Clan Donald Lands Trust Privacy Notice
Clan Donald Lands Trust (CDLT) is a Scottish Registered Charity SC007862, registered address Armadale Castle, Armadale, Sleat, Isle of Skye IV45 8RS. This Privacy Notice sets out the way we process your personal information.
What this Notice covers
The Clan Donald Land Trust is committed to protecting the privacy and security of your personal information.
This Privacy Notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR) and data protection legislation.
It applies to all Friends of Armadale Castle, website users, library and museum users, current and former employees, workers and contractors as well as users of the public Wi-Fi.
Identity of the data controller
The CDLT is a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice does not form part of any contract to provide services. We may update this notice at any time.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Categories of personal data we process
- Friends memberships – we collect and store personal contact details such as name, title, address and email address.
- Employment applications – the Clan Donald Lands Trust has a separate Employee Privacy Notice. Please see below for our data retention policy.
- Museum and library enquiries – we collect and store information relating to the administration of museum collections i.e. loans, donors and acquisitions in our collection management system. Personal enquiries, for example genealogy, are reviewed in line with our retention policy and any retained information de-personalised.
- Our Wi-Fi provider collects name and email addresses to run the service; you can access the information they have via https://purple.ai/full-privacy-policy.
Who has access to your data
We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Security of your data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know, such as password protected documents and files.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How we decide how long to retain your data
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Lapsed membership data will be held for six years for accounting purposes.
Job applicant information, if unsuccessful, will be held for one year. Job applicant information if successful will be held for the duration of employment plus one year.
Donor and memorial information will be held for six years for accounting purposes, at which time they are reviewed.
E-newsletter subscriber information will be held for one-month post request for deletion.
There are some communications which are essential to the operation of the CDLT, for example the Friends of Armadale Castle membership reminders and invitations to special events. These operate through prior consent, for example where you have given us your email or postal address.
Transitional data such as payments will also be sent without your consent to ensure you have receipts.
The newsletter for the CDLT is an opt-in process, whereby you opt in twice to receive this communication.
You have the right to:
- Request access to, and a copy of, your personal information.
- Request correction of the personal information that we hold about you.
- Request erasure of your personal information.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing. You also have the right to object where we are processing your personal information for direct marketing purposes.
If you believe we have not complied with your rights, you can complain to the Information Commissioner.
How to find out more about privacy and GDPR
You can find additional information on The Information Commissioners Office website.
Changes to this Privacy Notice
CDLT reserves the right to update this privacy notice at any time. When we do, we will update this webpage with the date of the update. We may also notify you in other ways from time to time about the processing of your personal information.
Updated: 5 December 2018