Boarding School Survivors – Support (“BSS-Support” / “we” / “our” / “us”) is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data will be processed, including personal data that we collect from you, or that you provide to us as an individual supporter of our organisation or through using our website (bss-support.org.uk), booking one of our events, courses, or otherwise interacting with us.
- About us
- Information we may collect and how we use it
- Change of purpose
- Sharing your information
- Storing your information
- Keeping your information secure
- Your rights
- Other websites
- How to contact us
Please read the following carefully to understand how we will treat your personal data.
Boarding School Survivors – Support is a non-profit organisation whose contact address is 40 Lavengro Road, Tulse Hill, London SE27 9EG, website bss-support.org.uk and is the data controller in respect of your personal data. This means that we are responsible for deciding how we hold and use personal data about you.
Information we may collect and how we use it
We collect personal data so that we can operate effectively and provide you with the best possible service. The information we collect depends on the context of your interactions with us and how you use our services. We will only use your personal data where we have a valid lawful basis to do so.
The table below summarises what information we collect about you, explains how we intend to use it and what our legal basis is for using it.
Information we may collect about you and how we do it
Reasons for processing information about you
Lawful basis for processing information about you
Name and contact information (including address, email address and phone number)
We will collect this information from you:
- when you sign up to be a member or supporter of our organisation;
- when you apply to attend one of our events;
- when you make a donation to us;
- when you contact us or otherwise interact with us.
If you are an individual in a third party support organisation, we may also collect this information when your name is provided to us by other individuals in the context of offering support.
We process this information in order to:
- perform essential business operations;
- provide support, including dealing with enquiries, correspondence and complaints;
- complete any transactions that you make with us;
- request payment for events;
- provide and administer events that you have chosen to attend;
- communicate with you and provide you with any services you request from us;
- perform valuable research;
- invite you to events;
- request donations to our organisation;
- otherwise interact with you in order to fulfil the aims of our organisation.
We process your personal contact information in order to enable us to pursue our legitimate interests to run our organisation and fulfil the purposes set out in the previous column. Where your information is being used for direct marketing purposes (e.g. for the purpose of sending out newsletters or event invitations), we will do so on the basis of your explicit and informed consent.
We will collect this information from you when you:
- make a donation;
- make a payment for one of our events.
We process this information in order to:
- provide you with services;
- collect donations from you as a supporter.
We process your payment information in order to enable us to pursue our legitimate interests in running our organisation and fulfilling the purposes set out in the previous column.
Feedback, questions and other information you provide us when you contact us
We will collect this information when you interact with us in any way.
We process this information in order to:
- perform essential business operations;
- deal with your queries and / or complaints;
- provide support;
- provide and improve our services;
- otherwise to communicate with you.
We process information that you provide us with in order to enable us to pursue our legitimate interests in running our organisation and fulfilling the purposes set out in the previous column.
Website usage information and account information
We collect this information automatically when you visit our website.
We process this information in order to run our website and protect the security of our website. We also use this information in order to prevent fraud.
We process website usage / account information in order to pursue our legitimate interest in running our organisation, maintaining the security of our computer systems and in order to fulfil the purposes set out in the previous column.
Special category data
We will not routinely collect any special category data from you. The only circumstances in which we might collect and store special category data are where you have provided information to us which is necessary for us to facilitate your access to events or to our services or for onward referral. We will collect this information on the basis of your consent. For example, we might retain information about your mobility, dietary requirements or any needs arising from your religious beliefs. This information will be retained securely and only used for the purpose set out above. You may ask us to remove this information from our records at any time.
More about the information we collect and why
We have a duty to process personal data fairly, lawfully and in a manner that you would expect given the nature of our relationship with you.
If you have any questions or require any further information regarding our use of your personal data please contact us using the information set out in the section How to contact us below.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is lawful and compatible with the original purpose.
Sharing your information
We may share your personal data with selected third party service providers that support us in certain circumstances. For example, when you make a payment, we will share payment information with banks and other entities that process payment transactions.
We may also share your personal data with other third parties, for example where we are required to provide the names of delegates on a training course or conference to a venue or host. We may also need to share your personal data with a regulator or otherwise to comply with the law.
We require all our third party service providers to take appropriate and stringent security measures to protect your personal data in line with our policies. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions.
Which third parties process my personal data?
We may share your personal information with the following third party organisations:
- External auditors
- Our service providers:
- Infrastructure and IT service providers
- Bulk mail providers (e.g. MailChimp)
- Event venues (provision of access and course content)
- Other support organisations where a referral is requested by you
- Third parties permitted by law
Storing your information
The personal data that we collect from you may be transferred to a destination outside the European Economic Area (“EEA”) or United Kingdom. It may also be processed by staff operating outside the EEA who work for one of our service providers. By providing us with your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your personal data receives an adequate level of protection and is treated in a way consistent with UK laws on data protection, including, where relevant, entering into UK standard contractual clauses (or equivalent measures) with the party outside the EEA receiving the personal data.
We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting obligations or to the extent permitted by applicable laws.
Unless we inform you otherwise (or you request that we erase your personal data) we will retain your personal data for as long as you continue to be an individual supporter of BSS-Support or to attend our events. If you cease to be a supporter for two years then we will delete your information. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Keeping your information secure
We have implemented technical and organisational security measures in an effort to safeguard personal information in our custody and control. All information that you provide to us is stored on secure servers and computers. We do not retain credit and debit card information. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
While we endeavour always to protect our systems, sites, operations and information against unauthorised access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others, such as hackers. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access or inadvertent disclosure.
To provide you with increased security, certain personal information stored in your online account (if any) is only accessible via your username and password. You are responsible for keeping confidential any passwords that you use to access our services. Please do not share your password(s) with anyone else. We will never ask you for your password in any unsolicited communication. Please notify us immediately of any unauthorised use of your online account credentials or any other suspected breach of security.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Your rights in respect of your personal information
You have various rights in connection with our processing of your personal information, each of which is explained below.
- Access. You have the right to request a copy of the personal information we are processing about you. For your own privacy and security, in our discretion we may require you to prove your identity before providing the requested information.
- Rectification. You have the right to have incomplete or inaccurate personal information that we process about you rectified.
- Deletion. You have the right to request that we delete personal information that we process about you, excepting that we are not obliged to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
- Restriction. You have the right to restrict our processing of your personal information where you believe:
- such data to be inaccurate;
- our processing to be unlawful; or
- that we no longer need to process such data for a particular purpose and we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it (in such case, we would mark stored personal information with the aim of limiting particular processing for particular purposes in accordance with your request, or otherwise restrict its processing).
- Portability. You have the right to obtain personal information we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where:
- this is personal information which you have provided to us; and
- if we are processing that information on the basis of your consent (such as for direct marketing communications) or to perform a contract with you.
- Objection. Where the legal justification for our processing of your personal information is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
- Withdrawing Consent. If you have consented to our processing of your personal information, you have the right to withdraw your consent at any time, free of charge. If you would like to withdraw consent, including if you would like to opt out of receiving marketing correspondence from us, please contact us at email@example.com; or for marketing follow the unsubscribe instructions located in the email (as relevant). Please understand that if you opt out of receiving promotional correspondence from us, we may still contact you in connection with your online account (if any), relationship, activities, transactions or communications with us. Additionally, if you do request that we stop sharing your personal information with third parties for their direct marketing purposes, it is also prudent that you opt out from, or otherwise contact, that third party directly.
- Make a Complaint. You have the right to lodge a complaint with the local data protection authority if you believe that we have not complied with applicable data protection laws (see below).
Note that the rights outlined above only extend to personal data.
You can see, review and change most of your personal data or ask us to stop using your personal data by contacting us through our website. This may mean that we can no longer provide you with some or all of our services.
No fee usually required
You will not have to pay a fee to access your personal data, nor to exercise any of the other rights. However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
- Technical information, including your IP address, your login information, browser type and version, device identifier, location and time zone setting, browser plug-in types and versions, operating system and platform, page response times and download errors.
In general, cookies are used to retain user preferences and provide anonymised tracking data to third party applications like Google Analytics.
How to contact us
If you are unhappy about our use of your data, we ask that you first make contact with us at firstname.lastname@example.org.
If you are still not happy, and you are based in the UK, or the issue relates to the UK, you have the right to make a make a complaint to the Information Commissioner’s Office:
Telephone: +44 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
If you are based in, or the issue you would like to complain about took place elsewhere in, the European Economic Area (EEA), please click here for a list of local data protection authorities.