GDPR’s main concepts and principles are much the same as those under the Data Protection Act (DPA). The GDPR applies to any organisation that ‘processes’ personal data. Processing is so widely defined that it means doing virtually anything with personal data – collecting, using, sharing, storing, deleting etc. Personal data is, any data that enables someone to be identified. The main focus of this new legislation for organisations not to hold unnecessary information and to ensure that it is secure, preventing data breaches.
If you would like to know more, or have a subject data access request, please contact:
Deki Data Controller
45-47 Stokes Croft
Email: firstname.lastname@example.org (subject line: Data enquiry)
Phone: 0117 942 8970
Deki follow the eight principles of data protection set out by the Information Commissioners Office (ICO)
1. Personal data shall be processed fairly and lawfully and in a transparent way
Deki processes personal data where there is a reasonable purpose. This is where the individual is a Deki entrepreneur (and therefore part of a Deki loan group) a previous Deki lender, or has donated to Deki in the last six years. This is how long the HMRC require us to keep supporter information for Gift Aid purposes.
Processing is so widely defined that it means doing virtually anything with personal data – collecting, using, sharing, storing, deleting. We collect information when you register to subscribe to our Newsletter, or when you donate directly to Deki or through our sponsorship platform. We ensure that the data we collect is relevant, adequate and not excessive.
2. Personal data shall be obtained for specified and explicit and legitimate purposes.
This principle focuses on the legal right of any organisation for collecting, processing and storing your data. We ensure that we process your personal data in a reasonable way, only when we need to, in order to deliver our commitment to you as Deki donors and supporters.
Deki have applied the following to all data collected and processed. We have asked if you would:
Reasonably expect the processing? – Yes
Object to the processing? – No
Be significantly impacted by this data processing? – No
Be prevented from exercising your rights? – No
Find the data we are processing sensitive? – No
We process your data to follow out these day to day operations:
Deki donors and supporters
Record who has donated money to which Deki loan group.
Record donations that you have made, and when.
Record any emails you send us, to ensure we deliver the best possible customer care.
Record your contact details (email address, postal address and phone number), so that we can keep you informed about Deki’s operations that ensure your donation is delivered and managed. We will also keep you informed about fundraising required to fund Deki operations and your sponsored Deki loan group.
Record your age, to ensure that you are 18 years old or over.
Record your Gift Aid status for HMRC Gift Aid claims. We are required to hold this information for 6 years after the financial year you donate in.
Record personal details recorded in the loan agreement between Deki’s field partners and the entrepreneurs to ensure good loan management.
Record information about the individual that assesses if the individual is living below the poverty line.
Record information about the individual, their savings group and the business they want to set up, so that we can write the profile for the Deki website.
Record loans funded for Deki entrepreneurs.
Record repayments collected from Deki entrepreneurs.
Deki will always ensure there is a purpose for collecting, processing and storing data. We will only collect data that is necessary and reasonable.
3. Personal data shall be adequate for their intended use and kept to a minimum.
Deki does not and will not record sensitive data. Sensitive personal data includes special categories which include genetic data, and biometric data. We do not collect, process or store data for minors.
We only collect personal data which is needed to manage the sponsorship process and to thank people for donations. We ask you for the minimum amount of information needed. This is your name, email address, postal address, phone number, age and gift aid status.
We do not ask you for your bank details. We use third party applications PayPal, GoCardless, Stripe and Crowdfunder to process payments. These are all applications that you can use to donate to other charities, or use for online payments. They have their own privacy statements and protect your payment information.
We store your data securely on the Deki website, which shares data with Mailchimp, the email service provider we use and Donation Manager which we use to process all Gift Aid claims.
4. Personal data shall be accurate and kept up to date.
We will do our best to ensure that your data is kept up to date and is accurate. We will contact you to ask you to confirm your contact details from time to time. You can update your details by logging into your Deki account.
5. Personal data shall not be kept for longer than is necessary.
We only keep your data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
By law, we are required to keep basic information about our customers, for six years after they cease being supporters for Gift Aid purposes.
We will retain Deki entrepreneur information for a period defined by each field partner, that is appropriate for their countries’ laws.
6. Your legal rights.
When it comes to your personal data, you have the following rights to:
1. Request access to your personal data
2. Request correction of your personal data
3. Request erasure of your personal data
If you wish to exercise any of these rights, please contact us at email@example.com. Your request will be carried out within a month of receiving your email.
We may charge a reasonable fee if your request is excessive. We are a small charity with limited resources and may have to refuse your request in these circumstances. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO, so please contact us in the first instance.
7. Personal data shall be processed in a manner that ensures the security of the personal data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We restrict access to your personal data and it can only be processed with our permission and with a duty of confidentiality.
We have in place, sufficient procedures to deal with any suspected personal data breach and will notify you at the earliest opportunity and any applicable regulator of a breach where we are legally required to do so.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
We process and store information on servers located in Europe and the United States. Microsoft, Mailchimp and Donation Manager all provide appropriate security measures to protect your personal data.