their bio/description.
8.0 Commercial participator agreements and information shared between organisations
It is a legal requirement (included in the Code of Fundraising Practice) to have a written agreement with any organisation that falls within the definition of a ‘Commercial Participator’. Broadly speaking a ‘Commercial Participator’ is any person who carries on a business and in the course of that business represents that it will make donations to a charity. For example, a manufacturer that advertises a product with the promise that a contribution will be made to charity for each product sold would be a commercial participator.
WDC’s commercial participator agreements include reference to the policies and procedures that the two organisations will adhere to for the processing of any personal data.
9.0 Introductions, customers and competition winners
A personal or professional introduction or referral made by an existing contact or partner to a new contact generally falls under legitimate interest; however, WDC will ensure that requests to cease communications following an introduction are honoured immediately.
There are other instances where WDC may be passed personal information by a third party including but not limited to customer/supporter complaints or enquiries made directly to a partner for action by WDC (or vice versa) and the fulfilment of giveaways and competitions, which generally require contact with the winner by either WDC or the partner/contact and potential transfer of personal data between the parties to ensure this happens successfully.
Where WDC is the party leading on this resolution or fulfilment the partnerships team (and other potentially relevant teams, such as Supporter Relations) will ensure that prior consent is obtained for the transfer of contact details outside of WDC for agreed and clearly stated purposes; either through the creation of clear T&Cs and opt ins (for example for online forms) or directly obtained consent. Where WDC is passed this information by a partner or third party WDC will confirm with them that the relevant consents have been obtained.
10.0 Use of video calling and conferencing
Zoom, Teams and other video conferencing tools also have the ability to collect personal data when these calls are recorded and stored. When WDC’s Partnerships team hosts meetings, within the meaning of the General Data Protection Regulation (GDPR), we are classified as the ‘data controller’ and this requires us to comply with Article 5. This means:
- We must collect only the data we need for the specific aims of the act of recording.
- We must ensure the recording is stored securely and access to it is limited.
- We must ensure the recording is processed lawfully, fairly and in a transparent manner.
For calls with external contacts, WDC’s Partnerships team uses 2 main video conferencing and calling tools:
The links above take you to the platform provider’s GDPR statement and/or privacy policy.
It is rare that Partnerships team external calls are recorded – this function is usually limited to events such as webinars (where people may not be able to attend but would like to access a recording). In all cases where the session is to be recorded it will be signposted clearly to all attendees (including the reason for recording the call), ideally through a link in the meeting invitation (or direct request in an email invite) in addition to a clear verbal signpost at the start of the call, before recording starts.
Our use of Zoom for recorded calls means that we are required for each attendee to give consent for a recording to start (meaning if you don’t consent you will automatically leave the meeting).
11.0 How WDC’s partnerships team ensure compliance with GDPR
WDC’s partnerships team are committed to ensuring full compliance with GDPR and the data rights for individuals under this new legislation. For all partners, potential partners and contacts within the EU WDC will ensure the following:
- That all WDC partnerships staff have full name and contact details within their email signature for all external contacts.
- That email signatures will also contain a link to a privacy notice, to be sited on the partnerships pages of the WDC website and clearly stating how we use people’s data and why, how and for how long this will be stored, as well as clear information about requesting that we cease communications.
- That researching individuals who work at companies will only use data that they have chosen to make publicly available via work-related and personal social media and networking accounts.
- That all approaches to new potential partners and individuals or approaches to existing contacts about significantly different activities or making significantly different requests to those contained in the partnership agreement with that company or individual (consent), are tested for legitimate interest using the 3-step test. This will be recorded in Asana with the name of the person who assessed this, the date and any relevant information required.
- That all stored communications containing personal data will be password protected, including individual documents such as letters.
- That with all video call recordings, we will store the recording securely, retain the recording and data for no longer than absolutely necessary; and provide every participant with a right to access, rectify or erase the data.
- That any transfer of personal data to WDC by a third party or vice versa has direct consent.
- That the privacy notice and all other relevant documents will be reviewed and updated on at least an annual basis (next due April 2023).