How Virgin Money Giving holds and uses information about you.
This notice explains how Virgin Money Giving holds and uses your personal information when you are registered as an account holder for the charity you represent.
By "information" we mean all of the personal and financial information about you that we collect, use, share and store. We collect information about you when you register with us on behalf of your charity. We may also collect information when you voluntarily contact us by email, telephone or social media networks, complete customer surveys or participate in competitions or other public sources. It can include but isn’t limited to:
- Information about you and the charity you represent and your identification (e.g. your name, date of birth, home address, contact details, residence and copies of identification documents (such as a passport or driving licence)).
- Unique identifiers and reference numbers that we or others have allocated to you (e.g. passport or driving licence numbers and online usernames).
- Your financial and payment information, including where relevant, details of your income, bank details and transactions with us and other organisations.
Data Protection law requires us to have one or more of the following reasons for using your information:
1. "Contract" – where the information is needed to administer and provide the online fundraising service we provide.
2. "Legal obligation" – where we are required by law to process your information, e.g. to verify your identity.
3. "Legitimate interest" – in some cases we're allowed to use your information where, on balance, the benefits of us doing so are legitimate and not outweighed by your interests or legal rights e.g. for our own management analysis and reporting purposes.
These are the main ways we'll use your personal information (and the reasons for doing so):
We use the information about you to fulfil our obligations to your charity under the terms of our agreement, to promote the aims of your charity, encourage and enable online fundraising and to collect and administer donations. We use the information about you to provide you with secure access to restricted parts of our website specifically for our charity customers, to administer your account, and to personalise your repeat visits to our website and content you see from us on social media networks. We may send you service emails to help you administer your account or to tell you and your charity about changes to our service. (Contract)
Whilst you're a registered with us, we will use your information to send your emails and reach you with content on social networking sites, all designed with the sole purpose to help you and your charity get the most out of the membership you have with us, but you can opt out of these at any time. However, if you do, you and your charity will miss out on important fundraising tips, alerts, reminders and any rewards we provide from time to time to our members, as well as these communications. (Contract)
To combat the threats posed to our society by terrorism and money-laundering and to avoid losses caused by financial crime such as fraud. We may use information about you (including information about criminal proceedings) for the purpose of preventing, detecting and prosecuting financial crime and the funding of terrorism. (Legal obligation/Legitimate interest). This may include collecting information that the law regards as being in a special category because of its sensitivity to you (including, racial or ethnic origin, religious or philosophical beliefs, trade union membership) and/or information about criminal convictions and offences. We will only use this kind of information where the processing is in the in the public interest and for the following purposes:
- Prevention or detection unlawful acts;
- Protecting the public against dishonesty;
- Regulatory requirements;
- Preventing fraud; and/or
- Suspicion of terrorist financing or money laundering.
To run our business in a correct and commercially sensible way and to comply with our legal and regulatory responsibilities, we may use the information about you to help us do this, e.g. to analyse the performance of our marketing, products and any trends or behaviours. (Legitimate interest)
We may also use the information about you to help us develop and test our systems (including new technologies and services) to ensure that they are safe and will work in the ways in which we expect them to. When we do this we'll use processes and technologies that are designed to keep this information secure. (Legitimate interest)
We may need to transfer your information outside the UK and the EEA to other Group companies, service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the UK and the EEA, such as the USA. In these cases we’ll take all reasonable steps necessary to make sure your information is protected to UK standards. This may be through only allowing transfers to countries which the EU Commission has decided ensures an adequate level of protection for your information (an "adequacy decision"), or we have put in place our own measures to ensure adequate security as required by data protection law.
These measures include having recognised safeguards in place with our commercial partners, such as carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators such as the EU style model clauses or where our commercial partner is a signatory to a recognised and binding code of conduct. You can find out more information about standard contractual clauses as detailed by the ICO. Visit their website at ico.org.uk and search for 'International Transfers'.
To find out more about any particular uses of information in countries outside the EEA, the existence of an “adequacy decision” for that country or the safeguards we have put in place, please contact our DPO.
The United Kingdom left the European Union on 31 January 2020 and so we will need to transfer your personal information to the UK and to other jurisdictions outside of the European Economic Area so that you can continue to use our products and services. Transfers of your personal data from the EU to the UK will proceed on the basis of an Adequacy Decision by the European Commission in favour of the UK or on the basis of adequate protections which comply with EU GDPR and we will need to continue to comply with EU GDPR in relation to how we process your personal data. In particular, we will continue to keep your data secure.
Should you wish to contact us with any questions you have on how we use your information or about your data rights and our obligations as a Data Controller, you can contact our EU representative The Data Warehouse by post at Keizersgracht 482, 1017EG, Amsterdam, Netherlands or by email at firstname.lastname@example.org. You can also contact our Data Protection Officer by email at CYBG.email@example.com or by post at Group Data Protection Officer, Group Risk, Level 3, 51 West George Street, Glasgow, UK, G2 2JJ.
You have the right to access the information we hold about you, ask us to rectify any of that information, erase it, restrict or object in whole or part to the processing of it and ask us to make the information we hold about you portable. If you want to exercise any of these rights, please send an email to firstname.lastname@example.org
We'll retain information for no longer than is necessary and this will mean that we'll continue to hold some information for a period of time after our relationship has ended. This is to comply with our legal and regulatory obligations to keep records of our relationship, to resolve disputes or where it may be needed for future legal proceedings.
If for whatever reason you are unhappy with any way we are using your personal data you should contact us in the first instance so that we can understand your issue and try and resolve it. We may ask our Data Protection Officer to look at your situation. You can contact our Data Protection Officer by email at CYBG.email@example.com or by post at Group Data Protection Officer, Group Risk, Level 3, 51 West George Street, Glasgow G2 2JJ.
If we can't resolve the issue you have the right to complain to the Information Commissioners Office (ICO). The ICO is the UK's independent body set up to uphold information rights. For further information visit ico.org.uk