Introduction

This privacy notice applies to both Sight Scotland and Sight Scotland Veterans. Although the charities are separate legal entities, they share board members and corporate services and where it makes sense to do so, the charities also share policies and procedures. Therefore, any references to “the charity”, “we”, “our”, or “us” should be interpreted as meaning the charity that provides the service you are enquiring about or receive. 

Both charities are registered in Scotland (Sight Scotland is a registered charity No SC017167, Sight Scotland Veterans is a Scottish Charitable Incorporated Organisation, Charity No SC047192) at 2a Robertson Avenue, Edinburgh, EH11 1PZ. We are registered with the Information Commissioner’s Office (Ref: Z5603032 & ZA370709).

We are the Data Controller over any personal data we process about you for the purposes set out in this Privacy Notice (see below). This notice outlines what personal data the charity collects and processes about you in various situations, which we have explained below. This notice does not cover personal data we process about our staff. The categories of data subjects whose personal data is covered by this privacy notice include: our members, supporters, fundraisers, donors, customers, users of our website, and individuals who use or make enquiries via our website or over the phone or email.

If you have any questions about this privacy notice or the way the charity processes your personal data, please contact our Data Protection Officer Stephen Coulter.

What is personal data?

Personal Data: means any information that relates to and could be used to identify a living individual known as a ‘data subject’. Examples of personal data include: name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a data subject.

Special Category of Data: is information about a data subject which is considered more sensitive and requires greater protection. Examples of special category data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

When we use the term ‘personal data’ we mean both personal data and special category of data.

Our Processing

Your personal data is processed in different ways dependent on your interaction with the charity.  The section below sets out what personal data we process about you, where we get it from, why we use it, our lawful basis for processing your data and who we may share it with. Where we share personal data with third parties, we ensure that we have a valid contract in place which contains data sharing and/or data processing provisions, obligations, and safeguards to protect your information. 

How We Use Personal Data

Personal Data

  • Name, email address, social media handle, telephone number, any information you provide to us.

Where do we get it from?

  • When you submit an enquiry on our website, use our online forms, email, telephone, post or when we meet you face to face.

Legal Basis

  • Processing is necessary for the purpose of our legitimate interests to respond to your enquiries.

Who may we share it with?

  • Organisations that support our day-to-day operations, including IT software and maintenance.

Personal Data

  • Name, email address, telephone number, health data, address, any information you provide to us.

Where do we get it from?

  • From you, the data subject; and when you submit an order request on our website, email, or telephone.

Legal Basis

  • We may process your personal data where it is necessary for us to fulfil the performance of our contract with you.
  • We may process special category data i.e. health data where it is necessary for the purposes of the provision of health or social care or treatment or the management of health and for ‘Health or Social Care Purposes’ under Schedule 1, Part 1(2) of the Data Protection Act 2018 and Article 9 (2) (d) Not for Profit bodies, in the context of delivering our services to you, to protect you or another person from harm, or where we have your explicit consent.

Who may we share it with?

  • Organisations that support our day-to-day operations, including IT software and maintenance.

Personal Data

  • Name, email address, telephone number, social media, any additional information you provide to us.

Where do we get it from?

  • Listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages, in person (face to face) meetings and other communications.

Legal Basis

  • Processing is necessary for the purpose of our legitimate interest in protecting the security of our communications systems and procedures and for quality control and staff training purposes.

Who may we share it with?

  • Organisations that support our day-to-day operations, including IT software and maintenance.

Personal Data

  • Name, email address, telephone number, any information you provide to us.

Where do we get it from?

  • When you submit an order request on our website, email, or telephone.

Legal Basis

  • Processing is necessary for the performance of a contract.            

Who may we share it with?

  • Organisations that support our day-to-day operations, including IT software and maintenance and delivery companies.

Personal Data

  • Name, email address, telephone number, social media, address.

Where do we get it from?

  • From you, the data subject.        

Legal Basis

  • Consent where we market to you by electronic methods.
  • Processing is necessary for the purpose of our legitimate interest to issue marketing materials to you by post.

Who may we share it with?

  • Market research companies who help us develop our products and services.

Personal Data

  • Name, address, email address, telephone number.

Where do we get it from?

  • From you, the data subject, and publicly available sources such as the Royal Mail’s National Change of Address database.   

Legal Basis

  • Processing is necessary for the purpose of our legitimate interests of keeping our database up to date, accurate and relevant.             

Who may we share it with?

  • Market research companies who help us develop our products and services.

Personal Data

  • Name, postal address, email address, telephone number, bank details, the fact you are a UK taxpayer, the reason for your donation and whether it is in memory of another person.

Where do we get it from?

  • From you, the data subject.        

Legal Basis

  • Processing is necessary for the purpose of our legitimate interest to process donations for the benefit of the charity.
  • Processing is necessary to fulfil our legal obligation to process direct debits under the direct debit agreement.

Who may we share it with?

  • HMRC for purposes of Gift Aid; Payment bureau provider administering the payment.

Personal Data

  • Name, postal address, email address, telephone number, hours volunteered, hours worked, events attendance, and emergency contact details of next of kin.    

Where do we get it from?

  • From you, the data subject.

Legal Basis

  • Processing is necessary for the performance of a contract.

Who may we share it with?

  • Event organisers, third party service providers.

Personal Data

  • Technical data about your use of our website.           

Where do we get it from?

  • From you, the data subject.

Legal Basis

  • Processing is necessary for the purpose of our legitimate interest to use cookies to support the functionality of our website. Consent for non-essential cookies.  Please visit our Cookie Notice for further information.              

Who may we share it with?

  • Google Analytics, where you provide your consent.

Personal Data

  • Name, contact details, date and time of visit, vehicle registration number.

Where do we get it from?

  • From you, the data subject.

Legal Basis

  • Processing is necessary for the purpose of our legitimate interest to document visitors to our premises for security and fire safety purposes.

Who may we share it with?

  • External organisations such as Police Scotland who may have a legitimate reason to access the data for the investigation to fulfil a legal or regulatory obligation.

Personal Data

  • Special category data, specifically information relating to your health and wellbeing.

Where do we get it from?

  • From you, the data subject; Healthcare provider.

Legal Basis

  • Where it is necessary for the purposes of the provision of health or social care or treatment or the management of health and for ‘Health or Social Care Purposes’ under Schedule 1, Part 1(2) of the Data Protection Act 2018, and GDPR UK Article 6 (b) Contract and Article 9 (2) (d) Not for Profit bodies; Where it is necessary to protect you or another person from harm; Where it is necessary for processing to be carried out in the course of our legitimate activities with appropriate safeguards in place; and in limited circumstances, with your explicit written consent.

Who may we share it with?

  • Legal advisors, insurers, police, and other official authorities.

Personal Data

  • Personal data and special category data.       

Where do we get it from?

  • From you, the data subject.

Legal Basis

  • Processing is necessary to fulfil a legal or regulatory obligation.          

Who may we share it with?

  • Police and other official authorities.

Will we share your Personal Data outside of the UK or EEA?

Your personal data will not normally be transferred outside the European Economic Area. Where we transfer, store, and process your personal data outside of the UK or European Economic Area ("EEA") we will transfer any personal data to and from the EEA and UK on the basis of the adequacy decisions for the UK and EU. Where this happens and the recipient country is not deemed inadequate by the UK Government, then we will use legally provided mechanisms to lawfully transfer data across borders.

Retention

We shall keep your personal data for as long as is necessary for a specific business purpose and in line with legal and regulatory requirements, our reporting obligations and ICO guidance.

You have certain rights under data protection law, which are summarised below.  You can exercise these by contacting our Data Protection Officer Stephen Coulter.

  • You can withdraw your consent (including for marketing) at any time, at which point we shall stop processing your personal data in that way.  Please note this does not affect the legality of our processing up to the date of your withdrawal of consent.
  • You can seek to restrict our processing of your personal data, ask us to rectify any personal data we hold about you or object to us processing your personal data for the purposes stated above. 
  • You have the right to access personal data held by us about you.
  • In certain circumstances you have the right to ask us to provide you with your personal data in a structured, commonly used and machine-readable format to allow you (or us on your behalf) to transmit this information to another party. 
  • In certain circumstances you have the right to ask us to erase the personal data we hold about you.  We will consider any such request in line with UK GDPR.  Please note this is not an absolute right and there may be circumstances where we choose not to delete all of the personal data we hold about you. 
  • You have rights in relation to automated decision-making, including profiling, which enable you to ask us not to use your personal data in this way.
  • You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you think that we have infringed your rights. You can find more information about reporting a matter to the ICO by visiting the Information Commissioner’s Office website.

Our website Sight Scotland may contain links to other websites.  Please note that Sight Scotland has no control of websites outside our domain. The charity is not responsible for the protection and privacy of any sensitive information provided to a website linked to Sight Scotland.

We reserve the right to amend this privacy notice from time to time.