Privacy Policy

This privacy policy sets out the terms of how Cancer United and our related companies will use any information or personal information that you (“you”, “yours”) give to us or we collect from you. Personal information means any information about you from which you could be identified such as your name, address, telephone number or email address. Whenever you provide us with personal information we will use it as per these terms. Whilst this privacy policy will apply to most of our websites, some of our websites may have additional terms not covered by this privacy policy and you should always check a site’s Terms of Use carefully.

Who are we?

This website is run by Cancer United, a charity, registered in England, number 1155747 whose office is located at: Millfield House, Station Road, Angmering, West Sussex, BN16 4HY.

You may contact us via email at enquiries@cancerunited.org.uk or call 01903 779880.

1. Statement

Cancer United is committed to processing all personal data in accordance with the General Data Protection Regulations and to respecting the rights of all data subjects whose information we process.

We undertake to process all personal data in accordance with Article 5 of the GDPR. Specifically, we commit that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2. Schematic data flows

2.1 Overview

[Figure: Privacy Policy 2.1 Overview]

2.2 The way that Cancer United uses personal information

The Cancer United charity processes personal information on behalf of four groups of people.

Supporters: The charity has many supporters with whom it communicates via a newsletter and who participate in a range of events organised by the charity. For this purpose, the charity has obtained explicit consent to hold supporters’ contact details.

Gym Users: The charity runs a gym attended by people living with cancer. For these attendees, more information is needed to ensure the gym classes can be provided safely and ensure attendees’ safety. This includes medical data which is defined as special category information for the purposes of GDPR. The legal basis for this information is that it is necessary for providing the gym classes and may be needed for protecting the subjects’ vital interests. However, because it is special category information the charity additionally collects explicit consent from data subjects.

Learners: The charity runs training courses for trainers running exercise classes for people living with cancer. For this purpose, the charity processes a range of personal data on a virtual learning system hosted on UK servers on behalf of the charity.

Paid staff: The charity has a very small number of paid staff. The charity collects the minimum amount of personal data to meet its legal duties as an employer. This data is shared with the accountants to produce payroll information, and in turn that is shared with statutory agencies such as HMRC.

3. Legal basis for processing

Where we process personal information, we ensure that the processing is necessary and that we have a valid lawful basis in order to process that data. Our legal bases are recorded in Table 1.

Where we are processing special category data we have a lawful basis for general processing and an additional condition for processing this type of data.

Employees

Information:

  • Personal demographic data;
  • Personal job history (may include special category);
  • Personal financial details necessary for payroll and taxation;
  • Personal details of current employment (may include special category);
  • Medical information necessary for duty of care (special category).

Legal basis:
Processing this information is necessary for us to fulfil our (employment) contract with you; and processing this information is necessary for us to comply with a legal obligation.

Additional condition:
When processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

Gym attendees

Information:

  • Personal demographic data;
  • Medical information (may include special category with additional condition of explicit consent).

Legal basis:
Contractual relationship.

Learners

Information:

  • Personal demographic data.

Legal basis:
Contractual relationship.

Supporters

Information:

  • Personal demographic data.

Legal basis:
Consent.

We record our lawful basis for processing as well as the purposes of the processing in our privacy notice, recorded in Appendix A and made available on our website. We do not process criminal conviction data or data about offences.

4. Consent

We rely on consent for communications to those parties who wish to receive communications from us, and as the additional criteria for processing the special category medical data for clients.

Where we rely on consent, we:

  • have checked that consent is the most appropriate lawful basis for processing.
  • have made the request for consent prominent and separate from our terms and conditions.
  • have asked people to positively opt in, without the use of pre-ticked boxes or any other type of default consent, in clear, plain language that is easy to understand.
  • have specified why we want the data and what we’re going to do with it.
  • have given individual (‘granular’) options to consent separately to different purposes and types of processing.
  • have named our organisation who will be relying on the consent.
  • tell individuals they can withdraw their consent at the foot of every email.
  • ensure that individuals can refuse to consent without detriment and avoid making consent a precondition of any service from us other than the specific communication.
  • keep a record of when and how we got consent from the individual and keep a record of exactly what they were told at the time.
  • regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • make it easy for individuals to withdraw their consent at any time, by reminding them in the footer of all communications.
  • act on withdrawals of consent as soon as we can.

5. User rights

We respect the rights of all our data subjects.

5.1 The right to be informed

We provide individuals with all the following privacy information:

  • The name and contact details of our organisation.
  • The name and contact details of our data processor, where applicable.
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable in the future: not applicable at present).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (where this is the legal basis for processing).
  • The right to lodge a complaint with the ICO.

We provide individuals with privacy information at the time we collect their personal data from them, and via the privacy notice available on our website.

We provide the information in a way that is concise, transparent, intelligible, easily accessible, and uses clear and plain language.

We regularly review and, where necessary, update our privacy information. If we plan to use personal data for a new purpose, we will update our privacy information and communicate the changes to individuals before starting any new processing.

We undertook an information audit in March 2018 to find out what personal data we hold and what we do with it.

5.2 The right of access

We will provide a copy of the information that we hold on individuals free of charge so that they are aware of and can verify the lawfulness of the processing in accordance with Recital 63 of the GDPR.

We reserve the right to charge a ‘reasonable fee’ based on the administrative cost of providing the information when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We will provide the information without delay and at the latest within one month of receipt of the request.

We will take reasonable steps to verify the identity of the person making the request, using ‘reasonable means’.
Where the request is made electronically, we will provide the information in a commonly used electronic format.

5.3 Right to rectification

When we are notified that the personal information we hold is erroneous, we will respond to a request for rectification without undue delay and within one month of receipt and inform any recipients if we rectify any data we have shared with them.

Where we are satisfied that the personal data is accurate, we will tell the data subject that we will not be amending the data. We will explain our decision and inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy.

5.4 Right to erasure

We will respect a data subject’s right to erasure when required to do so under the GDPR, in the following circumstances:

  • the personal data is no longer necessary for the purpose for which we originally collected or processed it;
  • we are relying on consent as the lawful basis for holding the data, and the individual withdraws their consent;
  • we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • we are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • we have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
  • we have to do it to comply with a legal obligation.

In these circumstances, we will delete the data without undue delay and within one month of receipt and inform any recipients if we delete any data we have shared with them.

Where we do not believe that these circumstances apply we will tell the data subject that we will not be removing their data. We will explain our decision and inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy.

We will review the criteria for erasure periodically, or when they are changed by the external legal environment.

5.5 Right to restrict processing

We will respond to a request for restriction without undue delay and within one month of receipt.

We will restrict the processing of personal data in the following circumstances:

  • the individual contests the accuracy of their personal data and we are verifying the accuracy of the data;
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
  • we no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim; or
  • the individual has objected to us processing their data under GDPR Article 21(1), and we are considering whether our legitimate grounds override those of the individual.
  • whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.

5.6 Right to data portability

If an individual requests it, we will provide personal data in a structured, commonly used and machine-readable form, such as CSV files, in accordance with the criteria laid down by the GDPR, i.e. when:

they have provided the information to us directly or where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means.

We are not aware of any circumstances currently in which these criteria are met, but if they arise in the future, we will respond without undue delay, and within one month.

5.7 Right to object

We acknowledge that data subjects have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • processing for direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

We believe that this may only arise as part of our marketing activity. In this case, we will stop processing personal data for direct marketing purposes as soon as we receive an objection, and free of charge.

We inform individuals of their right to object in our privacy notice.

5.8 Rights related to automated decision making including profiling

We do not use automated decision making including profiling.

6. Documentation

As a charity with fewer than 250 employees, we have:

  • Carried out an audit of the personal information we use;
  • Identified the legal basis for processing of each type of information;
  • Updated our data protection policy and privacy notice in accordance with the GDPR;
  • Checked our contracts with data processors acting on our behalf in accordance with the GDPR.

We have included the results of the audit and the legal basis for processing in this document.

We will review this documentation either:

  • When we introduce a major change in our information systems;
  • When we introduce a major change in our business processes;
  • Or annually, if the documentation has not been reviewed in the last 12 months.

7. Data protection impact assessments

We have implemented a process for carrying out Data Protection Impact Assessments in the event of new systems. We have adopted a model based on ICO guidance (Figure 1), and a standard template for recording results.

Figure 1: The DPIA Process (as defined by the ICO)

We have carried out three DPIAs in preparation for GDPR. None of these revealed high-risk activity, and therefore we have not contacted the ICO.

We have reviewed the GDPR criteria and do not envisage doing any of the following in the foreseeable future which would require a further DPIA. We have no plans to:

  • Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
  • Process special category data or criminal offence data on a large scale.
  • Systematically monitor a publicly accessible place on a large scale.
  • Use new technologies.
  • Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
  • Carry out profiling on a large scale.
  • Process biometric or genetic data.
  • Combine, compare or match data from multiple sources.
  • Process personal data without providing a privacy notice directly to the individual.
  • Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
  • Process children’s personal data for profiling or automated decision-making or for marketing purposes or offer online services directly to them.
  • Process personal data which could result in a risk of physical harm in the event of a security breach.

7.1 DPIA for HR functions

Assessor:
Professor Alan Gillies
Date of Assessment:
18.05.2018
Person with lead responsibility:
Jan Sheward
Name of Process:
Human Resources Management.
Brief description of process:
The processes necessary to manage our staff and meet our legal obligations as an employer.
Information types to be processed:
Personal demographic data.
Job history
Financial details necessary for payroll and taxation
Details of current employment.
Category of Information to be processed:
Mostly Personal with some special category.
Legal Basis for Processing:
  • Processing this information is necessary to fulfil an (employment) contract with you; and
  • Processing this information is necessary to comply with a legal obligation.
Where does the data come from?
The data subjects themselves or previous employers.
Where is the data processed?
It is collected and held at the charity’s head office, either on paper in a locked cabinet, or on a local computer.
Do you transfer the data to a country outside the EU?
No.
Do you transfer the data to a third party?
Only when legally required to do so, e.g. for payroll and taxation purposes, when it is passed to the accountants and thence to HMRC or to third parties at the request of the data subject with explicit consent as an additional legal basis.
Who is impacted by the processing?
The data subjects themselves; HMRC and other statutory agencies.
How do you manage retention and disposal?
We retain personal data for the duration of the employment, and for a period of 12 months after employment, or as long as is necessary to meet our legal duties e.g. for taxation, whichever is the greater.
In the event of applicants for jobs, we do not retain their information unless they become employees, or give explicit consent as an alternative legal basis for retention. In this case, applicants can revoke their consent at any time, and the information will be destroyed after 12 months, unless that consent is renewed.
What are the risks to the data subjects?
Security breaches; inappropriate disclosure to a third party.
How do you rate the risk without mitigation measures?
Moderate.
What measures are already in place to protect the rights of data subjects and minimise risk?
Physical security measures; Information Security Measures; Verification of users requesting personal information by phone or email.
What additional measures will you put in place to protect the rights of data subjects and minimise risk?
Refresher staff training; Periodic reviews of security measures.
How do you rate the risk after mitigation measures?
Low.
Date of review:
31.05.2019
Additional information:
None

7.2 DPIA for communications with supporters

Assessor:
Professor Alan Gillies
Date of Assessment:
18.05.2018
Person with lead responsibility:
Jan Sheward
Name of Process:
Communications.
Brief description of process:
We inform our supporters through a regular email newsletter and may send additional ad hoc emails.
Information types to be processed:
Name & contact details
Category of Information to be processed:
Personal.
Legal Basis for Processing:
Consent to the processing of this personal data for the purpose of communications.
Where does the data come from?
The data subjects themselves.
Where is the data processed?
By ourselves on PCs located at our head office.
Do you transfer the data to a third party?
No.
Do you transfer the data to a country outside the EU?
No.
Who is impacted by the processing?
The data subjects themselves.
How do you manage retention and disposal?
We retain personal data for the duration of the consent.
What are the risks to the data subjects?
Security breaches; inappropriate disclosure to a third party.
How do you rate the risk without mitigation measures?
Moderate.
What measures are already in place to protect the rights of data subjects and minimise risk?
Physical security measures; Information Security Measures; Verification of users requesting personal information by phone or email.
What additional measures will you put in place to protect the rights of data subjects and minimise risk?
Formalisation of the responsibilities of KBS Marketing as a data processor. Periodic reviews of security measures.
How do you rate the risk after mitigation measures?
Low.
Date of review:
31.05.2019
Additional information:
None

7.3 DPIA for Gym users

Assessor:
Professor Alan Gillies
Date of Assessment:
18.05.2018
Person with lead responsibility:
Jan Sheward
Name of Process:
Provision of gym classes for people living with cancer
Brief description of process:
The charity runs a gym attended by people living with cancer. For these attendees, more information is needed to ensure the gym classes can be provided safely and ensure attendees’ safety. This includes medical data which is defined as special category information for the purposes of GDPR.
Information types to be processed:
Name & contact details, additional information recording progress at classes, medical information to ensure appropriate programmes are provided and to ensure patient safety.
Category of Information to be processed:
Personal
Legal Basis for Processing:
The legal basis for this information is that it is necessary for providing the gym classes and may be needed for protecting the subjects’ vital interests. However, because it is special category information the charity additionally collects explicit consent from data subjects.
Where does the data come from?
The data subjects themselves
Where is the data processed?
At the charity’s head office, where the gym is co-located
Do you transfer the data to a third party?
No
Do you transfer the data to a country outside the EU?
No
Who is impacted by the processing?
The data subjects themselves.
How do you manage retention and disposal?
We retain personal data for the duration of the contract, and for a period of 12 months after the contract or as long as is necessary to meet our contractual obligations.
What are the risks to the data subjects?
Security breaches; inappropriate disclosure to a third party.
How do you rate the risk without mitigation measures?
Moderate.
What measures are already in place to protect the rights of data subjects and minimise risk?
Physical security measures: Located in a locked cabinet in a locked office;
Verification of users requesting personal information by phone or email.
What additional measures will you put in place to protect the rights of data subjects and minimise risk?
Periodic reviews of security measures
How do you rate the risk after mitigation measures?
Moderate
Date of review:
31.05.2019
Additional information:
None

7.4 DPIA for Learners

Assessor:
Professor Alan Gillies
Date of Assessment:
18.05.2018
Person with lead responsibility:
Jan Sheward
Name of Process:
Management of Learners engaged in training programmes for providing exercise classes for people living with cancer.
Brief description of process:
In order to control access to our products and services and manage our training programmes, we need to use basic personal information about the users of those services. We may also record information on the system about what they do there e.g. assessment for training.
Information types to be processed:
Name & contact details
Data on training performance for assessment
Category of Information to be processed:
Personal
Legal Basis for Processing:
Processing this information is necessary to fulfil a contract.
Where does the data come from?
The data subjects themselves.
Where is the data processed?
The data is managed on a virtual learning system
Do you transfer the data to a third party?
No
Do you transfer the data to a country outside the EU?
No, the virtual learning system operates on UK-based servers.
Who is impacted by the processing?
The data subjects themselves.
How do you manage retention and disposal?
We retain personal data for the duration of the contract, and for a period of 12 months after the contract or as long as is necessary to meet our contractual obligations.
What are the risks to the data subjects?
Security breaches; inappropriate disclosure to a third party.
How do you rate the risk without mitigation measures?
Moderate
What measures are already in place to protect the rights of data subjects and minimise risk?
Physical security measures; Information Security Measures; Verification of users requesting personal information by phone or email.
What additional measures will you put in place to protect the rights of data subjects and minimise risk?
Formalisation of the responsibilities of KBS Marketing as a data processor. Periodic reviews of security measures
How do you rate the risk after mitigation measures?
Low
Date of review:
31.05.2019
Additional information:
None.

8. Data protection officer

We are not a public authority and the nature of our processing activities does not require the appointment of a Data Protection Officer (DPO), and therefore we have not appointed a DPO.

We have designated Erica Sheward as having day-to-day responsibility for data protection reporting to Jan Sheward.

9. Information Security

We have undertaken an analysis of the risks presented by our processing and use this to assess the appropriate level of security we need to put in place.

We have implemented measures taking into account the state of the art and the costs of implementation.

We review this policy either:

  • In the event of a security breach or “near miss”;
  • When we introduce a major change in our information systems;
  • When we introduce a major change in our business processes;
  • Or annually, if the policy has not been reviewed in the last 12 months.

We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.

We understand the requirements of confidentiality, integrity and availability for the personal data we process.

We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.

We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.

Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.

We ensure that any data processor we use also implements appropriate technical and organisational measures.

10. International transfers

We process all personal information in our main office in the UK, except for the information processed via the learning management system which resides on servers within the UK.

11. In the event of a breach

In the event of a breach, such as:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data,

we will assess the likelihood and severity of the resulting risk to people’s rights and freedoms.

Where the likelihood and severity are low, we will:

  • Take steps to mitigate the impact;
  • Take steps to prevent a repetition;
  • Review our policies and procedures to consider any wider lessons that may be learnt.

Where the likelihood or severity is higher, or has the potential to escalate, we will, in addition:

Notify the ICO within 72 hours, and provide them with:

  • a description of the nature of the personal data breach including, where possible:
      • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned;
  • the name and contact details of our data protection lead where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform those concerned directly and without undue delay. If in doubt, we will seek advice from the ICO when notifying them of a breach.

When notifying individuals, we will seek to help them take steps to protect themselves from the effects of a breach and will remind them of their right to complain to the ICO, and their right to legal redress if we are unable to resolve the matter to their satisfaction.

12. Staff Training and Awareness

We have distributed this policy to all staff, volunteers and information processors on adoption and at each review.

It forms part of the induction process for new staff.

In the event of staff raising concerns over training needs, we will take reasonable steps to address them as part of their staff development.

Appendices: Privacy Notices

A.1 How we manage the personal data of employees (to be given to staff)

The identity and contact details of the controller

The Data Controller is Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY

To contact the Data Controller, please email enquiries@cancerunited.org.uk or call 07957 829505

We are not required to have a designated data protection officer under the GDPR.

Purpose of the processing and the lawful basis for the processing:

We are collecting your personal information to carry out our duties as an employer.

Our basis for processing is:

  • Processing this information is necessary for us to fulfil our (employment) contract with you; and
  • Processing this information is necessary for us to comply with a legal obligation.

Some of the personal information is characterised as special category data under the GDPR. We process this under Article 9(2)(b) of the GDPR, which permits the processing of this data where:

“processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.”

If you do not accept this basis, then you may object to us or to the ICO as described below.

Categories of personal data

The categories of personal data we hold are:

  • Personal demographic data e.g. name & contact details, emergency contact details, DOB etc
  • Job history
  • Financial details necessary for payroll and taxation including expenses
  • Details of current employment
  • Medical information necessary for duty of care

Any recipient or categories of recipients of the personal data:

We do not routinely share this information with anyone else. If we did, we would do so because we had a legal duty to do so, or because you had provided explicit consent as an alternative legal basis for processing.

Details of transfers to third country and safeguards

The servers which host our internal systems and applications are located in the UK.

Our information processors who process personal information on our behalf do so within the UK.

Retention period or criteria used to determine the retention period

We will retain your personal data for the duration of your employment, and for a period of 12 months after your employment, or as long as is necessary to meet our legal duties e.g. for taxation, whichever is the greater.

In the event of applicants for jobs, we do not retain their information unless they become employees or give explicit consent as an alternative legal basis for retention. In this case, applicants can revoke their consent at any time, and the information will be destroyed after 12 months, unless that consent is renewed.

The existence of each of the data subject’s rights

You have the following rights about the use of your personal information:

  • Where the basis for processing is your consent, you may withdraw that consent at any time by contacting us.
  • If your personal information is incorrect, you may request that errors or incomplete entries be rectified.
  • In certain circumstances, you may have the right to be forgotten and your data erased. Please contact us if you wish to exercise this right.
  • Whilst any request is being investigated, you have the right to restrict processing, so that your information will simply be stored.
  • You can request the return or transfer of any personal data you have given to us in a portable electronic format.
  • We do not use automated decision making and profiling of your personal information without human intervention.

To exercise any of these rights, please contact us in writing at Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY.

The source the personal data originates from and whether it came from publicly accessible sources

Your personal information is collected either directly from you, or in limited cases from previous employers as part of the recruitment process.

Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

Your personal information is processed as part of our statutory requirements as an employer and as part of your employment contract.

The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

We do not use automated decision making or profiling of any kind.

The right to lodge a complaint with a supervisory authority

You have the right to complain to the Information Commissioner’s Office by:

You also have the right to seek legal redress in the event of suffering harm which you do not feel has been sufficiently addressed by us or by the ICO.

A.2 How we manage the personal data of supporters (displayed on the website, and linked to in a footer for emails to supporters)

The identity and contact details of the controller

The Data Controller is Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY

To contact the Data Controller, please email enquiries@cancerunited.org.uk or call 07957 829505

We are not required to have a designated data protection officer under the GDPR.

Purpose of the processing and the lawful basis for the processing

We are collecting your personal information to provide you with our services.

Our basis for processing is your consent to the processing of this personal data for the specific purposes of informing you about, and involving you in, the services we provide.

At any time if you no longer wish to receive communications, you may contact us, and we will desist.

If you are still unhappy, you may object to us or to the ICO as described below.

Categories of personal data

The categories of personal data we hold are:

Personal demographic data e.g. name and email addresses of supporters

Any recipient or categories of recipients of the personal data

We do not share this information with anyone else. If we did we would do so because we had a legal duty to do so, or because you have provided explicit consent as an alternative legal basis for processing.

Details of transfers to third country and safeguards

We do not transfer your information outside the UK.

Retention period or criteria used to determine the retention period

We will retain your personal data for the duration of your contract with us, and for a period of 12 months after your contract has ended, or as long as is necessary to meet our legal duties, whichever is the greater.

The existence of each of the data subject’s rights

You have the following rights about the use of your personal information:

  • Where the basis for processing is your consent, you may withdraw that consent at any time by contacting us.
  • If your personal information is incorrect, you may request that errors or incomplete entries be rectified.
  • In certain circumstances, you may have the right to be forgotten and your data erased. Please contact us if you wish to exercise this right.
  • Whilst any request is being investigated, you have the right to restrict processing, so that your information will simply be stored.
  • You can request the return or transfer of any personal data you have given to us in a portable electronic format.

We do not use automated decision making and profiling of your personal information without human intervention.

To exercise any of these rights, please contact us in writing at Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY.

The source the personal data originates from and whether it came from publicly accessible sources

Your personal information is collected directly from you.

Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

Your personal information is processed as part of our contract to provide products and services.

The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences

We do not use automated decision making or profiling of any kind.

The right to lodge a complaint with a supervisory authority

You have the right to complain to the Information Commissioner’s Office by:

You also have the right to seek legal redress in the event of suffering harm which you do not feel has been sufficiently addressed by us or by the ICO.

A.3 How we manage the personal data of gym users (to be included in any joiner information and linked to in a footer for emails to course attendees)

The identity and contact details of the controller

The Data Controller is Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY

To contact the Data Controller, please email enquiries@cancerunited.org.uk or call 07957 829505

We are not required to have a designated data protection officer under the GDPR.

Purpose of the processing and the lawful basis for the processing

We are collecting your personal information to provide you with our services.

Our basis for processing is that the information we collect is necessary for the service provided. However, as we also collect special category medical data, we need your explicit consent to process this information. We need this information for your safety and to optimise your exercise programmes.

At any time if you no longer wish us to hold your information, you may contact us, and we will desist, but we will not be able to provide ongoing exercise programmes because of the risk to your health.

If you are still unhappy, you may object to us or to the ICO as described below.

Categories of personal data

The categories of personal data we hold are:

  • Personal demographic data e.g. name and email addresses
  • Information about your exercise programme
  • Information about your health and information necessary to ensure your safety.

Any recipient or categories of recipients of the personal data

We do not share this information with anyone else. If we did we would do so because we had a legal duty to do so, or to protect your vital interests whilst you were unable to provide it yourself, or because you have provided explicit consent as an alternative legal basis for processing.

Details of transfers to third country and safeguards

We do not transfer your information outside the UK.

Retention period or criteria used to determine the retention period

We will retain your personal data for the duration of your contract with us, and for a period of 12 months after your contract has ended, or as long as is necessary to meet our legal duties, whichever is the greater.

The existence of each of the data subject’s rights

You have the following rights about the use of your personal information:

  • Where the basis for processing is your consent, you may withdraw that consent at any time by contacting us.
  • If your personal information is incorrect, you may request that errors or incomplete entries be rectified.
  • In certain circumstances, you may have the right to be forgotten and your data erased. Please contact us if you wish to exercise this right.
  • Whilst any request is being investigated, you have the right to restrict processing, so that your information will simply be stored.
  • You can request the return or transfer of any personal data you have given to us in a portable electronic format.

We do not use automated decision making and profiling of your personal information without human intervention.

To exercise any of these rights, please contact us in writing at Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY.

The source the personal data originates from and whether it came from publicly accessible sources

Your personal information is collected directly from you.

Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

Your personal information is processed as part of our contract to provide products and services.

The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences

We do not use automated decision making or profiling of any kind.

The right to lodge a complaint with a supervisory authority

You have the right to complain to the Information Commissioner’s Office by:

You also have the right to seek legal redress in the event of suffering harm which you do not feel has been sufficiently addressed by us or by the ICO.

A.4 How we manage the personal data of learners (to be included in any handbook for learners and linked to in a footer for emails to course attendees)

The identity and contact details of the controller

The Data Controller is Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY

To contact the Data Controller, please email enquiries@cancerunited.org.uk or call 07957 829505

We are not required to have a designated data protection officer under the GDPR.

Purpose of the processing and the lawful basis for the processing

We are collecting your personal information to provide you with training courses.

Our basis for processing is that processing this information is necessary to fulfil a contract.

If you are still unhappy, you may object to us or to the ICO as described below.

Categories of personal data

The categories of personal data we hold are:

  • Personal demographic data e.g. contact name and email addresses of learners.
  • Data on training performance for assessment.

Any recipient or categories of recipients of the personal data.

We do not share this information with anyone else. If we did we would do so because we had a legal duty to do so, or because you have provided explicit consent as an alternative legal basis for processing.

Details of transfers to third country and safeguards

We do not transfer your information outside the UK.

Retention period or criteria used to determine the retention period

We will retain your personal data for the duration of your contract with us, and for a period of 12 months after your contract has ended, or as long as is necessary to meet our legal duties, whichever is the greater.

The existence of each of the data subject’s rights

You have the following rights about the use of your personal information:

  • Where the basis for processing is your consent, you may withdraw that consent at any time by contacting us.
  • If your personal information is incorrect, you may request that errors or incomplete entries be rectified.
  • In certain circumstances, you may have the right to be forgotten and your data erased. Please contact us if you wish to exercise this right.
  • Whilst any request is being investigated, you have the right to restrict processing, so that your information will simply be stored.
  • You can request the return or transfer of any personal data you have given to us in a portable electronic format.

We do not use automated decision making and profiling of your personal information without human intervention.

To exercise any of these rights, please contact us in writing at Cancer United, Station Rd, Angmering, Littlehampton BN16 4HY.

The source the personal data originates from and whether it came from publicly accessible sources

Your personal information is collected directly from you.

Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

Your personal information is processed as part of our contract to provide products and services.

The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

We do not use automated decision making or profiling of any kind.

The right to lodge a complaint with a supervisory authority

You have the right to complain to the Information Commissioner’s Office by:

You also have the right to seek legal redress in the event of suffering harm which you do not feel has been sufficiently addressed by us or by the ICO.

Contact

If you have any questions about Cancer United, or would like to join our regular support groups, we would love to hear from you.

Call us on 01903 779880 or email us at: enquiries@cancerunited.org.uk.


People’s Postcode Trust is a grant-giving charity funded entirely by players of People’s Postcode Lottery.

Our project received £15,000 from the Trust to build the CU Fitter Rehab Gym. In 2017, the Project received £20,000 towards the purchase of the CU Fitter Minibus.

Cancer United is a registered charity in England and Wales No.: 1155747
Trustees: Kathryn Hall - Heidi Harris - Matt Owen - Victoria Read - Erica Sheward - Jan Sheward