Guidance

Change charity financial year privacy notice

Published 12 November 2018

This privacy notice explains how the Charity Commission processes personal data submitted through the ‘Change Financial Period’ service (‘the Service’).

This notice is supplemented by our main privacy notice which provides further information on how the Charity Commission processes personal data, and sets out your rights in respect of that personal data.

It is drafted to be as easy to read as possible and does not provide exhaustive detail of every aspect of how we collect or use personal data. If you need further information please contact our Data Protection Officer.

What personal data does the Commission collect when you use the Service?

When you submit a change to your charity’s financial year end to us we collect the user’s identity details including:

• name
• contact number
• email address
• role in / relationship to charity

Why we need the information and what happens if you do not provide it?

We need your name and contact details because:

• we need a record of the individual submitting the changes to the charity’s financial period in case the change is ever challenged
• we may need to contact you about your submission if we require any clarification or further information
• by entering the service you are declaring that you have the authority to access the charity account
• when you provide us with information you are obliged to comply with S60 Charities Act 2011 which means that it is a criminal offence to provide the Commission with information used in the discharge of its functions which is false or misleading

Providing these details allows us to ensure that these requirements are complied with.

If you do not provide the contact information we need we will not be able to process your request.

How will the Commission process personal data provided through the service?

Personal Data submitted through the service is transferred into the Charity Commission’s internal database where it will be stored, reviewed and used by the Commission in furtherance of its statutory functions and objectives. Further information on how we process personal data can be found in our main privacy notice.

Third Party processors

In order to provide the Service we use data processors who are third parties who provide technology and data services to us. Although your personal data may be transferred to these third parties, we have contracts in place with our data processors which mean that they cannot do anything with your personal information unless we have instructed them to do it.

Sharing information

We may share personal data submitted through the service:

• where it is necessary to share the information in order to further our statutory objectives or functions
• with other Government Departments, Public Authorities, Law Enforcement Agencies and Regulators
• in response to requests for information, for example pursuant to the FOIA, the EIR, or our common law powers of disclosure
• with third party processors and service providers
• to a court, tribunal, party or prospective party where the disclosure necessary in order to exercise, establish or defend a legal claim
• where we are ordered to by a court or tribunal or where we are otherwise required to do by law

You can find out more information about data sharing and further processing in the Commission’s main privacy notice.

The legal basis for processing personal data

The table below sets out the primary legal bases we rely on for processing data we obtain through the service. However we may process your data further for a compatible purposes and/or on other legal bases, further information is available in our main privacy notice.

	Legal basis for processing
Categories of personal data	Personal Data (Article 6(1) GDPR)	Special categories of personal data / criminal conviction data
Name, contact number, email address, role in / relationship to charity	Processing for updating register particulars (c) processing is necessary for compliance with a legal obligation to which the controller is subject Other Processing (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller	Article 9(2) GDPR (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018: Statutory etc and government purposes; Preventing or detecting unlawful acts; Protecting the public against dishonesty etc; Regulatory requirements relating to unlawful acts and dishonesty etc.

We may process your personal data on more than one basis depending upon the purpose for which we are using your data. Please email us at RIGA@charitycommission.gov.uk if you need details about the specific legal basis we are relying on to process your personal data.

How long we will hold your personal data for?

The Commission routinely deletes personal data submitted through the service for a period of seven years from submission. However, it may be necessary to retain personal data for longer, for example if we are conducting an investigation into the charity at the end of the seven year period.

You should be aware that we will hold personal data even if the charity is removed from the Register or after you are no longer involved with the charity.

Your rights

You have a number of rights under the General Data Protection Regulation (GDPR), including the right to access your data and the right to restrict or object to further processing and the right to complain to the Information Commissioner’s Office. You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the Information Commissioner’s Office (ICO), in our main privacy notice.