Partnerships privacy policy

Your privacy is important to us. To better protect the privacy of our partners and contacts we provide this notice explaining our information practices and the choices you can make about the way your information is collected and used.

1.0 WDC’s partnerships privacy policy

Your privacy is important to us, and we are committed to protecting your personal information whilst providing you with the support and engagement that you expect from WDC.

To better protect your privacy, we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used.

In this policy, whenever you see the words ‘we’, ‘us’ or ‘our’, it refers to WDC, Whale and Dolphin Conservation and in this context, specifically to members of the Partnerships team that is part of WDC’s wider fundraising team; whose remit is to manage WDC’s collaborations, affiliations and sponsorships with brands, businesses and high-profile individuals.

We are a registered charity and company wholly owned and operated by WDC. A company registered in England and Wales with company number 2737421 and a charity registered in England and Wales with charity number 1014705, and in Scotland with charity number SC040231. Our registered address is Brookfield House, 38 St Paul Street, Chippenham, Wiltshire SN15 1LJ.

WDC (Trading) Limited sells a range of goods through its shop and café based in Scotland, enters into corporate partnership agreements, and runs a raffle. All of its profits are passed to WDC. WDC (Trading) is wholly owned and controlled by WDC, and all staff are employed by WDC.

We may make changes to this policy from time to time. If we do so, we will post the changes on this page, and they will apply from the time we post them.

This policy was last changed on April 1^st, 2022.

1.1 Background

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 to update the existing data protection framework in the UK. The legislation covers every sector and every organisation, which means that people in different organisations have to think about what personal data they might be processing and put the principles into practice in their area of work.

With regards to WDC’s corporate and partnerships work, GDPR applies to all activities that result in the development of a relationship between a company and a charity. That could be for a charity of the year partnership, a specific fundraising campaign, employee fundraising or other support.

2.0 Geographic scope of GDPR

The GDPR is a set of rules agreed across Europe and applies to the data of EU citizens only. All partners and their staff residing within the EU will be subject to fully GDPR-compliant practices, as outlined in this document.

Where WDC is working with a partner outside of the EU the GDPR rules no longer apply however WDC will ensure at all times that all personal data for these companies and individuals is subject to relevant data protection rules and general good practice.

Where documents such as contact of mailing lists are generated that may include a combination of EU and non-EU data, these will be managed in accordance with GDPR rules.

The Information Commissioner's Office (ICO) will be responsible for enforcing GDPR.

3.0 Personal data

The GDPR applies to ‘personal data’, meaning any information relating to a living individual who can be directly or indirectly identified from it – this includes name, address and contact details but could also include two or more non-specific pieces of information that when combined could identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors.

A fuller definition of ‘personal’ data can be found at https://ico.org.uk/.

In the course of its work, WDC’s partnerships team may process personal data from companies and brands in the course of our activities including:

Carrying out external research to identify individuals within those organisations who may have a particular link to our charitable cause or who we may wish to approach regarding a collaboration or partnership. This may include looking at the backgrounds and influences of those individuals to understand their interests and role. We will ensure at all times that consideration is given as to how much within someone’s reasonable expectations the processing of publicly available information is – for example, our research will ensure that public profiles of individuals on social media are only reviewed where their job role is included in their bio/description and will focus solely on information pertinent to our research.
Making contact with company representatives to find out more about their policies on charitable giving, their plans, priorities and interests and to discuss partnership opportunities.
Storing contact information of relevant individuals within the company.
Follow up communications, including thank you messages, gifting and other means of keeping the partner informed of WDC’s work, campaigns and actions and progress with projects they may support directly.

Our partnerships include those with both companies and high-profile individuals. With companies and brands, individuals associated with those organisations have rights in relation to any corporate data which identifies them specifically. Personal data include corporate email addresses and other contact details where they identify individuals directly (i.e., an email address using their full name) meaning that we are processing personal data when we work with both companies and high-profile individuals.

When processing personal data, we consider two key factors:

What purposes we process the data for; and
Demonstrating clearly that data has been processed lawfully.

Personal data will only be kept by WDC’s partnerships team as long as necessary to fulfil the purpose for which they were processed, which will be clearly stated in the privacy policy. For partners and contacts this will be a maximum of 2 years from the date of last direct contact from the partner/contact. Where this relates to individuals such as competition winners or customers/supporters who have made enquiries or complaints this is set at 6 months from the date of last direct contact, to allow for full resolution of any ongoing or complex issues.

4.0 Lawful basis for contact

Elements of WDC’s partnerships work includes ‘direct marketing’ – contacting individuals at a company to promote our cause and charitable objectives or carrying out research on company representatives for the purpose of making a partnership approach in future.

In these cases, there are two ways that WDC can demonstrate compliance with GDPR’s requirement for lawful basis for contact: obtaining the individual’s affirmative consent or demonstrating ‘legitimate interest’ as a basis to contact a member of staff at the company in question.

Consent includes cases where an individual has directly provided WDC with their contact details with specific consent for us to contact them for a particular purpose.

In many circumstances WDC’s partnerships team may be approaching a company contact without a prior introduction and would need to comply with the requirements to demonstrate legitimate interest – specifically the ‘3 step test’ for whether the communication is lawful. This requires:

Showing we have considered the individual’s interests against our own by doing a legitimate interest assessment
Advising the individual concerned know that we are processing their data and for what purpose
Offering them the opportunity to opt out of further communications if they wish to do so.

To ensure compliance with the 3-step test, WDC’s partnerships team will ensure the following:

Recording our basis for contacting an individual on a dedicated Asana thread, confirming a legitimate interest assessment has been carried out, when and by whom.
A clear privacy notice outlining how we process the individual’s personal data and how they can opt out on our website, with a link to this in our email signatures.

5.0 Corporate subscribers

Sending e-mail or SMS marketing to individual subscribers requires the individual’s consent under the Privacy and Electronic Regulations 2003 (PECR).

When approaching companies, WDC’s partnerships team may lawfully use legitimate interest to send direct marketing communications by email under the ‘corporate subscriber’ category of recipient. A ‘corporate subscriber’ includes companies as defined by the Companies Act 1985, companies incorporated in pursuance of a royal charter or letters patent, corporations sole, partnerships in Scotland, and any other corporate body or entity (including charities) which is a legal person distinct from its members. At all times, the basis of the communication should be relevant to the individual’s work/role within the organisation and could include an invitation to discuss a collaboration or attend an event, or a direct fundraising request where this is deemed relevant to the products, aims or priorities of a company.

Communications to corporate subscribers do not require consent as long as the 3-step test for legitimate interest is applied.

Individual representatives of any company have a right to ask WDC to stop using their personal contact details or sending marketing to their work email address. Under PECR requirements, WDC must ensure that any individual being contacted has the full contact details of the WDC staff member contacting them in order for them to be able to request to stop marketing where they wish to. In the case that we receive such a request, WDC will fully comply with this request.

6.0 Provision of work contact details for personal communications

There are occasions where a person may will give their work email address to WDC as part of a personal donation, as that is their preferred way to hear from the charity in the future. In these cases, the normal rules about needing affirmative consent or relying on legitimate interest would apply for future direct marketing in the context of cultivating a partnership.

In the event that WDC works with a partner or business on a staff event WDC would only look to contact individuals with further information about our work after obtaining direct consent, via a sign-up sheet or similar, or by the circulation of information to a named contact at the company who can share with relevant or interested staff as required.

7.0 Use of LinkedIn and social media

As part of our research into potential partnerships and contacts WDC’s partnerships team may view public profiles on sites such as LinkedIn to assess the relevant team or role to contact. In these cases, the rules around obtaining consent or proving legitimate interest and only publicly available information provided by the individual will be reviewed and people will only be contacted through these sites where they have provided clear details and opted in for these communications.

WDC’s partnerships team may also view the public profiles of individuals on social media; however, this will only be carried out where this is deemed relevant, where the profile is public and where their job role is included in their bio/description.

8.0 Commercial participator agreements and information shared between organisations

It is a legal requirement (included in the Code of Fundraising Practice) to have a written agreement with any organisation that falls within the definition of a ‘Commercial Participator’. Broadly speaking a ‘Commercial Participator’ is any person who carries on a business and in the course of that business represents that it will make donations to a charity. For example, a manufacturer that advertises a product with the promise that a contribution will be made to charity for each product sold would be a commercial participator.

WDC’s commercial participator agreements include reference to the policies and procedures that the two organisations will adhere to for the processing of any personal data.

9.0 Introductions, customers and competition winners

A personal or professional introduction or referral made by an existing contact or partner to a new contact generally falls under legitimate interest; however, WDC will ensure that requests to cease communications following an introduction are honoured immediately.

There are other instances where WDC may be passed personal information by a third party including but not limited to customer/supporter complaints or enquiries made directly to a partner for action by WDC (or vice versa) and the fulfilment of giveaways and competitions, which generally require contact with the winner by either WDC or the partner/contact and potential transfer of personal data between the parties to ensure this happens successfully.

Where WDC is the party leading on this resolution or fulfilment the partnerships team (and other potentially relevant teams, such as Supporter Relations) will ensure that prior consent is obtained for the transfer of contact details outside of WDC for agreed and clearly stated purposes; either through the creation of clear T&Cs and opt ins (for example for online forms) or directly obtained consent. Where WDC is passed this information by a partner or third party WDC will confirm with them that the relevant consents have been obtained.

10.0 Use of video calling and conferencing

Zoom, Teams and other video conferencing tools also have the ability to collect personal data when these calls are recorded and stored. When WDC’s Partnerships team hosts meetings, within the meaning of the General Data Protection Regulation (GDPR), we are classified as the ‘data controller’ and this requires us to comply with Article 5. This means:

We must collect only the data you need for the specific aims of the act of recording.
We must ensure the recording is stored securely and access to it is limited.
We must ensure the recording must be processed lawfully, fairly and in a transparent manner.

For calls with external contacts, WDC’s Partnerships teams uses 2 main video conferencing and calling tools:

Teams (for calls that are generally not recorded)
Zoom (for calls that may be recorded)

The links above take you to the platform provider’s GDPR statement and/or privacy policy.

It is rare that Partnerships team external calls are recorded – this function is usually limited to events such as webinars (where people may not be able to attend but would like to access a recording. In all cases where the session is to be recorded it will be signposted clearly to all attendees (including the reason for recording the call), ideally through a link in the meeting invitation (or direct request in an email invite) in addition to a clear verbal signpost at the start of the call, before recording starts.

Our use of Zoom for recorded calls means that we are required for each attendee to give consent for a recording to start (meaning if you don’t consent you will automatically leave the meeting).

11.0 How WDC’s partnerships team ensure compliance with GDPR

WDC’s partnerships team are committed to ensuring full compliance with GDPR and the data rights for individuals under this new legislation. For all partners, potential partners and contacts within the EU WDC will ensure the following:

That all WDC partnerships staff have full name and contact details within their email signature for all external contacts.
That email signatures will also contain a link to a privacy notice, to be sited on the partnerships pages of the WDC website and clearly stating how we use people’s data and why, how and for how long this will be stored, as well as clear information about requesting that we cease communications.
That researching individuals who work at companies will only use data that they have chosen to make publicly available via work-related and personal social media and networking accounts
That all approaches to new potential partners and individuals or approaches to existing contacts about significantly different activities or making significantly different requests to those contained in the partnership agreement with that company or individual (consent), are tested for legitimate interest using the 3-step test. This will be recorded in Asana with the name of the person who assessed this, the date and any relevant information required.
That all stored communications containing personal data will be password protected, including individual documents such as letters.
That with all video call recordings, we will store the recording securely, retain the recording and data for no longer than absolutely necessary; and provide every participant with a right to access, rectify or erase the data.
That any transfer of personal data to WDC by a third party or vice versa has direct consent.
That the privacy notice and all other relevant documents will be reviewed and updated on at least an annual basis (next due April 2023).

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
crumb	session	Squarespace sets this cookie to prevent cross-site request forgery (CSRF).
datadome	session	This is a security cookie set by Force24 to detect BOTS and malicious traffic.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
server_session_id	session	This cookie is set by Twitch to help in load balancing and optimizing the visitor experience.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_hjIncludedInSessionSample_2773626	2 minutes	Used by HotJar to support the analysis of user interactions with the website
_hjSession_2773626	30 minutes	Used by HotJar to support the analysis of users interactions with the website
_hjSessionUser_2773626	1 year	Used by HotJar to support the analysis of user interactions with the website
_simpleauth_sess	3 months	No description
COMPASS	1 hour	No description
experiment_overrides	1 year 1 month 1 day	No description
ga__12_abel	1 day	No description
ga__12_abel-ssn	1 day	No description
ITSWEB6	session	No description
KP_UIDz	1 day	No description available.
KP_UIDz-ssn	1 day	No description
Path	session	No description

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
muc_ads	1 year 1 month 4 days	Twitter set this cookie to collect visitor navigation data to optimise ad relevance.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_tq_id.TV-81812718-1.5b39	1 year 1 month 4 days	This cookie is set by TVSquared to measure impressions, reach and outcomes across linear and digital TV.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
DotMetrics.DeviceKey	1 year	Dotmetrics sets this cookie for the implementation of the technical part of the MOSS measurement.
DotMetrics.UniqueUserIdentityCookie	1 year	Dotmetrics sets this cookie for the implementation of the technical part of the MOSS measurement.
referrer_url	30 minutes	This cookie is used to detect how the user reached the website by registering their last URL-address.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
api_token	1 year 1 month 1 day	This cookie is set by Twitch to display the embedded video and the services required to function the same.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
S	1 hour	Used by Yahoo to provide ads, content or analytics.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Your privacy is important to us. To better protect the privacy of our partners and contacts we provide this notice explaining our information practices and the choices you can make about the way your information is collected and used.

Follow us on social media

Sign-up for our enewsletter