Spiritualgradient.com Data Protection and Privacy Policy
Effective date: Apr 2022
Purpose of this policy
The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Spiritual Gradient the approach that Spiritual Gradient intends to take when handling the personal data of any person.
This document applies to the operation of Spiritual Gradient in England and Wales.
Spiritual Gradient must comply with data protection law. The law prior to 25.05.18 is derived from the Data Protection Act 1998 (“the ‘98 Act”) and from 25.05.18 will be derived from the General Data Protection Regulation (Regulation 2016/679/EU) (“GDPR”) which came into force on 25.05.16 and which becomes applicable on 25.05.18.
Every person who is employed by, works with or volunteers for Spiritual Gradient is required to adhere to this policy to the best of their ability. If there are any concerns regarding the application of this policy it is the responsibility of the person with the concern to contact the Spiritual Gradient data protection manager at the first opportunity either directly or in writing.
Definitions
This document uses definitions applicable to GDPR as these supersede any existing law from 25.05.18.
“Data Subject” The “data subject” is any natural person about whom information is obtained, stored and/or processed by Spiritual Gradient or any person or organisation acting on Spiritual Gradient’s behalf for any reason associated with Spiritual Gradient.
Data subjects include officers, employees, servants and agents of Spiritual Gradient, volunteers, donors and any other person whose personal data (see below) is collected and processed by or on behalf of Spiritual Gradient for any reason.
“Natural Person” A living person. A human being. The term “natural person” does not include any “legal person” such as a company, partnership or corporation.
“Personal Data” Any information relating to an identified or identifiable natural person is “personal data”. This includes, but is not limited to, name, identification number, location, online identifier or any physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
“Special Category Data” Certain data is considered to be sensitive in nature and is referred to as “special category” data. Special category data is any data which reveals the racial or ethnic origin, the political opinions, the religious or philosophical beliefs, any trade-union memberships or any natural person. Any data such as genetic or biometric data which can uniquely identify a natural person or data concerning the sex life or
the sexual orientation of a natural person is also special category data.
“Controller” The “controller” for the purposes of this policy is Spiritual Gradient. The controller is the natural or legal person who either alone or jointly with others determines the purposes and means of the processing of personal data.
“Processor” A “processor” is a natural or legal person who processes personal data under the direct and express instructions of a controller.
“Processing” Any operation which is performed on personal data such as but not limited to collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction amounts to processing of that personal data.
Data Protection Principles
Every person working for, with or on behalf of Spiritual Gradient must adhere to the following principles when dealing with personal data.
Personal data must only be:
A. Processed lawfully, fairly and in a transparent manner in relation to the subject (‘lawfulness, fairness and transparency’)
B. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
C. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
D. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
E. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (‘storage limitation’)
F. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (‘integrity and confidentiality’)
Data Subject Rights
Every data subject has the following rights which must be upheld in a timely manner in order to comply with the law:
Right of access – the right to obtain a copy of personal data of the data subject and the details of processing carried out by or on behalf of Spiritual Gradient;
Right of rectification – the right to ensure that errors in data held by Spiritual Gradient are corrected;
Right to erasure – the right, under certain circumstances, to ensure that personal data held by Spiritual Gradient on that natural person is erased;
Right to restriction – the right to restrict the processing of personal data under certain circumstances;
Right to portability – the right to obtain a copy of personal data obtained by the controller from the data subject in a portable machine-readable form and also to have it transferred to another controller if so desired; and
Right to objection – the right to object to the processing of their personal data under certain circumstances.
Each of these data subject rights is, in effect, a controller obligation. It is incumbent on the controller to facilitate the exercise of these rights. From 25.05.18 the controller can only charge a fee following a request to exercise the right of access under very limited circumstances.
The controller must respond to a request to access a copy of personal data within one calendar month.
Any employee, servant or agent of Spiritual Gradient who receives or becomes aware of any request from a data subject must forward that request to the data processing manager immediately.Data subjects seeking to exercise any of the above data subject rights are requested to make their request to the data processing manager at Spiritual Gradient to ensure a prompt and effective response.
Controller Obligations
In addition to the data subject rights, which themselves amount to controller obligations, the controller must comply with other obligations when processing the personal data of natural persons.
These include: Data Minimisation:
Spiritual Gradient will only collect such personal data as is required to do the required processing. This will differ depending upon whether the data subject is an employee, a volunteer or a donor.
Data Retention:
Spiritual Gradient will only retain personal data for as long as is reasonably required by law or good practice following the last contact with the data subject. This retention period differs depending upon whether the data subject is an employee, a volunteer or a donor. Spiritual Gradient has a policy of carrying out a data cleansing exercise annually and as a result data will be retained for no longer than one year in excess of the required retention period. Otherwise, it would be excessively cumbersome for Spiritual Gradient to manage the data cleansing process effectively.
Privacy by Design:
Spiritual Gradient has a responsibility to design and engineer its systems so that personal data is not misused and so that it is stored and processed in a manner which is consistent with minimising the opportunity for data loss and data being processed in a manner which has no lawful basis.
Article 13 and Article 14 notifications:
Where personal data has been obtained from the data subject directly, it is Spiritual Gradient’s responsibility to provide the data subject with the following information if the data subject does not already have it:
A. The identity and the contact details of the controller;
B. The contact details of the data protection officer if such a person has been appointed;
C. The purposes of the processing and the legal basis for that processing;
D. What, if any, legitimate interest of Spiritual Gradient or of a third party is relied on as the legal basis of the processing;
E. The recipients or categories of recipients of the personal data, if any;
F. If the transfer of the data to a third country or to an international organisation is intended, whether or not there is an adequacy decision of the European Commission in force in respect of that country or any appropriate or suitable safeguards which are relied upon and how the data subject can obtain a copy of those safeguards;
G. For how long the personal data will be stored or the criteria used to determine that period;
H. The existence of the right of the data subject to request from Spiritual Gradient access to and rectification of or erasure of the personal data or restriction of processing concerning the data subject or to object to the processing as well as the right to data portability;
I. Where the processing is based on the data subject’s consent the fact that the data subject may withdraw that consent at any time unless prevented from doing so by law;
J. The right of the data subject to lodge a complaint with a supervisory authority (regulator);
K. Where the provision of the personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, the data subject must be informed of this and whether he or she is required to provide the personal data and of the consequences of non-compliance with this requirement;
L. If any automated decision making or profiling is carried out using the personal data then the data subject must be informed about this and provided with a meaningful explanation as to the logic involved and the envisaged consequences of this processing for the data subject;
M. Where Spiritual Gradient intends to process the data for a purpose other than that for which the data were collected, Spiritual Gradient must provide the data subject with a further notification including reminding him or her of his or her statutory rights in respect to that processing.
N. Where Spiritual Gradient obtained personal data of a data subject other than directly from the data subject Spiritual Gradient must provide the data subject with the information outlined above together with:
O. The name and contact details of the source of the personal data and, if applicable, whether it came from publicly accessible sources.
In this second case, Spiritual Gradient must provide this information to the data subject no later than one month after obtaining it or when it is first used to communicate with the data subject (if that is its purpose) whichever is the sooner.
Spiritual Gradient is also required to communicate the above information to a data subject no later than when it is disclosed to another recipient.
As a matter of policy, Spiritual Gradient does not disclose personal data to third parties for any other purpose than for the processing of that data in relation to the payment of wages, salaries, expenses or the processing of donations and for that purpose alone.
Where the data subject is attending a Spiritual Gradient function, Spiritual Gradient may need, in order to facilitate the operation of that function and the attendance of the data subject, Spiritual Gradient does not sell or transfer personal data to any organisation for the purpose of direct marketing or for any other purpose other than for processing of payments or booking of accommodation or travel as outlined above.
Recordkeeping.
Spiritual Gradient as the controller has a responsibility to keep written records (which may be stored in electronic form) in accordance with Article 30. These records are (as applicable to Spiritual Gradient):
A. name, contact details of Spiritual Gradient as controller;
B. the purposes of the processing;
C. description of the categories of data subjects and of the categories of personal data;
D. categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
E. where applicable, transfers of personal data to a third country (outside of the EEA) or an international organisation, including the identification of that third country or international organisation and, in the case of transfers carried out in relation to the performance of a contract between [Insert Organisation Name] and the data subject, a description of suitable safeguards in place to protect the rights and freedoms of the data subject;
F. where possible the envisaged time limits for the retention of the different categories of data;
G. a general description of the technical and organisational security measures in place
H. to safeguard the rights and freedoms of the data subject.
I. These records may be made available to the regulator on request.
Information Security Measures
Spiritual Gradient has put in place and will continue to monitor and maintain a number of systems, processes and procedures to ensure and assure that the personal data of data subjects, be they employees, volunteers, donors or clients, is kept securely and safely at all times.
These measures include but are not limited to: encryption of all data sets at rest, control of all backup datasets which are in any event encrypted; and maintaining physical and logical security in relation to access to any personal data.
Data Protection Breaches
A data protection breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Any employee, servant, or agent of Spiritual Gradient or any volunteer working with Spiritual Gradient who becomes aware of a data protection breach or a possible data protection breach is required to inform the data protection manager as soon as possible.
On becoming aware of a breach, Spiritual Gradient as the controller is obliged to inform the regulator within 72 hours.
Data subjects must be informed of any breach affecting their personal data within 5 days unless Spiritual Gradient is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.