Privacy Notice

Who we are

The National Botanic Garden of Wales is a charity registered in Wales and England (number 1036354) dedicated to the research and conservation of biodiversity, to sustainability, lifelong learning and the enjoyment of the visitor. We are also a Private Limited Company by guarantee with company number 2909098.

Our registered office address is: Middleton Hall, Llanarthne, Carmarthenshire, SA32 8HG.

How we use your information

This privacy notice tells you what to expect when the National Botanic Garden of Wales collects personal information. It applies to information we collect about:

• Members of the Garden
• Home Educator Members
• Visitors to the Garden
• School parties and other groups visiting the Garden
• People who attend courses
• People who book weddings and other events
• Garden volunteers
• Middleton: Paradise Regained project volunteers
• Job applicants and our current and former employees
• People on apprenticeships at the Garden
• People who donate horticultural specimens
• People who have donated honey samples
• Visitors to our websites
• People who contact the Garden
• People who subscribe to our newsletters or publications

Your rights

You can get more information about your rights at the Information Commissioner’s website

Requesting access to your data

The Garden tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’. If we do hold information about you, we will:

• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.

To make a request to the Garden to view any personal information we may hold relating to you, please complete our Subject Access Request form and e-mail it to dataprotection@gardenofwales.org.uk or post it to:

The Data Protection Officer,
National Botanic Garden of Wales,
Middleton Hall,
Llanarthne,
Carmarthenshire SA32 8HG.

Please also write to this address to ask us to correct any mistakes if any of the information we hold on you is incorrect.

Making a complaint

• The Garden tries to meet the highest standards when collecting and using personal information, and we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
• This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of the Garden’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address above.
• If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner: www.ico.org.uk/concerns.

______________________________________________________________________

Members of the Garden

Purpose and legal basis for processing

Our purpose for collecting the information is so we can process your application and then, when you become a member, to administer your membership account.

The legal basis we rely on for processing your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

What we need

• We need the title, initials, surname, address, e-mail address and telephone number of the (first) member.
• In the case of membership which includes a second adult, the initials and surname of the second member is also required.
• When the membership is being purchased as a gift, we need the name, and address of the purchaser.
• If payment is made by direct debit we require the name(s) of the account holder(s) and the bank account number and sort code.

Why we need it and what we do with it

• We need the names and contact details of the member(s) so that we can produce the membership card(s) and send them to them (if applicable). We also send a hard copy of our magazine once a year, and electronic versions at other times, so require physical and e-mail addresses.
• If a member’s e-mail address is provided we add it to our members’ newsletter subscription list. See People who subscribe to our newsletters for more information.
• We need name and contact details of the purchaser (if different) so that we can tell the member(s) who their membership gift is from, and so that we can take payment.
• We use the member information to communicate if there is a problem with their membership, and to remind them when it is time to renew.
• When members receive their membership cards they will receive confirmation of their personal information that we hold.

How long we keep it

We will keep your information for ten years after your membership expires and is not renewed.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete your data, but if you are a member this would terminate your membership.
• Right to restriction of processing – you can ask us to restrict the processing of your information in certain circumstances.

Do we use any data processors?

Yes – Members’ e-mail addresses are provided to a third-party provider, MailChimp, to deliver our e-newsletters, and we rely on MailChimp’s certification under the Privacy Shield Framework when this information is transferred to MailChimp’s servers in the US.

For more information, please see MailChimp’s privacy notice.

We also use a third-party direct debit processing company, Eazy Collect Services Ltd., to process all direct debit payments. The information, provided by members, is also shared with the member’s bank for payment. For more information, please see Eazy Collect’s privacy policy.

______________________________________________________________________

Home educator members

Purpose and legal basis for processing

• Our purpose for collecting the information is so we can process your application and then, when you become a member, to administer your membership account.
• The legal basis we rely on for processing your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

What we need

• We need the name and address of the parent or carer who will accompany the children to the Garden.
• We also need the names of the children.

Why we need it and what we do with it

We need the names so that we can produce membership cards, and an address so that we can send the cards and other membership information out in the post.

How long we keep it

We will keep your information for two years after your membership expires and is not renewed.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete your data, but we may not have to.
• Right to restriction of processing – you may be able to ask us to restrict the processing of your information in certain circumstances.

Do we use any data processors?

No, all processing is done by the Garden.

______________________________________________________________________

Visitors to the Garden

Purpose and legal basis for processing

• A visitors who purchases tickets online will have to supply some personal information. We rely on Article 6(1)(b) of the GDPR – processing necessary to perform a contract – as our lawful basis.
• Closed-circuit television (CCTV) is used at the entrances to the Garden in order to keep visitors, staff and property safe. Images are also taken of registration plates when vehicles enter the Garden. We rely on Article 6(1)(f) of the GDPR – legitimate interest – for our lawful basis for processing this data.
• If a visitor has an accident that is reported to the Garden staff, the name and address of the person, together with the particulars of the accident, will be recorded. We rely on Article 6(1)(c) of the GDPR – legal obligation – for our processing of this data.
• We may collect some personal data when you complete a Comment Card to give us feedback. We rely on Article 6(1)(f) of the GDPR – legitimate interest – for our lawful basis for processing this data.
• If you sign up for the free Wifi at the Garden some personal information will be collected. We rely on Article 6(1)(f) of the GDPR – legitimate interest – for our lawful basis for processing this data.

What we need

• Online tickets: name and billing address of the purchaser, together with their payment card details.
• CCTV: images are recorded in the Gatehouse and images of vehicle registration plates are taken.
• Accident Report: name and contact details of the individual concerned, together with the details of the accident and any treatment administered will be recorded.
• Comment Card: visitors may give their name and e-mail address on the card.
• Wifi: You will be asked for your e-mail address; your device’s MAC address will also be stored.

Why we need it and what we do with it

• Online tickets: We need to send the information securely to the company that processes our online payments.
• CCTV: Used at the entrances to the Garden in order to keep visitors, staff and property safe. Footage is only viewed if there is an incident, and then only in line with the Garden’s CCTV policy. Footage may then be shared with the police or other official bodies.
• Accident Report: The law requires us to keep a register of all accidents that occur onsite.
• Comment Card: We want to make everyone’s visit to the Garden as enjoyable as possible, and we are always looking for ways to improve. We therefore welcome feedback. If an e-mail address has been supplied and a response is required, the details on the Comment Card will be shared with the appropriate Head of Department. Otherwise, comments only are shared with all Heads of Department and used to compile statistics.

Wifi: The information may be used to investigate cyber security incidents, but otherwise will not be shared with any third parties unless you consent to receiving the Garden’s newsletter.

How long we keep it

• Online tickets: Information relating to online payments is kept indefinitely to comply with tax, accounting, and financial reporting obligations.
• The CCTV recordings/images are deleted after 30 days unless required as evidence.
• Accident report data is kept for three years after the accident occurred, in line with our statutory obligations.
• Comment Cards are destroyed after 30 days.
• Information collected when you sign up for free Wifi is kept for two years unless it is required as part of any on-going investigation.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete you data, but we may not have to.
• Right to restriction of processing – you may be able to ask us to restrict the processing of your information in certain circumstances.
• Right to object – you can object to the processing where we rely on legitimate interest as a lawful basis.

Do we use any data processors?

Yes

• We use Stripe to process our online payments, and we rely on their certification under the Privacy Shield Framework when the information is transferred to Stripe’s servers in the US. Please see Stripe’s privacy notice for further information.
• We use a third-party provider, MailChimp, to deliver our e-newsletters, and we rely on MailChimp’s certification under the Privacy Shield Framework when this information is transferred to MailChimp’s servers in the US. For more information, please see MailChimp’s privacy notice.

School parties and other groups visiting the Garden

The details of school parties and other organised groups that visit the Garden is a matter solely for the school or organisers of the visit. No personal information is collected by the Garden.

______________________________________________________________________

Course attendees

Purpose and legal basis for processing

• Our purpose for collecting the information is so we can administer your application to attend a course.
• The legal basis we rely on for processing your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
• We rely on Article 6(1)(b) – consent – for adding e-mail addresses to the Growing the Future (GTF) mailing list.

What we need

We need to collect names, address, e-mail address and telephone number.

Why we need it and what we do with it

• We need to be able to communicate with people who have booked courses, in case there are any changes, and to prepare a list of attendees for the course leader.
• For a GTF course, if consent is given your e-mail address is added to the GTF mailing list. See People who subscribe to our newsletters for more information.

How long we keep it

• Details of course bookings are removed twelve months after a course.
• E-mail addresses remain on the GTF mailing list until the person unsubscribes.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete your data, but we may not have to.
• Right to restriction of processing – you may be able to ask us to restrict the processing of your information in certain circumstances.

Do we use any data processors?

Yes. We use a third-party provider, MailChimp, to deliver our e-newsletters, and we rely on MailChimp’s certification under the Privacy Shield Framework when this information is transferred to MailChimp’s servers in the US.

For more information, please see MailChimp’s privacy notice.

______________________________________________________________________

Weddings and corporate events

Purpose and legal basis for processing

• Our purpose for collecting the information is to allow us to plan and carry out your event.
• The legal basis we rely on for processing your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
• For the sensitive personal data related to a wedding booking, we also rely on Article 9(2)(e) of the GDPR, relating to personal data which are manifestly made public by the data subject.
• For other events, we ask for your consent to add your name and e-mail address to our mailing list so that we can keep you informed of events that take place. We rely on Article 6(1)(b) of the GDPR – consent – as our lawful basis for processing.

What we need

• For a wedding, we need the names of the couple getting married, address, telephone numbers and e-mail address.
• For other events, we require the name and contact details of the event organiser.

Why we need it and what we do with it

• We use the contacts details to liaise about the organisation of the wedding or other event, and to communicate afterwards for feedback.
• For a wedding, we need to check with the Carmarthenshire Registrar that all legal requirements have been satisfied.

How long we keep it

We keep the information for 2 years after the event.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete you data, but we may not have to.
• Right to restriction of processing – you can ask us to restrict the processing of your information in certain circumstances.
• Do we use any data processors?

Yes – In the case of a wedding we have to share the names with Carmarthen Register Office to ensure that all legal requirements have been satisfied with them before the wedding day. We understand that in some cases this could be sensitive information, so we will communicate this information securely, and only to designated officers.

For more information please view Carmarthenshire County Council’s privacy notice.

______________________________________________________________________

Garden Volunteers

Purpose and legal basis for processing

• When you apply to be a volunteer at the Garden we collect information in order to administer your application and to be able to contact you.
• The legal basis we rely on for processing your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
• We rely on Article 9(2)(h) for assessing your work capacity as an employee to process health data.
• We also have legal authority under Article 10 (employment law) to process criminal conviction data.

What we need

We collect your name and contact details, age range, employment history, hobbies and interests, health and disabilities, languages spoken and whether you have any unspent criminal convictions.

Why we need it and what we do with it

• We need your name and contact details so that we can contact you about your application, and then afterwards if you are accepted and begin volunteering.
• Your e-mail address is used to send you the Garden newsletter. See People who subscribe to our newsletters for more information.
• We also ask you to disclose any disabilities and health issues so that we can match you with suitable volunteering opportunities and provide a duty of care to you in accordance with our Health and Safety at Work Policy.
• You are also asked to disclose whether you have any unspent criminal convictions, and you may need to undergo a full criminal record check with the Disclosure & Barring Service. This is because we need to be sure that you are suitable for our volunteering opportunities, and that we keep children and vulnerable adults safe.
• The information you disclose to us will only be seen by those involved in the volunteer application process and will be kept securely.
• You are asked to give the details of your next of kin so that we may contact them in an emergency. Please make sure that you inform them that you have given us their details. This information will only be used in the event of an emergency or accident.
• How long we keep it

If your application is successful we will keep the information you supplied for 3 years after you finish volunteering at the Garden. If your application is unsuccessful, the information will be kept for 3 months.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete your data, but we may not have to.
• Right to restriction of processing – you can ask us to restrict the processing of your information in certain circumstances.

Do we use any data processors?

Yes – Volunteers’ e-mail addresses are provided to a third-party provider, MailChimp, to deliver our e-newsletters, and we rely on MailChimp’s certification under the Privacy Shield Framework when this information is transferred to MailChimp’s servers in the US.

For more information, please see MailChimp’s privacy notice.

______________________________________________________________________

Middleton: Paradise Regained Volunteers

Purpose and legal basis for processing

• When you apply to be a volunteer with the Middleton: Paradise Regained project we collect information in order to administer your application and to be able to contact you.
• The legal basis we rely on for processing your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
• We rely on Article 9(2)(h) for assessing your work capacity as an employee to process health data.
• We also have legal authority under Article 10 (employment law) to process criminal conviction data.

What we need

• We collect your name and contact details, gender, age range, volunteering history, previous experience with heritage projects, hobbies and interests and details of disabilities.
• We also collect details of an emergency contact.

Why we need it and what we do with it

• We need your name and contact details so that we can contact you about your application, and then afterwards if you are accepted and begin volunteering.
• Your e-mail address is used to send you the project newsletter. See People who subscribe to our newsletters for more information.
• We also ask you to disclose any disabilities so that we can match you with suitable volunteering opportunities and provide a duty of care to you in accordance with our Health and Safety at Work Policy.
• The information you disclose to us will only be seen by those involved in the volunteer application process and will be kept securely.
• You are asked to give the details of an emergency contact so that we may get in touch with them in an emergency. Please make sure that you inform them that you have given us their details. This information will only be used in the event of an emergency or accident.

How long we keep it

If your application is successful we will keep the information you supplied for 3 years after you finish volunteering at the Garden. If your application is unsuccessful, the information will be kept for 3 months.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete your data, but we may not have to.
• Right to restriction of processing – you can ask us to restrict the processing of your information in certain circumstances.

Do we use any data processors?

Yes – Volunteers’ e-mail addresses are provided to a third-party provider, MailChimp, to deliver our e-newsletters, and we rely on MailChimp’s certification under the Privacy Shield Framework when this information is transferred to MailChimp’s servers in the US.

For more information, please see MailChimp’s privacy notice.

______________________________________________________________________

Job applicants, current and former Garden employees

Purpose and legal basis for processing

• Our purpose for processing this information is to assess your suitability for a role you have applied for or to carry out the necessary administration when you work for us.
• The legal basis we rely on for processing your personal data is Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
• The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information is Article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights, and Article 9(2)(h) for assessing your work capacity as an employee. Also Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.

What we need

• When you apply for a post, we ask for your name and contact details, employment history, details of qualifications and your previous salary. We also ask to see your passport or birth certificate and we may ask to see your original educational certificates.
• When you are offered a post, we need the contact details of referees.
• When you start working for us, we need your national insurance number and bank details.

Why we need it and what we do with it

• When you apply for a post, the information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it may affect your application if you don’t.
• We ask to see your passport or birth certificate (and take a photocopy of it) for proof of identity and to confirm your right to work in the United Kingdom.
• We will ask to see original certificates of educational attainment where these relate to any criteria on the Person Specification for the post, and we will take photocopies.
• When you are offered a post conditionally we ask your referees to write references for you, and use those to further assess your suitability for employment.
• For some posts we will ask you to make an application to the Disclosure and Barring Service for a certificate of enhanced disclosure. We will pay the costs of this and will require that you allow us to take a copy of the certificate when it arrives. This will also be used in making a final decision about your employment.
• When you start working for us we use your national insurance number to ensure you pay the correct amount of tax and national insurance, and to enrol you on to our workplace pension scheme.
• We also have a group insurance policy for all employees, and we pass on your name, gender, date of birth, salary and contract details to our provider.
• We may use your contact details to communicate with you outside work, if necessary, and your personal e-mail address to send you your pay slips and information on the pension scheme.
• We also ask you to provide the details of someone who can be contacted on your behalf in the event of an accident or emergency. You should inform that person that you have given us their details.

How long we keep it

• If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
• If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
• Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
• Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete you data, but we may not have to.
• Right to restriction of processing – you may be able to ask us to restrict the processing of your information in certain circumstances.

Do we use any data processors?

Yes.

• We are required by law to pass on your name, national insurance number and salary details to HMRC when you start work at the Garden. Please view HMRC’s Personal Information Charter for more information.
• We are also required by law to enrol you in a workplace pension scheme, and so we pass on some data to National Employment Savings Trust (NEST). Please see NEST’s Privacy Policy for more information.
• We pass on some details to Unum in order to add you to the insurance policy. For more information, please see Unum’s Privacy Notice.

Apprenticeships

In addition to the above, information relating to apprentices at the National Botanic Garden of Wales may be passed to Coleg Sir Gar apprenticeship training advisors, internal validators, administrators and course tutors as required by the qualifications being undertaken or due to any welfare issues that arise.

The reason we do this is because Coleg Sir Gar is the approved City & Guilds Apprenticeship qualification provider, overseeing, administrating and verifying the apprenticeship; they also run the courses that all the apprentices undertake.

______________________________________________________________________

People who donate horticultural specimens

Purpose and legal basis for processing

• All horticultural specimens donated to the Garden are registered with the name and address of the donor on our database.
• We rely on Article 6(1)(f) of the GDPR – legitimate interest – for our lawful basis for processing this data.

What we need

Name and address of the donor.

Why we need it and what we do with it

It is a formal and accepted responsibility of a Botanic Garden to keep records of the provenance of all plant material. The information is entered into IrisBG (Botanic Gardens Collection Management System).

How long we keep it

This personal information is kept indefinitely for archiving and scientific research purposes.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete you data, but we may not have to.
• Right to restriction of processing – you may be able to ask us to restrict the processing of your information in certain circumstances.
• Right to object – you can object to our processing of your personal data.

Do we use any data processors?

No.

______________________________________________________________________

People who have donated honey samples

Purpose and legal basis for processing

• To record the origin of samples of honey that are used in research.
• We rely on Article 6(1)(f) of the GDPR – legitimate interest – for our lawful basis for processing.

What we need

We need the name and address of the donor.

Why we need it and what we do with it

• We collect the address so that we can use the location of the sample in our research.
• We will also send personalised analysis results to the donor at the end of the project, so require the names and addresses of donors.

How long we keep it

The names and addresses of donors will be deleted one year after all personalised analysis results have been sent out to donors. Location data will be retained indefinitely as allowed for in scientific research.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete you data, but we may not have to.
• Right to restriction of processing – you may be able to ask us to restrict the processing of your information in certain circumstances.
• Right to object – you can object to our processing of your personal data.

Do we use any data processors?

No.

______________________________________________________________________

Visitors to our websites

• We use WordPress to publish our website. For more information about how WordPress processes data, please see Automattic’s privacy notice.
• When someone visits https://gardenofwales.wpenginepowered.com we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone.
• We do not try to find out the identities of those visiting our website, and we do not allow Google to make any attempt to find out, either.
• Our blogging system uses Disqus for its commenting platform, and visitors wanting to post a comment on any blog must agree to Disqus’ terms of service, privacy policy and data sharing policy.
• Use of cookies by the Garden
• You can read more about how we use cookies on our Cookies page.

People who contact us via social media

In general we do not store any information about people who contact us via social media. However, if follow-up communication through another medium (e.g. telephone, e-mail or letter) is required, we will store just the contact details required for this purpose. This information will be retained to provide an audit trail but will not be used for any other purpose.

People who communicate with us, or with whom we contact, as a business

• We hold the names and contact details of individuals who contact us, and individuals acting in their capacity as representatives of their organisations, across the business.
• If this relates to suppliers, contracts, buildings management, IT services etc., the legal basis is Article 6(1)(c) of the GDPR for any legal obligation or Article 6(1)(f) because the processing is within our legitimate interests as a business.
• Contact details of people with whom we communicate in this way are not used for any other purpose except where we may contact you to ask if you are interested in receiving communications from us that are closely related to the original matter. Your details will not be passed on to anyone else without asking you first.

______________________________________________________________________

People who subscribe to our newsletters

Purpose and legal basis for processing

• Our purpose for collecting the information is so we can provide you with one or more of our newsletters and let you know about upcoming events.
• The lawful basis we rely on for processing your personal data is your consent under Article 6(1)(a) of the GDPR.

What we need

Your name and e-mail address.

Why we need it and what we do with it

• We use your email address to send you our e-newsletter.
• We only use your details to provide the service.
• We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
• You will receive a confirmation email once you have submitted your details and then the newsletters on a weekly or monthly basis.
• We may also use the information for other closely related purposes. For example, we might carry out a survey to measure satisfaction with the newsletter and ask for suggestions.

How long we keep it

Subscribers can cancel their subscription at any time through the ‘Unsubscribe’ link at the bottom of the newsletters.

When someone unsubscribes, they will not receive any further copies of the newsletter unless they re-subscribe. E-mail addresses will be deleted from our lists no longer than a month after someone has unsubscribed, although some residual information may be kept by MailChimp for their compliance purposes – see “Do we use any data processors?” below.

What are your rights?

• Right of access – you can ask for a copy of your personal information that we hold
• Right to rectification – you can ask us to correct anything that is wrong
• Right to erasure – you can ask us to delete you data, but this would end your subscription to the newsletter.
• Right to restriction of processing – you can ask us to restrict the processing of your information in certain circumstances.

Do we use any data processors?

Yes – We use a third-party provider, MailChimp, to deliver our e-newsletters, and we rely on MailChimp’s certification under the Privacy Shield Framework when this information is transferred to MailChimp’s servers in the US.

For more information, please see MailChimp’s privacy notice.

---

Parts of this policy are taken from the website of the Information Commissioner’s Office, Privacy Notice 30^th May 2018, licensed under the Open Government Licence