2. Who are Breaking Barriers?
Breaking Barriers is a charitable incorporated organisation (CIO) and registered charity in England and Wales (registered charity number 1161901). In this policy ‘Breaking Barriers’ also refers to Breaking Barriers Trading Ltd – a wholly-owned subsidiary of Breaking Barriers CIO set up to provide employment-related services to refugees. In this policy the terms ‘we’, ‘us’ and ‘our’ refer to Breaking Barriers.
Breaking Barriers is a “data controller” for the purposes of the Data Protection Act 2018 and the UK General Data Protection Regulation (“Data Protection Law”). This means we are responsible for determining the purposes and means of processing of personal information.
Email: [email protected]
Call: 020 4541 0155 (choosing the menu option for ‘Supporter Care’)
Write to: Data Protection Officer, Breaking Barriers, WeWork, Aldwych House, 71-91 Aldwych, London, WC2B 4HN
The lead Data Protection Authority for Breaking Barriers is the Information Commissioner’s Office, Wycliffe House, Walter Lane, Wilmslow, Cheshire SK9 5AF, UK (ico.org.uk). If you feel that your data is not being managed in an appropriate manner, please contact us. You can also raise a concern with the Information Commissioner’s Office.
3. What personal information do we collect?
The type of personal information that we may collect about you includes:
- Name & Title
- Postal address
- Phone number
- Email address
- Social media profiles
- Date of birth
- IP Address (an identifying number associated with a computer or computer network) and other publicly-available information associated with that IP address (eg, location).
- Status as a UK taxpayer (we use this for Gift Aid administration only)
- Details of any contact that we may have with you
- How you heard about us
- How we communicate with you and any communication preferences you may have
- Details of any donations you make to us, or other ways you support us (e.g. volunteering, leaving a gift in your Will)
- Details of any services we provide/have provided to you
- Financial details relevant to any donations you make, or any payments we make to you (including bank details where relevant). Note: We do not store payment card details for donations. Online donations are processed securely via our online donation platform, Fundraise Up. If you donate with a credit or debit card by post or phone, this payment is processed via our Virtual Terminal account and we do not keep a record of your card details once we have processed the donation.
- Details about any campaigns you choose to support
- Photographs or digital images (e.g. in photos taken at our events)
- Relationships with other people or organisations on our database (e.g. if you tell us you are employed by one of our corporate partners)
Special category data
Under data protection law, certain categories of personal information are recognised as sensitive. For example, information related to health, race, ethnic origin, sexual orientation, religious beliefs and political opinions.
We will only collect and use special category data:
- With your explicit consent, or
- If you are employed by us, where it is necessary to carry out our obligations, or to exercise either your rights or ours, in the course of this employment, or
- Where it is necessary to protect the vital interests (the life) of you or another person, where you are not able to give consent.
4. When and how do we collect your personal information?
We collect your personal information when you engage with us directly, or interact with us via a third party, to:
- Make an enquiry to us
- Sign up to receive emails from us
- Receive a service or grant from us, or enter into communication with us regarding a service or grant
- Make a donation to us (see Fundraise Up for more information regarding online donations)
- Volunteer for us, or apply to volunteer
- Apply to work for us or take up employment with us
- Take part in one of our campaigns
- Engage with us on social media
- Enquire about, or advise us of, a gift to be left to us in your Will
- Register for, or attend, an event, training course or workshop with us
- Connect with us online by visiting our website or social media channels, or engaging with an email we send you
- Share with us your story of being a refugee and/or being a Breaking Barriers client or supporter
- In certain circumstances, to improve our communications and fundraising approaches, we will conduct our own research and gather information that is available within the public domain (for example, on social media or in the news) or through third party subscription services (e.g. wealth screening)
Breaking Barriers uses Fundraise Up as its online donation platform. All donation data collected is subject to the provisions of the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), and other applicable privacy laws. Financial information such as banking information or credit card number, name, CVV code or date of expiration, is collected and stored by a third party payment processor. Financial information is not stored by Fundraise Up Inc.
When making a donation, information collected may include:
- Contact and account information such as name, email address, physical address, location data, phone number, and social media information;
- Technical information such as standard web log entries that contain IP address, cookies (first party, third party, session, persistent, and flash), web beacons, page URL and timestamp.
5. How and why do we use your personal information?
We may use your personal information for the following purposes:
- To respond to any correspondence you enter into with us.
- To manage, process and acknowledge any donations you make and/or any other way you support us, and keep a record of this relationship.
- To provide, and keep a record of, any services or support you request or receive from us, to help us assist you effectively.
- To keep you updated on the work we are doing, tell you how any donations you make are being used and share the impact of your support.
- To ensure we act on any requests you make about how we do/don’t contact you.
- For fundraising and campaigning purposes (see Marketing for more details).
- To personalise or tailor our communications and parts of our website (e.g. donation forms), to make them more appropriate or relevant to you, and to improve their effectiveness in contributing to our mission.
- If you are volunteering or working for us, or receiving a service from us, to make reasonable adjustments to accommodate your needs.
- Where you sign a petition or otherwise take action, your details maybe sent on to the campaign target, or an email be sent on your behalf, as indicated when you take action.
- To help us analyse, report on and improve our services to refugees. Information that could identify specific individuals is never made public without explicit consent.
- To help us analyse and understand our online audiences. We use Google Analytics and Google Signals to collect information about online behaviour on our website (including our Fundraise Up donation platform). This allows us to make improvements to our services to refugees, our fundraising and campaigning, and our services to supporters. You can control what Google records and which ads it shows you by visiting https://myadcenter.google.com.
- For research and analysis, to help us to grow the movement to support refugees into meaningful employment, by finding new audiences and like-minded people who have similar interests and characteristics. Where research requires your direct involvement, participation will always be optional.
- To help us identify those who may be able to help us financially, and contact relevant people in the most appropriate way.
- For administration purposes. E.g. for the management of feedback or complaints, or the preparation and auditing of our accounts.
- To allow us to verify your identity if we are required to do so, to be able to comply with laws and regulations, and to protect our organisation and your personal information from fraudulent activities.
- For legacy administration purposes (where you are involved, for example as an Executor, in the administration of an Estate that includes a bequest to Breaking Barriers).
- To comply with our legal obligations and to share data with law enforcement agencies if required to do so.
6. What legal bases do we use to process your personal information?
Consent: This is where we have your specific agreement to processing your personal information. For example, we use consent to feature the stories of people of refugee background in our communications, and we may process sensitive personal data with consent in order to provide you with our services. We also use consent to communicate with you about our fundraising via your personal email address, SMS/text or phone. You can withdraw your consent at any time. All our marketing emails include an unsubscribe link.
Performance of a Contract: This is where we need to process personal information to deliver a service we are contracted to provide you with. Or, before you have entered into a contract with us, because you have asked us to do something related to a potential contract.
Legal Obligation: This is where we need to process personal information to comply with the law or a statutory obligation. For example, where you are employed by Breaking Barriers, to disclose your salary details to HMRC. Or, where you have made a Gift Aid declaration, we are legally required to retain personal data associated with this declaration for a minimum period of time.
Vital Interests: This would apply only if we needed process personal information to protect someone’s life. For more information, see Safeguarding.
Legitimate Interest: This only applies if no other legal basis for the processing applies. It refers to the processing of personal information where we have a legitimate interest in doing so to achieve our vision that every refugee can access meaningful employment.
Some examples of where we have a legitimate interest in processing personal information include recording and responding to your correspondence with us, data analysis to improve our services or better understand our clients and supporters, and contacting individuals about our work by post (you can opt-out of postal mailings at any time).
Whenever we process your personal information on the basis of our legitimate interests, we make sure we take your rights and interests into account. We will not process your information if it is not necessary for our legitimate interest, or we feel your rights and interests are in opposition to and outweigh ours.
As a charity we communicate with individuals to raise money to fund our work, and to attract other types of support. We send these ‘marketing’ communications in a variety of ways:
By email, SMS (text message) & phone:
We will only send you marketing communications via these channels to ‘individual subscribers’ (i.e. your personal contact details) if you have given us your consent. You have the right to withdraw your consent for any method of communication at any time. All our marketing emails include an unsubscribe link, and you can also contact us via the details above.
In certain circumstances, we may use these channels to communicate with individuals via corporate contact details (e.g. a work email address for a named staff member) on the basis of our legitimate interests. Such marketing emails will always include an unsubscribe link.
By post: We may send marketing in the post on the basis of our legitimate interests. You will not receive mail from us if you have specifically requested not to. If you would prefer NOT to receive communications from us in the post, you can let us know via the form included with any of our marketing letters, or by using the contact details above. Please note, some mailings are prepared in advance, but we will aim to record and act on your preferences within 28 days.
By social medial advertising:
If you have supported us, and haven’t opted out, we may contact you via social media advertising. We may also use your profile anonymously, in conjunction with many other profiles, to identify audiences that are likely to engage with our mission.
Please also see Cookies for information on how we may use these for marketing purposes.
Cookies are small text files on your computer, smart phone, tablet or other device. They are made by your web-browser when you visit a website. Every time you go back to that website, your browser will send the cookie file back to the website’s server.
Cookies, and other similar technologies – also known as tags, pixels, beacons and floodlights – do lots of different jobs. For example, letting you navigate between pages efficiently, remembering your preferences and improving the user experience.
Cookies also help Breaking Barriers to understand which parts of our website people are using, personalise content and digital ads, reach more relevant audiences with our ads, and offer social media features. Information supplied in cookies also allows us to measure the effectiveness of online marketing campaigns so that we can become more efficient.
A cookie, by itself, can’t be used to identify you. We cannot and do not link it with personal information we hold about you (e.g. your name, address, email address).
Some cookies that are essential for the proper functioning of our website. You can choose to accept or reject other types of cookies by clicking on the cookie banner on our website. You can also find out how to control and delete cookies in your browser. If you choose to refuse all cookies, our website might not work as well.
Meta is the company that owns Facebook and other online social media and communications platforms, including Instagram.
We use Meta cookies so we can collect and send information to Meta about actions taken by visitors on our website. We also use Meta cookies to measure the effectiveness of our Meta ad campaigns which, in turn, helps ensure that we’re using our resources effectively.
Meta uses this information to provide services to us and also for further processing for its own business purposes. We and Meta are joint controllers of the processing involved in collecting and sending your personal information to Meta using cookies and similar technologies as each of us has a business interest in Meta receiving this information. The services we receive from Meta that use this information are delivered to us through Meta’s Business Tools. These tools allow us to target advertising to you within Meta’s social media platforms by creating audiences based on your actions on our website and allow Meta to improve and optimise the targeting and delivery of our advertising campaigns for us.
Our relationship with Meta: As we are joint controllers with Meta for certain processing, we have:
- entered into an agreement in which we have agreed each of our data protection responsibilities for the processing of your personal information described above;
- agreed that Meta is responsible for responding to you when you exercise your rights under data protection law in relation to its processing of your personal information as a joint controller.
Meta also processes, as our processor, personal information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include processing carried out on the platform when they display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to them. These advertisements may include forms through which we collect contact information you give to us.
Further information: The Meta company that is a joint controller of your personal information is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. For further information regarding Meta and their use of your personal information, please see:
- Meta’s UK Controller Addendum for Business Tools which include information regarding how our and Meta’s responsibilities to you are allocated as controllers of your personal information; and
- Meta’s Data Policy at https://www.facebook.com/about/privacy which includes details of the legal reasons (known as ‘lawful bases’) on which the platform relies to process your personal information, together with details regarding your data protection rights.
9. How long do we keep your information?
Your data is retained for as long as is necessary for the purpose for which it was collected. We are obliged to keep certain data to fulfil legal obligations and matters of record keeping (e.g. we are required to keep certain financial records for 6 years). We will securely delete all data when it is no longer required.
10. When will we share your information?
We will never sell your personal information to other organisations so that they can contact you for their own marketing purposes.
Breaking Barriers works with contracted suppliers and, where applicable, we will share your information with them. Except under the terms of our marketing agreement with Meta, your data will only be used under our explicit instructions and only for the purposes we specify, to carry out necessary operations for us, such as sending letters or processing financial transactions.
We review the policies and procedures of all third-party suppliers to ensure we are satisfied with the level of their compliance with data protection laws, and that their systems are secure. Where appropriate, we also have separate signed agreements which require them to respect the security of your personal information.
Where we receive grant income under a contract with a statutory funder (for example, a government department), we may share personal information in our reports to the funder where we have explicit consent to do so.
We may disclose your personal information if required to do so by law. For example, where required by regulatory and government bodies or by law enforcement agencies.
11. How do we keep your information safe?
We are committed to keeping your personal information safe, and we have appropriate physical, technical and organisational measures in place to protect information under our control from improper access, processing, destruction or loss.
Data is only accessible by staff, volunteers and third-party service providers who are bound by appropriate policies and procedures to protect your information and comply with Data Protection laws.
12. Protecting children & vulnerable individuals
Supporters in vulnerable circumstances: We’re committed to offering the very best standards of supporter care and protecting our supporters’ privacy, dignity and wellbeing. If we believe that a supporter may be in vulnerable circumstances that could affect their capacity to make a decision about supporting us financially, or in other ways, we will do all we can to protect that supporter. See our policy for assisting supporters in vulnerable circumstances.
Safeguarding: We have a duty, wherever possible, to share any concerns about the safety of individuals with the relevant authorities. This means, where necessary, we may share personal information (including names and contact details, and conversations, emails, posts, messages, replies, questions, or comments that indicate someone might be at risk). This includes references to, or indications of, abuse or neglect.
Wherever possible we will notify individuals about our concerns and/or decisions affecting them. However, we reserve the right to share information with external agencies without checking with the individual first. Especially if it is thought that sharing our concerns with an individual might put others at risk, or increase the risks identified, or interfere with a police process, and/or where we are under a legal reporting obligation.
13. Your rights
We want to ensure that your rights are upheld in respect of any personal information we process. These rights include:
The right to be informed: You have the right to be informed about the collection and use of your personal information.
The right of access: You can request a copy of the information that we have about you. This is called a ‘subject access request’. Information will be provided free of charge in most cases. Please let us have details of the personal data you want to see and proof of your identity. You can make this request via the contact details above.
The right to rectification: You can ask us to correct any of your personal information that is out of date, incomplete or incorrect.
The right to erasure: You can ask us to delete your personal information. Please note, for legal reasons we may be required to keep certain information (e.g. financial details that we are duty-bound to keep for 6 years).
The right to restrict processing: In certain circumstances, you have the right to limit the way we use your personal information. For example, when you have advised us that information is incorrect and we are in the process of verifying this.
The right to data portability: You have the right to receive personal information you’ve provided to us in a structured, commonly used and machine-readable format, and to request that we transmit this information to another data controller.
The right to object: You have the absolute right to object to the processing of your personal information for direct marketing purposes. We will therefore stop all marketing communications set out in the Marketing section of this policy on request. On request we will also stop (or, in the case of cookies, advise you how to stop) any profiling related to direct marketing that uses your personal data.
You also have a right to object to some other types of processing of your personal information, including processing on the basis of our legitimate interests. Although this is not an absolute right, we will comply with your request other than in exceptional circumstances where, for example, we are processing data in defence of a legal claim.
Rights related to automated decision-making: Automated decision-making is a decision made by automated (e.g. electronic) means without human intervention. You have a right not to be subject to automated decision-making that has legal, or similarly significant, effects except where you have given consent, it is authorised by law, or it is necessary for a contract between you and an organisation.
Breaking Barriers does not carry out any automated decision-making with legal, or similarly significant, effects. However, please refer to your Right to object for information on your rights in respect of profiling (which is a form of automated decision-making) related to direct marketing.
If you have any requests related to your rights regarding our use of your personal information, please contact us via the details above.