Privacy Notice

INTRODUCTION 

Mourne Heritage Trust takes you privacy seriously and we are fully committed to keeping your information private. 

The processing and sharing of personal information comes with significant rights on your part and significant responsibilities on ours. 

This Data Privacy Notice is provided to fulfil our obligations under the General Data Protection Regulation (GDPR), effective from 25 May 2018, which requires greater accountability and transparency from organisations with regard to your personal information, and which gives you greater control over how we use it. A glossary of the defined terms used throughout this Notice is included in the annex attached at the end. 

Our Data Privacy Notice explains how and when we collect personal data from and about you, why we do so and how we treat this information.  It also explains your rights in relation to the collection of personal information and how you can exercise those rights. 

We may change this Notice from time to time and will immediately publish any updates on our website. 

Any questions regarding this Notice and our privacy practices should be sent by email to mht@mourne.co.uk or by writing to GDPR Manager, 19 Causeway Road, Newcastle, Co. Down, BT33 0DL.  Alternatively, you can telephone 028 4372 4059. 

WHO WE ARE? 

Mourne Heritage Trust is a company registered in Northern Ireland, with registered office as above. Our company number is NI 32946 and we are a registered as a charity with the Charity Commission under the number XR23015. Mourne Heritage Trust was established to meet an identified need for locally based, strategic management of the Mourne Area of Outstanding Natural Beauty (AONB). Our mission statement is: 'To sustain and enhance the environment, rural regeneration, cultural heritage and visitor opportunities of the Mourne Area of Outstanding Natural Beauty and contribute to the well-being of Mourne's communities.' 

We provide services in the areas of environmental and visitor management including activities to protect and enhance habitats and wildlife, to provide and maintain outdoor recreation infrastructure including paths, trails and amenity sites, to promote the special natural, built and cultural heritage qualities and features of the AONB through site based interpretation panels, leaflets and web based information and to encourage sustainable tourism through information provision and advice. For more information on our activities please see http://www.mournelive.com/caring and http://www.caringformourne.com

WHERE WE COLLECT INFORMATION FROM? 
We might collect Personal Data that you provide voluntarily in a number of ways including direct interactions with you by phone, email and in writing, publically available sources (internet, Companies House etc) and via our Website, for example if you contact us with a query or register for our e-zine. 

We also collect aggregated data generated by our IT systems and third parties (e.g. Google Analytics) to assess website and social media usage and performance.  This includes traffic Data, Usage Data and other Technical Data Aggregated Data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data. 

WHAT TYPE OF PERSONAL DATA DO WE COLLECT AND HOLD?
Personal data is any information that can be used to identify you. 

We hold personal data about the following groups of people. 


Client &  Supplier Contacts 
 

that is any party which has engaged us to provide services or to provide services to us (including key contact data).  Given the nature of our work this includes a broad range of companies across environmental management and related sectors. 

Membership

that is any party who or which has signed up to be a member of our organisation i.e. ‘Friends of Mourne’. 

Supporters

that is anyone who has contacted us to find out about what we do or otherwise supported us, other than through Membership, including volunteers. 

Beneficiaries 

that is any individuals who receive our Services and, reflecting the breadth of those, encompasses many sectors in the general public  including landowners, outdoor recreation users, tourism and activity companies to give just a few examples. 

The data we collect includes contact and identity data including name, address, email address, telephone number, transaction data and business data. 

We are a Controller in respect of the data we collect. This means we make decisions about what data to collect (in respect of those groups of Data Subjects) and how to use it.  We do not process personal data on behalf of anyone else.  When collecting personal data we will explain to you the purposes for which we are collecting it. 

It is unlikely that the Personal Data which we collect and store will include Special Categories of Personal Data. Special Categories of Personal Data includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.   

HOW DO WE USE THE PERSONAL DATA WE COLLECT? 
We hold and process personal data to provide our services and function as a business, delivering the activities for which we are funded by a range of government and charitable sources.  This can include for the purposes of day to day contractual and services, to process orders and invoices, to send you communications you have requested that may be of interest to you - primarily about the Mourne AONB and our activities/ events - to seek views on the services we provide, to help us demonstrate the benefits of our services to ensure we continue to receive government funding and/or to satisfy funder monitoring requirements. 

We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.  Any personal information provided to us will only be used for the purposes provided and we will not disclose them without your consent. 

HOW DO WE PROTECT PERSONAL DATA? 
It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements.  Our practises include ensuring that personal data is held on our secure server and/or ensuring that any third party server we use is appropriately secure. We only use servers in the EU. Our current host servers are provided by Microsoft. IT systems and equipment are password protected.  Personal data held on paper is in secure lockable cabinets. 

FOR HOW LONG DO WE STORE PERSONAL DATA? 
We review our retention policies for personal data regularly and we will keep data no longer than is necessary for the activity to which it is relevant, taking account of considerations including having sufficient financial records from an accounting and tax perspective and to submit funding claims. We may also retain details of negotiations, contracts agreed, payments made, procurement processes etc. to protect ourselves in the event of a dispute arising between you and us and to satisfy retention periods required by our various funders. 

We may hold contact details for as long as is necessary for the relevant activity and retain these on mailing lists for as long as you wish to remain subscribed.  We will delete your personal data once you unsubscribe from a mailing list or otherwise let us know you do not wish to receive information from us. We may store aggregate data without limitation (on the basis that no individual can be identified from the data. 

WHAT RIGHTS DO YOU HAVE ABOUT THE PERSONAL DATA WE COLLECT AND HOLD? 
Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller

Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used. 

Right of access: the right to request a copy of the Personal Data held, as well as confirmation of: 
(i)     the purposes of the processing; 
(ii)   the categories of personal data concerned; 
(iii) the recipients to whom the personal data has/will be disclosed; 
(iv)  for how long it will be stored; and 
(v)    if data wasn’t collected directly from the Data Subject, information about the source. 

Right of rectification: the right to require the Controller to correct any Personal Data held about the Data Subject which is inaccurate or incomplete. 

Right to be forgotten: in certain circumstances, the right to have the Personal Data held about the Data Subject erased from the Controller’s records. 

Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to the Data Subject. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing the data has been reviewed and updated if necessary. 

Right of portability: the right to have the Personal Data held by the Controller about the Data Subject transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format. 

Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose). 

Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on the Data Subject. 

If you want to avail of any of these rights, you should contact us immediately at mht@mourne.co.uk. If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation. 

WHAT HAPPENS IF I NO LONGER WANT YOU TO PROCESS PERSONAL DATA ABOUT ME? 
If we are holding Personal Data about you as a Controller, we will comply with your request unless we have reasons for lawfully retaining data about you. 

If we are holding Personal Data about you and using that data for marketing purposes or for any other activities based on your consent, you may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever and we will stop processing your Personal Data for that purpose. This will not affect your ability to receive our Services. 

WHO DO I COMPLAIN TO IF I’M NOT HAPPY WITH HOW YOU PROCESS PERSONAL DATA ABOUT ME? 
If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to mht@mourne.co.uk.   

If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/

ANNEX

WHAT DO ALL OF THE DEFINED TERMS IN THIS PRIVACY NOTICE MEAN? 
Throughout this notice you’ll see a lot of defined terms. Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this notice you see the following terms, they have the following meanings: 

Controller is a legal term set out in the General Data Protection Regulation (GDPR), it means the party responsible for deciding what Personal Data to collect and how to use it; 

Data Subject means the individual who can be identified from the Personal Data; 

Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual; 

Processor is another legal term set out in the GDPR, it means the party who has agreed to process Personal Data on behalf of the Controller; and 

Special Categories of Personal Data means details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.