Principles of the GDPR Act 2016
In order to operate effectively and fulfil its legal obligations, the DSA needs to collect, maintain and use certain personal data about current, past and prospective members, suppliers and other individuals that contact the DSA, or with whom it has dealings (each, a “data subject” and together, “data subjects”). The DSA is dedicated to obtaining, handling, processing, transporting and storing all such personal data, whether held on computer, or paper, lawfully and correctly, in accordance with the safeguards contained in the UK GDPR Act 2016 (the “GDPR”).
The DSA has a responsibility to protect such personal data, especially sensitive personal data that it collects from data subjects.
The DSA is committed to the 8 principles of data protection as detailed in the UK GDPR Act 2016. These principles require that personal data must:
- be fairly and lawfully processed and not processed unless specific conditions are met;
- be obtained for one or more specified, lawful purposes and not processed in any manner incompatible with those purposes;
- be adequate, relevant and not excessive for those purposes;
- be accurate and, where necessary, kept up to date;
- not be kept for longer than is necessary;
- be processed in accordance with the data subject’s rights under the DPA;
- be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage;
- not be transferred to countries outside the European Economic Area (EEA) unless the country or territory ensures adequate protection for the rights and freedoms of the data subjects.
What the DSA collects:
The DSA collects personal data that data subjects (you) provide to the DSA, which is information that can be used (or reasonably be used) to identify someone as an individual. The DSA will only do this when you (as the data subject) have agreed to the DSA’s request for that personal data. This personal data may include your:
- Telephone number;
How the DSA will use a data subject’s personal data.
By providing personal data, you (as a data subject) agree that, where it is permitted by applicable law or where you have agreed to receive these communications from the DSA, the DSA may use your personal data to:
- Respond to your requests;
- Improve services for people with Down’s syndrome;
- Improve the content of our communications;
- Provide you with tips, helpful information, news and updates;
- Notify you of new services;
- Seek your views on new products and services;
- Consider your application for employment;
- Assist with the DSA’s own administrative and quality assurance purposes;
- Maintain a relationship, by keeping in touch with our supporters and members; or
- For other purposes that may be detailed on the DSA website or a mobile application.
The DSA will act as a data controller of such personal data.
The DSA will only collect personal data to serve a specific business, commercial, or legal purpose and only gather the minimum amount needed. The DSA will use only fair and lawful means to obtain the personal data.
The DSA will be transparent in dealings with data subjects whose personal data the DSA holds.
The DSA will obtain a data subject’s informed consent to process his or her personal data in cases where it is necessary and appropriate to do so in compliance with applicable laws.
The DSA will not use personal data collected for one purpose for a different purpose without getting the data subject’s consent, unless applicable laws allow or require it.
The DSA will correct any personal data where it is notified that such personal data is incorrect.
Only authorised paid employees, trustees and volunteers of the DSA and third party suppliers can carry out processing of personal data, which must be consistent with their individual roles and responsibilities.
Personal data will be held in accordance with the safeguards in the DSA Security Guidelines.
How the DSA protects your personal data
The DSA will take appropriate legal, organisational, and technical measures to protect personal data consistent with applicable privacy and data security laws.
When the DSA uses a third-party service provider, that provider will be carefully selected and required to use appropriate measures to protect the confidentiality and security of personal data.
When we collect your personal information we use strict procedures and security features to prevent unauthorised access. Unfortunately, no data transmission over the Internet is 100 per cent secure. As a result, while we try to protect your personal information, the DSA cannot guarantee the security of any information you transmit to us and you do so at your own risk.
Sharing personal data with third parties
The DSA may share the personal data of a data subject in compliance with applicable law.
In certain special cases where permitted by applicable law, the DSA may disclose your personal data:
- when the DSA has reason to believe that disclosure of this information is necessary to identify, contact or bring legal action against someone who may be causing injury to you or otherwise injuring or interfering with the DSA’s rights, property or operations, other users of this website or any mobile application or anyone else who could be harmed by such activities;
- when the DSA believes that applicable law requires it, or in response to any demand by law enforcement authorities in connection with a criminal investigation, or civil or administrative authorities in connection with a pending civil case or administrative investigation;
Personal data collected may be transferred to, stored and processed in your country of residence or any other country in which the DSA, subcontractors or agents maintain facilities, including the United States and countries outside the European Economic Area (EEA).
The DSA will ensure that if your personal data is transferred outside your country of residence, it will still be treated in accordance with this DSA Policy.
Unless otherwise specified on the website, the DSA will not sell or license your personal data to other third parties.
Sometimes the DSA uses selected third parties to provide support services in the normal course of business. These parties may, from time to time, have access to your personal data to enable them to provide those services to the DSA. The DSA requires all third parties providing such support services to meet the same standards of data protection as the DSA’s own. Any third party will be prohibited from using your personal data for that third party’s own purposes. In particular, the DSA will not allow service providers to use your personal data for the marketing activities of that service provider.
Information from Outside Sources
Where permitted by applicable law, the DSA may also collect legally obtained information from third parties to add to its existing user databases. Some of this information may be personal data of data subjects. The DSA may do this to better target information offerings and promotional campaigns in which the DSA believes you would be interested. Such personal data will only be collected and used by the DSA in accordance with the basis on which it was originally provided by the data subject, or as otherwise permitted by applicable law.
Website and mobile application usage information
The DSA also automatically collects information about your computer browser type and operating system, websites you visited before and after visiting our websites, standard server log information, Internet Protocol (IP) addresses, GPS location data, mobile phone service provider, and mobile phone operating system. The DSA aggregates this information to understand how visitors to the DSA websites use the websites so that the DSA can improve these and the services that the DSA offers.
GPS location data does not typically identify individual users. This information includes:
- the total number of visits to the DSA websites and mobile applications;
- the number of visitors to each page of the DSA websites and mobile applications; and
- the domain names of website visitors’ internet service providers.
The DSA uses Google Analytics as the main form of website statistics tracking. Any visitors to the DSA websites who don’t want their data used by Google Analytics can install the Google Analytics opt-out browser add-on.
The DSA website and mobile applications may use technology called “cookies.” A cookie is a small text file that is placed on your hard disk by a server. Cookies allow the DSA website and mobile applications to respond to you, the data subject, as an individual. The website or mobile application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
For instance, the DSA server may set a cookie that keeps you from having to enter a password more than once during a visit to a website.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies or receive a warning before a cookie is stored if you prefer. Please refer to your Internet browser’s instructions or help screen to learn more about these functions and to specify your cookie preferences.
If you choose to decline cookies, you may not be able to fully experience the interactive features of our websites or any other websites that you visit.
Links to other websites
The DSA’s website (and mobile applications, if any) may from time to time provide links to or embed third party websites. This DSA Policy does not apply to those third party websites. If you choose to enter such a linked site, you agree that the DSA is not responsible for the availability of such websites and the DSA does not review or endorse and shall not be liable, directly or indirectly, for:
- how these third party websites treat your personal data;
- the content of such third party websites; or
- the use that others make of these third party websites.
Please ensure you check the data protection policy posted on a third party website or mobile application you access before entering any personal data.
Use of IP addresses
An IP address is a set of numbers that is automatically assigned to your computer whenever you log on to your Internet service provider or through your organisation’s local area network (LAN) or wide area network (WAN). Web servers automatically identify your computer by the IP address assigned to it during your session online.
Access to information – Subject Access Request
The DSA will retain your information only for the period necessary to fulfil the purposes outlined in this DSA Policy unless a longer retention period is required or permitted by applicable law. Anyone who is the subject of personal data held by the DSA has the right to make a subject access request to request the updating, correcting or removal of personal data that has been provided to us, at any time, using the contact information provided at the end of this DSA Policy. Applicable laws may also give you the right to access information that you have provided to the DSA.
The DSA reserves the right to charge £10 for responding to such requests. If, as the result of a subject access request, any personal data is found to be incorrect it will be amended. The DSA will deal promptly with subject access requests and will normally respond within 40 days. If there is a reason for delay, the person making the request will be informed accordingly.
The DSA will update this DSA Policy to take account of changes in working practice or applicable law. If the changes that the DSA makes are material, the DSA also may post a notice regarding the changes on its websites or mobile applications. The DSA encourages you to periodically review this DSA Policy to stay informed about how the DSA is helping to protect the personal data that the DSA collects. Your action in continuing to use DSA websites and mobile applications constitutes your agreement to this DSA Policy and any updates. Subsequent changes in this DSA Policy will not apply to personal data that were collected before the change is made. The DSA reserves all of its legal rights.
Contact the DSA
References to “the DSA,” “we,” “us” and “our” are references to the Down’s Syndrome Association. Please address any questions, comments and requests regarding this DSA Policy to the DSA using the contact information below. If you contact the DSA, please provide information as to how the DSA may contact you.
To contact the DSA in the United Kingdom, call 0333 1212 300 or email info@downssyndrome.org.uk