This privacy notice (“Notice”) sets out how the Westminster Foundation for Democracy (WFD) protects the privacy of your personal information. This policy applies to all WFD operations, both inside the European Union (EU) and non-EU countries.
WFD is required to collect, use and disclose personal information in order to perform our core business functions and activities. This includes (but not exclusively) processing personal data:
- of individuals and suppliers who are contracted to deliver services;
- for making and managing travel bookings on behalf WFD employees, contractors and representatives;
- for managing the safety and security of individuals travelling on WFD business;
- via third parties to comply with contractual or legal obligations and/or other legitimate business support contracts (i.e. outsourced services)
WFD is committed to protecting the privacy and confidentiality of personal information and to maintaining various physical, electronic and procedural safeguards to protect personal information in our care. WFD is recognised as a ‘data controller’ for the purposes of the General Data Protection Regulation (GDPR) for any personal information you provide directly to us.
By providing your personal information to WFD, you agree that this Notice will apply to how we handle your personal information and that you consent to us collecting, using and disclosing your personal information as detailed in this Notice. If you do not agree with any part of this Notice, you must not provide your personal information to us. However, if you choose not to provide us with your personal information, or if you withdraw a consent that you have given under this Notice, this may affect WFD’s ability to fulfil some, or all our obligations expected of us.
For example: When arranging travel for WFD activities, we will make bookings on behalf of staff and delegates – most travel bookings must be made under the traveller’s full name and must include contact details and appropriate identification (example: passport details). WFD cannot make bookings on behalf of individuals without that information.
I. What personal information does WFD collect?
Under this Notice Personal information is defined as:
Data relating to a living individual who is or can be identified either
- from the data; or
- from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller; (example: a document with an individual’s full name and details about the organisation they work for or their date of birth)
Generally, the type of personal information WFD collect is the information that is needed to meet our contractual or legal obligations with individuals engaged in WFD business or to protect an individual’s vital interest (i.e. personal safety). We therefore typically process the following types of personal information:
- contact information (name, home address, phone number, email address);
- bank / payment information (account number, sort code)
- employment information (salary, national insurance numbers, pension arrangements, etc.); this only applies to WFD employees and contractors
- passport details
- other details relevant to your travel arrangements or required by the relevant travel service provider(s) (example: dietary requirement, emergency contact details).WFD also collect personal information (usually email address) for communications purposes (example: to issue our newsletter) and for monitoring business performance and analysis. The latter would usually be personal biographic information and opinion which would be used for internal evaluation and reporting purposes. In these circumstance WFD will ensure your explicit consent is obtained at the point of collecting your personal information. In some circumstances, we may collect personal information from you which may be regarded as sensitive information under the GDPR. Sensitive information may include (without limitation) your racial or ethnic origin, philosophical or religious beliefs or affiliations, sexual preferences or practices, criminal record and the alleged commission of an offence, membership of political, professional or trade associations, biometric and genetic information, passwords and financial information and health information. We will only collect sensitive information in compliance with the GDPR, with your explicit consent, and where it is reasonably necessary for, or directly related to, one or more of our business functions or activities (example: to make travel arrangements or manage an individual’s safety and security). To the extent permitted or required under the GDPR, you consent to us using and disclosing your sensitive information for the purpose for which it was collected, unless we subsequently receive your consent to use it for another purpose. For example, if you provide health information to us for the purpose of ensuring travel insurance cover, you consent to us using and disclosing that health information in connection with arranging that travel insurance on your behalf. We will not use sensitive information for purposes other than those for which it was collected unless we subsequently receive your consent to use it for another purpose.
II. How does WFD collect personal information?
WFD will only collect personal information in compliance with the GDPR. WFD usually collect your personal information for a specific purpose which will be made clear to you at the point of collection (wherever practically possible); Examples of when personal information is collected includes:
- when you join/engage with WFD as a new employee, consultant, associate, expert, etc.
- when you apply for a job with WFD;
- when WFD make travel arrangements on your behalf;
- when you engage with us via social media;
- when you subscribe to request communications from WFD (example: e-newsletter) Unless you choose to do so under a pseudonym or anonymously, we may also collect your personal information (other than sensitive information) when you complete surveys or provide us with feedback (example: on one of WFD’s event’s or activities). In some circumstances, WFD may obtain personal information about you from a third party. For example, where WFD use external business services/systems to support us in managing a WFD event/activity. Where this occurs, we will rely on the third party communicating to you their policy of managing your personal information and what the obligations are for WFD and the third party as the data processor and data controller, respectively. You should let us know immediately if you become aware that your personal information has been provided to us by another person or organisation without your consent. WFD make every effort to maintain the accuracy and completeness of your personal information which we store and ensure it is up to date. However, you can assist us with this by promptly contacting us if there are any changes to your personal information or if you become aware that we have inaccurate personal information relating to you (see section XII below). We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal information that you, or a person acting on your behalf, provide to us.
III. How does WFD use your personal information?
WFD will only process your information, where:
1. the processing is necessary to fulfil a contractual obligation
Example – WFD employees and consultants/experts engaging in WFD business will be required to provide personal information in order for us to meet the requirements of our contractual relationship with you. This includes, payment of salary or for services (bank details and national insurance number) or contacting you to communicate important information relating to your employment/contract (phone number, email and/or home address)
2. the processing is necessary to protect your vital interest (example: safety and security)
Example – Individuals travelling overseas on WFD business will be required to provide personal information such as contact and passport details, emergency contact information, medical conditions, etc. This information is collected to ensure that, in the event of a security incident, WFD can effectively manage a crisis situation and protect the safety and security of an individual working for or representing WFD.
3. the processing is necessary for compliance with our legal obligations
Example – It is a legal requirement for WFD to collect, check and record individuals’ work eligibility before engaging them in employment contracts or as contractors for service. WFD will request photo ID (most often a passport) from relevant individuals in order to fulfil this legal obligation. This information may be shared with a third-party auditor if requested as part of a compliance audit.
4. the processing is necessary for our legitimate interests
Example – Candidates who apply for a job with WFD will be required to provide personal information, including contact information and employment history information. WFD require this information in order the process the candidate’s application and to assess their suitability for the position. There is a legitimate interest for both parties in us processing this personal information (example: WFD filling our vacancy and the potential candidate being offered employment).
5. you have given your consent to such processing (which you may withdraw at any time, as detailed at section VII below);
Example – if there is no other lawful basis identified that justifies WFD to process your personal information, we will ensure that consent is obtained prior to us processing your information. This includes, collecting personal information for the purpose of issuing individuals with our e-newsletter or collecting feedback (example: demographic data and opinions) for the purpose of internal analysis and evaluation of our programmes.
In some circumstances, WFD are required to disclose personal information to a contracted third-party in order for them to manage contracted out services (example: outsourced IT support, payroll, business travel agency) or where the processing of personal information is a legitimate requirement for WFD meeting its contractual business agreement with that third-party (example: providing copy employment contracts and salary evidence to funders for accounting or audit purposes).
If you have any concerns regarding the transfer of your personal information to a third-party, please refer to the “Feedback / Complaints / Contact” section below (section XII).
Where there is no legitimate interest identified, WFD will only use your personal information to send electronic communications materials to you (including e-newsletters) if you have opted-in to receive them. You can subscribe to receive the e-newsletter by providing your personal contact details on the homepage of our website. Should you no longer wish to receive WFD’s monthly newsletter you can unsubscribe by following the unsubscribe prompt in your email. Please also see the “Your rights” section of this Notice to learn about your ability, at any time, to opt out / withdraw consent (section VII below). Please also refer to the “Feedback / Complaints / Contact” section below (section XII) if you wish to raise any other questions or concerns.
IV. Is personal information disclosed to third parties?
WFD do not and will not sell, rent out or trade your personal information. We will only disclose your personal information to third parties in the ways set out in this Notice and as set out below, and in accordance with the GDPR. Note that, in this Notice, where we say “disclose”, this includes to transfer, share (including verbally and in writing), send, or otherwise make available or accessible your personal information to another person or entity.
Your personal information may be disclosed to the following types of third parties:
- our contractors, suppliers and outsourced service providers, including: travel management company; business IT support; staff payroll providers and staff pension scheme managers (the latter for WFD employees only);
- external business advisers (example: auditors, legal advisers, and recruitment consultants);
- travel service providers such as airlines, hotels, transfer handlers and other related service providers;
- WFD funders – where there is a legitimate business reason or requirement to share personal information to provide evidence for contractual or accounting purposes;
- a person who can verify to us that they have a relationship with you (example: a family member when you are not contactable, and the person properly identifies themselves and the request is, in our opinion, in your interest example: where we are managing a security incident in a location you are assumed to be and WFD are not able to locate/contact you personally;
- customs and immigration authorities to comply with our legal obligations and any applicable customs/immigration requirements relating to your travel;
- government agencies and public authorities to comply with a valid and authorised request, including a court order or other valid legal process;
- enforcement agencies where we suspect that unlawful activity has been or may be engaged in and the personal information is a necessary part of our reasonable investigation or reporting of the matter. Other than the above, we will not disclose your personal information without your consent unless we reasonably believe that disclosure is necessary to lessen or prevent a threat to life, health or safety of an individual, or to public health or safety, or for certain action to be undertaken by an enforcement body (example: prevention, detection, investigation, prosecution or punishment of criminal offences), or where such disclosure is authorised or required by law (including applicable privacy / data protection laws).
V. Is personal information transferred overseas?
WFD operates globally, with operational field offices in a variety of countries from time to time (currently Macedonia, Serbia, Montenegro, Bosnia and Hercegovina, Ukraine, Kyrgyzstan, Kosovo, Georgia, Ghana, Nigeria, Gambia, Uganda, Sierra Leone, Kenya, Mozambique, Sri Lanka, Pakistan, Indonesia, Laos, Burma, Venezuela, Algeria, Morocco, Tunisia, Jordan and Lebanon). Your personal information may be disclosed and/or accessed by WFD personnel in our overseas offices in the above locations in relation to WFD’s operational programme delivery. We ensure that any such disclosures will be necessary both for business reasons and for WFD to continue to comply with the GDPR and be handled in line with this policy.
It is possible that information will be transferred between overseas recipients located in a jurisdiction where you will not be able to seek redress under your local data protection laws and that does not have an equivalent level of data protection as in your own jurisdiction. To the extent permitted by your local data protection laws, we will not be liable for how these overseas recipients handle, store and process your personal information.
VI. Security of information
WFD is committed to safeguarding and protecting personal information and will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to protect any personal information provided to us. WFD has implemented various physical, electronic and managerial security procedures to protect the personal information that it holds from loss and misuse, and from unauthorised access, modification, disclosure and interference. WFD conducts periodic reviews of our systems and technologies, to ensure they are secure and fit for purpose. WFD strive to protect your personal information as fully as we protect our own confidential information.
WFD will destroy or de-identify personal information once we no longer require it for our business purposes, or as required by law.
VII. Your rights in relation to the personal information WFD collect
If you wish to:
- update, modify, delete or obtain a copy of the personal information that WFD hold on you; or
- restrict or stop WFD from using any of the personal information which we hold on you, including by withdrawing any consent you have previously given to the processing of such information; or
- where any personal information has been processed on the basis of your consent or otherwise as necessary to perform a contract to which you are a party, request a copy of such personal information in a suitable format,
you can request this by emailing us at the address set out in section XII below. You will receive acknowledgement of your request and we will advise you of the timeframe within which you will receive a response.
We aim to respond to such requests within one month or less, although we reserve the right to extend this period for complex requests.
Please note that, if you request that WFD restrict or stop using your personal information that we hold, or you withdraw a consent you have previously given to the processing of such information, this may affect WFD’s ability to fulfil some, or all our obligations expected of us, or negatively impact services we provide to you.
You must always provide accurate information and you agree to update it whenever necessary. You also agree that, in the absence of any update, we can assume that the information submitted to us is correct, unless we subsequently become aware that it is not correct.
You can at any time tell us not to send you communications (example: WFD newsletter) by email by clicking on the unsubscribe link within the emails you receive from us or by contacting us as indicated below (section XII).
In any of the situations listed above, we may request that you prove your identity by providing us with a copy of a valid means of identification. This is for us to comply with our security obligations and to prevent unauthorised disclosure or alteration of personal information.
As permitted by the GDPR, WFD reserves the right to charge you a reasonable administrative fee for or refuse any manifestly unfounded or excessive numbers of requests concerning your access to your personal information, and for any additional copies of the personal information you request from us.
VIII. Social Media Integrations
WFD’s website may use social media features and widgets (such as “Like” and “Share” buttons/widgets) (“SM Features”). These are provided and operated by third party companies (example: Facebook, Twitter, etc.) and either hosted by a third party or hosted directly on our website. SM Features may collect information such as the page you are visiting on our website and your IP address, and may set cookies to enable the SM Feature to function properly.
IX. IP addresses
When you access our website or open electronic correspondence or communications from us, our servers may record data regarding your device and the network you are using to connect with us, including your IP address. An IP address is a series of numbers which identify your computer, and which are generally assigned when you access the internet. We may use IP addresses for system administration, investigation of security issues and compiling anonymised data regarding usage of our website.
X. Tracking Technologies / Cookies
We may use third-party web analytics services on our websites. The analytics providers that administer these services use technologies such as cookies and web beacons to help WFD analyse how visitors use our websites.
XI. Linked Sites
XII. Feedback / Complaints / Contact
If you have any enquiries, comments or complaints about this Notice or WFD’s handling of your personal information, or wish to inform us of a change or correction to your personal information, or would like a copy of the information we collect on you, or would like to raise a complaint or comment, please contact us using the details set out below:
Data Protection Officer Westminster Foundation for Democracy Artillery House 11-19 Artillery Row London SW1P 1RT
We aim to respond to any enquiries or complaints within one month of receipt.
XIII. Changes to our Notice
WFD may amend this Notice from time to time. If we make a change to the Notice, the updated version will be posted on our website. We will post a prominent notice on our website to notify you of any significant changes to our Notice and indicate at the end of the Notice when it was most recently updated. It is your responsibility, and we encourage you, to check the website from time to time in order to determine whether there have been any changes to our Notice. In certain circumstances, if we update our Notice we may also be required re-confirm your consent.