Our Privacy Notice

Introduction

Pebblebeach Fundraising Limited (Registered Company Number 06584392) (ICO Registration ZA093531) is committed to protecting the privacy and rights of individuals when holding, storing, using or otherwise processing their information.

The purpose of this policy is to outline our approach to protecting the personal data that we collect, process, hold and share as a data controller or processor.

We take privacy and information security seriously and are committed to protecting personal information through a range of data protection measures including policies, procedures, training and ensuring that appropriate technical and organisational measures are implemented and maintained to safeguard and protect any information under our control.

Pebblebeach Fundraising Ltd will be a ‘data controller’ (as we determine ‘how’ and ‘why’ we use the information) for information that we collect and use for our own purposes. This includes personal information obtained on employees for the purposes of recruitment and employment as well as information that we may obtain through our website cookies.

We are also ‘data processors’ (as we process information on behalf of another controller) in that we will process personal information on behalf of our clients for the purposes of supporting them with their direct marketing or other analytical fundraising activities. Where we operate as a data processor, we do so under strict rules that govern what we can and cannot do with the information that is supplied to us. These rules are contained within a data processing agreement that we operate under and in strict compliance with.

Any information that is supplied to us from our clients shall be treated with respect and processed according to the requirements of data protection legislation (together ‘General Data Protection Regulations 2016’ and the ‘Data Protection Act 2018’) and the data processing agreement.

At no time do we use personal information supplied by our clients for any other purpose or for our own purposes. We do not sell or share any information with any other organisation. We may ask suppliers, who operate under strict agreements with us, to process some information on our behalf for service delivery purposes only.

Our Privacy Promise

• Never to sell, share or provide personal information to another organisation for their own commercial purposes
• To be transparent as to how we process personal information
• To protect and maintain technical and organisational measures to ensure a level of security that is appropriate to the risk
• To respect the rights of data subjects
• To comply with data protection legislation
• To process information on behalf of clients or when using suppliers under strict data processing agreements

Information that we process as a Controller

We will collect information about you when you apply to or contact Pebblebeach Fundraising Ltd in relation to a vacancy or recruitment opportunity. We will use the information that you provide to determine suitability for employment as part of the recruitment process and where successful as part of your employment with us.

The table below sets out what personal data we may process, our purpose for doing so, our lawful justification and how long we may retain your information for.

Information processed as a Controller – Recruitment and Employment
What personal data we may process	Our purpose for doing so	Our lawful basis	How long we keep it for	Retention justification
Name, address, contact details, date of birth, previous employment, interest in role, CV, references, right to work	Recruitment process	Steps to entering into a contract	3 months if not short-listed   6 months if short listed	In case the recruitment process is challenged
Name, address, contact details, salary, bank details, car insurance, holiday, sickness, vetting, references, performance	To manage employee relations, to pay salaries, expenses, accounting purposes	Contract, Legitimate interest, Legal requirement	Employment + 6 years	Limitations Act 1980 and should the performance of the contract be challenged
Name, address, injury sustained, sickness	Health and safety at work and employee welfare	Legal obligation	3 years from date of incident in the majority of cases	RIDDOR Limitation for legal proceedings RIDDOR 1995 and Limitation Act 1980 Special rules apply concerning incidents involving hazardous substances

 

As the data controller we may also collect information from our website through the contact page or from the use of cookies.

We use cookies to collect standard Internet information for statistical purposes, to collect information in an anonymous way including the number of website visitors, where they have come from and the pages that they have visited.

We may also use information obtained from Google Analytics for marketing purposes and may contact organisations that have visited our website. Please see our cookie policy for more information.

Our websites may contain links to various third-party websites. We are not responsible for the content or privacy practices of any external websites that are linked from our sites.

Information that we process as a Processor

As a data processor we will process personal information supplied to us by our clients for the purposes listed below. We will not retain any supplied personal information, in an identifiable format, for longer than six months, although it is often shorter than this, after the project is complete.

Processing purpose	Justification
Providing analysis of a client’s database for fundraising and direct marketing purposes. This includes supporting the client to determine who they want to communicate with and why.	This may relate to interactions that the individual has had with that charity, from their previous communications, past donation history, the recency, frequency or value of their interactions and donations.   We may also provide an understanding as to communication and donation responses from fundraising campaigns to help determine how successful a campaign has been, what has worked or not to help guide future communications to ensure that they are efficient, relevant and cost effective.
Data cleansing and address updates from national providers.	This service will only be provided where the client has specifically requested it. In that sense we are facilitating this on behalf of our client as it requires us to approach the national providers to determine address accuracy (Postcode Address File), National Change of Address (NCOA) register and to screen records past national deceased registers to ensure that mailings do not deliberately mail deceased individuals.
Wealth Screening	This service will only be provided where the client has specifically requested it. In that sense we are facilitating this on behalf of our client as it requires us to approach organisations that can provide information as to someone’s potential wealth.   This information predominantly comes from public records such as council tax bands, registers of directors, registers of shareholders, information in the public knowledge, information from the unedited electoral role.   A company that we may be asked by our clients to approach include Prospecting for Gold, Experian and other third-party providers.

Information sharing 

There are occasions where we must share personal information that we process as described below:

Role	Information Shared	Justification
As a Controller	Payroll/HMRC Occupational health ICT support providers Lawyers, accountants Legal obligations	Legal obligation Legitimate Interest Employment law
As a Processor	ICT support and software service providers Suppliers for service delivery Legal obligations	Legal obligation Legitimate interest

 

International transfers

Pebblebeach Fundraising does not transfer or hold data internationally. All data centres are UK based.

Keeping information secure

We process personal information in electronic format. We have implemented a range of technical and organisational measures that ensure an appropriate level of security is maintained and to protect personal information from:

• Unauthorised access
• Improper use or disclosure
• Unauthorised modification
• Unlawful destruction or accidental loss

Employees and service providers who have access to, or are associated with, the processing of personal information must comply with our policies and procedures, use and process information ethically and lawfully and take all reasonable efforts to safeguard and protect it.

General information

Pebblebeach Fundraising Ltd may collect and retain information voluntarily sent by the Data Subject and members of the public and for business administration and invoicing purposes that are not caught by any other section within this policy. Where this occurs, we act as Data Controller for that information. This information will be processed, stored, retained and shared where relevant and appropriate to do so for the purpose of responding to or managing any general or business enquiries or other information received, volunteered or sent to us by the data subject that is or may be connected to any of our activities. This information will be processed in accordance with your rights and our obligations as detailed under Data Protection law and the general principles contained within this policy as well as our Data Protection Statements and Privacy Notices. Contractors and suppliers

Pebblebeach Fundraising Ltd works closely with a range of contractors and suppliers who support the delivery of our services to our clients and for the provision of software services. Any information that they process for or on our behalf is managed according to a strict data processing agreement that covers the requirements contained within data protection legislation and appropriate due diligence is undertaken before they are appointed to ensure that they are capable of ensuring an appropriate level of security to protect the information that they process.

There are occasions where our client will ask us to provide their mailing file to:

• A print and mailing house in order to send out a fundraising mailing campaign or other type of communication campaign.
• A consumer reporting agency, like Experian, in order to check a mailing file against national data cleaning files (such as the National Change of Address register) to remove known deceased records and goneaways.
• A wealth profiling agency to analyse their records against known wealth indicators.

Where we receive such a request from the client, we make clear that we are facilitating their request and that they retain the responsibility for that relationship with the nominated organisation.

Complimentary Individuals Data Analyses undertaken by Pebblebeach Fundraising Ltd do not use third-party organisations to enhance, amend, update, cleanse, add or use profile insights such as Mosaic, wealth screen or combine data sets for additional insight. Our data interrogation and analysis is supported by an external partner who is appointed under a strict data processing agreement to ensure that your rights are maintained and protected by appropriate security safeguards and measures.

Information Rights

Individuals have certain rights under data protection laws that organisations must respect and give effect to. These rights are often a balance between what and why the organisation is processing your information in that way against your right for it not to occur or cause you unnecessary intrusion or negative effects on your right to a private life.

These rights are listed below, however, how we respond to them will depend on whether we are operating as a Data Controller or a Data Processor.

Data Controller: Pebblebeach Fundraising Ltd are accountable and responsible for responding directly to you as a data subject, explaining whether we are processing your information and whether your right can be exercised in full or not. Most rights are only qualified rights, which means if there is a legal reason to process in that way, then this may supersede your ability to enforce the right in full. We will endeavour in all cases to fully engage with you and explain the process along the way. Any rights request received shall be processed within one calendar month timescale.

Data Processor: Pebblebeach Fundraising Ltd.’s core processing activities entail processing personal information on behalf of our clients. We are only entitled and authorised to process your information according to their documented processing requirements. As a processor we are not accountable or responsible for responding directly to you as a data subject. If you contact us with regards to our processing activities on behalf of a client, we are contractually obliged to pass your request on to our client without undue delay. We will work closely with our client to respond to you accordingly, but this will be through our client and not directly to you.

Right available	Description of right	What does this mean?
Right to be informed	Individuals have the right to be informed about the collection and use of their personal data.	The organisation that is collecting and processing your information must provide you with clear and transparent information with regards to their processing activities. This must be in simple and easy to understand language and it is usually contained within a Privacy Notice or Privacy Policy. These terms are often used interchangeably but generally mean the same thing.
Right of access	You have the right to obtain (from the Controller) confirmation from the Controller as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data.	This is called a Data Subject Access Request that is sometime shortened to DSAR or SAR.   This right enables you to obtain a copy of your personal data that is held and processed by the organisation.   This will not include information that identifies or makes any other individual identifiable or information regarding how the organisation operates.   Data Protection Legislation permits certain redactions to be made or exemptions to apply. Where organisations exercise redactions/exemptions they should tell you why and its purpose unless by doing so jeopardises a criminal or other lawful investigation.
Right to rectification	You have the right to request (from the Controller) that inaccurate personal data concerning you is rectified. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement.	This right only applies to inaccurate personal data, information contained on your application form, information that you have provided to us or any flags placed on your record. This will not lead to any personal data which you disagree with being rectified.
Right to erasure (right to be forgotten)	You have the right (under certain circumstances, but not all) to request the Controller to erase personal data concerning you.   This will never include any details that we are required to process under law or to fulfil contractual obligations with the data subject.	The right to be forgotten only applies: ·        Where the personal data is no longer necessary ·        Where you withdraw consent ·        Where the Controller unlawfully holds your personal data ·        Where you successfully object to processing activities ·        Where we must follow a legal obligation to delete.
Right to restriction of processing	You have the right (under certain circumstances, but not all) to request the Controller to restrict processing of your personal data.   For example, you may request this if you are contesting the accuracy of personal data held about you.	This right only applies: ·        Where you contend the accuracy of any personal data until it has been made accurate ·        Where you have objected to any processing whilst the Controller presents their evidence ·        Where the Controller are processing data unlawfully and you do not wish for it to be erased ·        Where the Controller no longer needs the personal data but you require the data to establish, exercise or defend a legal claim.
Right to data portability	You have the right (under certain circumstances, but not all) to request the Controller to provide you with the personal data about you which you have provided to in a structured, commonly used and machine-readable format.   You also have the right to request the Controller to transmit those data to another Controller.	This right only applies to data collected by automated means or provided by you. This is a similar right as to a SAR but limited in scope. In that sense you are not entitled to everything under a portability request.   Pebblebeach Fundraising Ltd does not currently undertake processing, which is wholly automated, we do not see any circumstances in which we would have to comply with this right.   For a copy of your personal data, please carry out a subject access request instead.
Right to withdraw consent	If the lawful basis for processing is consent, you have the right to withdraw that consent. If you wish to withdraw your consent, contact the Data Controller immediately.	Withdrawing consent will not affect the legality of any processing carried until consent was revoked.
Right to object to direct marketing                 Right to object to direct marketing continued	Where your personal data are processed for direct marketing purposes, you have the right to object at any time, which includes profiling to the extent that it is related to direct marketing activity.   This is an absolute right and must be complied with.	This right will apply instantaneously in most instances but should be in effect within one month of your request. Your request to stop any processing of your personal data for direct marketing purposes must be made directly to the Data Controller (the organisation that supplied us with your information).   Where we receive a request from you, we will pass your request on to our client without undue delay for them to address.
Rights in relation to automated decision making and profiling	Pebblebeach Fundraising Ltd does not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you.	Your rights in relation to automated decision making and profiling applies whether the decision produces legal effect or similar significant effects on you. Where this occurs, you are entitled to have the decision reviewed by a human rather than a computer.

Contact us

If you have any questions or queries relating to this Privacy Notice or how we may process your personal information for our own purposes or on behalf of our clients, you can contact us on the details below:

Address: Pebblebeach Fundraising Limited, 8 Bond Street, Brighton, BN1 1RD

Email: data-protection@pebblebeachfundraising.com

Call: 01273 323129

Information Commissioner’s Office (ICO)

If you feel that our handling of your personal data under this policy and/or your right to privacy has been compromised, you should contact us immediately using the details provided above.

If you are not satisfied with our response you have the right to lodge a complaint with the Supervisory Authority and the right to a judicial remedy.

In the United Kingdom the Supervisory Authority and Information Rights Regulator is:

Information Commissioner’s Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.org.uk

Privacy Notice was last updated 05 February 2021