This document outlines how Ribble Valley Conservative Association processes and manages personal data and:
• Identifies the data controller.
• Explains the lawful basis for processing personal data.
• Outlines the personal data held and processed.
• Outlines the scope of the special category personal data held and processed.
• Outlines the process of Subject Access Requests.
We are happy to make this notice available in other accessible formats such as braille. If you wish to obtain a copy in an accessible format please contact our Data Protection Officer.
This privacy notice has been created to demonstrate the Party’s commitment to the protection of your data and to be transparent in how we deal with it. This notice provides the information as required by Articles 13 and 14 GDPR.
The Party will process your data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and related legislation.
This privacy notice was published on Friday 18th June, 2021.
From time to time we may make amendments to or update this privacy notice.
1. Data Controller: Who are we?
Our objective is to promote our values and to elect Conservative candidates at every level of government across the United Kingdom, or when we campaign in referenda.
The Data Controller is Ribble Valley Conservative Association, which is an accounting unit of the Conservative & Unionist Party. When you share data with us you are sharing it with The Conservative & Unionist Party as a whole. Ribble Valley Conservative Association remains the Data Controller for any data you share with us.
If you have any questions about this policy or for more information about how we use your data or would like to exercise any of your rights contact:
Data Protection Officer
Ribble Valley Conservative Association
9 Railway View Avenue
3. How we protect your data
We take the security of personal data seriously. We use security technology, including firewalls, password protection and encryption to safeguard information and have procedures in place to ensure that our paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage. We have processes in place to deal with a data breach in the unlikely event one should occur.
We only use third party service providers where we are satisfied that they provide adequate security for your personal data.
4. Lawful basis for processing
How we use your data is protected by law and we are only permitted to process your data where we have an acceptable reason for doing so. The lawful reasons we process your data are:
- Processing is necessary for the performance of a task carried out in the public interest (public task – democratic engagement), or
- When it is our legal duty (legal obligation), or
- When you provide consent (consent), or
- To protect your vital interests (vital interests), or
- To fulfil a contract with you (contract), or
- When we have a legitimate interest (legitimate interest).
Some types of sensitive personal data are given extra protection under the law; information about your race, ethnicity, sexual orientation, sex life, religious or philosophical beliefs, criminal record, trade union membership and political opinion is “special category” data under data protection legislation and we will only process this data where we have a lawful reason to do so. The work of the Conservative Party, and the wider Conservative Party, is deemed to be of substantial public interest and therefore we are permitted to process special category personal data relating to your political opinion in so far as it is necessary for the purposes of our political activities.
Where we have identified “legitimate interest” as our lawful reason for processing your data we conduct a balancing test in order to determine whether our legitimate interests to process your data are overridden by your interests, rights and freedoms. For more information about our legitimate interest balancing tests please contact our Data Protection Officer.
5. Data sources
Data held is that provided by you when you contact us and correspondence with third parties in response to cases taken up on your behalf. If you do not wish for us to contact you by telephone please do not provide this information.
The Register of Electors that councils provide to authorised persons under the Representation of the People Act is also used for electoral purposes.
We collect personal data from a variety of sources:
Provided by you (Directly):
- In person when you speak to one of our representatives or volunteers
- Through a telephone call, either where you call us, or we call you
- On paper, such as if you return a printed survey, a petition, a reply slip on a leaflet or if you write to us
- Digitally, such as if you fill in a form on a website or interact with the Party online via our websites or social media platforms
- When you offer or ask about volunteering, or take part in party activities
- When you enter into a transaction with the Party, such as becoming a member, donating, purchasing a product from our online shop or paying to attend an event
- When you consent to receiving electronic marketing (we never buy in email addresses)
- When you attend an event
Third-Party Sources (Indirectly):
- When data is shared with us from the wider Conservative Party
- The full electoral register and marked registers to which the Party is legally entitled as per The Representation of the People (England and Wales) (Amendment) Regulations 2002 and the Representation of the People Regulations 2001 in Scotland. We receive an updated version of these from local authorities every time an update is published, which is usually every month.
- Social media platforms and other technology providers (for instance, when you click on one of our Facebook ads or watch one of our Youtube videos)
- Publicly available information such as media history, news reports, web searches etc
- Public records or sources such as Companies House, Land Registry etc
- CCTV, if you visit Conservative Party Headquarters or one of our regional offices
- Data brokers and data analytics companies – such as Experian
- Royal Mail
- Telephone Preference Service
- Market research organisations
- Due diligence and screening organisations
6. How we use your information
We process data with the intention of using it primarily for the broad purpose of our political, campaigning and fundraising activities.
The tables below illustrate examples of how we commonly use your data, the typical categories of data that we might process and our justification and legal bases for doing so.
(i) Campaigning and Communications
(ii) Membership and Donations
(iv) Research, Due Diligence and Press
(v) Contacting us or visiting one of our offices
(vi) Visiting any online shop we may operate
(viii) Market Research and Opinion Polling
7. Data Security
Personal data is stored electronically and securely. We ensure that our service providers comply with the same high standard that we do, and are in the UK.
8. Special category data
Special category data will be processed under the lawful basis indicated in section 3, as is permitted in clauses 22, 23 and 24 of schedule 1 of the Data Protection Act, covering political parties and elected representatives.
9. Transferring your data outside of the European Economic Area
Some service providers are located outside of the European Economic Area (EEA) and therefore it may be necessary to transfer your personal data outside of the EEA. Where the transfer of your data outside of the EEA takes place we will make sure that it is protected in the same way as if the data was inside the EEA, and it only occurs with your consent.
We will use one of the following safeguards to ensure this:
- Where the European Commission has issued an adequacy decision determining that a non-EEA country or organisation ensures an adequate level of data protection.
- A contract is put in place with the recipient of the data obliging them to protect the data to the same standards as the EEA.
- The transfer is to an organisation that complies with the EU-US Privacy Shield.
Legally it is not permitted to transfer certain types of data, such as Electoral Register Data, outside of the EEA, and we honour that obligation.
10. Data retention policy
We retain your information in accordance with the CCHQ Data Retention Policy and Data Retention Schedule. We constantly review the data that we hold and regularly consider its relevance and our need to hold onto it. We use several factors to determine our retention periods. Factors we take into consideration are:
- Retention periods as required by law – for example, the Conservative Party is under a statutory duty to retain financial information for a period of 6 years,
- The purpose for which the data was provided or obtained,
- Our documented business requirement for holding onto your data,
- Whether holding onto your data will infringe your rights over your data,
- Legal and regulatory obligations that may require reference to your data,
If you require more detailed information on how long your data will be kept for please contact our Data Protection Officer.
11. Subject Access Requests
Subject Access Requests are dealt with in line with the guidance given by the Information Commissioner’s Office (ICO):
- We will request verification of the identity of any individual making a request, and ask for further clarification and details if needed.
- We will respond within 28 calendar days once we have confirmed it is a legitimate request.
- Data subjects have the right to the following:
- To be told whether any personal data is being processed
- To be given a description of the personal data, the reasons it is being processed and whether it will be given to another organisations or people.
- To be given a copy of the information comprising the data, and given details of the source of the data where this is available.
12. Will we share your data with anyone else?
We will never sell your data but sometimes it is necessary to share your information, either within the wider Conservative Party, or with our service providers, data controllers and data processors. Data is only ever shared where we have a party reason and when the law allows us to do so.
We share data with:
- The wider Conservative Party
- Affiliate organisations – such as National Conservative Draws Society or various Conservative “Friends of “ organisations
- Business associates and professional advisers – for example opinion pollsters or political strategists
- Suppliers and sub-contractors – for example printing and delivery suppliers
- Service providers and sub-contractors – for example an Email Marketing Platform or a Cloud Storage provider
- Organisations providing services for events
- Social media platforms and other technology providers
- Data analytics companies
- Due diligence and screening organisations
- Financial service organisations – such card payment providers
- Political organisations
- Elected representatives
- Media Organisations
- Regulatory bodies – such as the Electoral Commission or the Information Commissioner’s Office
- Market researchers
- Healthcare and welfare organisations
- Law enforcement authorities – for the purposes of prevention of crime
- Government authorities
- Third parties with whom you have requested we share your data
Where we use a third-party data processor, in other words an organisation that processes data on our behalf and under our instruction, we ensure that this processing is governed by a legally enforceable data processing agreement which sets out their responsibilities for protecting your data and your rights. Where we share data with a third party controller, an organisation that determines how data will be processed, we ensure that this is governed by a Controller to Controller data sharing agreement.
Where we share data with the wider Conservative Party we ensure that the recipient of the data agrees to a terms and conditions that they will use the data only for the purposes for which it was provided and will take necessary measures to ensure its security. Members of the wider Party receive training on data protection.
13. Cookies and similar technologies
14. Data Rights
Where we use consent as our legal basis for processing your data, or process special categories of your data on the basis of your explicit consent, you have the right to withdraw your consent at any time.
At any point you have the following rights:
- Right of access – you have the right to request a copy of the information held about you.
- Right of rectification – you have a right to correct data held about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data held about you to be erased from our records.
- Right to object – you have the right to object to certain types of processing, such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: if our office refuses your request under rights of access, we will provide you with a reason why. You have the right to complain.
15. Making a complaint
If you are unhappy with the way that we have processed or handled your data then you have a right to complain to the Information Commissioner’s Office (ICO). The ICO is the supervisory body authorised by the Data Protection Act 2018 to regulate the handling of personal data within the United Kingdom.
The contact details for the Information Commissioner’s Office are:
- Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- Telephone: 0303 123 1113
- Website: https://ico.org.uk/make-a-complaint/
If you have any questions about the data held please contact Ribble Valley Conservative Association via the contact information on this website.
Please note that proof of identity is required should you choose to exercise any of the above rights in relation to personal data.
We retain the right to update this policy at any time. If there are changes that significantly impact your rights, we will contact you in advance if we hold contact details for you.