This policy is also available as a pdf.

Introduction

Your privacy is very important to us. We want you to be confident that the information you give us when using our site is safe and secure. In this Privacy Policy we explain how we use your information.

We will also tell you how and why we collect your personal info, your rights and choices when it comes to these details, as well as the steps we take to keep your information secure and confidential.

Controller’s contact details

Playlist for Life is the controller for the personal information we process. 

If you have any queries relating to our use of your personal information or any other related data protection questions, you can contact us in the following ways: 

Playlist for Life,
Unit 14,
Govanhill Workspace,
69 Dixon Road,
Glasgow
G42 8AT

How we collect and use your personal information

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made an enquiry to us.
  • You have requested information or a service from us.
  • You have bought goods or services from us.
  • You have told us we can contact you with information about our work, invitations to participate in our events, or with requests for help from you such as fundraising requests.
  • You have used our website or other online services.
  • You have applied for a job or secondment with us.
  • You are representing your organisation.

We also receive personal information indirectly, in the following scenarios:

  • Someone who cares for you has requested advice from us about using music as a therapeutic intervention to help you.
  • An employee of ours gives us your contact details as an emergency contact or a referee.

Your data protection rights

Under data protection law, you have important rights. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to have your personal information corrected if it is inaccurate or incomplete. This right always applies.

Your right to erasure

You have the right in certain circumstances to ask us to delete or remove your personal information from our systems.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances, i.e. to 'block' us from using your personal information or limit the way in which we can use it.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the processing is in our legitimate interests. If you raise an objection we will stop processing your personal information unless very exceptional circumstances apply, in which case we will let you know why we're continuing to process your personal information.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under contract, or in talks about entering into a contract, and the processing is automated.

Exercising your rights 

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

We will use all reasonable efforts consistent with our legal duty to provide you with your rights in accordance with data protection legislation.

To make enquiries, exercise any of your rights set out in this Privacy Policy, and/or make a complaint please contact [email protected]or write to:

The Data Manager,
Playlist for Life,
Unit 14,
Govanhill Workspace,
69 Dixon Road,
Glasgow
G42 8AT

If you're not satisfied with the way any complaint you make in relation to your personal information is handled by us then you may be able to refer your complaint to the relevant data protection regulator. In the UK, this is the Information Commissioner's Office.

Sharing your information

We will never sell or give away your information to any third parties to allow them to contact you for the purposes of direct marketing. That means that you can be sure that you will never be sent a fundraising request from a different charity if you give us your contact details.

We do use data processors to provide some services to us. Data processors are third parties who provide a service for us, such as our email provider.

We have contracts in place with all our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. You can see further information on the data processors we use in the section on processing purposes below.

Some of our data processors store information outside the EU but where they do we have policies and contracts in place to ensure they are fully compliant with the GDPR’s strict rules on when data can be transferred outside the EU.

In some circumstances we may be legally obliged to share your information. For example under a court order or where we are required to cooperate with a law enforcement agency such as the police. In any situation like this, we will always make sure that we have a lawful basis on which to share the information and document our decision making.

Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Changes to this privacy notice

This policy is effective from 25 May 2018.

We may, from time to time, make changes to this Privacy Policy to reflect any changes to our privacy practices in accordance with changes to legislation, best practice or Site enhancements.

We will let you know what these changes are by posting them to this page. Changes posted on this page will become effective as soon as they are posted.

Where the changes are significant, we may also choose to email you with the new details and get your consent to make these changes where required by law.

It is your responsibility as a user to make sure that you are aware of changes posted on this page by checking for any changes on a regular basis.

Children’s information

We recognise that children may have an interest in dementia and may wish to contact us to find out about our work as a charity or about the use of music to care for someone with dementia.

If you are aged 16 or under we will answer your questions and try to help you in the same way we would for anyone else. If you ask us for a particular service, or want to fundraise for us, we may have to ask you to gain the consent of a parent or guardian before we can help you. In some circumstances, we may have to speak to your parent or guardian ourselves before we can do what you ask. This is because the law makes it clear that we have to take particular care when working with people aged 16 or under to make sure their information is used appropriately.

If we do collect and store your information we will always store it securely and, just as with people over 16, we will only share it with our data processors in accordance with the provisions below.

In all circumstances, we will not knowingly send marketing communications to people aged 13 years or under.

Our processing purposes

This section explains the various tasks we undertake as a charity and how we process your information to do those tasks.

1. Make a general enquiry

Purpose and legal basis for processing

When you contact us to make a general enquiry about us or our work, or to request information from us, we collect information, including your personal data, so that we can respond to it in the most appropriate way.

The legal basis we rely on to process the personal data you give us in this case is Article 6(1)(f) of the GDPR which allows us to process your personal data where it is in our legitimate interests to do so. We always balance our legitimate interests with your interests as the owner of your own information.  

What we need and why we need it

We need enough information from you to answer your enquiry.

This will usually include your contact details. If you contact us by post, email or through our website, we will need some contact details from you in order to respond to you. If you telephone us, our telephone system will tell us the number you are calling from if that number is available to the system, but we will not record that number. If you telephone us and we cannot respond immediately to your enquiry we may need to record some contact details in order to respond to you later. You can choose which contact details to give us and which to ask us to use.

We may also, if appropriate, record the name of the organisation you represent.

We will record the details of your enquiry in order for us to answer appropriately.

What we do with your information

Unless your enquiry is extremely simple or trivial (such as, for example, a phone call asking us for our address), we will keep a record of your enquiry and your contact details so we can respond to it appropriately and effectively. We may keep a record of our response to you.

Depending on the complexity of your enquiry we may open a case file in which to record the details of your enquiry in one place.

We will keep the information you provide so that, if you contact us again, we have a record of your enquiry and our response.

We may also use it to analyse our own work and how well we carry out our tasks.

How long we keep it

We will keep your information for three years after our last contact with you.

What are your rights

You have the rights of access, rectification, erasure, restriction, objection. 

Our data processors

We use Office 365, provided by Microsoft to provide our email system and some cloud storage services (such as storing letters we send). 

We use Salesforce as our Constituent Management Database. This is where we store your contact details and any case files we have opened on your enquiry.

We use RaisingIT as our website supplier. If you contact us via our website RaisingIT will store the information you supply via the forms on our website.

2. Request a free service from us

 We provide a range of services to help us fulfil our charitable purposes. Services such as:

  • specific advice on how to help someone with dementia
  • direct help to create a playlist for someone with dementia
  • the provision of volunteer speakers who provide talks about our work and the therapeutic power of music in dementia care

Purpose and legal basis for processing

If you request a service from us we need enough information from you to enable us to provide the service you have requested.  

The legal basis we rely on to process the personal data you give us in this case is Article 6(1)(f) of the GDPR which allows us to process your personal data where it is in our legitimate interests to do so. We always balance our legitimate interests with your interests as the owner of your own information.

If the information you provide us with in relation to your enquiry contains special category data, such as health, religious, political information, or information related to race or ethnic background, then the legal basis we rely on to process it is Article 9(2)(g) of the GDPR which allow us to process special category information where there is a substantial public interest to do so.

The UK Parliament, in the Data Protection Act 2018 has defined the specific instances where this legal basis can be used in the UK. We rely on the ‘Counselling etc’ provision in Schedule 1, part 2(17) of that Act to allow us to process special category data in this instance. That provision allows us to process the data of a third party where we are unable to get the consent of that third party directly to process their own data. We rely on this if you ask us for advice or support in relation to someone with dementia that you care for.

What we need and why we need it

We need enough information from you to answer your enquiry. This will include some way of contacting you, such as an email address, your home or business address, or a telephone number.

To provide support for someone with dementia we will often need some information about the circumstances and life history of that person such as their age, where they grew up, and other biographical information relating to their life. It may also be helpful to know how advanced someone’s dementia is. All this information will allow us to provide the most appropriate advice in terms of music that may be beneficial to them or ways to find, store, or listen to music.

We will never ask for more information than we need to provide the advice or service you have requested.

What we do with it

We will keep a record of your request and will keep the information you provide so that, if you contact us again, we have a record of your enquiry and our response.

Depending on the nature of your enquiry we may open a case file in which to record the details of your enquiry in one place. We will always do that when providing specific support for somone with dementia. When you have provided us with any special category data or biographical data about yourself or someone you care for we will always take particular care with that by storing it securely and having strict access controls in place to ensure only people who are dealing with your case can access the information. 

We may also use your information to analyse our own work and how well we carry out our tasks.

How long we keep it

We will keep the information your provide for three years after our last contact with you. After that point we will delete your information unless you request us not to or there is some legal obligation preventing us from deleting it.

What are your rights

You have the rights of access, rectification, erasure, restriction, objection.

Our data processors

We use Office 365, provided by Microsoft, to provide our email system and some cloud storage services (such as storing letters we send).

We use Salesforce as our Constituent Management Database. This is where we store your contact details and any case files we have opened on your enquiry.

We use RaisingIT as our website supplier. If you contact us via our website RaisingIT will store the information you supply via the forms on our website.

3. Paid-for goods or services

We provide a range of paid-for goods and services to help us fulfill our charitable purposes. Those include:  

  • Paid-for training for individuals and organisations
  • Paid-for events such as concerts
  • Goods such as books and materials we sell through our online shop and face-to-face at events

Purpose and legal basis for processing

If you wish to purchase goods or services from us we need enough information from you to enable us to fulfill your order. 

The legal basis we rely on to process the personal data you give us in this case is Article 6(1)(b) of the GDPR which allows us to process your personal data where there is a contract in place between us that allows us to do so.

When we collect any information about your access or dietary requirements we also need your consent as this type of information is classed as special category data. In that case we rely on Article 9(2)(a) of the GDPR.

What we need and why we need it

Depending on what you are purchasing from us and how you choose to pay we will need some or all of the following information: your name, your contact details, your billing address, your delivery address, the organisation you represent.

Unless you are paying by cash we will also need payment information from you such as your bank details or debit / credit card details.

If you are an individual purchasing training from us or attending an event we may need further details from you including your occupation, any previous training, qualifications or experience relevant to the training and any access or dietary requirements you may have.

If you are purchasing training from us on behalf of an organisation we may need further details from you including the names of people who will be attending the training on behalf of your organisation. It is your responsibility to ensure that you have the right to pass on the names of attendees to us.

What we do with it

We use the information you give us in order to provide you with the goods or services you have purchased.

When you purchase goods or services from us we keep a record of the transaction for accounting purposes and so that we can respond to any complaints, queries, or requests for refunds you may have about the transaction or the goods or services you purchased.

Where you have purchased training from us as an individual we store your details to record that you have been trained by us. We do not provide this information to anyone unless you request us to do so.

Where you have purchased training from us on behalf of an organisation we store details of your organisation to record that staff in your organisation have been trained by us. We may make the fact your organisation has been trained by us public on, for example, our accreditation register. We do this so that people searching for information on services your organisation provides know that you have been trained by us. We will not share or make public any personal information relating to the training unless we have your specific consent to do so, for example to share photographs of the training as a news story on our website.

We also use the information you have provided to help us analyse and improve our goods, services and the means by which we provide them. 

How long we keep it

We will keep the information your provide and other information relating to the contract for six years after our the contract. After that point we will delete your information unless there is some legal obligation preventing us from deleting it.

What are your rights

You have the rights of access, rectification, and portability to all data collected under contract.

Where we have used consent to collect information relating to access or dietary requirements you have the right to withdraw that consent at any time as well as rights of access, rectification, erasure, restriction, objection and portability.

Our data processors

We use Office 365, provided by Microsoft, to provide our email system and some cloud storage services (such as storing letters we send).

We use Salesforce as our Constituent Management Database. This is where we store your contact details and any case files we have opened on your purchase.

We use Stripe as our credit / debit card processors. If you pay for goods or services with a credit or debit card Stripe will store some of your personal information in order to process the transaction.

We use Xero as our bookkeeping system. Depending on how you pay for your transaction, limited information about your transaction may be passed to Xero.

We use Thomson Cooper as our accountants. Depending on how you pay for your transaction, limited information about your transaction may be passed to Thomson Cooper.

We use the Clydesdale Bank as our bank. Depending on how you pay for your transaction, limited information about your transaction may be passed to the Clydesdale Bank.

We use RaisingIT as our website supplier. If you purchase goods or services via our website RaisingIT will store the information you supply via the forms on our website.

4. Administering donations

As a charity we rely on donations to provide the funds for us to operate and carry out our charitable mission.

Purpose and legal basis for processing

If you choose to donate to us (thank you if you do!) we will collect the information needed to process and administer your donation.

The legal basis we rely on to process the personal data you give us in this case is Article 6(1)(f) of the GDPR which allows us to process your personal data where it is in our legitimate interests to do so. We always balance our legitimate interests with your interests as the owner of your own information.

When people donate they sometimes tell us why they are donating. As we are a dementia charity that is often because someone they know lives with dementia. We never require you to tell us why you are donating but if you choose to do so, you must only tell us about someone else’s dementia status if you have their specific consent to do so. Please note that if you are donating via our website to someone’s fundraising page any reason that you give will be automatically published on our website and anyone in the world will be able to see it. Where we publish such information we do so on the basis of consent, i.e. Articles 6(1)(a) and 9(2)(a) of the GDPR.

What we need and why we need it

Depending on how you choose to donate we will need the following information from you: your name and your contact details, and the organisation you represent if you are donating on behalf of an organisation. We collect these details so we can thank you for your donation and contact you if there is any problem with the process of donation that we think you need to know about.

Unless you are paying by cash we will also need payment information from you such as your bank details or debit / credit card details. We collect this information so we can process your donation.

If you choose to apply Gift Aid to your donation we will collect your home address and UK tax status from you in order to administer your Gift Aid.

What we do with it

We use the information you give us in order to administer your donation, thank you for it, and contact you in case of any problems with processing your donation.

When you donate to us we keep a record of the transaction for accounting purposes and so that we can respond to any complaints, queries, or requests for refunds if you have made the donation in error.

We also use the information you have provided to help us analyse and improve our goods, services and the means by which we provide them.

How long we keep it

We will keep the information your provide and other information relating to your donation for six years after the donation occurred. After that point we will delete your information unless there is some legal obligation preventing us from deleting it.

What are your rights

You have the rights of access, rectification, erasure, restriction, objection.

Our data processors

We use Office 365, provided by Microsoft, to provide our email system and some cloud storage services (such as storing letters we send). 

We use Salesforce as our Constituent Management Database. This is where we store your contact details and any case files we have opened regarding your donation.

We use Stripe as our credit / debit card processors. If you donate using a credit or debit card Stripe will store some of your personal information in order to process the transaction.

We use GoCardless as our credit / debit card processors for regular payments. If you set up a regular donation on our website using a credit or debit card GoCardless will store some of your personal information in order to process the transaction.

We use Xero as our bookkeeping system. Depending on how you choose to donate, limited information about your transaction may be passed to Xero.

We use Thomson Cooper as our accountants. Depending on how you choose to donate, limited information about your transaction may be passed to Thomson Cooper.

We use the Clydesdale Bank as our bank. Depending on how you choose to donate, limited information about your transaction may be passed to the Clydesdale Bank.

We use RaisingIT as our website supplier. If you purchase goods or services via our website RaisingIT will store the information you supply via the forms on our website.

If you choose to apply Gift Aid to your donation we will pass your information to Her Majesty’s Revenue and Customs (HMRC).

5. Marketing

As a charity, we like to keep people informed about our work, the latest news about music and dementia, our events and other opportunities to get involved, and our fundraising activities that they may wish to help with.

Purpose and legal basis for processing

If you choose to we will add your name and contact details to our marketing list so we can send you information such as that listed above. We will only ever send you such information when we have your consent to do so and we will send you that information only via the channels (e.g. by email, post, or telephone) that you have told us we can use.

The legal basis we rely on to process the personal data you give us in this case is Article 6(1)(a) of the GDPR which allows us to process your personal data where we have your consent to do so.

What we need and why we need it

To provide you with the information you have requested we need your name and some means of contacting you such as your email address, phone number or postal address. We also need to record your consent to receiving this information and your consent to the channels by which we can contact you.

What we do with it

We store the details you have given us on our marketing list and use it to provide you with the information you have requested. We may also use your information to understand whether you have responded to anything contained in the information we send you. This helps us to improve our communications.

How long we keep it

We will keep your details on our marketing list for two years or until you as us to remove them. After two years we will contact you to ask if you still wish to remain on our marketing list and remind you of your rights to be removed.

What are your rights

We rely on your consent to process the personal data you give us to provide this service. This means you have the right to withdraw your consent at any time. If you do that, we will update our records immediately to reflect your wishes. You also have the rights of access, rectification, erasure, restriction, objection and portability.

Our data processors

We use Office 365, provided by Microsoft, to provide our email system and some cloud storage services (such as storing letters we send).

We use Salesforce as our Constituent Management Database. This is where we store your contact details in our marketing list and your consent record.

We use RaisingIT as our website supplier. If you have consented to receiving our information via our website RaisingIT will store the information your contact details and consent record.

We use MailChimp to send some of our marketing communications.

 

6. Business contacts

Purpose and legal basis for processing

We store the names and contact details of individuals acting in their capacity as representatives of their organisations.

Our legal basis for processing this information is Article 6(1)(c) of the GDPR where there is a legal obligation or Article 6(1)(f) because the processing is within our legitimate interests as a charity.

What we need and why we need it

We store names and contact details of individuals in organisations with whom we have a business relationship so that we can effectively administer that relationship.

What we do with it

We store this information in our email system and our CRM. We use it to contact the individuals concerned in their business capacity so that we can run our charity.

How long we keep it

We keep this information for six years after our business relationship with the organisation the individual represents has ended.

What are your rights

You have the rights of access, rectification, and portability to all data collected under contract.

Do we use any data processors

We use Office 365, provided by Microsoft to provide our email system and some cloud storage services (such as storing letters we send).

We use Salesforce as our Constituent Management Database. This is where we store your contact details and any case files we have opened on your enquiry.

7. Employees and Job Applicants

We collect and process personal information on people who apply for a job or volunteering role with us. Information on how we process your information in these circumstances is available separately and will always be provided in any job or volunteering role we advertise so it is available before you apply.

8. Administering our website

When you use our website and choose to give us information, your information will be processed according to the provisions of one of the reasons above, such as the section on making a general enquiry. This section of the policy deals with the information we gather to effectively administer our website.

Purpose and legal basis for processing

When you visit our website, www.playlistforlife.org.uk, we gather some information about you and your use of our website.

The legal basis we rely on to process the personal data you give us in this case is Article 6(1)(f) of the GDPR which allows us to process your personal data where it is in our legitimate interests to do so. We always balance our legitimate interests with your interests as the owner of your own information.

Analytics

We use a third-party service, Google Analytics, to collect standard internet log information such as traffic and details of visitor behavior patterns. We do this to find out such things as the number of visitors to various parts of the site so that we can understand such things as which information is most relevant to people and whether the way we are presenting information is effective.

This information is only processed in a way that does not identify you. We do not make, and do not allow Google to make, any attempt to find out the identity of you or anyone else visiting our website.

Your data may also be available to our website provider, Raising IT, to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behaviour of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the follow will apply:

  1. Your data will be made available to our website provider
  2. The data that may be available to them include any of the data we collect as described in the sections above.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect any of the rights you have under GDPR.

Where we do collect information from you through our website for one of the other reasons specified in the sections above, or for any other reason, we will be upfront about that. We will make it clear when we are collecting your information and what we intend to do with it.

Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The table below explains the cookies we use and why.

 

Cookie Name

Used by

Description

Expiration

__utma

Google Analytics

Stores the amount of visits of a user, the time of their first visit, the previous visit, and the current visit. It does not contain any personal information and is used only for analytical purposes.

2 years from set/update

__utmz

Google Analytics

This performance cookie stores where a user came from (eg. search engine, search keyword, link).

6 months from set/update

_ga and _gid

Google Analytics

Used to distinguish between website users in Google Analytics.

2 years and 2 hours

_gat_UA-92778477-1

Google Analytics

Used to moderate calls to the Google Analytics service.

1 minute

__unam

ShareThis

Set as part of the ShareThis service and monitors "click-stream" activity, e.g. web pages viewed, navigation from page to page, time spent on each page etc. The ShareThis service only identifies a user if they have separately signed up with ShareThis for a ShareThis account and given them consent. Checks how long you stay on a site: when a visit starts, and ends. It does not contain any personal information and is used only for analytical purposes.

14 months

cc_cookie_accept

Website

Stores whether the user has accepted the cookie message or not.

365 days

ASP.NET_SessionId

Website

Used for authenticating a user's session after logging in. Closes when you exit the browser.

End of session

ARRAffinity

Website

Tells our infrastructure which server to handle the request.

End of session

MemberLoggedIn

Website

A binary flag which stores whether a user is logged in or not.

End of session

ai_session and ai_user

Website

Tracks users as they navigate the website predominately for infrastructure performance insights.

1 day

DisplayName

Website

Keeps track of a donors preference to show their name during a Direct Debit.

End of session

 

Controlling cookies

Most web browsers allow you to control the cookies that you come across while browsing the web, including allowing you to refuse to accept cookies and to delete cookies. For detailed information on what cookies are and how they are used see here: www.allaboutcookies.org

 The following links will show you how to manage cookies on popular browsers:

To find information relating to other browsers, visit the browser developer's website.

To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout

Your rights

As we are processing your personal data for our legitimate interests, you have the right to object to our processing of your personal data. There may be legitimate reasons why we may refuse your objection.