- Who are we
- How can you contact us?
- Personal information
- How do we obtain your personal information?
- What information do we collect?
- Why are we allowed to process your personal information?
- How do we use your information?
- Direct marketing and consent
- How do we look after your personal information?>
- How long do we keep your information?
- Who do we share your information with?
- Accessing and updating your personal information.
Who are we?
Mercy Corps is powered by the belief that a better world is possible. It works with people to put bold solutions into action – helping them triumph over adversity and build stronger communities from within. We are also committed to respecting and protecting the privacy rights of our donors, supporters, and visitors to our website, and to being transparent about what we do with your data. The following information details how Mercy Corps Europe collects, protects, manages and uses the data we receive.
Mercy Corps is a registered charity in Scotland (SC039570)
How can you contact us?
The Data Protection Officer
Mercy Corps Europe
96/3 Commercial Quay
Personal information relates to living people and Mercy Corps Europe records and uses personal information every time it receives support for its charitable projects throughout the world. It also holds information about some of those who benefit from the work of the charity and its team members.
Mercy Corps Europe realises how important it is to protect people’s privacy, to be transparent about how it uses personal data and to keep that data secure.
This is how Mercy Corps Europe looks after personal information
When we record personal information we will:
- Let you know why it is needed, where it is not obvious
- Be transparent about the use to which it is put
- Only ask for what is necessary and not information that is excessive or irrelevant
- Make sure nobody has access to it who should not
- Ensure that those handling the information are given guidance on their responsibilities
- Share it with other organisations only where permission has been given or where the law allows
- Keep it only for as long as it is needed. We, in turn, rely on you to give us accurate information.
How do we obtain your personal information?
Mercy Corps Europe collects information in the following ways:
When you give it to us directly
You may give us your information when you make a donation, are acting as a representative of a company who is supporting or working with Mercy Corps Europe, respond to a communication from us, sign up for an event, or join our mailing or email list. Some of the ways we receive this information includes: on a secure form on our website, when you contact us by phone, post or email, speaking to you in person, when you provide information to us via one of our social media channels such as Facebook or Twitter.
When you give permission for a third party to share it with us
Your information may be shared with us by third parties if you have given them permission to do so. This includes online fundraising websites, online campaigning websites, and other places where you have opted in to receive further contact from Mercy Corps Europe. We will only contact you further if you have given your consent for this to happen.
What information do we collect?
Personal information is any information that can be used to identify you. For example, this can include your name, address, telephone number, personal or work email address, date of birth, bank details, and credit or debit card details. We only collect personal information that is relevant to the type of interaction you have with Mercy Corps Europe. For example, we will collect your credit or debit card details in order to process a donation or purchase but will not keep or store these after the transaction has been completed.
Your credit or debit card information
If you use your credit or debit card to donate to us, we pass your card details securely to our payment processing partner as part of the payment process. We do this in accordance with the Payment Card Industry Security Standard (PDF download), and don’t store the details on our website or databases.
Why are we allowed to process your personal information?
Our Privacy and Cookie Policies take into account several laws, including:
- the Data Protection Act 2018
- the Privacy and Electronic Communications (EC Directive) Regulations 2003
- General Data Protection Regulation (EU) 2016/679
- Generally, our processing of your personal information as described in this policy is allowed by these laws based on one or more lawful grounds, including:
- Where you have provided your consent to us using your personal information in a certain way. For example, we only use your information to send you marketing communications by email or text with your consent. We also may ask for your explicit consent if you share sensitive personal information with us.
- Where the processing is reasonably necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract. For example, we may rely on this basis where you apply to work for us.
- Where the processing is reasonably necessary to comply with a legal obligation to which we are subject. For example, we may rely on this basis where we are obliged to share your personal information with a regulator or HMRC.
- Where the processing is reasonably necessary for the purpose of a legitimate interest pursued by us or a third party and your privacy rights do not override the legitimate interest.
- For example, we rely on legitimate interests for activities such as sending marketing communications by post or telephone unless you have told us that you would prefer not to hear from us in this way, contacting you as a representative of an organisation about charity partnerships or in order to organise an event, and analysing your interaction with us to improve our internal business processes.
- Where we are relying on legitimate interests to process your personal information, we will consider any potential impact on you (positive or negative), your rights under data protection laws, and will not use your personal information for activities where the impact on you overrides the legitimate interests in the processing.
- Where we process sensitive personal data, we will make sure that we only do so in accordance with one of the additional lawful grounds for processing that type of data, such as where we have your explicit consent or you have made that information manifestly public.
How do we use your information?
How we use your information largely depends on the reason you have provided it to us. We may use your information in the following ways:
- To keep a record of your relationship with Mercy Corps Europe and for internal purposes, such as administration and accounting.
- To look into complaints or legal issues.
- To claim Gift Aid on your donations.
- To give you information you have asked for, update you on our work and provide you with opportunities to support and get involved with Mercy Corps Europe (see section on Direct Marketing below).
- To understand your needs and wishes in order to give you the best possible personalised service.
- To carry out analysis and research which helps us understand how we are doing and improve our communications with you.
Direct marketing and consent
If you have given us consent to do so, we may use your information to send you communications about our work and ways that you can get involved and provide your support. This includes information about; our fundraising appeals, volunteering opportunities, updates on our work, taking part in events and other ways to support Mercy Corps Europe.
This is different from times when we are required to contact you, for example; to enable us to administer and/or confirm receipt of your donation, to reply to your questions, or to provide you with administrative updates. This section relates to fundraising and marketing communications and does not cover administrative communications such as these.
Any time you provide your details to us, we will always include clear questions asking you about your preferences regarding our communications with you. You can also let us know if you wish to withdraw your consent or if you want to change your preferences at any time by contacting email@example.com or by calling 0131 662 5160. You can also contact us in writing at the address below. Further information about communicating with you in different ways is outlined below.
Data for some of our direct marketing appeals will be shared with carefully vetted suppliers for the purposes of fulfilling the appeal. These "data processors" will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses. We do not allow these suppliers to use your data for their own purposes or disclose it to other third parties without our consent and we will take all reasonable care to ensure that they keep your data secure.
Contact by email and telephone
We will only contact you by email or telephone for fundraising and marketing purposes if you have given us express permission to do so. This means you have provided your email address or telephone number to us and said that we can contact you by these means. We will hold a record of your consent which can be withdrawn or changed at any time you wish to do so.
We will never conceal our identity when contacting you by email or telephone and we will always respect your preferences regarding contact of this kind.
How do we look after your personal information?
We will always take appropriate physical, electronic and organisational measures to ensure that we keep your information secure, accurate and up to date, and that we only keep it as long as is reasonable and necessary.
Although we use appropriate security measures once we have received your personal information, the transmission of information over the internet is never completely secure. We do our best to protect personal information, but we cannot guarantee the security of information transmitted to our website, so any transmission is at the user’s own risk. However, any payment card details (such as credit or debit cards) we receive on our website are passed securely to our payment processing provider according to the Payment Card Industry Security Standards.
How long do we keep your information?
We will hold your personal information on our systems for as long as is necessary for the relevant activity. For example, we will keep a record of donations subject to Gift Aid for six years after the accounting period relating to that donation to comply with HMRC rules.
We will generally treat any consent that you give us as lasting no more than 36 months (3 years) from the date you give your consent, or from the date of your last donation or interaction you have with us.
If at any time you withdraw your consent or change your preferences, your wishes will be acted on immediately and will take effect within the timescales laid out below.
Who do we share your information with?
Mercy Corps Europe will only use your information within our organisation for the purposes for which it was provided and for our own planning and analysis. We will not, under any circumstances, sell your personal data to any third party, and will only share data with our suppliers for the purposes described below. You will not receive marketing from any other companies, charities or organisations as a result of giving your details to us.
We have shared your information with carefully selected service providers and suppliers who help us to deliver our projects, fundraising activities and appeals. For example, we will share name and address details with mailing houses to allow them to print and post our letters to you, our supporters. Such “data processors” will only act under our instruction and are subject to contractual obligations regarding their data protection standards and policies. Some of these key systems and suppliers are named above.
No data we hold about you is retained by any third party after it has been used for the purposes advised by Mercy Corps Europe and all personal data belonging to us is erased by a third party following the termination of a supplier contract.
In some cases, we may transfer your personal data to Mercy Corps locations and third-party service providers who are located outside of the European Economic Area (EEA).
If your personal data is transferred internally within Mercy Corps or third-party service provider outside the European Economic Area (EEA), this will occur under a safeguard mechanism recognized by the European Commission as providing adequate protection for your personal data.
Accessing and updating your personal information
If you let us know about any changes to your personal circumstances, we will always comply with your wishes. Our service levels for different types of communication are:
- Email – 48 hours from the receipt of your request
- Telephone – 48 hours from the receipt of your request
- Mail – 28 days from the receipt of your request. Due to the production timescales for our postal communications, it can often take longer for this type of change to take effect. In most cases we would expect the change to be effective much more quickly and will do our best to stop any further communications within this period, where we can.
Sometimes we may have to contact you about something that is not related to fundraising or marketing. For example, if you have a direct debit with us, we are required to let you know about any changes to your direct debit. Opting out of postal communications will not stop this type of communication unless you cancel your direct debit. If you have any concerns about this type of contact, please get in touch with us.
Cookies, web beacons and similar technologies
A cookie is a piece of information in the form of a very small text file that is placed in an internet user's local storage, e.g., a user’s hard drive. It is generated by a webpage server, which is the computer that operates a website. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the site.
When you enter our website, you are prompted to accept or decline cookies, but are not prevented from navigating the site without doing either. If you accept, a suite of cookies is placed on your machine. If you decline, only cookies necessary to the operation of our website are set.
The GDPR and the Data Protection Act 2018 strengthen the rights that you, as a data subject, have in relation to the personal data that Mercy Corps holds about you. These rights are:
- Right of access – you can make a ‘subject access request’ for a copy of the information we hold about you (see below).
- Right to rectification – you can instruct us to correct any personal data we hold about you that is inaccurate • Right to erasure (‘right to be forgotten’) – you can ask for us to destroy any personal data that we hold about you.
- Right to restrict or object to processing – in some circumstances, you can place restrictions on, for example, who can access your data or who we share it with.
Subject Access Requests Article 15 of the General Data Protection Regulation and section 45 of the Data Protection Act 2018 provide a right of access to the information that we hold about you.
You can submit a subject access request by emailing: firstname.lastname@example.org If you want to post your request to us the address is:
Mercy Corps Europe
96/3 Commercial Quay
Edinburgh EH6 6LX
By email: email@example.com
By telephone: (+44) 0131 662 5160
Information Commissioner’s Office
If we have been unable to deal appropriately with your question or complaint you have a right to refer the matter to the Information Commissioner’s Office (ICO). Their contact details are:
By post: Information Commissioner's Office
More information about the ICO and about how to make a complaint, or ask a general question about data protection, is available on their website.