Clan Donald Lands Trust Privacy Notice
Clan Donald Lands Trust (CDLT) is a Scottish Registered Charity SC007862, registered address Armadale Castle, Armadale, Sleat, Isle of Skye IV45 8RS. This Privacy Notice sets out the way we process your personal information.
What this Notice covers
The Clan Donald Lands Trust is committed to protecting the privacy and security of your personal information.
This Privacy Notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR) and data protection legislation.
It applies to all Friends of Armadale Castle, website users, library and museum users, current and former employees, workers and contractors as well as users of the public Wi-Fi and buildings.
Identity of the data controller
The CDLT is a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice does not form part of any contract to provide services. We may update this notice at any time.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Categories of personal data we process
- Friends memberships – we collect and store personal contact details such as name, title, address and email address.
- e-newsletter subscriptions – we collect and store email addresses in a third-party database. Our distribution lists are used solely for the sending of our e-newsletter and are not sold to a third party. Mailchimp store our e-newsletter details; their privacy policy can be seen here.
- Employment applications – the Clan Donald Lands Trust has a separate Employee Privacy Notice. Please see below for our data retention policy.
- Visitors to our website – please see our separate cookie policy and be aware that our website is hosted by a third party.
- Museum and library enquiries – we collect and store information relating to the administration of museum collections i.e. loans, donors and acquisitions in our collection management system. Personal enquiries, for example genealogy, are reviewed in line with our retention policy and any retained information de-personalised.
- Donor and memorial information – we collect and store information relating to the administration of memorial services (memorial tree and Book of Remembrance); our Adopt a Tree programme; and our donor programme.
- Accommodation booking – we use a third party to manage our booking system. This is password-protected software with limited access. Please see our partner’s privacy policy as a data controller.
- Our Wi-Fi provider collects names and email addresses to run the service; you can access the information they have via https://purple.ai/full-privacy-policy.
- We have CCTV cameras installed at selected buildings which will capture images in real time wherever the cameras are pointed. These cameras may capture footage of you whilst you are on the premises. There are signs in place to inform you where cameras are in use. All cameras are installed for the security of staff, visitors and contractors, as well as to enhance building security.
Who has access to your data
We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Security of your data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know, using measures such as password-protected documents and files.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How we decide how long to retain your data
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Lapsed membership data will be held for six years for accounting purposes.
Job applicant information, if unsuccessful, will be held for one year. Job applicant information, if successful, will be held for the duration of employment plus one year.
Donor and memorial information will be held for six years for accounting purposes, at which time it is reviewed.
E-newsletter subscriber information will be held for one month after a request for deletion.
Marketing preferences
There are some communications which are essential to the operation of the CDLT, for example the Friends of Armadale Castle membership reminders and invitations to special events. These operate through prior consent, for example where you have given us your email or postal address.
Transactional data such as payments will also be sent without your consent to ensure you have receipts.
The newsletter for the CDLT is an opt-in process, whereby you opt in twice to receive this communication.
Your rights
You have the right to:
- Request access to, and a copy of, your personal information.
- Request correction of the personal information that we hold about you.
- Request erasure of your personal information.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing. You also have the right to object where we are processing your personal information for direct marketing purposes.
If you believe we have not complied with your rights, you can complain to the Information Commissioner.
How to find out more about privacy and GDPR
You can find additional information on the Information Commissioner’s Office website.
Changes to this Privacy Notice
CDLT reserves the right to update this privacy notice at any time. When we do, we will update this webpage with the date of the update. We may also notify you in other ways from time to time about the processing of your personal information.
Updated: 11 March 2021