Roseland Environment Action Community Team (REACT)
General Data Protection Regulation Policy
- Introduction
REACT is committed to protecting the privacy and security of your personal data. This GDPR policy explains how we collect, use, store, and share your personal information in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
We are the data controller for the personal data we process.
This policy applies to all individuals whose personal data we process, including our donors, volunteers, beneficiaries, supporters, and website users.
- What Personal Data We Collect
We collect different types of personal data depending on your relationship with REACT. This may include:- Identity Data: Name, title, date of birth, gender.
- Contact Data: Address, email address, telephone number.
- Financial Data: Bank account details (for donations), payment history.
- Donation Data: Details of donations made, including amounts and frequency.
- Volunteer Data: Information provided in volunteer applications, roles undertaken, hours volunteered.
- Beneficiary Data: Information relevant to the support and services we provide.
- Marketing and Communications Data: Your preferences for receiving communications from us.
- Website Usage Data: IP address, browser type, operating system, pages visited, and other information collected through cookies (please see our separate Cookie Policy).
- Event Data: Information provided when registering for or attending our events.
- Employment Data: Information provided in job applications and during employment (if applicable).
- Safeguarding Data: Information collected and processed to ensure the safety and well-being of individuals, particularly children and vulnerable adults. This may include
- Special Category (Sensitive) Personal Data.
- Special Category (Sensitive) Personal Data
Unless for Safeguarding purposes, we do NOT collect and process special categories of personal data, also known as sensitive personal data. This includes information about your:- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health
- Sex life or sexual orientation
- Genetic data
- Biometric data (for identification purposes)
- How We Collect Your Personal Data
We collect your personal data in various ways, including:- Directly from you: When you make a donation, sign up to our mailing list, volunteer, register for an event, apply for a job, or communicate with us.
- Indirectly: Through third-party fundraising platforms (with your permission), publicly available information, or referrals (where appropriate and lawful).
- Through our website: Using cookies and similar technologies (as detailed in our Cookie Policy).
- How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the following purposes:- To process your donations and provide receipts.
- To manage your volunteering activities.
- To provide support and services to our beneficiaries.
- To communicate with you about our work, campaigns, and fundraising activities (where you have provided consent, or we have a legitimate interest).
- To manage our events and activities.
- To respond to your enquiries and requests.
- To comply with our legal and regulatory obligations.
- To safeguard children and vulnerable adults.
- To improve our website and services.
- For administrative and operational purposes.
- Lawful Basis for Processing Your Personal Data
Under the GDPR, we must have a lawful basis for processing your personal data. These bases include:- Consent: You have given us clear consent to process your personal data for a specific purpose. You have the right to withdraw your consent at any time (see section 10).
- Contract: The processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
- Legal Obligation: The processing is necessary for us to comply with a legal obligation.
- Vital Interests: The processing is necessary to protect the vital interests of you or another person.
- Public Task: The processing is necessary for us to perform a task in the public interest or for our official functions, and the task has a clear basis in law.
- Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, provided your interests and fundamental rights do not override those interests. Our legitimate interests include:
- Fundraising and promoting our charitable aims.
- Managing our operations effectively.
- Communicating with our supporters.
- Conducting research and analysis to improve our services.
- Sharing Your Personal Data
We may need to share your personal data with third parties for the purposes outlined in this policy. These third parties may include:- Service providers: Organisations that provide services on our behalf, such as payment processors, mailing houses, IT support, and website hosting.
- Volunteers: Where necessary for their assigned tasks.
- Regulatory bodies: Such as HMRC, and law enforcement agencies, where we are legally required to do so.
- Charities or organisations: Where we are working in partnership and have a legitimate reason to share data (e.g., for joint projects or referrals, with your consent where appropriate).
- Safeguarding agencies: Where there are concerns about the safety and well-being of individuals.
- Keeping Your Personal Data Secure
We are committed to ensuring the security of your personal data. We have implemented appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, misuse, alteration, or unauthorised access. These measures include:- Secure storage of electronic and paper records.
- Restricting access to personal data to those who need it for their work.
- Regular staff training on data protection and security.
- Use of encryption where appropriate.
- Regular review and updating of our security measures.
- Retaining Your Personal Data
We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The specific retention periods will vary depending on the type of personal data and the purposes for which it is processed. For example, we may retain donor records for a longer period to comply with tax regulations and for our own financial record-keeping.
When deciding how long to keep your personal data, we will consider:- The requirements of applicable laws and regulations.
- The purposes for which we collected the data and whether the data is still needed for those purposes.
- Our legitimate interests in retaining the data.
- Once the retention period has expired, we will securely delete or anonymise your personal data.
- Your Rights Under the GDPR
Under the GDPR, you have several rights regarding your personal data:- The right to be informed: You have the right to receive clear and transparent information about how we process your personal data (which is what this policy aims to do).
- The right of access: You have the right to request access to the personal data we hold about you and to receive a copy of it.
- The right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- The right to erasure ('right to be forgotten'): You have the right to request that we delete your personal data in certain circumstances.
- The right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
- The right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- The right to object: You have the right to object to the processing of your personal data in certain circumstances, including for direct marketing purposes.
Rights in relation to automated decision making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
10.1 Exercising Your Rights:
If you wish to exercise any of your rights, please contact us using the contact details provided in section 12. We will respond to your request within one month, although this period may be extended in complex cases. We may need to verify your identity before fulfilling your request.
- Changes to This Policy
We may update this GDPR policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the updated policy on our website or by other appropriate means. The date of the latest update will be indicated at the bottom of this policy.
- Contact Us
If you have any questions or concerns about this GDPR policy or our processing of your personal data, please contact us:- By email: cioadmin@react
- By post: Roseland Environment Action Community Team (REACT) Highfield House Portscatho, Truro, TR2 5EJ
- Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe that we have not complied with the GDPR. The ICO is the UK's independent authority upholding information rights. You can contact the ICO at:
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Website: https://www.ico.org.uk Helpline number: 0303 123 1113
This GDPR policy is designed to be clear and easy to understand. If you have any difficulties understanding any part of this policy, please do not hesitate to contact us for clarification.
Last Updated: 22 August 2025