[A registered charity in England and Wales (number [NUMBER])]

Adopted by the Charity Trustees on [DATE]

[Last reviewed on [DATE]] 

This policy applies to the charity trustees of Connected Conservation Foundation (the Charity).

The Charity is committed to ensuring full compliance with the data protection laws. The Charity is a 'controller' as defined in the General Data Protection Regulation (GDPR). 

The Charity will ensure that both it, via its staff, consultants, and its suppliers (where appropriate) comply with the six data protection principles set out in the GDPR as follows:

  1. Personal data should be:
    1.1 processed lawfully, fairly and in a transparent manner in relation to the data subject;
    1.2 collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    1.3 adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
    1.4 accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that where personal data is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
    1.5 kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
    1.6 processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  2. To comply with these principles we must ensure that:
    2.1 we do not collect and hold more personal data than is necessary;
    2.2 we only hold personal data for as long as it may reasonably be required;
    2.3 we review personal data at appropriate intervals to ensure it is accurate and up to date;
    2.4 we do not disclose to the police or other public authority any personal data unless [senior data protection risk owner] has agreed to that disclosure; and
    2.5 we do not transfer personal data outside the Charity or the European Economic Area without the data subject's consent or without putting appropriate safeguards in place.
  3. The Charity expects all staff and consultants to:
    3.1 abide by the six data protection principles;
    3.2 ensure so far as reasonably practicable when collecting personal data from data subjects that they have authority to hold that data in the first place;
    3.3 understand what is meant by processing 'special categories of data' (also sometimes referred to as “sensitive personal data” i.e. data relating to a person's health, ethnicity, religious, political or philosophical views, sex life, sexuality or trade union membership) and any personal data relating to criminal convictions or investigations;
    3.4 anonymise documents and redact personal data where appropriate (e.g. when disclosing a document containing the personal data of a third party or sharing a document as internal know how);
    3.5 recognise a Subject Access Request (SAR), erasure request, rectification request, objection requests or restriction request under GDPR and know whom to contact within The Charity
    3.6 recognise what a personal data breach is, and how to respond.
  4. Data subject's rights
    4.1. The Charity upholds a data subject's right:
       4.1.1 to be informed (articles 13 and 14 of GDPR). We are fully committed to our obligations to handle personal data in a transparent  way, and will aim, where an exemption does   
        not apply, to give privacy notices to data subjects appropriate to the processing being undertaken;
       4.1.2 of access (generally referred to as a Subject Access Request (SAR)). We will take care to establish the identity of the applicant. If there is any uncertainty about the identity of
       the applicant, we must ask for supporting documentation. We will also take into account other individual's rights to privacy;
       4.1.3 to rectification. We will, when requested by a data subject, rectify any inaccuracies in personal data of which we were previously unaware; and
       4.1.4 to erasure, to object to or to restrict processing. We will, unless there is a specific and justifiable reason not to, erase personal data on request, and respect requests to object
       to or restrict processing.

    4.2 If you are in any doubt about the effect of this policy, please contact [insert]