The Congregation of Jesus Trust (“the Trust”) and its trading subsidiary Bar Convent Enterprises Ltd (“Enterprises”) collect a limited amount of data from supporters and customers to enable services to be provided and news and events information to be shared.
This Policy sets out why we collect personal information about individuals and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used.
Please be assured that when you provide your personal data, both Trust and Enterprises will keep your information confidential, will only ask for enough information to enable us to provide the service you requested and we will only do exactly what we said we would do with it. At all times, we adhere to the core principles of the Data Protection Act (DPA) 2018 and UK GDPR that the data that we collect is “Adequate, Relevant and Limited” for the purposes that we collect it. If your information is inaccurate and you would like us to amend it, or you would like us to change how we use it, then please let us know and we will do so immediately.
We never share your data with others or use it outside of the United Kingdom, and at an appropriate time we will confidentially dispose of your data after fulfilling the purpose that we originally collected it for.
Contacting the Data Protection Contacts
Trust and Enterprises each have a Data Protection Contact for the purposes of the EU General Data Protection Regulation. In simple terms the Trust is responsible for data in conjunction with its charitable activities and Enterprises is responsible for data collected and used for the purposes of business trading.
The Data Protection Contacts are: James Foster and Hannah Thomas.
Either contact can be reached using the same details. Simply provide your query and we will direct it to the appropriate officer for you:
Telephone 01904 643238 or Email email@example.com.
Data Protection Principles
Trust and Enterprises fully support ‘the spirit and the letter’ of data protection. In more detail, this is how Trust and Enterprises have adopted Data Protection principles:
- Data Collection Is “Adequate, Relevant and Limited”. At each point of data collection, it is our policy to advise you (the data subject) of what information we are collecting and why, what we intend to do with it, how we hold it and for how long, and how you can amend it, change its use or gain access to it as necessary.
- Used For Specific Processing Purposes. Personal data is only used for the express purposes that were stated to you at the point that you supplied it.
- Processed Lawfully, Fairly and Transparently. We operate a clear and transparent approach to obtaining and processing data (without any hidden objective or motive) whilst being in compliance with the law at all times.
- Stored For No Longer Than Necessary and Securely. All personal data is held for the minimum amount of time to enable the stated processing purposes to be performed. Electronic and hard copies of personal data are only available to authorised employees to perform these tasks. All personal data is held securely requiring key access and/or electronic password access using industry standard software. Computer systems comply with our ICT security standards and consumer payment systems comply with the industry’s PCI DSS compliance standards. Backups of essential personal data will be completed at regular intervals with a copy retained in fireproof receptacles or held securely off site.
- Right to Access Or Amend Your Personal Data. You have the right, on written request (and without charge), to receive an electronic copy of the information we hold about you. You also have the right to demand that any inaccurate data be corrected and to apply any processing restrictions on it. Any of these rights can be exercised by contacting the appropriate Data Protection Contact (see above).
- The Right to Be Forgotten. A data subject has the right ‘to be forgotten’ at any time. This means that you have the right to have your information securely destroyed at any time unless another superior legal or contractual obligation takes precedence. If the data subject doesn’t request to be forgotten during the term advised at the time of initially supplying information then the retention expiry date will eventually be reached. On this retention expiry date information will be routinely deleted. Printed copies of any information will be confidentially shredded or, if in a larger volume, sent away for confidential disposal (using a commercial secure disposal service) and a certificate of destruction will be retained by the Data Protection Contacts (see above) as evidence on file.
Our Legal Basis for Collecting and Processing Personal Data
The type and amount of information we collect depends on why you are providing it. Data Protection sets out a number of different reasons for an organisation to legitimately collect and process data; we use the following methods:
- Explicit Consent – Where personal data is collected (e.g. when you sign up to receive a newsletter) in a non-contractual context, we prefer to provide clear information enabling you to sign up by ‘ticking’ a box in agreement, then collecting your personal data in a familiar way.
- Contractual – To enable us to book meeting facilities or accommodation we require your information to maintain contact to enable us to provide a service, process payment and for a period thereafter for tax and legal purposes. We collect this in a contractual form, providing clear information in a prominent position in booking processes and terms and conditions. Your agreement to this is recognised by your signature or online booking confirmation. This is also accompanied by an explicit consent ‘tick box’ next to a data collection statement, to make it clear what you are agreeing to.
What, How and Where We Collect Personal Data
We collect personal data when you provide it to us to subscribe to information services or book facilities (e.g. accommodation/a meeting room).
This is usually to enable us to maintain contact with you, so is typically in the form of name, address, telephone or email and if you are booking fee-based services this will include your payment information (e.g. credit and debit card details). We also retain this information to fulfil tax and legal requirements.
We collect personal data:
- Online when you visit our website, or a 3rd party accommodation provider’s website (e.g. booking.com) to book our accommodation or facilities.
- By telephone by calling to enquire or book accommodation, a meeting room or a group tour.
- In person, by completing a leaflet tear off slip in reception (e.g. to join our supporters group) or to enquire or book any of our facilities face-to-face.
- If you subscribe to join our quarterly newsletter. In the newsletter we send updates about The Bar Convent Living Heritage Centre, event promotions and pictures and occasionally discounted accommodation special offers.
- By donating to us, by completing a gift aid envelope or writing to us concerning a donation or legacy.
- For purchases in our Shop.
- To facilitate entrance into our Exhibition.
- Booking a ticket for an event.
- Posting content onto our social media sites.
- If you volunteer to help us, so we can arrange support and maintain contact.
- On CCTV. We use CCTV in the Centre for the safety/security of our visitors, staff members, and to protect our building.
Who Has Access To Your Information
Only trained staff members or volunteers process your personal information if the Centre is contacted and enquiries and bookings are taken directly.
In today’s growing online accommodation industry, many bookings are made via third parties (e.g. booking.com or Agoda) who sell accommodation on a commission or fee basis in partnership with an accommodation provider. In these circumstances, the accommodation seller usually holds the primary relationship with you and the Centre is a secondary processor of personal data. In this circumstance your booking information is securely forwarded by the third party to Enterprises who manage accommodation. These bookings are received securely and processed with exactly the same care as if the booking was taken directly as outlined in this policy. Only room availability data is reciprocally shared with these partners via secure third party software (Siteminder) to enable the accurate allocation of available rooms.
To facilitate the processing of secure donations, third party online payment services are used. The secure web page is provided by Dataware in partnership with Sage, Sage forward funds to Worldpay payment services who make the deposit into our bank account.
How We Keep Your Information Safe
Staff members are trained to be compliant with Data Protection guidelines by adopting the following procedures:
- We only confirm confidential personal data to data subjects after completing verification checks. We do not provide information to family members of the data subject without the data subject’s explicit (i.e. in writing) and verifiable consent.
- Staff members are very aware that fraud and deception methods are used in order to gain access to personal data and under certain circumstances may choose to send information directly to the contact that we hold on file.
- Personal data is only e-mailed if a secure network (e.g. encryption) is in place.
- Our online booking systems are professional industry standard software systems that use encryption solutions to protect your personal information and identity.
- Our staff members are trained to securely and respectfully process your data and keep it confidential at all times. All staff have confidentiality clauses in their contracts and would be subject to disciplinary procedures if any personal data was divulged whatsoever.
- If face-to-face, a staff member may suggest you continue your conversation in a private room (if discussing information of a sensitive nature) if in a public space.
- All personal data is kept securely, either locked away if paper based, or if computerised, behind industry standard password protected systems. We do not leave personal data on desks or in unlocked offices unattended.
Keeping Your Information Up To Date
We appreciate it if you let us know if your contact details change. Please contact the department that you originally supplied your personal data to, or if experiencing any difficulty, the Data Protection Contacts.
We are pleased to have supporters of all ages and regularly receive students on educational placements below the age of 16. Where appropriate we ask for consent from a parent or guardian to collect information about any relevant health or dietary issues which may be important for the well-being of a student on placement.
How Long We Keep Your Information
Our approach is to hold your information for as little time as possible; however, for contact and taxation reasons this is usually for as long as the relevant activity requires it. For example, for donations we have a statutory obligation to retain information for 6 years for tax purposes; however, we only retain personal data for accommodations for a year unless there is a repeat booking during that period.
Making A Complaint
If you are unhappy with the way in which we have processed or dealt with your information then please contact your Data Protection Contact who will seek to rectify your complaint immediately. You can also complain to the Information Commissioner’s Office on 0303 123 1113.