Privacy notice for a charity (GDPR compliant)
This Privacy notice for a charity (GDPR compliant) template is designed to
provide data subjects with important information about a charity’s use of
personal data, as required by the GDPR and the Data Protection Act 2018,
and it has been written in the light of best practice established since the
GDPR came into effect. It is intended to be an aid to help charity trustees
draft a privacy notice appropriate to their charity. It includes a template
Subject Access Form (at the end of the Notice) which may be included if
This template provides detail to data subjects in a number of key areas,
including how personal data is collected by the charity, the source of that
data, how it is used, and how it is shared. It is designed primarily for use offline (or at
least with offline data collection).
The document, as a template, has been designed for general application, the
provisions included in it are broad, and they will not necessarily apply to
all situations. It can therefore only be a starting point in the drafting
process and a charity’s trustees will need to tailor the template to the
particular circumstances and needs of their charity.
Some of the optional wording in square brackets in this template relates to
‘special category’ (‘sensitive’) personal data, data relating to criminal
convictions, and children’s personal data. If your charity will process any
such data you may require specific legal advice as to the appropriate
wording to be included in this document and about additional measures that
may be required.
The document assumes that no data will be stored or transferred by the
charity outside the EEA. If, however, any data will be stored or
transferred outside the EEA by your charity, you will need to take advice
as to suitable provisions to be added to the template and any other
measures to be taken.
This template also assumes that there will not be any automated
decision-making and/or profiling by the charity, and so it does not include
any provisions relevant to automated decision-making and/or profiling. The
law features additional restrictions and rights relating to this kind of
data processing, and if there will be any such data processing by your
charity, you should seek guidance and advice on automated decision-making
and profiling. Information that topic is available on the ICO website.
When completing this template, ensure that your privacy notice accurately
reflects the types of personal data that your charity collects, how it is
collected, how your charity actually uses the personal data that it
collects, and associated procedures. Where data is sourced by your charity
from a third party, it is important that you specify what type of
organisation that third party is, and whether it is a private or public
organisation. Whilst it is important to set this all out in some detail, it
is also important that the privacy notice should be user-friendly, and as
clear and simple as possible.
It is also important to explain the ‘lawful basis’ which allows your
charity to collect and uses personal data. There are several lawful bases
to choose from, as explained on the ICO website. Consent, the data being
necessary for a contract, or ‘legitimate interests’ are, we suggest, the
most likely bases for many charities. However, it is important to take care
when choosing. ‘Consent’ may appear to be the most straightforward, but
this is often not the case. Furthermore, if you opt to rely on ‘legitimate
interests’, it is important to explain what those interests are in your
charity’s privacy notice.
How long does your charity keep personal data? This is an important
question to which individuals need to know the answer. When dealing with
this in your charity’s privacy notice, it is important to be as specific as
possible. It is also important to keep in mind that some data retention
periods may be specified by law, but this will not apply in many cases.
Legal advice should always be sought if there is any doubt. Please note
that example retention periods are not included in this template.
A further important point to note relates to your charity’s data security
arrangements. Users should be able to understand what your charity is doing
to keep their personal data safe. When setting out measures such as
encryption, ensuring on-going confidentiality, and recovering data in the
event of loss, be sure to use user-friendly language.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
This Privacy Notice contains the following parts:
1. Information about us
2. What does this Notice cover?
3. What Is “personal data?
4. What are my rights?
5. What personal data do you collect and how?
6. How do you use my personal data?
7. How long will you keep my personal data?
8. How and where do you store or transfer my personal data?
9. Do you share my personal data?
10. How can I access my personal data?
11. How do I contact you?
12. Changes to this privacy notice
Schedule - Subject Access Request Form
This Privacy Notice is in open format. Either enter the requisite details
in the highlighted fields or adjust the wording to suit your purposes.
Once you have purchased access to the Corporate document folder click on
the “Download Document” link below. You will be asked what you want to do
with the file. It is recommended that you save the document to a location
of your choice prior to viewing.