Protecting the privacy and personal data of our customers is of utmost importance to us. This notice explains how we collect and process your personal data, your rights and how we comply with the law when handling your data.
Who we are (the Controller)
The National Forest Company
Company Registration Number: 02991970
Registered Charity Number: 1166563
Data Protection Officer: Lucy Warren, Systems & Administration Manager
What information do we collect?
When you request information or services from us, buy any products, book to attend events, give a donation or create an online account, we need to obtain details from you to fulfil your request. We only collect and store the information that is relevant to our relationship with you. This can include but is not limited to:
- Personal data including your name and contact information.
- The products, services or information you have requested.
- The amount of money you have paid for a product and/or donated to the charity and whether you have given a Gift Aid Declaration on your donation.
- Any agreements or memberships you have engaged with e.g. website advertising, regular donations.
- Any relationships you have disclosed to other contacts on our database eg if you have provided your data as an employee of an organisation.
- Any contact preferences you have provided on how you would like to be communicated with or any mailings you have subscribed to.
- Any communications you have sent to us or received from us including the date and the subject.
- Events or activities that you have booked on to or attended.
- If you create an online account, your profile data including your username and password.
We also gather analytical information when you visit our website. We do this in ways which are secure and in line with industry standards. We measure visitor activity on our site but we do so in ways that keep the information anonymous. We use the information that we collect to measure the performance of our site and to help us continually improve it and make it more useful to visitors.
How do we use your data?
We process your data only for the specific and limited purposes for which it was intended. We ask only for data that is adequate, relevant and not excessive for those purposes. We store your data on our Customer Relationship Management (CRM) system and use it to:
- Send you the information or product(s) you have requested or bought.
- Invite you to events or activities that you have expressed an interest in attending.
- Contact you occasionally to inform you of new services we will be providing, or events or articles we think will be of interest to you.
- Send you newsletters or updates on the National Forest and products and services offered by the National Forest Company.
- Send you promotional emails that you have requested to receive or which we may send in accordance with our legitimate interests described in the section below where you have not opted out of receiving them.
- Monitor customer interests and performance of our activities for analytical and statistical purposes ie to track tree planting through particular schemes or the take up of supporter or donation schemes.
- Comply with our legal or regulatory obligations, including the prevention of crime.
Lawful basis of processing data
Under the UK data protection legislation (including the Data Protection Act 2018 and the retained version of the General Data Protection Regulations (“UK GDPR”)), we typically process our data under three of the six lawful processing bases. These are:
- Consent – If you have signed up to a particular marketing mailing or subscribed to a newsletter. You can opt out at any point and will be given the option to unsubscribe on all communications. Where you opt out, this will not affect the lawfulness of any communications sent before that time.
- Contractual – To process orders and send you products you have requested and any related or subsequent materials relating to the product(s). To register you as a customer/donor and send billing and payment information or gift aid declaration confirmations and correspondence. To provide the service or contract you have entered into with us.
- Legitimate Interest – If we consider the information, service or product is relevant and beneficial to you or if we think you would be genuinely interested in the content of the correspondence due to it being linked with, or related to, our relationship with you. This is in our legitimate interest in growing and developing the charity, including our products and services. As noted above, you can opt out at any point and will be given the option to unsubscribe on all communications. Where you opt out, this will not affect the lawfulness of any communications sent before that time.
Who we share your data with
Employees of the National Forest Company who need to access your data to perform the tasks required to fulfil our service to you, eg to send you the mailing you have subscribed to or to contact you about your contract with us.
Where we have a legal obligation to do so, we will share your data with the appropriate authorities such as the police or law enforcement agencies if, for example, it was required in relation to a criminal offence or for the detection or prevention of fraud. We may also share your personal data with third parties in order to protect the rights, property or safety of our business, our employees and workers, customers, suppliers and others.
We share your information with organisations and agencies that we use to process your data on our behalf, eg email service providers to send out our newsletter mailings or analytics providers to help us monitor and understand data and relationships with our customers.
We also work with organisations and contractors that may have access to your data through our systems eg support companies who assist us in managing our databases and IT infrastructure.
Where third parties access or process your data on our behalf, we ensure that they respect the security and privacy of your data and treat it in accordance with the law.
We have robust systems and procedures in place to ensure your data is kept secure during the course of collection, storage and processing. Our Information Security Policy gives further details on our security procedures.
The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access. We urge you to take every precaution to protect your personal data when you are on the internet.
Transferring data internationally
Some of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK. For example, we use a US company, MailChimp, as an email service provider.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
How long we keep your data
We store and retain personal data for various periods of time in line with our legal obligations, financial regulations and internal requirements identified in our Data Retention Policy.
You have the right to request the personal data we hold on you; this is commonly known as a Subject Access Request.
You also have the right to ask us to correct or change the data we hold about you if you believe it to be inaccurate, incomplete or out of date.
You can request your personal data to be removed or deleted from our records if you feel there is no good reason for us to continue to process it. We will, however, sometimes need to keep your data to comply with legal or statutory requirements. It is also important for us to retain data so that we can record and document the progress of the creation of the National Forest. In these circumstances, we will, wherever possible, anonymise the record so that your personal details are removed but the record remains on the system for our analytical recording.
You can request that your data be restricted from processing by us. This means we will no longer be able to use your data for the purpose you originally supplied it to us but we may retain your details on our system.
You can also object to your personal data being processed if you feel it is being used unlawfully or otherwise impacts on your fundamental rights and freedoms, eg if you object to the direct marketing emails being processed under Legitimate Interest referred to above. Please be aware that in some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which override your fundamental rights and freedoms.
If you need to reuse the data we hold about you for a different service, you can request the transfer of your data to either yourself or a third party. In such cases we will provide the data to you in a safe and secure format which is readable by a commonly used platform.
As noted elsewhere in this privacy notice, you have the right to withdraw consent at any time where we are relying on consent to process your data. This will not affect the lawfulness of any processing carried out before your consent is withdrawn. If you withdraw your consent, we may not be able to provide certain products or services to you and will advise you if this is the case at the time you withdraw your consent. You can ask us to stop sending you marketing messages at any time by following the “unsubscribe” (or similar) links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving marketing messages, this will not apply to personal data provided to us as a result of a purchase, product/service experience or other transactions.
Requests to exercise your rights can be made verbally or in writing and we will endeavour to respond to legitimate requests within 30 days of receipt.
Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We will aim to respond to all requests but if we consider a request to be unreasonable or excessive we can refuse to do so, or may consider charging a fee. If we need to do this, we will advise you.
For security reasons, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.
If you have any concerns about the way we process your personal data or wish to exercise your rights please let us know by contacting our Data Protection Officer named above. You also have the right to make a complaint to the Information Commissioner’s Office (ICO) if you feel that your data has been processed in a way that is not compliant with the procedures set out above or in accordance with the UK GDPR and/or Data Protection Act 2018. You can contact the ICO by visiting their website at https://ico.org.uk/make-a-complaint/ or by calling 0303 123 1113.
Notification of Changes
This privacy notice was revised in July 2023. We may at any time revise this privacy notice without notice. Please check our website at www.nationalforest.org for an up-to-date or any revised version of this notice.