Personal Data Protection Policy
GDPR, the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018 come into force on 25 May 2018. For more information on the please the link below:
Source: Office of the Information Commissioner - Jersey
“consent” (of the Data Subject)
Any freely given, specific, informed and unambiguous indication of his or her wishes by which the Data Subject, either by a statement or by a clear affirmative action, signifies agreement to Personal Data relating to them being processed.
The natural or legal person […] or any other body which […] determines the purposes and means of the processing of Personal Data.
JRD is considered a Data Controller.
A natural or legal person […] or any other body which processes Personal Data on behalf of the Data Controller.
JRD is considered a Data Processor.
The natural person to whom the Personal Data relates.
General Data Protection Regulation (EU Regulation 2016/679), as amended or revised from time to time.
A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Jersey Rescue Dogs, is an unincorporated association registered with the Association of Jersey Charities (Membership Number: AJC334).
JRD’s main objectives are the rescuing and rehoming of dogs in England, Ireland and the Channel Islands.
Any information relating to an identified or identifiable natural person.
“Personal Data Breach”
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data […]
“Personal Data Register”
A register containing details of the processing of Personal Data as further described in section 4 of this Policy and included Appendix A.
Jersey Rescue Dogs – Personal Data Protection Policy
“Privacy Impact Assessment”
A data protection impact assessment as further described in the GDPR.
Privacy notices are used to informa Data Subjects about the nature and extent of the processing of their Personal Data.
Any operation […] performed upon Personal Data […], whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“special categories of data”
Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Note that although not directly covered by GDPR, data relating to criminal offences and convictions will generally be treated as if it is a special category of data.
Compliance with GDPR
Below are the core principles of GDPR:
Source: Mthree (April 2017): https://www.mthreeconsulting.com/blog/2017/04/the-6-privacy-principles-of-gdpr
Personal Data should be:
processed lawfully, fairly and in a transparent manner in relation to individuals;
JRD maintains appropriate policies and procedures for collecting and processing Personal Data;
JRD maintains a Personal Data Register that sets out the Personal Data for which it is Data Controller/Processor and confirms there is a lawful basis for processing this data and it is being processed fairly;
Privacy Impact Assessments are conducted when new types of Personal Data or new methods of processing Personal Data are being evaluated by JRD;
Where required, compliant Privacy Notices are issued to Data Subjects;
Policies and processes are in place for responding to Data Subjects’ requests to view, correct or delete their data;
JRD has adequate processes in place for the destruction or anonymisation of Personal Data when they are no longer required (for legal or business reasons)
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed;
processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data Storage and Security
Personal Data should be stored in compliance with the Data Protection Principles set out above in section 3.
JRD will or will require that its delegates will take appropriate technical and organisational security measures, taking into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, or stored.
In the course of the JRD’s business, the JRD may collect and process the Personal Data set out in the Personal Data Register in Appendix A. This may include data that JRD receives directly from a Data Subject (for example, by completing forms or by corresponding with JRD by mail, phone, email or otherwise) and data that JRD receives from other sources.
JRD will only process Personal Data for the specific purposes set out in Appendix A or for any other purposes specifically permitted by the GDPR.
If it is to be processed in any other way or for any other purpose, JRD will evaluate whether this is compatible with the information provided to Data Subjects (e.g. Privacy Notices) or, if applicable, consent received from Data Subjects, and with any Privacy Impact Assessments that have been performed or may be required.
JRD will take (or require its service providers to take) reasonable steps to ensure that Personal Data JRD holds are accurate and kept up-to-date. JRD will take (or require its service providers to take) reasonable steps to check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. JRD will take (or require its service providers to take) all reasonable steps to amend or destroy inaccurate or out-of-date Personal Data.
JRD will ask for consent for storing Personal Data and consent to its use (please see section 6). For example, JRD will only contact a Data Subject about our fundraising activities if we have an accurate record of your recent and freely given consent to do so.
You can withdraw your consent at any time by emailing firstname.lastname@example.org.
There are times when it is not practical to obtain and record consent. At those times, we will only process personal information if that processing would meet another legal or business reason legal in which case we would only process in accordance with GDPR, the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018
Privacy Notices are used to inform Data Subjects about the nature and extent of the processing of their Personal Data. JRD’s Privacy Notice is in Appendix B
If the Personal Data is obtained directly from the Data Subject, Privacy Notices will be provided at the time the data is obtained.
If the Personal Data is not obtained directly from the Data Subject, Privacy Notices will be provided:
Always within a reasonable period of having obtained the data (and, in any event, within one month);
If the data are used to communicate with the individual, at the latest, when the first communication takes place; or
If disclosure to another recipient is envisaged, at the latest before the data are disclosed.
Privacy Notices will be provided clearly and separately from any other information provided to the Data Subject (in practice, typically this means the Privacy Notice will be a separate document rather than integrated into Disclaimers, Terms and Conditions etc.).
Where the JRD intends to process the Personal Data for a further purpose, other than that for which the Personal Data were collected, JRD will provide the Data Subject prior to that further processing with information on that purpose.
Personal Data destruction or anonymisation
Personal Data will be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed. In practice, this means the data must be destroyed or anonymised when either:
JRD has no legal basis to keep them; or
JRD has neither a business requirement nor a legal requirement to keep them.
JRD will only share Personal Data where necessary and the Data Subject is aware. For example with another charity in relation to a dog they are helping. JRD will not share Personal Data for marketing purposes
Where a Personal Data Breach involving Personal Data has occurred:
JRD will keep records of all Personal Data Breaches (facts, effects and remedial action); and
JRD will determine as soon as possible (generally within 24 hours) whether or not the breach is unlikely to result in any harm to Data Subjects, and therefore whether or not there is a need to notify the relevant supervisory authority within 72 hours.
If a notification is made it must contain:
a description of the breach, including approximate number of Data Subjects affected and categories of data;
the name and contact details of the relevant point of contact at JRD;
the likely consequences of the breach; and
any measures taken to remedy or mitigate the breach.
Note that in situations where JRD is the Data Controller, and a breach has occurred at a Data Processor, JRD is required to be informed of the breach by the Data Processor without undue delay and the process above must still be applied.
Where the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the Directors shall communicate the Personal Data Breach to the Data Subject without undue delay.
To discuss the Policy, Personal Data Register and Privacy Notice further or to request a different delivery format please contact email@example.com.
Updates to this policy and the Privacy Notice will be made available at www.jerseyrescuedogs.com
Personal Data Register
Type of personal data
Categories of data subject (noted that an individual can be more than one data subject)
Types of processing
Purpose of processing
Categories of receipien to whom personal data is transferred
Name, gender, date of birth, age, address, phone number, email, address and other contact details, bank account details, documentation to verify identity,
Member, Adopter, Fosterer, Volunteer, other charitable cause
Collecting, reviewing, verifying, storing and communicating data
Contacting, settling payments.
12 months after the relationship with the person ceases ie. the lifetime or time a dog is in the care of the person
Name, gender, address, phone number, email, address and other contact details, bank account details, documentation to verify identity,
Collecting, reviewing, verifying, storing
Contacting, settling payments.
12 months after the relationship with the person ceases ie. the last invoice
Name, gender, address, phone number, email, address and other contact details, bank account details, documentation to verify identity
Collecting, reviewing, verifying, storing
Contacting, settling payments.
12 months after the relationship with the person ceases ie. the last invoice
JERSEY RESCUE DOGS PRIVACY NOTICE
This Privacy Notice (the “Notice”) explains how Jersey Rescue Dogs (“JRD”) process your personal data and your rights in relation to the personal data they hold in connection with JRD.
JRD is both a data controller and data processor of your personal data. Reference to "us" and "we" are references to JRD.
This Notice is effective on 25 May 2018 and supersedes any previous privacy notice or similar terms provided by, or on behalf of, the JRD in connection with the JRD.
Your rights under the Data Protection Legislation
From 25 May 2018 you will have the following rights:
To obtain access to, and copies of, the personal data we hold about you;
To require that we cease processing your personal data if the processing is causing you damage or distress;
To require us not to send you marketing communications;
To require us to erase your personal data;
To require us to restrict our data processing activities in relation to your personal data;
To receive from us the personal data we hold about you, which you have provided to us, in a reasonable format specified by you, including for the purpose of transmitting that personal data to another data controller; and
To require us to correct the personal data we hold about you if it is incorrect.
Please note that the above rights are not absolute, and requests may be refused where exceptions apply.
If you have any questions about these rights or how your personal data is used by us, please contact us at firstname.lastname@example.org.
If you are not satisfied with how your personal data is used by JRD you can make a complaint to the JRD’s local data protection regulator.
How your personal data is collected
JRD collect your personal data in the following ways:
From application forms submitted by you in relation to JRD;
From meetings, correspondence or other communications you have with JRD or delegates of JRD;
From publicly available sources or from other applicable third parties.
From the membership application form submitted by you in relation to JRD
The categories of personal data collected
The following categories of personal data about you may be collected by JRD:
Name, and contact information such as residential address, email address and telephone number;
Identification information such as date of birth, passport and driver's licence data, tax ID, social security number or government issued identification documentation;
Copies of identity documents (such as a passport) and proof of address (such as utility bills);
Biographical information and information about your background including occupation; and/or
Information relating to your financial situation such as banking information including your bank details.
Why and how we process your personal data and whom it is shared with
(i) Performance of a Contract with you
Your personal data will be processed by the JRD for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
In this respect, your personal data is used for the following:
In this respect, personal data will be shared with the following:
(ii) Legitimate Interests
Your personal data will also be processed because it is necessary for JRD’s legitimate interests or the legitimate interests of a third party.
In this respect, personal data will be used for the following:
Data Analysis: In order to communicate with you more effectively, better understand your preferences and ability to support our work, we may analyse your data. We like to find out about your personal motivation for supporting Jersey Rescue Dogs and your experiences as a supporter. This helps us to give you the information about products and services most relevant to you. In some instances, we may carry out research and/or analysis of the personal information that you have provided to us and add publicly available information (such as public records or social media) to help us tailor our communications to you,
In this respect your personal data may be shared with the following:
(iii) Legal Obligations
Your personal data will also be processed by JRD compliance with legal obligations.
In this respect, your personal data will be used to meet compliance and regulatory obligations,
In this respect, your personal data will be shared with the following:
Further details of any third party processors are available from JRD on request from email@example.com.
JRD may send you information about other potential charitable causes.
If you object to receiving marketing from JRD at any time, you should contact JRD at firstname.lastname@example.org.
If you object to JRD sharing your data in this way, you should contact JRD at email@example.com.
International transfers of data
When sharing your personal data with third parties as set out in this Notice, some of those third parties may be located outside the European Economic Area (EEA). In these circumstances, your personal data will only be transferred on one of the following bases:
The transfer is to a recipient in a country or territory approved by the European Commission as providing an adequate level of protection for personal data;
The transfer is to a recipient that has entered into European Commission standard contractual clauses with us;
The transfer is to a recipient in the United States of America who has registered under the EU/US Privacy Shield; or
You have explicitly consented to the transfer.
Retention of your data
JRD will retain your personal data relating to JRD for a period of 12 months following the date on which your relationship with JRD ceases.
However, if required JRD will retain such of your personal data as is necessary, and for such reasonable additional period.
Please indicate whether you consent to the Notice by completing the details below.
Please note that if you do not consent to some or all of these processing activities, as listed above, then we may not be able to engage with you.
You may also withdraw your consent at any time. If you wish to do so please contact us at firstname.lastname@example.org.