Last Updated: 17th July 2023
1. Who we are?
The Sustainable Food Trust (“SFT”) are a limited company registered in England and Wales under registration number 7577102 with a registered office at 38 Richmond Street, Totterdown, Bristol, BS3 4TQ. The Sustainable Food Trust are the ‘Data Controller’ of any personal information we collect about you.
The SFT is a charity (registration number 1148645) and what we do can be found on our website.
We must process personal data (this may at times also include sensitive personal data) so that we can provide our services, in doing so, the Sustainable Food Trust acts as a data controller.
The Sustainable Food Trust will process your personal information in accordance with all applicable laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
2. What is Personal Data?
The term “Personal Data” means any information relating to you that identifies you, or through which you can be identified, directly or indirectly. In particular, by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
3. The purpose of this Privacy Notice
The purpose of this Privacy Notice is to let you know how we process your Personal Data when you visit our website or share information with us as a participant in one of our projects. This Privacy Notice therefore explains what Personal Data we collect from you and how we collect, use, store and disclose it when you use our website. This Privacy Notice also contains information about your rights under applicable data protection legislation.
We are committed to compliance with data protection laws. We believe that ensuring data protection compliance is the foundation of trustworthy business relationships.
It is important that you read this Privacy Notice together with any other Privacy Notice we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.
4. How do we use your personal data?
In order to carry out our work and to reach the charity’s objectives, we collect personal information about our donors, volunteers, supporters and service providers. For example, we may obtain information about you when you enquire to receive information about our services.
This data includes, but is not limited to:
Identity Data – includes first name, last name, username or similar identifier, and date of birth.
Contact Data – includes email address and telephone numbers, and mailing address.
Technical Data – includes internet protocol (IP) address, unique Cookie ID, Device ID, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Service.
Usage Data – includes information about how you use our site.
Situations where we collect data, but not limited to:
If you have donated with us or make an ongoing donation, we may have records of previous support and donations.
If you attend our events, we may have records of event bookings, including volunteers and supporters, we may hold an image of you in a photo or video to use on our website or in other fundraising and marketing materials to promote the charity.
A photo will be necessary for staff and volunteers to be used for DBS and right to work checks.
Your bank or credit card details if you make a purchase or if you donate to us. Your card information is not held by us, it is collected by our third-party payment processors, who specialise in securing your information and processing of debit/credit card transactions.
Any other personal information that may be shared with us and information to assist us in providing our services.
We collect no Sensitive personal data from external data subjects, also referred to as Special Category Personal Data, which is defined as data that needs more protection due to its sensitive nature.
We will only use your Personal Data for the purpose we collected it and in accordance with the law. We will not use your Personal Data for any other purpose without your prior consent. The only exception to this is if it is required or permitted by law, such as where it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the enforcement of civil law matters.
5. We may share your personal data as follows:
We may share your personal data with third parties where you have provided your consent for us to do so.
We may share your personal data with our third-party service providers who provide services such as payment processing, information technology, data analytics and related infrastructure provision.
These third parties are:
123 reg – who provide our email and web hosting service.
Mailchimp – where our subscriber lists, and email templates are stored.
Marketcircle Inc. trading as Daylite – CRM system we use for storing business contacts and tracking the history of our relationships.
Paypal – for receiving individual donations.
Quickbooks – where all our financial activity and processing takes place.
They are only permitted to use your personal data to the extent necessary to enable them to provide their services to us and are required to follow our express instructions and to comply with appropriate security measures to protect your personal data.
When we are required to share your data with third parties on the basis that we are jointly undertaking the provision of a service to you. If and when we sell or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
We have performed a third-party supplier assessment on all our suppliers and have identified a low risk for these organisations. Such decisions are assessed on a regular basis and our findings are kept for record purposes.
We may share personal data as we believe necessary or appropriate to comply with applicable laws; to comply with lawful requests and legal process, including to respond to requests from public and government authorities to meet national security or law enforcement requirements; to enforce our Policy; and to protect our rights, privacy, safety or property, and/or that of you or others.
6. How do we collect your Personal Data?
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- Where we need to perform the contract that we are about to enter or have entered into with you. Such as the provision of services or applying for a job.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes using your details to send you a monthly newsletter about our work and farming issues or you are contracting for the provisions of good and services.
- Where we need to comply with a legal or regulatory obligation. Such as our obligations to collect personal data in relation to HMRC in employment circumstances.
- Where you have provided your consent to such use. An example of this would be where you join the Global Farm Metrics project.
To do this please follow the link at the end of the newsletter which says ‘Update subscription preferences’. If you wish to unsubscribe from a mailing list or newsletter which you have signed up to via our website, you can click the unsubscribe button at the bottom of the email or you can get in contact with us any time and we can do this for you.
Information you give to us
This includes personal data:
- You provide when you register to receive emails, through our website(s).
- You provide when you correspond with us by phone, email or otherwise.
- You provide when signing up to an event, such as your name, contact details, and organisation.
- Any data that may be contained in a video, photograph, comment, a job, or volunteering opportunity, news article, or other content or submission you post to our website, send via email or social media.
- Any data that may be contained in a video, photograph, or other media, taken by an SFT member of staff, for example at one of our events (this will only ever be shared with your consent).
7. Our Legal Bases for processing your Personal Data
The UK GDPR, (Our Global standard of compliance) requires that a Controller must have a legal basis for processing Personal Data.
Specific and informed Consent
Where you have provided your consent to use your personal information for a certain purpose, for example:
- If you fill in one of our consent forms.
- To send you email communications.
- To use a photo or video to promote our charitable purposes.
Where it is necessary to achieve our and others’ objectives as a charity with good reason if we can demonstrate that the use is fair and with your reasonable expectations. This might include but is not limited to:
- To send you communications through the post which we believe might be of interest to you.
- To personalise, enhance, modify and improve our services and communications to you to benefit our customers.
- To understand how people interact with our website, the effectiveness of our services, our promotional marketing campaigns and our advertising.
Whenever we use Legitimate Interest to process data, we perform a Legitimate Interest Balancing Assessment (LIA) to enable us to consider any potential impact on you (both positive and negative), and your rights under data protection laws. Your information will not be processed if our interests as a charity override your fundamental rights and freedoms according to the law.
We will use this condition to process personal information where we are required by law, such as to process information about employees.
Performance of a contract
Where we are entering into a contract with you, for example where you may purchase a ticket and attended an event we have organised.
Where it is necessary to protect your life or your health. An example would be in the case of a medical emergency by an individual attending one of our events.
We may use your Consent or our Legitimate Interest to send you fundraising or marketing communications by post. If you prefer not to hear from us this way, please get in contact and let us know by any of the contact details listed in the ‘Your Choices’ section below.
If you have provided us with your telephone number or email address, for example, when you contacted us directly and expressed interest in our charity, we may get in contact with you via phone, email, or text to provide you with further information about our services. If the nature of your enquiry relates to marketing or fundraising, we will ask for your consent to continue to process your data.
8. Fundraising and Marketing Communications
We will only send you fundraising and marketing communications by email, text and telephone if you have explicitly provided your consent. You may opt-out of our fundraising and marketing communications at any time by clicking the unsubscribe link at the end of our marketing emails. Alternatively, you can get in touch via any of the contact details listed in the ‘Your Choices’ section below. Your contact details may be used to provide you with information about our newsletter or our fundraising opportunities to support us, or other marketing campaigns.
When you give us consent to receive marketing and fundraising communications, we will monitor consent and ensure that you still wish to receive such communications by occasionally reaffirming your consent with us. Our approach is designed to uphold your privacy and information rights, to respect your choices, and to ensure we are not intrusive.
Collecting your email address to store on Mail Chimp
We use a company called WordPress for our website. WordPress is a content management system (CMS) that allows you to host and build websites. WordPress contains plugin architecture and a template system; this enables the organisation to customise the website to fit its needs. A WordPress plugin is a piece of software that “plugs into” the organisations WordPress site. Plugins adds new features to websites and extends functionality. We use a plug in which enables us to collect email addresses from our website and store them on Mail Chimp.
We respect and value your choices. You have a choice whether or not you wish to receive information from us, and we are committed to putting you in control of your data. You are free to change your fundraising and marketing preferences at any time, including if you do not want to receive further contact regarding fundraising and marketing purposes. Please contact us and we will be sure to amend your preferences:
Email us: firstname.lastname@example.org
Telephone us: +44 (0) 117 987 1467
Write to us: 38 Richmond Street, Totterdown, Bristol, BS3 4TQ
9. How long we will keep your Personal Data
We will only keep your Personal Data for as long as is necessary to fulfil the purposes we collected it for, which may include satisfying any legal, accounting, or reporting requirements, for example, we may keep employment information for 6 years as our legal obligation. The retention period depends on the type of Personal Data and the reason we are processing it. Further details of retention periods are set out in the Schedule of Processing which can be found at the end of this document.
When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using these criteria, we regularly review the Personal Data which we hold and the purposes for which it is held and processed.
When we determine that Personal Data can no longer be retained (or where we must comply you request us to delete your data in accordance with your right to do so) we ensure that this data is securely deleted or destroyed.
10. Security of your Personal Data
To protect your Personal Data, we put in place appropriate organisational and technical security measures. These measures include ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.
In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any applicable authority of such a breach.
Although we use appropriate security measures once we have received your Personal Data, you will appreciate that the transmission of data over the internet (including by email) is never completely secure. We endeavour to protect Personal Data, but we cannot guarantee the security of data transmitted to or by us.
11. Location of your data
Information is stored on our secure servers in the UK and we have implemented the appropriate measures to protect it from improper access, destruction, tampering and loss. Data held by the SFT is accessible to all our staff members and contractors so that we can provide thorough and personalised support. The SFT has an internal data protection policy which requires staff and contractors to not share information (other than on the third-party sites listed above) unless required to do so by law.
12. Your Rights
You have rights under the data protection legislation and, subject to certain legal exemptions, we must comply when you inform us that you wish to exercise these rights. There is no charge, unless your requests are manifestly unfounded or excessive. In such circumstances, we may make a reasonable charge or decline to act on your request. Before we action your request, we may ask you for proof of your identity. Once in receipt of this, we will process the request without undue delay and within one calendar month. To exercise your rights, please contact the Data Protection Manager at email@example.com.
You can contact us if you wish to complain about how we collect, store and use your Personal Data. It is our goal to provide the best possible remedy regarding your complaint.
However, if you are not satisfied with our answer, you can also contact the relevant competent supervisory authority. In the UK, the relevant supervisory authority is the ICO, contact details of which can be found below.
Your rights in connection with personal information are set out below:
Right to be Informed
You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing. This Privacy Notice sets this information out however if you would like further information or feel that your rights are not being respected, please get in contact with any of the details listed above.
Right of Erasure
You may ask us to delete some or all your information we hold about you. Sometimes where we have a legal obligation or where we may be exempt to the law, we cannot erase your personal data.
Right to Object
You have the right to object to processing where we are using your personal information such as where it is based on legitimate interests or for direct marketing.
Inaccurate personal information corrected
Inaccurate or incomplete information we hold about you can be corrected. The accuracy of your information is important to us and we are working on ways to make this easier for you to review and correct the information that we hold about you. We will also carry out an annual accuracy check. If any of your information is out of date or if you are unsure of this, please get in touch through any of the contact details listed in this notice.
Right of restriction
You have a right to restrict the processing of some or all your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it.
Right to Access your information
You have a right to request access to a copy of your personal information that we hold about you, along with the information on what personal information we use, why we use it, who we share it with, how long we keep it for and whenever it has been used for automated decision making. You can make a request for access free of charge and proof of identity is required.
Automated decision making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right to question the outcome of automated decisions that may create legal effects or create a similar significant impact on you. We currently do not undertake automated decision making.
You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured. Commonly used, electronic form so it can be easily transferred.
To exercise your right to withdraw consent contact us at firstname.lastname@example.org
Right to complain
If you are unhappy with the way in which your personal information has been or is being processed, you have the right to make a complaint about it to the Information Commissioner’s Office (ICO). They can be contacted at:
Information Commissioner’s Office
13. Your obligations
If any of your Personal Data changes whilst you are a user of our services, it is important that you update the information within your account to ensure that the data we hold about you is accurate and up to date.
If you wish to contact us regarding your personal data or any information in this policy, there are a number of ways to get in touch.
Sustainable Food Trust
38 Richmond Street
Telephone: +44 (0) 117 987 1467
14. The Data Protection Principles
We will comply with the EU GDPR, UK GDPR and the DPA 2018. Article 5 of the UK and EU GDPR contains the data protection principles, which require that Personal Data shall be:
- Processed lawfully, fairly and in a transparent way.
- Collected for specified, explicit and legitimate purposes and not used in any way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept for no longer than is necessary for the purposes we have told you about.
- Kept securely.
We operate according to the principles of the UK and/or EU GDPR, and PECR, regardless of the location of the data subject.
15. Cookies and information we may collect from you
Information from social networking sites
Our Site includes interfaces that allow you to connect with social networking sites (“SNS”).
We post content on Twitter, LinkedIn, YouTube, Instagram, Facebook and Vimeo, and advise you check their privacy policies. If you connect to an SNS through our Site or other Services, you authorise us to access, use and store the information that you agreed the SNS could provide to us based on your settings on that SNS. We will access, use and store that information in accordance with this Policy. You can revoke our access to the information you provide in this way at any time by amending the appropriate settings from within your account settings on the applicable SNS.
We monitor our SNS activity through the SNS, for example Facebook Insights and Twitter Analytics. By interacting with us on the SNS listed above you are agreeing to your social media account details being logged by these programs. They allow us to monitor individuals interacting with us and we use this information to improve our services.
Information we get from others
Information automatically collected
Using Google Analytics, some information is automatically logged when you access our site. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, pages you viewed on our site, how long you spent on a page, access times and information about your use of and actions on our Site.
No personal data – which could identify you from another person – is stored via this method.
Like many other websites, this website uses ‘cookies’. ‘Cookie’ is a name for a small file, usually of letters and numbers, which is downloaded onto your device such as your computer, mobile phone or tablet. Cookies allow websites recognise your device so that the sites can work more efficiently, and gather information about how you use the site.
The Cookies we use
We use the categorisation set out by the International Chamber of Commerce in their UK Cookie Guide. We use all four categories of Cookies:
- Strictly necessary Cookies are essential for you to move around our website and use its features.
- Performance Cookies collect anonymous information about how you use our site, like which pages are visited most.
- Functionality Cookies collect anonymous information that remembers choices you make to improve your experience, like your text size or location. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
- Targeting or Advertising Cookies collect information about your browsing habits in order to make advertising relevant to you and your interests
No Cookies, please.
16. Changes to this Privacy Notice
We reserve the right to update this Privacy Notice from time to time. Updates to this Privacy Notice will be published on our website. To ensure you are aware of when we make changes to this Privacy Notice, we will amend the revision date at the top of this page. Changes apply as soon as they are published on our website. We therefore recommend that you visit this page regularly to find out about any updates that may have been made.
All policies should be reviewed at least annually or when significant change occurs to the policy subject matter.
Next Review Date
All policies should be reviewed at least annually or when significant change occurs to the policy subject matter.
The next review date for this policy is January 2024.