Our GDPR Policies
Please note that we respect your privacy and take protecting it seriously. Any information you provide is held in strict confidence. It has always been our policy not to share our supporters' names or personal information with any other organisation.
If you should have any concerns or questions, or wish to opt out from communications from the MLT, please do not hesitate to contact our Office Manager, Carey Bates, at the office email at firstname.lastname@example.org or use our contact form. (Please note Carey works part-time but will reply to you as soon as possible.)
The Maple Leaf Trust is committed to protecting and respecting your privacy. For the purposes of the
General Data Protection Regulations (GDPR) and any subsequent UK legislation covering data
protection the Data Controller is Carey Bates.
This Policy sets out why we collect personal information about individuals and how we use that
information. It explains the legal basis for this and the rights you have over the way your information is used.
This Policy covers The Maple Leaf Trust in relation to the collection and use of the information you
give us. We may change this Policy from time to time. If we make any significant changes we will
advertise this on the website or contact you directly with the information. Please check this page
occasionally to make sure you are happy with any changes.
If you have any questions about this Policy or concerning your personal information please contact
Carey Bates by email at email@example.com, by telephone on 0207 930 3889, or by post to Carey Bates,
Maple Leaf Trust, Canada House, Trafalgar Square, London SW1Y 5BJ. Please note that Carey
works part time (1 day a week) and will get back to you as soon as possible.
What type of personal information we collect
The type and amount of information we collect depends on why you are providing it.
The information we collect when you make an enquiry includes your name, email address, postal
address and phone number.
Similarly, if you are a supporter, for example volunteering, making a donation, or signing up for an event, we will ask for the information noted above and may need your full address e.g. for UK Gift Aid declarations.
When we process donations or payments and bank or credit card details are provided to us, we keep
any records and/or processing securely at the Maple Leaf Trust office.
If you are a grant or job applicant the information you are asked to provide is as set out in the
application and necessary for the purposes of our considering the application.
How we collect information
We may collect information from you whenever you contact us or have any involvement with us for
example when you:
- donate to us or fundraise for us
- enquire about our activities or services
- sign up to receive news about our activities
- post content onto our website/social media sites
- volunteer for us
- attend a meeting with us and provide us with information
- take part in our events
- contact us in any way including online, email, phone, SMS, social media or post
Where we collect information from
We collect information:
- From you when you give it to us directly: You may provide your details when you ask us for information or make a donation, volunteer, attend our events or contact us for any other reason. Your information may be collected by an organisation we are working with (such as Billetto regarding ticket sales to events or Givergy when purchasing auction items) but we are still responsible for your information.
- When you have given other organisations permission to share it: Your information may be provided to us by other organisations if you have given them your permission. This might for example be a charity working with us or might be when you buy a product or service from a third party organisation. The information we receive from other organisations depends on your settings or the option responses you have given them.
How we use your information
We will use your personal information in a number of ways which reflect the legal basis applying to
processing of your data. These may include:
- providing you with the information or services you have asked for
- processing donations you make, including processing for Gift Aid purposes
- organising volunteering activity you have told us you want to be involved in and in relation to the fundraising for us you are involved in
- sending you communications with your consent that may be of interest including marketing information about our services and activities, campaigns and appeals asking for donations and other fundraising activities and promotions for which we seek support
- when necessary for carrying out your obligations under any contract between us
- seeking your views on the services or activities we carry on so that we can make improvements
- maintaining our organisational records and ensuring we know how you prefer to be contacted
- processing grant or job applications
Our legal basis for processing your information
The use of your information for the purposes set out above is lawful because one or more of the
- Where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing us at firstname.lastname@example.org. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
- It is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to prior to entering into a contract.
- It is necessary to comply with our legal obligations. We are required to keep financial information for seven years, after which it is securely destroyed.
- Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, would presume that there is no prejudice to you in our fulfilling your request.
- We may provide information when we are reliant on the legitimate interests condition – for example provision of information to a third party to enable them to fulfil part of a request for assistance, e.g. in the VSC seeking assistance for veteran support from the Canadian Government or an assessment of need by the NAME. [Other possible options include processing necessary to protect the vital interests of the individual concerned or other individuals and processing necessary for a task carried out in the public interest or in the exercise of official authority vested in the charity.]
If you want to contact us about your marketing preferences please contact Carey Bates by email at
email@example.com or call on 0207 930 3889.
How we keep your information safe
We understand the importance of security of your personal information and take appropriate steps to
Confirmations of payments made via bank or credit card machine are locked away securely in the
office, within the Canadian High Commission.
We do collect and retain sensitive personal information for the veterans we support, as we are aware of disabilities, illnesses and age. This information is kept in order that the committee is able to ensure communication if appropriate and helpful. At times, the information may be shared with Canada's Veterans Affairs Department to ensure the well-being of the individual whom we are supporting. Information is never shared for marketing or PR purposes unless the individual agreed. The information is held by a limited subset of committee members and the Maple Leaf Trust to ensure that correspondence with and payments to the veterans may be made.
We always ensure only authorised persons have access to your information, which means only our
staff, volunteers and contractors, and that everyone who has access is appropriately trained to
manage your information.
No data transmission over the internet can however be guaranteed to be 100% secure. So while we
strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.
Who has access to your information?
- Third parties who provide services for us, for example our website, newsletter, emails, sending mailings and processing donations. We select our third party service providers with care. We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do.
- Third parties if we run an event in conjunction with them. Any information we collect for an event is to ensure the individual has access and that they receive the appropriate service eg meals reserved / dietary requirements, seating plans etc.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Other than this, we will not share your information with other organisations without your consent.
Keeping your information up to date
We really appreciate it if you let us know if your contact details change. You can do so by contacting
us at firstname.lastname@example.org.
We do not use ‘cookies’. Should this change we would advise you via our website and
by updating our policy.
We appreciate that our supporters and volunteers are of all ages. Where appropriate we will ask for
consent from a parent or guardian to collect information about children (under 16s).
How long we keep your information for
We will hold your personal information for as long as it is necessary for the relevant activity. By way of example, we hold records of donations you make for at least seven years so we can fulfil our statutory obligations for tax purposes.
Where we rely on your consent to contact you for direct marketing purposes, we will treat your
consent as lasting only for as long as it is reasonable to do so. This will usually be for four years. We
may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing or fundraising materials, we will keep a record of
your contact details and limited information needed to ensure we comply with your request.
You have the right to request details of the processing activities that we carry out with your personal
information through making a Subject Access Request. More details about how to make a request,
and the procedure to be followed, can be found in our Data Protection Policy. To make a request
contact us by email at email@example.com.
You also have the following rights which will be introduced in the UK under the GDPR on 25 May
- the right to request rectification of information that is inaccurate or out of date;
- the right to erasure of your information (known as the “right to be forgotten”);
- the right to restrict the way in which we are dealing with and using your information; and
- the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
- rights in relation to automated decision making and profiling including profiling for marketing purposes.
All of these rights are subject to certain safeguards and limits or exemptions, further details of which
can be found in our Data Protection Policy. To exercise any of these rights, you should contact Carey
Bates, Office Manager, Maple Leaf Trust at Canada House, Trafalgar Square, London SW1Y 5BJ.
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain can be
This Policy may be changed from time to time. If we make any significant changes we will advertise
this on our website and contact you directly with the information.
Do please check this Policy each time you consider giving your personal information to us.
This Policy was last updated on 30 March 2018.
(2) Charity Data Protection Policy
1.1. Maple Leaf Trust, “the Charity” is the Data Controller for the purposes of the EU General Data
1.2. The Charity collects and uses certain types of personal information about the following
categories of individuals:
1.2.2. Volunteers including Trustees;
1.2.3. Service Users;
and other individuals who come into contact with the Charity.
1.3. The Charity will process this personal information in the following ways:
1.3.1. We collect information to sell tickets for our charity events, process donations, send a
newsletter and provide support to our veterans.
1.3.2. to comply with statutory and contractual obligations relating to employment;
1.3.3. to comply with statutory and other legal obligations relating to safeguarding.
1.4. This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the EU General Data Protection Regulation (the “GDPR”) and other related legislation. It will apply to information regardless of the way it is used or recorded and applies for as long as the information is held.
1.5. The GDPR applies to all computerised data and manual files if they come within the definition of a filing system. Broadly speaking, a filing system is one where the data is structured in some way that it is searchable on the basis of specific criteria (eg so you would be able to use something like the individual’s name to find their information), and if this is the case, it does not matter whether the information is located in a different physical location.
1.6. This policy will be updated as necessary to reflect best practice, or amendments made to the GDPR, and shall be reviewed every 2 years.
2. PERSONAL DATA
2.1. ‘Personal data’ is information that identifies an individual, and includes information that would
identify an individual to the person to whom it is disclosed because of any special knowledge
that they have or can obtain [1]. A sub-set of personal data is known as ‘special category personal data’. This special category data is information that relates to:
2.1.1. race or ethnic origin;
2.1.2. political opinions;
2.1.3. religious or philosophical beliefs;
2.1.4. trade union membership;
2.1.5. physical or mental health;
2.1.6. an individual’s sex life or sexual orientation;
2.1.7. genetic or biometric data for the purpose of uniquely identifying a natural person.
2.2. Special Category information is given special protection, and additional safeguards apply if this information is to be collected and used. The Maple Leaf Trust does not compile or use such
2.3. Information relating to criminal convictions shall only be held and processed where there is legal authority to do so.
3. THE DATA PROTECTION PRINCIPLES
3.1. The six data protection principles as laid down in the GDPR are followed at all times:
3.1.1. personal data shall be processed fairly, lawfully and in a transparent manner, and
processing shall not be lawful unless one of the processing conditions can be met;
3.1.2. personal data shall be collected for specific, explicit, and legitimate purposes, and shall not
be further processed in a manner incompatible with those purposes;
3.1.3. personal data shall be adequate, relevant, and limited to what is necessary for the
purpose(s) for which it is being processed;
3.1.4. personal data shall be accurate and, where necessary, kept up to date;
3.1.5. personal data processed for any purpose(s) shall not be kept for longer than is necessary
for that purpose/those purposes;
3.1.6. personal data shall be processed in such a way that ensures appropriate security of the
data, including protection against unauthorised or unlawful processing and against
accidental loss, destruction, or damage, using appropriate technical or organisational
3.2. In addition to this, the Charity is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law (as explained in more detail in paragraphs 7 and 8 below).
3.3. The Charity is committed to complying with the principles in 3.1 at all times. This means that the Charity will:
3.3.1. inform individuals as to the purpose of collecting any information from them, as and when we ask for it;
[1] For example, if asked for the number of female employees, and you only have one female employee, this would be personal data if it was possible to obtain a list of employees from the website.
3.3.2. be responsible for checking the quality and accuracy of the information;
3.3.3. regularly review the records held to ensure that information is not held longer than is
necessary, and that it has been held in accordance with the Records Retention Policy;
3.3.4. ensure that when information is authorised for disposal it is done appropriately;
3.3.5. ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system, and follow the relevant security policy
requirements at all times;
3.3.6. share personal information with others only when it is necessary and legally appropriate to do so;
3.3.7. set out clear procedures for responding to requests for access to personal information
known as subject access requests;
3.3.8. report any breaches of the GDPR in accordance with the procedure in paragraph 9 below.
4. CONDITIONS FOR PROCESSING IN THE FIRST DATA PROTECTION PRINCIPLE
4.1. The individual has given consent that is specific to the particular type of processing activity, and that consent is informed, unambiguous and freely given;
4.2. The processing is necessary for the performance of a contract, to which the individual is a party, or is necessary for the purpose of taking steps with regard to entering into a contract with the individual, at their request;
4.3. The processing is necessary for the performance of a legal obligation to which we are subject;
4.4. The processing is necessary to protect the vital interests of the individual or another;
4.5. The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us;
5. DISCLOSURE OF PERSONAL DATA
5.1. The following list includes the most usual reasons that the Charity will authorise disclosure of personal data to a third party:
5.1.1. to give a confidential reference relating to a current or former employee, or volunteer.
5.1.2. for the prevention or detection of crime;
5.1.3. for the assessment of any tax or duty;
5.1.4. where it is necessary to exercise a right or obligation conferred or imposed by law upon us
5.1.5. for the purpose of, or in connection with, legal proceedings;
5.1.6. for the purpose of obtaining legal advice;
5.1.7. for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress);
5.2. The Charity may receive requests from third parties (i.e. those other than the data subject, the Charity, and its employees) to disclose personal data it holds about individuals. This information will not generally be disclosed unless one of the specific exemptions under the GDPR which allow disclosure applies, or where disclosure is necessary for the legitimate interests of the third party concerned or the Charity.
5.3. All requests for the disclosure of personal data must be sent to Carey Bates, Office Manager, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of the requesting third party before making any disclosure.
6. SECURITY OF PERSONAL DATA
6.1. The Charity will take reasonable steps to ensure that members of staff and volunteers will only have access to personal data where it is necessary for them to carry out their duties. All staff and volunteers will be made aware of this Policy and their duties under the GDPR. The Charity will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
6.2. For further details as regards security of IT systems, please refer to the ICT Policy.
7. SUBJECT ACCESS REQUESTS
7.1. Anybody who makes a request to see any personal information held about them by the Charity is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure, provided that they constitute a “filing system” (see clause 1.5).
7.2. All requests should be sent to Carey Bates, Office Manager within 3 working days of receipt, and must be dealt with in full without delay and at the latest within one month of receipt.
7.3. Where a child or young person does not have sufficient understanding to make his or her own request (usually those under the age of 12, or over 12 but with a special educational need which makes understanding their information rights more difficult), a person with parental responsibility can make a request on their behalf. The Office Manager must, however, be satisfied that:
7.3.1. the child or young person lacks sufficient understanding; and
7.3.2. the request made on behalf of the child or young person is in their interests.
7.4. Any individual, including a child or young person with ownership of their own information rights, may appoint another person to request access to their records. In such circumstances the
Charity must have written evidence that the individual has authorised the person to make the
application and the Office Manager must be confident of the identity of the individual making the
request and of the authorisation of the individual to whom the request relates.
7.5. Access to records will be refused in instances where an exemption applies, for example,
information sharing may place the individual at risk of significant harm or jeopardise police
investigations into any alleged offence(s).
7.6. A subject access request must be made in writing. The Charity may ask for any further
information reasonably required to locate the information.
7.7. An individual only has the automatic right to access information about themselves, and care
needs to be taken not to disclose the personal data of third parties where consent has not been
given, or where seeking consent would not be reasonable, and it would not be appropriate to
release the information. Particular care must be taken in the case of any complaint or dispute to
ensure confidentiality is protected.
7.8. All files must be reviewed by the Office Manager before any disclosure takes place. Access will not be granted before this review has taken place.
7.9. Where all the data in a document cannot be disclosed a permanent copy should be made and the data obscured or retyped if this is more sensible. A copy of the full document and the altered document should be retained, with the reason why the document was altered.
Exemptions to Access by Data Subjects
7.10. Where a claim to legal professional privilege could be maintained in legal proceedings, the
information is likely to be exempt from disclosure unless the privilege is waived.
8. OTHER RIGHTS OF INDIVIDUALS
8.1. The Charity has an obligation to comply with the rights of individuals under the law, and takes these rights seriously. The following section sets out how the Charity will comply with the rights to:
8.1.1. object to processing;
8.1.3. erasure; and
8.1.4. data portability.
Right to object to processing
8.2. An individual has the right to object to the processing of their personal data on the grounds of pursuit of a public interest or legitimate interest (grounds 4.5 and 4.6 above) where they do not believe that those grounds are made out.
8.3. Where such an objection is made, it must be sent to the Office Manager within 2 working days of receipt, and the Office Manager will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings.
8.4. The Office Manager shall be responsible for notifying the individual of the outcome of their
assessment within 7 working days of receipt of the objection.
8.5. Where personal data is being processed for direct marketing purposes an individual has the right to object at any time to processing of personal data concerning him or her for such marketing and their personal data shall no longer be processed by the Charity for direct marketing purposes.
Right to rectification
8.6. An individual has the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, it should be sent to the Office Manager within 7 working days of receipt, and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and the individual notified.
8.7. Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. The individual shall be given the option of a review under the complaints procedure, or an appeal direct to the Information Commissioner.
8.8. An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay.
Right to erasure
8.9. Individuals have a right, in certain circumstances, to have data permanently erased without
undue delay. This right arises in the following circumstances:
8.9.1. where the personal data is no longer necessary for the purpose or purposes for which it
was collected and processed;
8.9.2. where consent is withdrawn and there is no other legal basis for the processing;
8.9.3. where an objection has been raised under the right to object, and found to be legitimate;
8.9.4. where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);
8.9.5. where there is a legal obligation on the Charity to delete.
8.10. The Office Manager will make a decision regarding any application for erasure of personal data, and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other controllers, and/or has been made public, reasonable attempts to inform those controllers of the request shall be made.
Right to restrict processing
8.11. In the following circumstances, processing of an individual’s personal data may be restricted:
8.11.1. where the accuracy of data has been contested, during the period when the Charity is
attempting to verify the accuracy of the data;
8.11.2. where processing has been found to be unlawful, and the individual has asked that there
be a restriction on processing rather than erasure;
8.11.3. where data would normally be deleted, but the individual has requested that their
information be kept for the purpose of the establishment, exercise or defence of a legal
8.11.4. where there has been an objection made under 8.2 above, pending the outcome of any
Right to portability
8.12. If an individual wants to send their personal data to another organisation they have a right to request that you provide their information in a structured, commonly used, and machine readable format. If a request for this is made, it should be forwarded to the Office Manager within 7 working days of receipt, and the Office Manager will review and revert as necessary.
9. BREACH OF ANY REQUIREMENT OF THE GDPR
9.1. Any and all breaches of the DPA, including a breach of any of the data protection principles shall be reported as soon as it is discovered, to the Chair of the Maple Leaf Trust.
9.2. Once notified, the Chair shall assess:
9.2.1. the extent of the breach;
9.2.2. the risks to the data subjects as a consequence of the breach;
9.2.3. any security measures in place that will protect the information;
9.2.4. any measures that can be taken immediately to mitigate the risk to the individuals.
9.3. Unless the Chair concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the Charity, unless a delay can be justified.
9.4. The Information Commissioner shall be told:
9.4.1. details of the breach, including the volume of data at risk, and the number and categories
of data subjects;
9.4.2. the contact point for any enquiries which shall usually be the Office Manager.
9.4.3. the likely consequences of the breach;
9.4.4. measures proposed or already taken to address the breach.
9.5. If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals then the Chair shall notify data subjects of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.
9.6. Data subjects shall be told:
9.6.1. the nature of the breach;
9.6.2. who to contact with any questions;
9.6.3. measures taken to mitigate any risks.
9.7. The Chair shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further
training or a change in procedure shall be reviewed by the board and a decision made about
implementation of those recommendations.