WEBSITE Privacy Policy

Introduction 

Edinburgh Food Project (also referred to as ‘EFP’, ‘the charity’, ‘we’, ‘our’ or ‘us’) is the Controller over any personal data we process about you for the purposes set out in this Privacy Notice (see below).  This notice outlines what personal data the charity collects and processes about you in various situations, which we have explained below.  This notice does not cover personal data we process about our staff or volunteers. The categories of data subjects whose personal data is covered by this privacy notice include; service users, donors, supporters, third party referrers, individuals who make enquiries via our website or over the phone, post or email. 

This website is not intended for children and we do not knowingly collect data relating to children from our website. However, we may collect information relating to children from you when we ask about dependents during the course of delivering some support services. Please see the below table for further details.   

Please read through the privacy notice to understand how the charity uses and processes your personal data obtained. If you have any concerns about our processing of your personal data or you have a general enquiry in relation to data protection, please contact our Data Protection Officer: [email protected]. 

What is personal data? 

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Special Category of Data: means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.  

When we use the term ‘personal data’ we mean both personal data and special category of data. 

Our Processing  

Personal Data is collected in several different ways dependent on your interaction with the charityThe table below sets out what personal data we process about you, where we get it from, why we use it, our legal basis and who we share it with Otherwise we will only share your personal data: 

  1. where we are required to share your personal data in accordance with law e.g. such as to assist with investigations carried out by the police, other authorities or any regulatory requirement to which the charity is subject; 
  2. where we use third parties to undertake certain services on our behalf and in doing so they require to process personal data in order to do this.  If so, we will ensure that adequate arrangements are in place to protect your personal data.  These third parties include: our franchisor the Trussell Trust, Advicepro, Xero, Sharepoint, GiftAid,  our professional advisors, our DPO, our third party suppliers such as our IT suppliers, CRM suppliers, marketing platforms (including parties used for sending email marketing communications), payroll provider, donation suppliers, payment bureau provider, fundraising management sites, social media platform providers, our corporate partners;
  3. where we have your consent. 

 When we process special category personal data, in addition to the above legal bases, the additional bases for processing that we rely on are:   

  1. in limited circumstances, with your explicit written consent; 
  2. where it is necessary to protect you or another person from harm and you are not capable of giving consent where it is necessary to protect you or another person from harm and you are not capable of giving consent 
  3. less commonly, we may process this type of information where it is needed in relation to legal claims, or where you have already made the information public. 

How we use the Personal Data 

Purpose 

Personal Data 

Where do we get it from? 

Legal Basis 

Will we share it other than as set out above? 

To provide you with access to our food bank, provide you with food parcels and to handle queries and complaints. 

 

Information that is on your foodbank voucher(s) such as your name, date of birth, address, contact details, family composition, age brackets, and why you are using our food bank, dietary requirement.  Any other information you choose to give to us to engage with our services. 

From you – this can be taken over the phone and from your food voucher.  

 

From other agencies or foodbanks.  

 

Information on the database we use provided by our Franchisor.  

 

We collect this information as it is necessary for both our and your legitimate interest to deliver or receive our services.  If we collect any special category data e.g. we will ask for your consent.  

Yes – We operate as a franchisee of the Trussell Trust network of foodbanks and as such other foodbanks may see personal data, we hold about you if you visit there too; Trussell Trust may see your personal data; your referral agent; or other third parties (such as social care providers or other food banks) if absolutely necessary.   

To respond to enquiries (online and otherwise) or indications of wishes to support the charity. 

Name, Email address, any information you provide to us. 

When you submit an enquiry on our website, use our online forms, email, text, telephone, post or when we meet you face to face.  We may also receive personal data from independent event organisers e.g fundraising sites (e.g. Just Giving) where you have given them this information and indicated you would like to support our charity. 

Legitimate Interest – it is in our legitimate interest to respond to enquiries, requests and information within feedback forms so that we can engage with individuals to the benefit of the charity. 

 

No.  

To provide our Money Advice Service including dealing with your enquiry, and external inbound and outbound referrals, providing signposting advice, debt advice, benefit advice, budgeting advice and support.   

Name, address, contact details, DOB, marital status, dependents, partner info, nationality, race, religion, immigration status – if relevant;   

household details – composition, tenure, no of bedrooms, landlord issues, economic status and financial information, employment information, credit history, income band, language, interpreter required. Third party authority and contact details, health information where relevant to financial matters e.g. benefits,  information re prior legal claims. 

From you. From other organisations that you have given your consent for us to receive information. Other external referees, such as mental health workers seeking advice for their clients.  We may also receive information from your creditors, debt collection agencies, credit reference agencies, Accountant in Bankruptcy, your representative e.g. trustee or POA, your GP, social worker or other healthcare professional, Department of Work and Pensions, Social Security Scotland, HMRC, HM Courts and Tribunals Service.     

Consent and explicit consent.  

 

AdvicePro, AdviceUK, external support agencies for example mental health organisations, veterans organisations, energy companies, etc., the FCA, creditors, debt collection agencies, credit reference agencies, Accountant in Bankruptcy, your representative e.g. trustee or POA, your GP, social worker or other healthcare professional, Department of Work and Pensions, Social Security Scotland, HMRC, HM Courts and Tribunals Service, our Auditors.     

To enable EFP to provide you with our direct marketing communications by email or text. 

Name, email and telephone number 

From you.  

Consent 

No. 

To enable EFP to provide you with our direct marketing communications by telephone or post. 

Name, telephone and address. 

From you.  

Legitimate interest, which is to promote our charitable objectives and to increase fundraising. 

No. 

To enable third party partners to provide you with direct marketing about EFP in electronic communication form such as targeted online (including on social media platforms). 

Name, address, email address. 

From you.  

Consent 

Third party marketing and media (including social media) platforms (such third parties may use third parties to verify your identity). 

To inform our marketing strategy by analysing and profiling our marketing database and to identify others that may be interested in hearing from us (called Lookalike audiences).  This helps us to understand our donors better. 

Name, address, email address, donation. 

From you.  

Our Legitimate Interest to inform and maximise our marketing strategy with a view to further supporting the charity. 

Third parties providing data analytic services. 

To market our services, ideals or aims with a view to converting inquiries, send you our newsletters and similar updates, and marketing activity into donations for our charity. 

Name, email address, telephone, address.  

From you. 

Our legal basis is that it is in our legitimate interest to market our services, ideals or aims.  We may also rely on consent for certain marketing activity and where this is the case, we will obtain this from you separately. 

No.  

To manage our stock donations from donors 

Name, contact details, donation information, job title (if a corporate donor) 

From you.  

Our legitimate interests keeping data accurate and relevant. 

Trussell Trust Database /Sharepoint.  

Managing our donor database and keeping our donors database up to date. 

Name, address, email  address, telephone. 

You and/or third party publicly available resources such as the Royal Mail’s National Change of Address database. 

Our legitimate interests of keeping our database up to date, accurate and relevant. 

Third party data cleaning service providers. 

Administer a donation, including processing donations via online, cheque, text, or while shopping, and gift aid.  Please see our Donor Privacy Notice for further information. 

 

Name, postal address, email address, telephone number, bank details, the fact you are a UK tax payer, the reason for your donation and whether it is in memory of another person. 

From you, Amazon, Justgiving and EasyFundraising. 

Our legitimate Interest to keep data accurate and relevant and to process donations for benefit of the Charity. 

 

Legal obligation to process direct debit under direct debit agreement. 

HMRC for purposes of Gift Aid. 

 

Payment bureau provider administering the payment, including Amazon, Easy Fundraising, Common Good.  

 

Sharepoint and Xero 

Managing relationships with our corporate partners. 

Name and contact details of our point of contact at the corporate partner. 

From you.  

Our legitimate interest of managing our relationship with our corporate partners. 

No. 

Managing relationships with our Information partners. 

Name and contact details of our point of contact at the Information Partners we work with. 

From you or the Information Partner organisation.  

Our legitimate interest of managing our relationship with our partners. 

No. 

Managing relationships with our Corporate Partners. 

Name and contact details of our point of contact at the Corporate Partners we work with. 

From you or the Corporate Partner organisation. 

Our legitimate interest of managing our relationship with our partners. 

No 

To set cookies on our website. 

Data about your use of our website. 

From you.  

For essential cookies it is in our legitimate interest to use these to operate the website.   

For other cookies, we rely on your consent. Please our cookie policy for more information  

Google Analytics and tag manager.  

To record who visits our premises. 

Name, contact details, date and time of visit, vehicle registration number. 

From you.  

Our legitimate interest of documenting visitors to our site for security and fire safety purposes. 

 

 

No. 

To publish case studies and testimonials 

 

Name/picture/details you wish to share.  

From you.  

Consent.  

Social media platforms 

Website 

Funders 

newsletters 

Where we think you are in danger and need our help or help of another party 

Any personal data you supply to us or we collect about you as set out above or in other privacy notices. 

From you and other external parties depending on scenario. 

Legitimate Interest and where it involves special category data, where it is necessary to protect the vital interests of you or another person and you are incapable of providing consent.  

Police, Paramedics, Medical professionals or other emergency services 

To pursue or defend legal claims 

Any personal data you supply to us or we collect about you as set out above or in other privacy notices.  

From you and other external parties depending on scenario.  

Legitimate Interest and where it involves special category data, where it is necessary for the establishment, exercise or defence of legal claims.  

Legal Advisors, Courts or other relevant parties to any legal claim. 

Audit purpose 

Any personal data held in your files. 

From you and other external parties depending on scenario. 

Performance of a Legal Obligation and where it involves special category information, substantial public interest to ensure appropriate checks are being made that our charity is running appropriately. 

Auditors.  

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

 

Will we share your Personal Data outside of the UK? 

Some of our service providers process personal data we give them outside of the UK. For example on of the databases we use to manage our data uses Amazon Web Services in the EEAThe UK has deemed the EEA has providing adequate security for your personal dataWhere we share your personal data to recipient country that is not deemed adequate by the UK Government, then we will put in place additional measures to protect your personal data, such as contracts approved for use by the Information Commissioner’s Office, and any necessary supplementary measures. An example of this is that our CRM may hold some information in the US and we shall ensure that appropriate transfer mechanism is in place such as the Standard Contractual Clauses. 

 

How can I stop EFP using my personal data for marketing purposes if I no longer wish to receive communications from EFP? 

If you no longer wish to receive marketing communication from us you can unsubscribe within each marketing communication or contact our DPO (details above). 

How long will we retain my personal data? 

EFP shall keep your personal data for as long as is necessary and in accordance with our Retention PolicyIn short, we retain food bank records 6 years from voucher date and drop in session records 6 years from last contact with you; and Housing and welfare rights referrals information after which we will archive your record 6 years from last contact with you; volunteer records 18 months after last volunteering activity; donor payment records for 6 years following last contact with donor; MAS keeps records for 6 years following closure of case. 

Your rights 

You have certain rights under data protection law, which are summarised below.  You can exercise these by contacting our DPO [email protected]: 

  • you can withdraw your consent (including for marketing) at any time, at which point we shall stop processing your personal data in that way.  Please note this does not affect the legality of our processing up to the date of your withdrawal of consent. 
  • you can seek to restrict our processing of your personal data, ask us to rectify any personal data we hold about you and to ask us to complete information you think is incomplete, and to object to us processing your personal data for the purposes stated above.   
  • you have the right to access a copy of the personal data held by us about you. There are some exemptions, which means you may not always receive all the information we process. 
  • in certain circumstances you have the right to ask us to provide you with your personal data in a structured, commonly used and machine-readable format to allow you (or us on your behalf) to transmit this information to another party.   
  • in certain circumstances you have the right to ask us to erase the personal data we hold about you.  We will consider any such request in line with UK GDPR.  Please note this is not an absolute right and there may be circumstances where we choose not to delete all of the personal data we hold about you.   

You have the right to lodge a complaint with the Information Commissioners Office (ICO) if you think that we have infringed your rights. You can find more information about reporting a matter to the ICO at the following link: https://ico.org.uk/ 

Website 

The EFP website edinburghfoodproject.org may contain links to other websites.  Please note that EFP has no control of websites outside our domain. The charity is not responsible for the protection and privacy of any sensitive information provided to a website linked to edinburghfoodproject.org.  

Changes 

We reserve the right to amend this privacy notice from time to time.   

Last Updated: June 2024