“Yorkshire Children’s Centre” (referred to in this policy as “we”, “us” or “our) is a trading name of:

National Children’s Centre Limited

Brian Jackson House
New North Parade
Huddersfield
HD1 5JP

Registered Charity Number:288125
Company number: 1763241
ICO Registration Number: Z5459259

We have appointed a Data Protection Officer, who can be contacted in the following ways should you have any questions, complaints or feedback about your privacy:

Data Protection Officer

FAO Robert Edden and Bruce & Butler Limited
Yorkshire Children’s Centre
Brian Jackson House
New North Parade
Huddersfield
HD1 5JP

Email: [email protected]

Tel: 01484 519988

We collect your personal data in the following ways:

Data you give to us:

• When you request delivery of items you have purchased
• When you request collection of donated item(s)
• When you receive a guarantee for sale of new goods
• When you open a charitable account
• When you make a request for specific item(s)
• When you are captured on our CCTV system

Data we collect when you buy our products or use our services:

• Payment and transaction data

We will collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity data – title, name, date of birth, gender
• Contact data – current address, email address, telephone number(s).
• Transaction data – details of the products and services you have purchased from us, including date and time of purchasing and spend in relation to that transaction. We also process the name on your payment card, your card, expiry date and CVV number.
• CCTV Data – visual footage collected via CCTV.

We do not collect any special categories of personal data about you. This includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

We are only allowed to use personal data about you if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below: the personal data which we collect from you, how we use it, and the legal ground on which we rely when we use the personal data.

In some circumstances we can use your personal data if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a business or commercial reason to use your information which, when balanced against your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the table below. We will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

In order to provide you with our services and meet our legal obligations, we only share your data with 3rd parties, in the following circumstances:

• To fulfil your purchase;
• To authorise debit/credit card payments and any other transactions authorised by the
  customer;
• To handle complaints, queries and improve customer service;
• To meet legal obligations, for example, for the purposes of national security, taxation and criminal investigations; and
• If the Pass It On Shop is acquired by a third party, in which case personal data held by it, about its customers, will be one of the transferred assets.

We’ll never make your personal data available to anyone outside Yorkshire Children’s Centre for them to use for their own marketing purposes without your prior consent.consent.

We have a number of lawful reasons that we can use (or ‘process’) your personal data. One of these lawful reasons is called ‘legitimate interests’.

Broadly speaking legitimate interests means that we can process your personal information if we have a genuine and legitimate reason to and we are not harming any of your rights and interests.

The EEA is the European Economic Area, which consists of the EU Members States, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA we have to tell you.

Limited personal information that we collect from you may be transferred to and processed in a destination outside of the EEA. In these circumstances, your personal information will only be transferred on one of the following bases:

• The country that we send the data is approved by the European Commission as providing an
  adequate level of protection for personal data; or
• The recipient has agreed with us standard contractual clauses (SCC’s) approved by the
  European Commission, obliging the recipient to safeguard the personal data; or
• The recipient has agreed Binding Corporate Rules (BCR’s) approved by the European
  Commission, obliging the recipient to safeguard personal data; or
• There exists another situation where the transfer is permitted under applicable data protection
  legislation (for example, where a third-party recipient of personal data in the United States
  has registered for the EU-US Privacy Shield).

To find out more about how your personal information is protected when it is transferred outside the EEA, please contact our Data Protection Officer using the details above. Before sharing any information with a third party, we will ensure that there is a data processing agreement in place requiring that the third party protects personal data according to the GDPR.

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:

• Any statutory or legal obligations;
• The requirements of the business;
• The purposes for which we originally collected the personal data;
• The lawful grounds on which we based our processing;
• The types of personal data we have collected;
• The amount and categories of your personal data; and
• Whether the purpose of the processing could reasonably be fulfilled by other means.

After such time, we will securely delete or destroy your personal data. In most instances the personal data processed by us this will be securely destroyed 6 years from when you cease to be a customer. We only hold CCTV data for a period of 28 days.

Right to be Informed

We will always be transparent in the way we use your personal data. You will be fully informed about the processing through relevant privacy notices.

Right to Access

You have a right to request access to the personal data that we hold about you and this should be provided to you, under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, within 1 month. If you would like to request a copy of your personal data, please contact us using the details at the top of this policy.

Right to rectification

We want to make sure that the personal data we hold about you is accurate and up to date. If any of your details are incorrect, please let us know and we will amend them.

Right to erasure

You have the right to have your data ‘erased’ in the following situations:

• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
• When you withdraw consent.
• When you object to the processing and there is no overriding legitimate interest for continuing the processing.
• When the personal data was unlawfully processed.
• When the personal data has to be erased in order to comply with a legal obligation.

If you would like to request erasure of your personal data, please contact us using the details at the top of this policy. Please note that each request will be reviewed on a case by case basis and where we have a lawful reason to retain the data, it may not be erased.

Right to restrict processing

You have the right to restrict processing in certain situations such as:

• Where you contest the accuracy of your personal data, we will restrict the processing until you have verified the accuracy of your personal data.
• Where you have objected to processing and we are considering whether our legitimate grounds override your legitimate grounds.
• When processing is unlawful, and you oppose erasure and request restriction instead.
• Where we no longer need the personal data, but you require the data to establish, exercise or defend a legal claim.

Right to data portability

You have the right to data portability in certain situations. You have the right to obtain and reuse your personal data for your own purposes via a machine-readable format, such as a .CSV file. If you would like to request portability of your personal data, please contact us. This only applies:

• To personal data that you have provided to us;
• Where the processing is based on your consent or for the performance of a contract; and
• When processing is carried out by automated means.

Right to object

You have the right to object to the Yorkshire Children’s Centre processing your data in these circumstances:

• Where the processing is for direct marketing. Remember you can opt out of email communication at any time via the unsubscribe feature on our emails;
• Where the processing is based on legitimate interests;

Please let us know if you are unhappy with how we have used your personal data by contacting the Data Protection Officer (details can be found at the top of this policy).

You also have a right to complain to the Information Commissioner’s Office. You can find their contact details at www.ico.org.uk. We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.