Privacy Policy

Defines how Forth Valley Unity collects, uses, and protects personal data in accordance with privacy laws.

Updated 7 May 2025
1. Introduction

Forth Valley Unity is committed to complying with the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). This Data Protection Policy outlines how we collect, use, store, and protect personal data, ensuring that our practices respect your privacy and comply with all applicable legal requirements in Scotland and the wider UK.

2. Purpose

The purpose of this policy is to ensure that personal data is handled in a compliant and transparent manner, respecting the privacy of individuals and upholding the highest standards of data protection.

3. Scope

This policy applies to all volunteers, staff, and associates who handle personal data on behalf of Forth Valley Unity.

4. Principles

We adhere to the following data protection principles:

  • Lawfulness, Fairness, and Transparency: We process personal data in a lawful, fair, and transparent manner. We rely on the following lawful bases for processing personal data:
    • Consent: When individuals have given clear consent for us to process their personal data for a specific purpose.
    • Contract: When processing is necessary for a contract we have with the individual, or because they have requested specific actions prior to entering into a contract.
    • Legal Obligation: When processing is necessary for us to comply with the law (excluding contractual obligations).
    • Legitimate Interests: When processing is necessary for our legitimate interests or those of a third party, provided these interests are not overridden by the interests or fundamental rights and freedoms of the individual.
  • Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.
  • Data Minimisation: We ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  • Accuracy: We take all reasonable steps to ensure that personal data is accurate and kept up to date.
  • Storage Limitation: Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, including for legal, accounting, or reporting requirements. For example:
    • Membership Data: Retained for the duration of membership plus five years after termination.
    • Financial Records: Retained for seven years in accordance with financial regulations.
    • Volunteer Information: Retained for the duration of volunteer involvement plus three years.
  • Integrity and Confidentiality: We process personal data securely to maintain its integrity and confidentiality.
  • No Sharing or Selling of Data: We will never share or sell your personal data to third parties without your explicit permission, except where required by law.
  • Data Protection: We take all possible steps to safeguard your data and ensure your privacy is protected to the fullest extent.
  • Email Subscriptions: If you subscribe to our emails, we will only send you communications that align with your subscription preferences. You have the right to unsubscribe at any time.
  • International Data Transfers: We do not transfer personal data outside the UK unless required. If such transfers become necessary, we will ensure that appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions by the relevant authorities.
  • Special Categories of Data: We take extra precautions when processing sensitive personal data, including data related to children. Although the ICO recommends a digital consent age of 13, due to our child protection policies we require individuals to be at least 16 years of age before providing their personal data. Parental consent is required for processing data related to individuals below this threshold.
  • Automated Decision-Making and Profiling: In certain circumstances, decisions about individuals may be made solely by automated processes, including profiling. Where such automated decision-making occurs, we ensure that appropriate safeguards are in place. This includes providing individuals with the right to request human intervention, receive an explanation of the decision, and challenge the decision if necessary.
  • Consent Management: If you wish to manage your consent preferences or withdraw consent, please contact our Data Protection Officer at dpo@fvu.org.uk. We will review and process your request and provide a response within 30 days. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to its withdrawal.

5. Rights of Individuals

Individuals have the following rights regarding their personal data:

  • Right to Access: Request access to their personal data.
  • Right to Rectification: Request correction of any inaccurate or incomplete data.
  • Right to Erasure: Request deletion of their personal data under certain conditions.
  • Right to Restrict Processing: Request limitations on the processing of their data.
  • Right to Data Portability: Receive their data in a structured, commonly used, and machine-readable format.
  • Right to Object: Object to the processing of their personal data.

To exercise any of these rights, please contact our Data Protection Officer using the contact details provided below. We will respond to your request within one month.

6. Data Security

  • Access Control: Personal data is accessible only to authorised personnel.
  • Data Storage: We store personal data securely using encryption and other appropriate security measures.
  • Data Transfer: We use secure methods to transfer personal data to prevent unauthorised access.
  • Regular Security Assessments: We conduct regular assessments to identify and mitigate potential security risks.
  • Data Protection Measures: We implement both technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
  • Third-Party Processors: We may engage third-party service providers to process personal data on our behalf. These processors are contractually obligated to comply with the UK GDPR and ensure the security and confidentiality of the personal data.

7. Data Breach Procedures

  • Reporting: Any data breach must be reported immediately to the Data Protection Officer.
  • Response: Upon detection, we will promptly assess the breach, contain it, and take steps to mitigate any adverse effects. This includes notifying affected individuals and the Information Commissioner’s Office (ICO) within the required 72‑hour period, where applicable.
  • Investigation: We will conduct a thorough investigation to determine the cause of the breach and implement measures to prevent future occurrences.

8. Training and Awareness

  • Training: All volunteers and staff will receive regular training on data protection principles and best practices to ensure compliance.
  • Continuous Education: We provide ongoing education and updates on data protection laws and policies.

9. Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments (DPIAs) for any processing activities that are likely to result in a high risk to the rights and freedoms of individuals. These assessments help us identify, evaluate, and mitigate potential privacy risks associated with our data processing activities.

10. Policy Review

This policy will be reviewed annually or when significant changes occur to ensure its continued effectiveness and compliance with legal requirements.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform. For more information, please review our Cookie Policy.

12. Contact Information

For questions or concerns regarding this policy, please contact us at:

Email: info@fvu.org.uk

Data Protection Officer:

Email: dpo@fvu.org.uk