The new General Data Protection Regulation (GDPR) gives you more control over how your personal information is used. It also makes it quicker and easier for you to check and update the information that we, and other organisations we work with, hold about you.
This statement outlines:
- What data we collect
- How we may use it
- How we keep your data safe
Who we are
YMCA is a federated organisation that works with and for 112 independent local YMCAs across England and Wales, each of which affiliates to YMCA England & Wales. These 112 YMCAs will have their own data protection policies and procedures.
We are a charity (No 212810) and a limited Company (No 73749) and our registered office is 10-11 Charterhouse Square, London EC1M 6EH.
Our website address is https://www.ymca.org.uk.
YMCA England & Wales is a data controller in respect of personal information that we process in connection with our activities.
We are committed to protecting both your data and your privacy and we want you to feel assured that any information you give us is held securely and safely, whether you are working for us, supporting us through campaigning, donations, volunteering, fundraising or events.
Getting in touch
You have the right to ask for a copy of the information we hold about you and to have any inaccuracies in your information corrected. You also have the right to ask us to delete any personal information we hold about you. In some cases, we may be unable to delete data, such as if it is required for tax or Gift Aid purposes. In these cases, we will ensure that you are removed from future communications and processing. You can access your personal data held by us or request to receive your information, in part or in its entirety, in machine-readable format.
For all questions or concerns regarding the processing of your personal information, please do get in touch. You can write to:
YMCA England & Wales
Data Protection Lead
10-11 Charterhouse Square
London EC1M 6EH
You can email us at email@example.com or call 020 7186 9500.
The Information Commissioner’s Office is the regulator for such activity and further information can be found at https://ico.org.uk
Why and how we collect your data
When you give it to us directly
The vast majority of personal data we hold is given to us directly by our staff, campaigners, supporters, and volunteers in the course of them interacting with our services, websites or activities.
When we are working with a third party
We may work with other independent parties such as life assurance companies for staff or for events, such as the Great North Run or London Marathon, or fundraising sites such as Just Giving or Virgin Money Giving. These independent third parties will only share your data with us when you have given permission for YMCA England & Wales to contact you.
When your information is available publicly
We may combine information that we already have about you with information available publicly or information available from external sources to gain a better understanding of you. This includes the use of profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our staff and supporters. Profiling also allows us to target our resources effectively, which supporters consistently tell us is a key priority for them. We do this because it allows us to understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Importantly, it enables us to raise monies for the work YMCA undertakes with young people and their communities.
When building a profile of donors and supporters, we may analyse geographic, demographic and other information relating to you to better understand your interests and preferences, so that we can contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available. Such information is compiled using publicly available data about you, such as Companies House, the Land Registry website or information that is published in articles and newspapers. We also undertake this to help us identify potential donors and supporters.
In some situations, we may update our supporters’, clients’ and volunteers’ personal information using external organisations, for example, to check we have a valid and deliverable postal address, or to check if you are registered with the Telephone Preference Service (TPS) or Fundraising Preference Service (FPS).
Depending on your settings or the privacy policies for social media and messaging services like Facebook or Twitter, you might give us permission to access information from those accounts or services.
You can opt out of your data being used in any of the above-mentioned ways at any time by contacting us at firstname.lastname@example.org or calling 020 7186 9500.
What data we collect
Personal information is any data that can be used to identify you. It can include, but is not limited to, any of the data listed below.
Data protection law recognises that there are sensitive categories of personal information, such as health information, racial or ethnic origin, or religious beliefs or other beliefs. We would only collect sensitive personal information where there is a clear need to do so. Before we collect any sensitive personal information, we will make it clear what information we are collecting and the purpose we are collecting it for.
Information we collect from you directly or from third parties with whom we work may include:
- email address
- telephone number
- contact preferences
- bank account or credit card details where required
- in relation to fundraising, employer details for processing a payroll gift and taxpayer status for claiming Gift Aid
- National Insurance number
- marital status
- health history where required
- date of birth, age, and/or gender.
We may also collect and process information about your interactions with us, including details about our contacts with you through email, SMS, post, on the phone or in person. This might include the date, time, and method of contact, details about donations you make to us, events or activities that you register for or attend or any request for support.
We may also collect and record other relevant information you share with us about yourself, such as your interests or your affiliations with other charities, including local YMCAs, community or campaign groups.
How we use your data
We cannot deliver our services without the help of people who share our passion for working with young people to enable them to truly belong, contribute and thrive. Support for the work of YMCA England & Wales, whether through being employed by us or supporting us in a variety of ways, including raising funds, running campaigns and involving as wide a range of people as we can in our activities, is hugely important to us.
We will only use and share your information where it is necessary for us to lawfully carry out our work.
The law allows personal data to be legally collected and used by an organisation if it is necessary for a legitimate business interest of the organisation – as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned.
Where you give us your consent, we will also use your personal data in order to send you marketing and fundraising communications in connection with marketing and fundraising activities and services. This includes supporter newsletters and updates, plus appeals and fundraising activities.
Data sharing with third parties
We will not share your information with anyone outside YMCA England & Wales except:
- Where we have your permission
- Where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies
- To protect YMCA England & Wales, for example in cases of suspected fraud or defamation
- Where we have legitimate situations with third parties, including fundraising agencies, whom we have contracted to fulfil specific services for us such as direct communication.
In all of these situations we set up a written contractual agreement that will ensure that those organisations can only use the data provided for the specific purposes we direct them to do, and that they have in place strict security requirements in order to protect your personal information and comply with GDPR.
To deliver services or manage our relationship with you, it is sometimes necessary for us to share your Personal Data outside the European Economic Area (EEA), e.g. when your or our service providers are located outside the EEA, or if you are based outside the EEA.
Many non-EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, take reasonable steps to ensure any such supplier has in place appropriate measures to protect your information and that any contract includes appropriate clauses about the use of data. For example, if the company is based in the USA, we will confirm whether it is accredited under the EU-US Privacy Shield.
Keeping your personal information safe
We take appropriate physical, electronic and managerial measures to ensure that we keep your information secure, accurate and up to date.
We also have procedures in place to deal with any suspected Data Security Breach. We will notify you and any Professional Regulators or other applicable regulator of a suspected Data Security Breach where we are legally required to do so.
How long will we keep your data?
We remove personal data from our systems in line with our data retention policy. The length of time each category of data is retained will vary depending on how long we need to process it, the reason it was collected, and any statutory requirements.
After this point the data will either be deleted or rendered anonymous. In certain specific situations, for example where a supporter has kindly pledged a legacy to us in their Will, we will maintain their details up to the time when we need to carry out the legacy administration and communicate effectively with their family.
Where we believe data might be relevant to a future safeguarding enquiry we reserve the right to retain data securely for up to 50 years to comply with our insurance and safeguarding guidance.
To find out more about our data retention policy, please contact us using the details above.
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those services, for example when you publicly tag us in an event photo.