Data Protection Policy

1. Introduction

This Policy sets out the obligations of Zen Fundraising Limited, a company registered in the United Kingdom under company number 11219994 (“the Company”), regarding data protection and the rights of individuals whose personal data is processed by the Company under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

The UK GDPR defines “personal data” as any information relating to an identified or identifiable natural person (“data subject”).

This Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, self-employed fundraisers, agents, subcontractors, contractors, consultants or other parties working on behalf of the Company.

The Company is committed not only to compliance with the law, but also to the fair, lawful and secure handling of personal data, respecting the privacy and rights of all individuals with whom it deals.

Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Data Subject: An individual whose personal data is being processed.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure and deletion.

Controller: The entity that determines the purposes and means of processing personal data.

Processor: An entity that processes personal data on behalf of the controller.

2. Data Protection Principles

The Company shall comply with the principles set out within UK GDPR. Personal data must be:

  • Processed lawfully, fairly and transparently

  • Collected only for specified, explicit and legitimate purposes

  • Adequate, relevant and limited to what is necessary

  • Accurate and kept up to date where necessary

  • Retained only for as long as necessary

  • Processed securely using appropriate technical and organisational measures

3. Rights of Data Subjects

Data subjects have the following rights under UK GDPR:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights relating to automated decision-making and profiling

4. Data Collection, Use and Sharing

Personal data is collected directly from data subjects for processing and administering donations, regular gifts and supporter interactions on behalf of charity partners.

Personal data may be securely shared with:

  • Charity partners acting as Data Controllers

  • Evergiving and other approved processing platforms

  • Authorised payment processing providers

  • Approved third-party service providers where necessary for legitimate business purposes

The Company does not sell or trade personal data.

Where personal data is transferred internationally, Zen Fundraising will ensure that appropriate safeguards and lawful transfer mechanisms are in place in accordance with UK GDPR.

5. Lawful Basis for Processing

The Company shall only process personal data where a lawful basis exists under UK GDPR, including:

  • Consent

  • Performance of a contract

  • Compliance with legal obligations

  • Legitimate interests

  • Protection of vital interests

Where special category data is processed, the Company shall ensure that an additional lawful condition under UK GDPR is satisfied.

6. Specified and Legitimate Purposes

The Company shall only collect and process personal data for specified and legitimate purposes and shall ensure that data subjects are informed of those purposes.

7. Accuracy of Data

The Company shall take reasonable steps to ensure that personal data is accurate and kept up to date.

Where inaccurate or incomplete personal data is identified, the Company shall take reasonable steps to rectify or erase the data without delay.

8. Data Retention

The Company shall not retain personal data for longer than is necessary for the purposes for which it was collected and processed.

Further information regarding retention periods is set out within the Company’s Data Retention Policy.

9. Secure Processing

The Company shall ensure that personal data is processed securely and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

10. Accountability and Record Keeping

Data Protection Lead

Melanie Staddon
07487872571

The Data Protection Lead shall oversee the implementation of this Policy and monitor compliance with UK GDPR and other applicable legislation.

The Company shall maintain appropriate internal records relating to personal data processing activities, including:

  • Categories of personal data processed

  • Categories of data subjects

  • Purposes of processing

  • Data retention arrangements

  • International transfers where applicable

  • Security and organisational measures implemented

11. Data Protection Impact Assessments

The Company shall carry out Data Protection Impact Assessments where processing activities are likely to result in a high risk to the rights and freedoms of data subjects.

12. Keeping Data Subjects Informed

The Company shall provide data subjects with appropriate privacy information, including:

  • The identity and contact details of the Company

  • The purpose and lawful basis for processing

  • Categories of personal data processed

  • Details of third-party sharing

  • International transfer safeguards where applicable

  • Retention periods

  • Data subject rights

  • Complaint rights with the Information Commissioner’s Office

13. Subject Access Requests

Data subjects may submit Subject Access Requests (“SARs”) to obtain details of the personal data held about them.

Requests should be directed to:

melanie@zenfr.co.uk

The Company shall normally respond within one month unless an extension is permitted under UK GDPR.

14. Rectification

Data subjects have the right to request rectification of inaccurate or incomplete personal data.

The Company shall respond to such requests within the applicable UK GDPR timeframes.

15. Erasure

Data subjects may request erasure of their personal data where:

  • The data is no longer necessary

  • Consent has been withdrawn

  • Processing is unlawful

  • Erasure is required to comply with legal obligations

  • The data subject objects and there is no overriding legitimate interest

The Company shall respond within applicable UK GDPR timeframes.

16. Restriction of Processing

Data subjects may request restriction of processing in accordance with UK GDPR requirements.

17. Objections to Processing

Data subjects may object to processing based on legitimate interests or direct marketing.

Where required under UK GDPR, the Company shall cease such processing.

18. Personal Data Collected and Processed

The Company may collect and process the following categories of personal data to support quality assurance, compliance monitoring and supporter protection:

  • Name

  • Address

  • Telephone Number

  • Email Address

  • Occupation

  • Date of Birth

  • Bank Account Details

  • Payment Information

  • Signature

  • Details of conversations with fundraisers, including communication preferences and feedback

19. Data Security – Communications and Transfers

The Company shall ensure that:

  • Personal data shared electronically is limited to what is necessary and transmitted securely using approved Company systems and safeguards

  • Personal data may only be transmitted over secure networks

  • Transmission of personal data over unsecured networks is prohibited

  • Personal data shall not be transmitted by facsimile transmission

  • No personal data is to be kept in hardcopy form

20. Data Security – Storage

The Company shall ensure that:

  • Electronic personal data is stored securely using passwords, access controls and encryption where appropriate

  • Personal data is only stored electronically on approved secure systems and platforms authorised by the Company

  • The Company primarily accesses supporter personal data via Evergiving’s secure processing platform and other authorised business systems

  • Personal data should not be downloaded or stored on unauthorised mobile devices

  • Personal data must not be transferred to devices personally belonging to employees, contractors or fundraisers unless expressly authorised and appropriately secured

21. Data Security – Disposal

Where personal data is no longer required, it shall be securely deleted or otherwise securely disposed of in accordance with the Company’s Data Retention Policy.
 

22. Data Security – Use of Personal Data

The Company shall ensure that:

  • Personal data is not shared informally

  • Personal data is only shared with employees, agents, contractors, charity partners, processors or authorised third parties where necessary for legitimate business purposes and in accordance with this Policy

  • Personal data is handled securely at all times

  • Devices displaying personal data are locked when unattended

23. IT Security

The Company shall ensure that:

  • Passwords are secure and changed regularly where appropriate

  • Passwords are not shared between personnel

  • Software and security updates are applied appropriately

  • Unauthorised software may not be installed on Company systems or devices

24. Organisational Measures

The Company shall ensure that:

  • Personnel handling personal data are appropriately trained and supervised

  • Access to personal data is restricted to authorised individuals

  • Personnel handling personal data understand their obligations under UK GDPR and this Policy

  • Appropriate contractual obligations are imposed on contractors and third parties processing personal data on behalf of the Company

  • Data handling practices are periodically reviewed

25. International Transfers

Where personal data is transferred internationally, including through approved third-party service providers, the Company shall ensure that appropriate safeguards and lawful transfer mechanisms are in place in accordance with UK GDPR requirements.

The Company shall take reasonable steps to ensure that personal data processed internationally receives an appropriate level of protection and security.

26. Data Breach Notification

All personal data breaches must be reported immediately to the Company’s Data Protection Lead.

Where required under UK GDPR, the Company shall notify the Information Commissioner’s Office and affected data subjects within applicable timeframes.

27. Implementation of Policy

This Policy is effective from 10 April 2018 and shall be reviewed periodically.

Name: Melanie Staddon
Position: Company Director

Original Policy Date: 10 April 2018
Last Reviewed: 31 March 2026 (Carl Orlowe, CEO)