Privacy PolicyThe privacy and security of your personal information is extremely important to us. This privacy policy explains how and why we use your personal data, to make sure you stay informed and can be confident about giving us your information.

We may update this policy from time to time so please check it regularly. If there are significant updates, we will inform those people with whom we are in regular contact, such as email subscribers or regular donors.

We will never sell your personal data and will only share it with trusted third parties in accordance with our privacy policy. We will investigate the privacy and security of any third party organisations before we share your personal data with them.

We’ll only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation (from 25 May 2018)/UK Data Protection Act 2018 and Privacy and Electronic Communication Regulations 2003.

On this page:

Who are The Royal Parks? What personal data do we collect? How do we get your personal data? How we use your personal data? Your rights as a data subject Cookies Links to third party websites Where do we process your personal data? Security Notification of changes Complaints

Who are The Royal Parks?

In this policy, whenever you see the words The Royal Parks, ‘TRP’ ‘we’, ‘us’, ‘our’, it refers to The Royal Parks Limited.

The Royal Parks Limited is a charity created in March 2017 and officially launched in July 2017 to support and manage 5,000 acres of Royal parkland across London.

If you would like to contact us about this privacy notice or how we use your personal data, please contact us at:

The Royal Parks September 2018 version 1.0

The Old Police HouseHyde ParkLondonW2 2UH

Telephone: +44 (0)300 061 2000

Email: dataprotection@royalparks.org.uk

The Royal Parks is the data controller of the personal data we process, unless otherwise stated.

What personal data do we collect?

Your personal data is any information which identifies you, or which can be identified as relating to you personally. We’ll only collect the personal data that we need.

We collect personal data in connection with specific activities such as:

Making a donation to TRP Volunteering with TRP Making a school or sports booking Applying for licences Conducting research Ordering an image Being a TRP employee Making an application for employment You are representing your organisation in any capacity Booking an activity with TRP.

Some examples of the types of personal data we may collect include:

your full name and title your postal address your date of birth your age or gender employment status demographic information email address telephone number personal description photographs CCTV images

The Royal Parks September 2018 version 1.0

IP address.

How do we get your personal data?We may get your personal data from our website, volunteering forms, job application forms, fundraising responses, emails and telephone calls.

This includes information you give when interacting with us, for example joining or registering, placing an order or communicating with us. For example:

Personal details (name, date of birth, email, address, telephone, and so on) when you become a donor or supporter

Financial information (payment information such as direct debit details, and whether donations are gift-aided) when you make a payment to The Royal Parks

Your opinions and attitudes about The Royal Parks, activities and interests, and your experiences of The Royal Parks

Personal details (name, date of birth, email, address, telephone) and some sensitive data (health information, ethnicity) when registering as a volunteer with The Royal Parks or becoming a TRP employee

Personal details (name and email address) when registering for an event on behalf of your school.

Personal data collected as a result of your involvement with us

Your activities and involvement with us will result in personal data being collected and processed. This could include details of how you’ve helped us by volunteering or being involved with our campaigns and activities. If you decide to donate to us then we’ll keep records of when and how much you give to a particular cause.

Information we generate

We collect anonymous data (i.e. information which can’t be used to identify you) to monitor website usage through the use of cookies. Website usage data includes number of visitors, what pages are viewed, and the duration of visits to the website. We may sometimes share this information with third parties to support us with analysing website usage and improving the overall user experience.

See Cookies for further information on website analytics.

Special categories of personal data

The Royal Parks September 2018 version 1.0

The GDPR defines ‘special categories of personal data’ as information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation, genetic or biometric data. Criminal allegations, proceedings or convictions must be treated in a similar way to special categories of personal data and also have restrictions around when they can be processed.

At times we’ll collect special categories of personal data (also known as sensitive personal data) for equal opportunities monitoring, as well as researching whether we deliver great experiences for everyone, but this is only ever analysed at an aggregate level. We may also collect some sensitive personal data for employment or volunteer purposes when it is necessary to do so.

Volunteer

If you’re a volunteer then we may collect extra information about you (e.g. references, criminal records checks, details of emergency contacts, medical conditions etc.). This information will be retained for legal or contractual reasons, to protect both us and you (including in the event of an insurance or legal claim) and for safeguarding purposes.

How we use your personal data

Personal data provided to us will be used for the purpose or purposes outlined in any privacy notice in a transparent manner at the time of collection or registration where appropriate, in accordance with any preferences you express. If asked by regulatory or government authorities investigating suspected illegal activities, we may need to provide your personal data.

Your personal data may be collected and used to:

help us deliver our charitable activities help us raise funds, to provide a service or product you have requested to inform you of news, events,

activities and services running in the Royal Parks.

Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our various services, websites and activities.

Marketing communications to supporters

Your privacy is important to us, so we’ll always keep your details secure. We’d like to use your details to keep in touch about things that may matter to you.

The Royal Parks September 2018 version 1.0

If you choose to hear from us we may send you information based on what is most relevant to you or things you’ve told us you like. We may also show you relevant content online. This might be about visiting the Royal Parks, volunteering with us, Health & Wellbeing, Nature and Heritage events and experiences, conservation work, fundraising campaigns, and learning opportunities.

We’ll only send these to you if you agree to receive them and have given us your consent to process your personal data for the purpose of marketing. We will never share your information with companies outside The Royal Parks for inclusion in their marketing. If you agree to receive marketing information from us you can change your mind at a later date. You can easily unsubscribe from digital communications at any time.

However, if you tell us you don’t want to receive marketing communications, then you may not hear about events or other work we do that may be of interest to you.

We may sometimes use third parties to capture some of your data on our behalf, but only where we are confident that the third party will treat your data securely, in accordance with our terms and in line with the requirements set out in the GDPR.

Marketing communications to customers

If you are an existing customer of ours, we may send you marketing information related to your previous purchase. We will do this on the basis of legitimate interest, the legitimate interest being to keep you updated as to related products and services. You can object to this processing at any time by unsubscribing from the direct marketing emails or by contacting us on the address above.

Social media targeting

If you are a social media user, we will use certain social media tools as part of our relationship with you. These tools include such things as Facebook and Instagram Custom/Lookalike Audiences, Google Customer Match/Similar Audiences, Twitter Tailored/Lookalike Audiences and LinkedIn Matched Audiences. We may sometimes use third parties to support us with our social media targeting.

Through using these tools, we will provide some of your data to the social media platform / organisation to allow them to identify your social media profile with them. The social media platform / organisation will then show you relevant advertisements relating to the Royal Parks which we think you will be interested in seeing on your newsfeed.

The social media platform / organisation will also use your profile to identify those with similar characteristics to you who we think may also be interested in finding out more about the Royal Parks and the work we do. These identified individuals will then be shown

The Royal Parks September 2018 version 1.0

advertisements about the Royal Parks on their newsfeed. This activity is governed by the social medial platform’s own privacy policy and terms and conditions, so please refer to these documents if you require any further information about this activity.

This processing is carried out in the legitimate interests of The Royal Parks: those legitimate interests are to improve our communications with you and lift our profile. You have the right to object to this processing at any time.

Fundraising, donations and legacy pledges

Where we have your permission, we may invite you to support vital initiatives by making a donation, getting involved in fundraising activities or leaving a gift in your will.

Occasionally, we may invite some supporters to attend special events to find out more about the ways in which donations and gifts in wills can make a difference to specific projects and to our cause. We’ll also send you updates on the impact that you make by supporting us in this way, unless you tell us not to. We will send these invitations on the basis of the legitimate interests of The Royal Parks to provide related news and updates in relation to your identified area of interest.

If you make a donation, we’ll use any personal information you give us to record the nature and amount of your gift, claim gift aid where you’ve told us you’re eligible and thank you for your gift. If you interact or have a conversation with us, we’ll note anything relevant and store this securely on our systems.

If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.

Management of volunteers

We need to use your personal data to manage your volunteering, from the moment you enquire to the time you decide to stop volunteering with us. This could include: contacting you about an opportunity you’ve applied for or we think you might be interested in, expense claims you’ve made, shifts you’ve booked and to recognise your contribution.

It could also include information about things happening where you volunteer and about your volunteering, including asking for your opinions on your volunteering experience.

We may also share this data anonymously with funders to help them monitor how their funding is making a difference.

The Royal Parks September 2018 version 1.0

We will only process your personal data for the purpose of volunteering with your consent. We will retain your personal data for three years after you last volunteered with us. You are able to withdraw your consent at any time after you have given it.

Orders and events management

We process customer data to fulfil orders and run events. Your data will be used to communicate with you throughout the process, including confirming we’ve received your order and payment, to confirm dispatch, to clarify where we might need more detail to fulfil an order or booking, or to resolve issues that might arise with your order or booking.

The Royal Parks Half Marathon and other events held in the Parks have their own privacy notices which can be found on their websites.

Research

We carry out research with our supporters, customers, staff and volunteers to get feedback on their experience with us. We use this feedback to improve the experiences that we offer and ensure we know what is relevant and interesting to you. We process your data for research on the basis of consent.

If you choose to take part in research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. For some of our research we may ask you to provide special categories of personal data (e.g. ethnicity). You don’t have to provide this data and we also provide a ‘prefer not to say’ option. We only use it at an aggregate level for reporting (e.g. equal opportunities monitoring).

We may share some of your personal data with a research agency who will carry out research on our behalf.

Learning and development

If you choose to sign up to one of our courses through our website or by telephone, we will process a limited amount of your personal data in order to provide you with the service you have requested. Your personal data will be processed on a contractual basis: we cannot provide the service without your personal data.

If you are providing us with your personal data in order for us to run a course for your school, we will keep the personal data securely and will not use it for any other purpose but to provide the product requested. We may also request some personal data about the children attending the course, but this personal data will be destroyed as soon as the course has run. We may keep some anonymised data for statistical and reporting purposes.

The Royal Parks September 2018 version 1.0

We may at times receive your personal data from a third party, such as digital agency providing information about schools. When we receive your personal data from a third party in this manner, we will treat it in accordance with our privacy policy and data protection policy and ensure that it is kept securely and for only as long as necessary. If we have received your personal data from a third party, we will inform you when we contact you. We process your personal data in this manner on the basis of legitimate interests: The Royal Parks believes that it is in our legitimate interest to keep schools up-to-date with our learning programmes and we will only contact relevant personnel at those schools.

Recruitment and employment

In order to comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including special categories of personal data, from job applicants and employees.

Such data can include, but isn’t limited to, information relating to health, racial or ethnic origin, and criminal convictions. Further information on what data is collected and why it’s processed is given below.

Contractual responsibilities

Our contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.

Legal obligations

Our legal responsibilities are those imposed through law on the organisation as an employer. The personal data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.

Legitimate interests

Our management responsibilities are those necessary for the organisational functioning of the organisation and are processed under the lawful basis of legitimate interests.

The Royal Parks September 2018 version 1.0

Special categories of personal data

In certain limited circumstances, we may legally collect and process special categories of personal data without requiring the explicit consent of an employee.

We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.

We will process data about, but not limited to, an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding our equal opportunities policies and related provisions.

Data about an employee’s criminal convictions will be held as necessary.

Disclosure of personal data to third parties

In order to carry out our contractual and legal responsibilities, we may, from time to time, need to share a data subject’s personal data with one or more third party.

To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs.

In order to fulfil our statutory responsibilities, we’re required to give some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.

To fulfil our legal obligations we may be required to provide government bodies such as the police with your personal data no matter the capacity in which we received your details.

Your rights as a data subject

As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email dataprotection@royalparks.org.uk or use the information supplied in the About Us section above. In order to process your request, we will ask you to provide two valid forms of identification for verification purposes. Your rights are as follows:

The Royal Parks September 2018 version 1.0

The right to be informed - As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy policy and any related communications we may send you.

The right of access - You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

The right to data portability - This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. This right only applies if we are processing information based on your consent or under contract and the processing is automated.

The right to object - You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.

The right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

The right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.

The right to erasure - You have the right to ask us to erase your personal information in certain circumstances. We will take all reasonable steps to ensure that we erase the data.

Rights related automated decision-making including profiling – You have rights surrounding our use of automated decision-making and profiling. You can object to us using your personal data in such a way at any time.

We will confirm that we have updated, ported, erased, provided or amended your personal data as requested within one month of receipt of your request. If we are unable to meet your request or require an extension to meet the request we will inform you within one month.

If we are processing your personal data with your consent, then you have the right to withdraw that consent at any time and we will cease processing your personal data without undue delay.

Cookies

The Royal Parks September 2018 version 1.0

A 'cookie' is a small text file that is placed on a user's computer hard drive by a website. There are several types of cookie and the most common are often referred to as 'session' cookies. These are used to keep track of information needed by a user as they travel from page to page within a website. These cookies have a short lifetime and expire within a few minutes of the user leaving the site.

Other types of cookies can be used to track internet activity after the user has left a website. These are either sponsored by organisations external to the website being visited (known as 'third party' cookies) or can originate from the website organisation itself ('first party' cookies). These usually have a long lifetime with several months being quite common. They are 'harvested' and 'refreshed' whenever the user visits a page where the same or a similar cookie is being used.

This website uses benign, short lived 'session' cookies and 'first party' cookies to tell whether a website user has logged-in, where to find details that can be used to pre-fill parts of on-line forms and to personalise the user's visit to the website. They are also used to track anonymously which areas of the site are popular and which are not used; this allows us to target carefully our website resources.

This website uses Google Analytics, a web analytics service provided by Google Inc., which uses cookies to help a website analyse how users use the site. The information generated by the cookie about your use of this website (including your IP address) will be used by Google for the purpose of evaluating your use of the website on our behalf. When your personal data is processed by Google Analytics, it will be processed under Google’s privacy notice, which can be found here.

The Royal Parks also uses cookies in its email communications to personalise the email and track whether the mail has been opened or read and whether the recipient has used any website links contained in the email communication. This allows us to monitor and improve our email communications and website.

Internet browsers normally accept cookies by default but you may refuse the use of cookies by selecting the appropriate settings on your browser. The website www.allaboutcookies.org (run by the Interactive Marketing Bureau, provided here for information only and not connected to or recommended by The Royal Parks) contains step-by-step guidance on how cookies can be switched off by users. However, please note that if you do this you may not be able to use the full functionality of this website.

Links to third party websites

This Privacy Policy applies solely to the personal data collected by TRP and does not apply to third party websites.

The Royal Parks September 2018 version 1.0

Users should be aware that if they access other websites, using the links provided, these are outside our control. If they provide personal data to other companies, the privacy policies of those companies determine the uses to which that information is put and this Privacy Policy will no longer apply. TRP is not responsible for the privacy policies of third party websites and advises users to read the privacy policies of other websites before registering any personal data.

Security

We recognise the need to ensure that personal information gathered via this website remains secure. We use industry standard Secure Server Software (SSL) for your transactions with us to protect against the loss, misuse and alteration of the personal information under our control. It encrypts all of your personal information, including credit card number, name, and address, so that it cannot be read as the information travels over the Internet. However, you acknowledge that although we exercise adequate care and security there remains a risk that information transmitted over the Internet and stored by computer may be intercepted or accessed by an unauthorised third party.

When personal data is stored on The Royal Parks’ systems we take every care to ensure the security of your personal data. Its information systems are adequately and appropriately protected, by the implementation and maintenance of security controls, against threats to the systems. The implemented security controls are appropriate to the measures of risks and the value of assets, and implemented, used and where relevant tested, correctly, through information security compliance (audit) reviews, to ensure that the required level of security is maintained.

Where we process your data

Unless we specifically inform you otherwise, your personal data is processed in the EEA.

Notification of changes

We may update this policy at any time without notice. Any changes to this policy will be notified by an announcement on this website. Your continued use of this website, following the posting of changes to this policy, will mean you accept these changes.

Complaints

Should you wish to discuss a complaint, please feel free to contact us using the details provided above. All complaints will be treated in a confidential manner.

The Royal Parks September 2018 version 1.0

Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union. For the United Kingdom, this is the Information Commissioner’s Office (ICO). Its contact information can be found at https://ico.org.uk/global/contact-us/.

The Royal Parks September 2018 version 1.0