Policy on processing personal data and privacy
Introduction
This document sets out the Grand Priory of England’s Privacy Policy. The Grand Priory is committed to safeguarding the privacy of its members and associates, and will only use the information it collects about you lawfully. You should check this page from time to time to ensure that you are happy with any changes.
This policy is for our members, other individuals whose personal data we collect from members, individuals who contribute to the Grand Priory, apply for grants, attend our events, hire our facilities, or supply us with services. It explains:
What types of personal data we collect about you, why we collect it, who it is shared with, and how long we keep it;
how we use your personal data;
how we protect your personal data; and
your legal rights in respect of your personal data, including how to access and update the information we hold about you.
For the purposes of the applicable laws and this policy, the Grand Priory of Blessed Adrian Fortescue of the Order of Malta Trust is the controller of the data, i.e. the primary entity that decides the purposes and means for dealing with your data. The Grand Priory of Blessed Adrian Fortescue of the Order of Malta Trust is a charity limited by guarantee and registered as a charity in England and Wales under charity number 1166645. It has a registered address at 67 Castletown Road London W14 9HG. References to “we”, “us”, or “the Grand Priory” in this document are references to The Grand Priory of Blessed Adrian Fortescue of the Order of Malta Trust.
If you have any queries relating to this policy (including any requests to exercise your legal rights in respect of your data), you can contact us at mc@gpesmom.org.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Information we collect about you
Personal information we may collect directly from you (as applicable)
Names;
Postal address(es);
Email address(es);
Mobile and landline telephone numbers;
Date of birth;
Date of membership of the Order and any promotions within it;
Where you have provided them to us, details of your bank account, including account number, sort code, and branch address;
Personal information provided to us if you contact us or make an enquiry, such as your contact details in our records of that correspondence;
Records of which of our events you are interested in and which events you attend;
If you supply further information it may be retained, such as if applying for a grant from or role within the organisation;
Records of decisions and records of meetings may include your name and other information about you;
Contact details of suppliers of products or services.
We will let you know at the point of collecting your information whether this is optional, or whether it is necessary for you to provide this information to meet certain statutory or contractual requirements. If the latter and you do not wish to provide us with this information, this may limit the services we are able to provide you.
If the data we hold about you is inaccurate in any way, please contact us to have your personal information corrected.
Why do we collect your personal information and on what grounds?
We will only use your personal data if we have a permitted lawful basis to do so. Generally, we collect your personal data because it is necessary for:
If you are a member of the Grand Priory, providing the benefits of membership;
Providing you with information about the Grand Priory, the Order, and its other organs, subsidiaries, and associated organisations, including their operations and events;
For handling queries, applications or complaints;
To support and manage our events;
For the administration and advancement of the Grand Priory and the achievement of its charitable aims;
Protecting the Grand Priory and our members by taking appropriate legal action against third parties who have committed criminal acts or are in breach of legal obligations to the Grand Priory;
To effectively handle any legal claims or regulatory enforcement actions taken against the Grand Priory;
To generally run our website, social media, and for internal operations, in order to provide you with an up to date, efficient and reliable service;
Making important communications about your membership;
Maintaining our membership database
You have the right to withdraw your consent to these activities at any time, which will mean (unless another lawful basis applies to your data) that we will cease to process the affected data after consent is withdrawn. However, please note this may result in us being unable to provide you with certain services.
We also use your data to comply with our legal obligations, namely:
To help prevent fraudulent activity;
To comply with our legal and regulatory obligations (including under data protection laws);
For preventing, investigating, and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies;
To fulfil our duties to our members, associates, colleagues, and other stakeholders.
Where you choose not to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, when you apply to become a member, attend an event or to use our services). In this case, we may not be able to accept your application for membership or to provide you with services, but we will notify you if this is the case at the time.
Who do we share your information with?
Your personal data is primarily only used within the Grand Priory. However, in certain limited circumstances we may share your information with other third parties particularly where that is necessary to provide our services to you. These include:
Other organs of the Order of Malta where necessary to provide the benefits of membership of the Order;
Our suppliers and contractors where necessary to provide services to us, including the providers of payment, marketing, IT and event management services supporting events;
Third parties to whom we may be required to disclose such personal data in order to comply with our legal obligations or enforce our legal rights, e.g. any relevant authority or enforcement body and fraud protection.
We will not sell or pass your personal data to any commercial organisation.
Transfer of personal data outside the EEA
Personal data will only be transferred outside the EEA (European Economic Area) for specific events. Where this is the case and we are responsible for making such transfer, we will ensure that these are made subject to appropriate safeguards as required by applicable data protection laws, to ensure that a similar degree of protection is afforded to your personal data.
Sensitive Personal Data.
We may collect Special Categories of Personal Data in relation to purposes (a), (c) and (f) set out above, which may include information relating to religious or philosophical beliefs, and personal life. We will not collect any such information without your express prior consent. We may also, where necessary for safeguarding purposes, collect information about criminal convictions and offences. This may include requiring members to undertake a disclosure and barring service check before participating in activities involving vulnerable persons.
Retention of Personal Data.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In respect of data held in relation to members of the Order, we will retain this personal data while a person is a member of the Order of Malta. Upon leaving or death the Grand Priory will continue to hold relevant details to support the Grand Priory’s historical records.
Data Subject’s Rights.
In certain circumstances you have rights under data protection laws in relation to the personal data we hold about you. These are summarised below:
Right of Access. You are entitled to access your personal data so that you are aware of and can verify the lawfulness of the processing. This is achieved through the mechanism of a Subject Access Request (SAR) and you have the right to obtain:
Confirmation that your data is being processed (held);
Access to your personal data (copy); and
Other supplementary information that corresponds to the information in this Privacy Notice
Fees and Timings. This information will be provided without charge, without delay and within one month. If an extension is required or requests are considered manifestly unfounded or excessive, in particular because they are repetitive, the Grand Priory may choose to charge a reasonable fee taking into account the administrative costs of providing the information or refuse to respond. The reasons will be formally notified to you and your rights of appeal to the appropriate Supervisory Authority, i.e. the UK Information Commissioner’s Office (ICO), will be highlighted.
Identity Verification. To protect your personal data, the Grand Priory will seek to verify your identity before releasing any information, which will normally be in electronic format. This will normally be a simple process. However, if the SAR comes from a member living overseas, or a former member, or a relative of a deceased member, then additional verification steps are likely.
Right of Rectification. You are entitled to have personal data rectified or corrected if it is inaccurate or incomplete. The Grand Priory will respond within one month of your request. In the unlikely event that the rectification does not take place, the Grand Priory will inform you of your rights to complain or seek judicial remedy.
Right of Erasure. You may request the deletion or removal of personal data where there is no compelling reason for its continued processing. The Right to Erasure does not provide an absolute ‘right to be forgotten’. However, you do have a right to have personal data erased and to prevent processing in specific circumstances:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
When you withdraw consent;
When you object to the processing and there is no overriding legitimate reason for continuing the processing;
The personal data was unlawfully processed;
The personal data has to be erased in order to comply with a legal obligation.
Right to Restrict Processing. Under the Act, you have a right to ‘block’ or suppress processing of personal data. The restriction of processing under GDPR is similar. When processing is restricted, the Grand Priory is permitted to store the personal data, but not process it further. In this event, exactly what is held and why will be explained to you.
Right to Data Portability. You may ask to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The Right to Data Portability only applies:
To personal data you have supplied to the Grand Priory;
Where the processing is based upon your consent or for the performance of a contract; and
When processing is carried out by automated means.
In these circumstances, the Grand Priory will provide you with a copy of your data in CSV or PDF format (password protected) free of charge, without delay and within one month. If there is going to be a delay you will be informed.
Right to Object. You have the right to object to:
Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
Direct marketing (including profiling) and
Processing for purposes of scientific/historical research and statistics
Security of your data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know for one of the purposes set out above. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Third party links on our site
Our website may, from time to time, contain links to and from the websites of our affiliates, suppliers and social media pages. If you follow a link to any of these websites, please note that websites have their own privacy policies and that we are not in control of, and do not accept any responsibility or liability for these policies or any third-party website linked to our site. Please check these policies before you submit any personal information through these websites.