The data we collect, and process is needed if your family uses our services and facilities at one of our hospices; you are a supporter of our charity; you are a member staff, a volunteer or a visitor. This processing is undertaken as a data controller.
This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
We may collect your personal information when:
- you use or visit our website
- you make an enquiry about our activities, services or products
- you seek care, support and assistance from us (e.g. by contacting our referrals team)
- you make a purchase, order products or services from us
- you volunteer with us or apply for a job (including sending us your CV)
- you make a donation, fundraise on our behalf or register for an event
- you are registered as an approved visitor or contractor
- register with us or set up an online account
- request publications, newsletters or other information from us
- otherwise give us personal information (e.g. sensitive information such as your physical or mental health or condition)
- you are a recipient of training or events that we provide.
If you are aged 16 or under, you must get your parent/guardian’s permission before you provide any personal information to us.
We collect special category data, necessary for the care we provide and to meet legal requirements as a Hospice and Charity, but also to help us eliminate gender bias and developing an inclusive culture that values all
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information and we do this with either your consent or as permitted by UK and EU data protection legislation
The special category information we collect includes:
Medical records and information
Details of any criminal convictions.
The national data opt-out was introduced on 25 May 2018, enabling individuals to opt-out from the use of their data for research or planning purposes. Demelza will not share your data or information for research purposes, and will only share your data for reasons outlined in this policy and for the purposes of providing individual or direct care.
For more information on the national data opt-out, please visit www.digital.nhs.uk/services/national-data-opt-out. You can find details here for how you can view and manage your choices.
We collect personal information:
- directly from families who use our services and facilities
- directly from our supporters; g when volunteering, donating, making a purchase or supporting our various fundraising activities
- directly from our partners; g grant or commercial funding
- directly from other healthcare professionals; e.g. a GP, nurse or social care
- from publicly available sources; networking, social media, internet services, exhibitions, direct referrals, other corporate bodies
- from guests, contractors or visitors
- from CCTV images.
We may also combine your personal information with other information we collect from third parties (e.g. for our fundraising purposes). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.
We will only ever collect the information we need – including data that will be useful to help improve our services. We collect information as follows:
- Personal information, such as name, postal address, phone number, email address, date of birth (where appropriate), information about your interests and hobbies and online identifiers, such as IP addresses (the location of the computer on the internet),
- Non-personal information such as pages accessed, and files downloaded. This helps us to determine how many people use our website, how many people visit on a regular basis, and how popular our pages are. This information doesn’t tell us anything about who you are or where you live. It simply allows us to monitor and improve our services.
Any processing activities we undertake are fully compliant with UK and European data protection regulations and the Privacy of Electronic Commutations regulation (PECR) where needed for the marketing or promotional approaches we undertake.
The personal data collected is needed in order to:
- Fulfil your requests – such as applications for membership of our lottery, donations, participation in campaigns and provision of information
- Process sales transactions, donations or other payments and verify financial transactions including claiming Gift Aid on your donations
- Handle orders, deliver products and communicate with you about orders
- Provide a personalised service to you when you visit our websites – this could include customising the content and/or layout of our website and webpages for individual users
- Record any contact we have with you
- Provide you with information about other services, events and products we offer that are similar to those that you have already purchased or enquired about
- Prevent or detect fraud or abuses of our websites and enable third parties to carry out technical, logistical or other functions on our behalf
- To carry out research on the demographics, interests and behaviour of our users and supporters, to help us gain a better understanding of them and to enable us to improve our service. This research may be carried out internally by our employees or we may ask another company to do this work on our behalf
- Send you information and communications about what we do and how we can help you, and how you can help us (e.g. our campaigns, volunteering and fundraising)
- If you have agreed to it, provide you with information that we think may be of interest to you
- Carry out our obligations arising from any contracts entered between you and us
- Look into, and respond to, complaints, incidents, near misses, legal matters or any other issues
- Send you information and communication around your employment or volunteering role.
The personal data processing will vary dependent on the team in Demelza you engage with but also on the services you use. If you would like to know more specific details about how we use the data we collect in our main areas of business please click the relevant link below:
For Employees and Volunteers more information about our data processing is available from our HR team.
For anyone applying for a role with Demelza, please see our Employee Recruitment Privacy Notice
The personal data that is used is limited to the information we need and is processed mainly using the legal basis to perform the tasks or services we have agreed with you or as needed for legal requirements.
Additionally, there will be instances where we will process information using our legitimate interests where for example in promoting what we do, but only where this is if interest to you; our legitimate interests will include using data in the relationship or support between us.
We will seek your consent where needed for the processing of special categories of data or where the processing activity is not part of the agreed services.
We also collect personal contacts from our business and corporate stakeholders and collaborative partners for our legitimate interests. Almost entirely, these contacts are corporate or business individuals and while this is still categorised under UK and EU legislation as personal data, we are aware that it can be used for business-to-business purposes, as stipulated by UK and European data protection regulations and the Privacy of Electronic Communications Regulation (PECR) with which we also comply.
Demelza is committed to keeping personal information secure to protect it from being inappropriately or accidentally accessed, used, shared or destroyed, and against it being lost.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality
To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
Access to your personal information is only allowed when required by law or is required as part of fulfilling our service obligations.
We do make use of third-party service providers to help us fulfil our services and where we do, the third party is required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes and in accordance with our instructions.
We use third party providers to:
• administer our staff and volunteer records
• to help us manage and host our marketing promotions and events
• host and administer our website
• to host our databases in care, retail, fundraising, marketing and for our lottery
• for our IT security and systems
• for legal advice and guidance in matters related to care, data protection and employees
If you would like to know more specific details about where we share your data or the third parties, we use in each area of our organisation please click the relevant link below:
Demelza is a Connected Party of KMCR; while we do not share any data onto the platform, we may access information about you via this source. For further information visit https://www.kmhealthandcare.uk/your-health/kent-and-medway-care-record.
We are a UK based charity and following Brexit we will continue to store and process personal information mainly in the UK or EEA.
Please note though that your data may be exported to as well as stored and processed in countries outside of the country in which you reside, including, without limitation the United States.
For data subjects residing in the UK or EEA, this means that your personal information may be exported, stored, and processed outside of the UK or EEA. Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of data privacy and protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK and European Commission
- where we use service providers who are not in territories approved by the UK or EU commission, we will look to implement additional safeguards such as a detailed review of security measures and the use Standard Contractual Clauses (SCCs) approved by the UK and or European Commission
To receive information on the recipients of your data or if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or EEA, please contact us at email@example.com
Our website, email newsletters and promotions may contain links to other websites of interest.
However, you should note that we do not have any control over these other websites. Once you have used any of these links to leave our site, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites and such sites are not governed by this privacy statement.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Details of retention periods for other aspects of your personal information are available in our Retention Policy which is available from: firstname.lastname@example.org
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the Institute we will retain and securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.
Demelza as a Charity are reliant on the generosity and support of our supporters and fundraising activities to supplement the funding for the services we provide
We undertake various marketing activities but only where we believe you will be interested to help us or where we have your agreement.
For further details please read our Marketing Communications and Events section.
Any marketing we undertake is made in a fully complaint manner as governed by UK and European data protection regulations and PECR, with the contacts being given the option to opt out from such contact.
Demelza like most organisations make use of Cookie technology and therefore we capture data using Cookies; a cookie consists of a piece of text sent by a web server to a web browser and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Under certain circumstances, you have rights under UK Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation 2016/679 (GDPR) in relation to your personal information.
You may have the right to:
be informed of how we will use your data as provided by this Policy
access the information held about you. Your right of access can be exercised in accordance with data protection law;
object to us processing or ask us to restrict the processing of your personal information for any of the purposes listed in this Policy, at any time
ask us to update and correct any out-of-date or incorrect personal information that we hold about you free of charge
ask us to erase or delete your personal information (in certain circumstances). We will do our best to respond to such requests, but these are subject to certain limitations such as legal requirements
Request a transfer of your personal information (again in certain circumstances).
If you wish to exercise any of the above rights or to review, verify, correct or question anything detailed in this policy or are unhappy with any aspect of how we use your data please contact us at:
Data Protection Lead, Demelza Hospice Care for Children, Demelza House, Rook Lane, Bobbing, Sittingbourne, Kent, ME9 8DZ.
Or by emailing email@example.com
Or calling 01795 845200.
We will respond to your request promptly and look to resolve any query within 30 days and free of charge. However, we reserve the right to refuse or charge an administrative fee for the furthering of any of the above requests if they are done so in a frivolous, vexatious or excessive manner. We will always notify you if such a charge is being applied
You also have the right to make a complaint at any time and we appreciate the chance to deal with your concerns in the first instance. To register a complaint please email us at firstname.lastname@example.org
If you are unsatisfied by our reply then you have the right to lodge a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can contact the Information Commissioner’s Office by telephone on 0303 123 1113, or by using the live chat service which is available through the Information Commissioner’s website www.ico.org.uk.
We have appointed external expertise as our data protection officer (DPO).
If you have any questions about this privacy notice or how handle your personal information,
please contact our Data Protection Team email@example.com
You have the right to make a complaint at any time to the Information
Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
Retail e-commerce policy