Protecting the privacy and personal data of our customers is of utmost importance to us. This notice explains how we collect and process your personal data, your rights and how we comply with the law when handling your data.
Who we are (the Data Controller)
The National Forest Company
Company Registration Number: 02991970
Registered Charity Number: 1166563
Data Protection Officer: Lucy Warren, Information Systems Officer
What information do we collect?
When you request information or services from us, to buy any products, book to attend events, give a donation or create an online account, we need to obtain details from you to fulfil your request. We only collect and store the information that is relevant to our relationship with you. This can include but is not limited to:
- Personal data including your name and contact information.
- The products, services or information you have requested.
- The amount of money you have paid for a product and/or donated to the charity and whether you have given a Gift Aid Declaration on your donation.
- Any agreements or memberships you have engaged with e.g. website advertising, regular donations.
- Any relationships you have disclosed to other contacts on our database eg if you have provided your data as an employee of an organisation.
- Any contact preferences you have provided on how you would like to be communicated with or any mailings you have subscribed to.
- Any communications you have sent to us or received from us including the date and the subject.
- Events or activities that you have booked on to or attended.
We also gather analytical information when you visit our website. We do this in ways which are secure and in line with industry standards. We measure visitor activity on our site but we do so in ways that keep the information anonymous. We use the information that we collect to measure the performance of our site and to help us continually improve it and make it more useful to visitors.
How do we use your data?
We process your data only for the specific and limited purposes for which it was intended. We ask only for data that is adequate, relevant and not excessive for those purposes. We store your data on our Customer Relationship Management (CRM) system and use it to:
- Send you the information or product(s) you have requested or bought.
- Invite you to events or activities that you have expressed an interest in attending.
- Contact you occasionally to inform you of new services we will be providing, or events or articles we think will be of interest to you.
- Send you newsletters or updates on the National Forest and products and services offered by the National Forest Company.
- Send you promotional emails that you have requested to receive.
- Monitor customer interests and performance of our activities for analytical and statistical purposes ie to track tree planting through particular schemes or the take up of supporter or donation schemes.
- Comply with our legal or regulatory obligations, including the prevention of crime.
Lawful basis of processing data
Under the General Data Protection Regulations (GDPR), we typically process our data under three of the six lawful processing bases. These are:
- Consent – If you have signed up to a particular marketing mailing or subscribed to a newsletter. You can opt out at any point and will be given the option to unsubscribe on all communications. Where you opt out, this will not affect the lawfulness of any communications sent before that time.
- Contractual – To send you products you have requested and any related or subsequent materials relating to the product(s). To send billing and payment information or gift aid declaration confirmations and correspondence. To provide the service or contract you have entered into with us.
- Legitimate Interest – If we consider the information, service or product is relevant and beneficial to you or if we think you would be genuinely interested in the content of the correspondence due to it being linked with, or related to, our relationship with you.
Who we share your data with
Employees of the National Forest Company who need to access your data to perform the tasks required to fulfil our service to you, eg to send you the mailing you have subscribed to or to contact you about your contract with us.
Where we have a legal obligation to do so, we will share your data with the appropriate authorities such as the police or law enforcement agencies if, for example, it was required in relation to a criminal offence or for the detection or prevention of fraud.
We share your information with organisations and agencies that we use to process your data on our behalf, eg email service providers to send out our newsletters mailings or analytics providers to help us monitor and understand data and relationships with our customers.
We also work with organisations and contractors that have access to your data through our systems eg support companies who assist us in managing our databases and IT infrastructure.
Where third parties access or process your data on our behalf, we ensure that they respect the security and privacy of your data and treat it in accordance to the law.
We have robust systems and procedures in place to ensure your data is kept secure during the course of collection, storage and processing. Our Information Security Policy gives further details on our security procedures.
Transferring data internationally
We do not transfer your personal data outside of the European Economic Area.
How long we keep your data
We store and retain personal data for various periods of time in line with our legal obligations, financial regulations and internal requirements identified in our Data Retention Policy.
You have the right to request the personal data we hold on you, this is commonly known as a Subject Access Request.
You also have the right to ask us to correct or change the data we hold about you if you believe it to be inaccurate, incomplete or out of date.
You can request your personal data to be removed or deleted from our records if you feel there is no good reason for us to continue to process it. We will, however, sometimes need to keep your data to comply with legal or statutory requirements. It is also important for us to retain data so that we can record and document the progress of the creation of the National Forest. In these circumstances, we will, wherever possible, we will anonymise the record so that your personal details are removed but the record remains on the system for our analytical recording.
You can request that your data be restricted from processing by us. This means we will no longer be able to use your data for the purpose you originally supplied it to us but we may retain your details on our system.
You can also object to your personal data being processed if you feel it is being used unlawfully or otherwise impacts on your fundamental rights and freedoms, eg if you object to the direct marketing emails being processed under Legitimate Interest referred to above. Please be aware that in some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which override your fundamental rights and freedoms.
If you need to reuse the data we hold about you for a different service, you can request the transfer of your data to either yourself or a third party. In such cases we will provide the data to you in a safe and secure format which is readable by a commonly used platform.
Requests to exercise your rights can be made verbally or in writing and we will endeavour to respond to legitimate requests within 30 days of receipt. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We will aim to respond to all requests but if we consider a request to be unreasonable or excessive we can refuse to do so, or may consider charging a fee. If we need to do this, we will advise you.
If you have any concerns about the way we process your personal data please let us know by contacting our Data Protection Officer named above. You also have the right to make a complaint to the Information Commissioner’s Office (ICO) if you feel that your data has been processed in a way that is not compliant with the procedures set out above or in accordance with the GDPR and/or Data Protection Act 2018. You can contact the ICO by visiting their website at ico.org.uk/concerns or by calling 0303 123 1113.
Notification of Changes
This privacy statement was revised in May 2018. We may at any time revise the privacy statement without notice. Please check our website at www.nationalforest.org for an up to date or any revised versions of this notice.