This privacy notice explains how and why Crystal Palace Park Trust collects and uses your personal data when you visit our website, sign up to receive our newsletter, make a donation or attend one of our events.
It is important that you read this privacy notice so that you are fully aware of how and why we use your personal data.
If you need to contact us about your privacy rights, please email: firstname.lastname@example.org.
Who are we?
When we refer to “we” or “us” in this privacy notice we are referring to Crystal Palace Park Trust and our trading company Crystal Palace Park Events Limited.
Crystal Palace Park Trust is a charity registered with the Charity Commission for England and Wales with charity number 1193331 and a registered company with company number 11360503. Crystal Palace Park Events Limited is a private limited company with company number 12855520.
We are a controller of your personal data, which means we are responsible for deciding how we hold and use personal data about you.
Our contact details
Address: Crystal Palace Park Trust, GLL College, National Sports Centre, Ledrington Road, London, SE19 2BB
Personal data we collect
If you sign up to receive our newsletter we will ask you to give us your email address.
If you register to attend an event we’re organising, we will ask you to give us your first and last name and your email address. We may sometimes ask for additional information from you if it is needed for a particular event (for example, details of food allergies or accessibility needs).
If you get in touch with us by email or through our website, we will use any personal data you give us in order to consider your query or request and respond to you. We may share your information with third parties such as the Ward Park Security or Bromley Council’s Antisocial Behaviour Unit.
We sometimes collect personal data from other sources. For example, we might receive your name and email or telephone contact details from other stakeholder organisations.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.
How we use your personal data
Whenever we use your personal data we will always ensure we have a legal basis.
We will only use your personal data to send newsletters or other marketing materials to you by
email if you have given your consent. You can opt out of email marketing by clicking the ‘unsubscribe’ link in any of our emails or you can contact us at any time to opt out, change your contact details or to update your communication preferences.
If you contact us by email or through our website, or if another stakeholder organisation gives us your information, we use your personal data where we have a legitimate interest to consider your query or request and to respond to you.
If you sign up to attend an event organised by us, we will use your personal data in order to perform any contract that we have with you or where we have a legitimate interest. Our legitimate interests for using your personal data in this way could include: letting you know about changes to the event (e.g. a change to event timings or available facilities), informing you about event requirements (e.g. additional security checks), or telling you if an event is postponed or cancelled.
We will sometimes use your personal data where it is necessary for us to comply with a legal or regulatory obligation. For example, to comply with health and safety law at our events or to comply with legal requirements to retain financial data and Gift Aid records if you make a donation.
Using our website
Our website is not intended for children and we do not knowingly collect personal data relating to children.
Sharing your personal data
We may disclose your personal data to:
- Our staff, Trustees or volunteers.
- Partners and stakeholders that we work with, including Bromley Council.
- Our external service providers, such as IT or website support services.
- Third party platforms such as Mailchimp (which we use to send our newsletters), PayPal (which we use to process donations) or Eventbrite (which we use for events).
- Our professional advisers, such as our accountants, auditors, bankers, insurers and lawyers.
- A regulator – for example, when we make returns to HMRC or report to the Charity Commission.
- Law enforcement agencies, the police, or a court or for the purposes of prevention of fraud or other crime.
- As part of a sale, transfer or merger of parts of our organisation or our assets
Security and international transfers
We have appropriate security measures in place to prevent your personal data from being
accidentally lost, used or accessed in an unauthorised way, altered or disclosed. When we engage contractors or other third party service providers, we put agreements in place to make sure they only process your personal data on our instructions and are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach.
Some of our service providers, such as Google Drive and Mailchimp, may store your personal data in countries outside the UK. We use reputable service providers and we ensure there are safeguards in place to protect your personal data when it is transferred overseas.
Retention of personal data
We will keep your personal data for as long as reasonably necessary for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We will usually keep financial records for 6 years.
If you attend one of our events, we will keep your personal data for 2 weeks following the event in case we need to contact you or in case of any issue or incident that needs to be investigated.
If you have signed up to our mailing list and we have not heard from you for more than 5 years (e.g. because you have not responded to communications from us) we will endeavour to contact you to confirm that you wish us to retain your personal data. If we do not receive a reply we will usually delete or anonymise your information.
We may retain your personal data for longer than our standard retention period in the event of a complaint or if we reasonably believe there is a prospect of a legal claim connected to our relationship with you.
You have the right to:
- Request access to your personal data (commonly known as a subject access request). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Ask us to correct personal data that we hold about you which is incorrect, incomplete or inaccurate.
In certain circumstances, you also have the right to:
- Ask us to erase your personal data from our files and systems where there is no good reason for us continuing to hold it.
- Object to us using your personal data to further our legitimate interests (or those of a third party) or where we are using your personal data for direct marketing purposes.
- Ask us to restrict or suspend the use of your personal data, for example, if you want us to establish its accuracy or our reasons for using it.
- Ask us to transfer your personal data to another person or organisation.
You also have rights in relation to automated decision making which has a legal effect or otherwise significantly affects you. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces significant legal effects concerning you.
If you have given your consent to us processing your personal information, you have the right to withdraw your consent at any time.
If you make a request, we may need to request information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Queries or Complaints
If you have any questions about this privacy notice or how we handle your personal data, please contact us at email@example.com.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which is the UK supervisory authority for data protection issues – www.ico.org.uk