CPO GDPR POLICY
Who are we?
Christian Publishing and Outreach (thereafter called CPO) is a registered charity in England and Wales, number 221462.
CPO is a registered company in England and Wales, registration number 588731.
CPO is registered with the Information Commissioner’s Office (ICO) as a data controller, registration number Z9128713
Where does this policy apply?
This policy applies to all the websites we operate, our use of emails and postal mailings for marketing purposes, and any other methods we use for collecting information. It covers what we collect and why, what we do with the information, what we won’t do with the information, and what rights you have. Not all information on this page will be relevant to the CPO Toolkit site.
What information do we collect and where do we collect it from?
We will only ever collect the information we need – including data to help improve our services, or which you agree we can collect.
Personal data is any information that can be used to identify you. For example, it can include information such as your name, email address, postal address, telephone number, mobile telephone number, bank account details, credit/debit card details, and whether you are a taxpayer so that we can claim Gift Aid on any donations you may make. It also includes Internet Protocol (IP) addresses (the location of the computer on the internet), details of pages visited on our websites and files downloaded.
We collect information in the following ways:
We collect this information in connection with specific activities, for example, when you use our websites or printed forms or telephone our offices to:
- Purchase goods or services
- Purchase a subscription
- Register for an event
- Create an account on any of our websites
- Engage with us on social media
- Sign up for our email newsletter
- Complete a survey, questionnaire or feedback form
- Give a donation
- Or in any other way provide us with information
You don’t have to disclose any of this information to browse our websites. However, if you choose to withhold requested information, we may not be able to provide you with certain services.
Information that we collect from your use of our websites
Information from third parties
We may receive information about you from third parties, for example from a friend who wants to send you a gift subscription.
We may receive updated delivery and address information from our delivery agents so that we can correct our records and deliver your next purchase or communication more easily. If we receive information about you from third parties, we will provide you with details of whom we received it. We will do this as soon as practically possible.
Information from public sources
We may combine information you provide to us with information available from public sources or records in order to gain a better understanding of our supporters and those who engage with us. Such information may be found in places such as Companies House, The Charity Commission and information that has been published online and in print.
Sensitive/special categories of data
GDPR law recognises that certain categories of personal information are more sensitive. This is known as sensitive personal data or special categories of data and covers health information, race and ethnicity, religious or philosophical beliefs and political opinions amongst other things.
We do not collect sensitive personal information about you unless there is a clear reason for doing so, such as involvement in an event where we need this information to ensure safeguarding, to carry out appropriate checks on volunteers, or care for participants. For some events we will collect health information so that leaders on our events have the relevant information to care for participants.
When we collect this information, we will make it clear to you what we are collecting and why and what are our legitimate interests or other legal grounds for processing this information.
We use Google Analytics and other services to collect information about how our websites are used. These help us to know how often users visit our websites, what pages they visit when they do so, and how they use our content online.
How do we use personal data?
We may use the personal data that you provide in the following ways:
- to process and send you your goods and any other resources you have ordered from CPO
- to process any donation(s) we may receive from you, to claim Gift Aid on these donations and to update you on how your donations are being used
- to process event bookings
- to set up direct debits, standing orders and one-off credit/debit card payments
- to provide you with information that you have requested about our work or our activities
- to provide you with information about other resources, events or programmes we offer that are similar to those you have already purchased or enquired about and to which you have not objected to receiving
- to communicate with supporters
- to record the contact that we have with you
- to provide you with information about CPO and how you can support our work as a charity (where you have consented to receiving this information as applicable)
- to invite you to participate in surveys or research
- for administration purposes, e.g. we may contact you about a donation you have made or where you have expressed an interest or registered for an event
- for internal record keeping, such as the management of feedback or complaints
- to notify you about changes to our services
- to analyse and improve the services we offer
- to analyse the use of our websites and ensure their content is presented in the most effective manner for you and your device (see also our cookies policy)
- to further our legitimate charitable aims such as sending you information about how donations are being used
You can choose at any time which marketing materials you want to receive from CPO. If there is something you would prefer not to receive, please email, phone or write.
Links to other websites
Our website contains links to other websites belonging to third parties and we sometimes choose to participate in social networking websites including, but not limited to, YouTube, Facebook, Twitter, Pinterest and Instagram.
Do we sell or share personal information?
We never sell or share your personal information with other organisations to use for their own purposes.
However, if we run an event in collaboration with another named organisation, your details may need to be shared with them and those who provide services to help us deliver the event. We will make it clear what will happen to your data when you register.
Sensitive/special categories of data
If you provide us with sensitive/special categories of personal data including, but not limited to, your racial or ethnic origin, political opinions, religious or philosophical beliefs or your physical or mental health, we will only use this for the specific purpose for which you gave permission and where it is within our legitimate interests to process or where we have other legal grounds to do so.
What is our legal basis for processing data?
GDPR allows various legal basis for processing data. They are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they
have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your
official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
We use a legitimate interest basis for processing data relating to purchase of goods, services, subscriptions and other resources you have ordered and events you have booked.
This includes sending you information about related resources and events that you might be interested in, given your previous purchases, if you have not objected to being sent this further information at the time at which we collected your data, or at any later stage.
We rely on legitimate interests for a variety of purposes. Legitimate interest is about balancing the interests of CPO and your rights, freedom and having due regard to your reasonable expectations about the use of your data. These purposes include:
- mailing CPO News your magazine subscription
- mailing other information about CPO
- thanking you for your donation (either by mail or telephone)
We also rely on the legitimate interest to share with you the fundraising needs of the charity and to ask for your support, given your engagement with CPO’s resources, events and programmes, provided that we have also previously obtained any additional consents required to send this information to you in particular formats. For example, we will not send fundraising information or requests to you by email or other electronic means or via automated telephone calls where you have not opted in to these beforehand. You can let us know at any time if you would prefer not to receive these communications.
Every email newsletter you receive provides a clear opportunity for you to opt out of/unsubscribe from future email newsletters.
We use the contract legal basis for processing data that is necessary to comply with a contract. For example, CPO may enter into a contact with a data controller and that forms the legal basis for processing data, or taking specific tasks before entering into a contract.
We use compliance with a legal obligation as the basis for processing any legally required activities such as Gift Aid returns to HMRC.
Who has access to your personal information for processing data and how do we keep it safe?
We maintain a high level of security in relation to the collection, storage and disclosure of your information. This is very important to us and we take all necessary steps to ensure that any information we hold about you is safe.
Storing your information
We place great importance on the security of all personal data associated with our customers, subscribers and supporters.
Information is stored by CPO on secure servers at our offices, off-site and in the cloud. We may also store information in paper files.
We have security measures in place to attempt to protect against the loss, misuse and alteration of personal data under our control. For example, only authorised personnel are able to access personal information, we ensure access to information is password protected or secured via locked filing cabinets and we encrypt financial information you input before it is sent to us.
While we cannot ensure or guarantee that loss, misuse or alteration of data will not occur while it is under our control, we use our best efforts to try to prevent this.
Any sensitive or special categories of data you may provide to us are only shared on an absolute need to know basis, and are deleted after each relevant event unless we need to keep that information for a longer period e.g. for safeguarding reasons.
We enforce strict procedures and security features to protect your information and prevent unauthorised access, although we cannot completely guarantee the security of any information you transmit to us.
Where you or we have provided a password enabling you to access parts of our websites or use our services, it is your responsibility to keep this password confidential. Please don’t share your password with anyone. If you think anyone else has gained access to your password, please let us know as soon as possible.
Transferring your information outside of Europe
Although most of the information we store and process stays within the UK, some information may be transferred to countries outside the UK or the European Union (EU).
By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EU.
Payment by credit or debit card
If you use your credit or debit card to buy, subscribe or donate to CPO, or pay online or over the phone, we will ensure that this is done securely and in accordance with the (PCI DSS) Payment Card Industry Data Security Standard. Only those staff authorised to process payments will be able to see your card details. Once your transaction is completed, we do not store your full credit or debit card details.
All transactions online are processed by Barclaycard or iZettle.
We hold bank account details for the purpose of collecting direct debits in accordance with direct debit mandate rules.
Sharing your information
CPO does not sell or share any information about you to other organisations. CPO may disclose your personal information only in the following circumstances:
- To third parties who provide a service to us and are our data processors. We employ other companies and individuals to perform functions on our behalf. Examples include delivering packages, sending postal mail and email, removing repetitive information from customer lists, analysing data, providing marketing assistance, processing credit card payments, and providing computer support. These data processors have access to personal information needed to perform their functions, but may not use it for other purposes. We require these third parties to comply strictly with our instructions and data protection laws and will make sure that appropriate controls are in place.
- Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies), or in order to enforce or apply our rights (including in relation to our website or other applicable terms and conditions) or to protect CPO (for example, in cases of suspected fraud or defamation).
- Where we use our wholly owned subsidiary, Heritage Studios, to provide services, which has an identical GDPR policy under the same management.
How long do we keep your data for?
- We will hold your personal information on our systems for as long as is needed to fulfil the function for which we hold the data or as long as is required by law for the relevant activity. For example, HMRC requires us to keep a record of donations, Gift Aid and financial transactions for seven years.
- If you request that we stop sending you marketing or fundraising information, we will keep a record of your contact details and appropriate information to enable us to comply with your request to not to be contacted by us.
- Where your information is no longer required we will ensure that it is disposed of in a secure manner.
- Information will only be kept as long as is necessary for the purposes for which you provided it or we obtained it and will be minimised to ensure we only keep what is necessary.
What are your rights?
We’d like to keep all who engage with CPO up to date with our news. We will not use your information for marketing or fundraising purposes if you have asked us not to or we do not have your permission to use it for these purposes. (In certain circumstances we must obtain your permission before we contact you for marketing or fundraising purposes.) However, we will retain your basic details on a suppression list to help ensure that we do not continue to contact you.
If you are registered to receive one of our email newsletters, every email communication provides a clear opportunity for you to opt out of/unsubscribe from future email communications.
The General Data Protection Regulation give you certain rights over your data and how we use it.
The lawful basis for processing, affects which rights are available to individuals. This can be summarised as follows:
You have the right to:
- request a copy of the information we hold about you and details of what we do with that information (known as a subject access request)
- update or amend the information we hold about you if it is wrong
- change your communication preferences at any time
- withdraw your consent to use of your personal information where we are relying on consent as the legal ground for processing it
- ask us to remove your personal information from our records
- ask us to restrict the processing of your personal information
- obtain a portable copy of certain personal information where this is processed automatically
- object to the processing of your information for marketing purposes or profiling
- raise a concern or complaint about the way in which your information is being used
- ask us to explain any automated processing or profiling we carry out and the impact of this on you
If you wish to exercise any of these rights, please contact us. If we are not sure who you are, we may ask for reasonable proof of your identity before providing you with information or carrying out any of the above actions.
Complaints, compliments or comments
If you are unhappy with our work or something that we have done or failed to do, we want to know about it. We also welcome your views on what we do well. Your comments enable us as an organisation to learn and continuously improve our services.
If you wish to raise a data protection concern or complaint with a supervisory body, you can address a complaint to the Information Commissioner’s Office.
We keep this policy under regular review. If we make any significant changes in the way we treat your personal information, we will make this clear on our websites or by contacting you directly.
You do not have to agree to any changes if these are not compatible with the initial purposes for which you provided or we collected your data.
In a nutshell
- We collect information that is personal data. Personal data is information that can be used to help identify an individual, such as name, address, phone number, email address, IP addresses or website pages accessed.
- We collect information about everyone who engages with CPO. This could be customers, partners, businesses, magazine subscribers, those who participate in our programme of events, donors, freelancers, illustrators, employees or trustees.
- We collect information to provide goods and services, to provide information, to resource our activities and fulfil our charitable objectives and for administration. This information may also be used for research, analysis and for the prevention or detection of crime.
- We only collect the information that we need or that you agree we can collect.
- We do our best to keep personal information secure whenever we collect personal data online.
- We never sell your data and we will never share it with another company or charity for their own purposes.
- We only share data where we are required by law or with carefully selected service providers who carry out work for us. We recognise the importance of ensuring that all our service providers treat your data as carefully as we would, use it only as instructed, and allow us to check that they do this.
- This policy replaces all previous versions and is correct as of 17th April 2018.