This policy outlines the use of personal data under the Data Protection Act 2018 and the General Data Protection Regulations (“GDPR”) For the purpose of DPA and GDPR Youth Cymru are the data controller and any enquiry regarding the collection or processing of your data should be addressed to Youth Cymru.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone, or in conjunction with any other information in the data controller’s possession, or likely to come into their possession.

Information We Collect

Personal information includes identifiers such as; your name, date of birth, email address, postal address, telephone number, as well as information you provide in any communications between us. You will have given us some or all of this information through:

your interactions with us – including; registering on our mailing list, using our website, joining our online forum, making a booking on our website, attending an event or training course and seeking advice / support.

How the Information Collected is used

Youth Cymru complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We will process your personal data based on your consent, and/or because we need to use it in order to fulfil a contract with you (e.g. because you have subscribed to our membership, engaged with our programmes and/or legitimate interest).

Legitimate interest means there is a valid reason for Youth Cymru to do so. This could include; making improvements to our services, to manage relationships with our supporters and to comply with relevant legislation. Whenever we process your information in this way, we ensure that we consider your rights and interests.

We will never sell or swap your details. We may share your information with trusted third parties in the process of managing your engagement with us, such as the payment processing of donations or to partners who manage our events.

We use your personal data for the following purposes:

· To enable us to provide support and advice for the benefit of those working with children and young people within the Youth Sector.

· To administer membership subscriptions and activities;

· To fundraise and promote the interests of the charity;

· To manage our recruitment processes, employees, trustees and volunteers;

· To maintain our own accounts and records;

· To inform you of news, events, activities and services we offer;

Personal information provided to the Charity by you will only be used for the purposes stated when the information is requested. Personal information will not be sold to third parties, or provided to direct marketing companies or other such organisations without your permission.

What is the legal basis for processing your personal data?

Explicit consent of the data subject so that we can keep you informed about news, events, activities and services offered by Youth Cymru.

Processing is necessary for carrying out legal obligations.

Sharing of information with partners or third parties is only done so where consent has been provided.

However, we may disclose your information to regulatory bodies to enable us to comply with the law and to assist fraud protection and minimise credit risk.

Please be advised that we do not reveal information about identifiable individuals to our stakeholders without consent from the data subject, but we may, on occasion, provide them with anonymised information.

Protecting Children and Young People

Where we believe any of our services may attract children and young people under the age of 16, we will clearly provide information notices to try and deter children from providing their personal data without parent or guardian consent.

We do not knowingly intend to send marketing communications to children and young people.

We actively encourage all our staff, whenever they are implementing new initiatives to assess whether these might be attractive to children and young people and if so, will ensure clear information is provided to try and deter children and young people from providing their personal data without parent or guardian consent.

How we Store Information Collected

As part of the services offered to you, for example through our websites, the information you provide to us may be transferred to and stored in countries outside of the European Economic Area (EEA) as we use remote website server hosts to provide the website and some aspects of our service, which may be based outside of the EEA, or use servers based outside of the EEA – this is generally the nature of data stored in “the Cloud”. It may also be processed by staff operating outside the EEA who work for one of our suppliers, e.g. our website server host, or who work for us when temporarily based outside of the EEA.

A transfer of your personal data may happen if any of our servers are located in a country outside of the EEA or one of our service providers is located in a country outside of the EEA. If we transfer or store your personal data outside the EEA in this way, we will take steps to ensure that your privacy rights continue to be protected, as outlined in this privacy policy and in accordance with the DPA and GDPR. If you use our service while you are outside the EEA, your personal data may be transferred outside the EEA in order to provide you with these services.

We do not use or disclose sensitive personal data, such as race, religion, or political affiliations, without your explicit consent.

We may disclose your personal data outside of Youth Cymru e.g. data analysis or newsletter mailings. However, any such transfer will only be on terms that the confidentiality of your personal data is protected and that the terms of this privacy policy will continue to be complied with by the recipient.

We will process, disclose or share your personal data only if required to do so by law, or in good faith believe that such action is necessary to comply with legal requirements, or legal process served on us or our websites.

Security

The transmission of information via the Internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data while you are transmitting it to us via our site or formstack applications; any such transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.

The Use of Trusted Partners and Suppliers.

We use external companies such as Eventbrite to collect or process personal data on our behalf. We undertake checks on these companies before we work with them and put agreements in place that require them to comply with data protection legislation and ensure that they have appropriate controls in place to secure your information.

You’re Rights and Your Personal Data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

1. The right to request a copy of your personal data which Youth Cymru holds about you; where possible this will be provided within 30 days of request. If an extension is required due to the complexity of the request, then this will be agreed in writing by both parties;

2. The right to request that Youth Cymru corrects any personal data if it is found to be inaccurate or out of date;

3. The right to request your personal data is erased where it is no longer necessary for Youth Cymru to retain such data;

4. The right to withdraw your consent to the processing at any time;

5. The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].

6. The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;

7. The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]

8. The right to lodge a complaint with the Information Commissioners Office, https://ico.org.uk

Further processing

If we wish to use your personal data for a new purpose, not covered by your consent, then prior to commencing the processing we will provide you with a new notice setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

Controlling the use of Your Data

If you have given us consent to use your data for a purpose you can revoke or vary that consent at any time. If you do not want us to use your data, or want to vary the consent that you have provided you can email dataprotection@youthcymru.org.uk

Changes to our Privacy Policy

From time to time, we may use your information for new, unanticipated uses not previously disclosed in our privacy policy. If our information practices change at some time in the future we will post the policy changes on our website.