This Privacy Policy explains how and why we use your personal data to deliver the services SSR provides. This Privacy Policy complies with the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR).
Who we are
The terms ‘we’ or derivatives, ‘the Charity’, ‘the Association’ and ‘SSR’ refer to Scoliosis Support and Research. SSR is a registered charity in England and Wales (registered number 1181463), registered office address: Ground Floor, 329 Latimer Road, W10 6RA. For the purposes of the GDPR, SSR is a Data Controller.
The term ‘you’ and derivatives refers to members, donors, volunteers, trustees and other users of our services, including the website.
How do we use your personal data?
We collect and process all personal data to enable us to:
- establish or maintain up-to-date membership records;
- put members in touch with the relevant Regional Representative(s) and, for ‘full’ members, put you in touch with other members living in your area or those that have similar medical experiences;
- provide services and publications to our members, including our Helpline, Backbone (our in-house magazine), and newsletters and notice of events (free or with an entrance fee) or other topics of interest sent by email. You are free to ‘unsubscribe’ from these emails at any time;
- raise funds through donations, an online shop and other related activities, including postal direct marketing;
- raise funds and promote the aims and objectives of the charity using electronic communication, primarily by email. Such electronic direct marketing is undertaken only with your consent, which you may withdraw at any time;
- employ our staff, engage volunteers and Trustees, and run the charity, including maintenance of our accounts and records.
What personal data do we collect and process?
We collect and process only the minimum personal data needed to achieve the above objectives. Personal data you give us may include:
- identity (name and title). Optionally/prefer not to say: date of birth, age, gender;
- contact details (postal address, email address, telephone numbers);
- membership details (eg date joined, subs paid);
- ‘special category’ personal data that includes health information (including photographs), medical and surgical history, genetic and biometric data, current challenges and treatments. You do not have to provide special category data if you do not wish to;
- preferences (pen picture, dietary (for events));
- donation/bequest details (eg donations, bequests, gift aid details etc);
- payment details (for the online shop).
For staff, volunteers and Trustees only, we also collect and process bank details to enable the payment of salary, pensions, expenses etc.
You can give us your personal data by filling in forms on our website, registering to use our website, participating in Helpline discussions or by corresponding with us (by phone, email or by joining as a member, donor, employee or volunteer).
How we share your data
We keep your data confidential and share it only for operational purposes or in line with our legal obligations. Examples include payments processing (such as PayPal), HMRC (for Gift Aid or bequest purposes), our printers (for despatch of our magazine Backbone) and MailChimp (for email distribution and managing email marketing subscriber lists).
All conversations with our Helpline staff are completely confidential, unless in exceptional circumstances our staff need to contact the emergency services if a caller indicates that they are at serious or immediate risk of harming themselves or others, or if a terrorist act is suspected.
Some people have provided us with information about themselves in order to be used as case studies or on our literature or advertisements. In such instances, we first obtain their consent to use this information.
We do not share your data with anybody for marketing purposes.
If you are donating or participating in an event through a third party website, such as JustGiving, then that website’s Privacy Policy applies. We receive your details only if you consent for these to be passed on to us and we use the data in line with your consent.
How we make sure it is legal to process your data
We rely on the following ‘legal bases’ under the GDPR and PECR to use your personal data.
- Consent – for direct marketing by electronic means, primarily by email;
- Contractual obligations – to manage payroll, pensions and other staff-related data processing, and to fulfil orders from our online shop;
- Legitimate Interests – for all remaining data processing, including direct marketing by post and emailed newsletters and other non-marketing information.
We follow the Code of Fundraising Practice (https://www.fundraisingregulator.org.uk/code) guidelines as well as the PECR for marketing. We will not call people who are registered with the Telephone Preference Service (TPS) or companies registered with the Corporate TPS, unless those people or companies have consented to be called by us.
Charity Commission rules require us to be assured of the source of funds (especially bequests) and any conditions attached to them. As part of this process we will carry out research using publicly available information and professional resources. If this applies to you, we will explain the due diligence process when you make your donation.
How we use cookies and analytics
On first use of the website you will be asked for permission to store cookies on your computer’s hard drive.
A cookie is a small file that helps us to analyse web traffic or identify you when you visit our site. Cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
We use Google Analytics to understand how you use the website. Google Analytics collects information including IP address, geographic location of the device, browser type, browser language, date and time of your request, time(s) of your visit(s), page views and page elements (ie links) that you click.
Our website may, from time to time, contain links to and from the websites of other relevant stakeholders. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we don’t accept any responsibility or liability for these policies.
How we secure your data
We hold your personal data on our secure database E-Tapestry. Our staff complete mandatory data protection training when first employed and annually thereafter.
Data on our E-Tapestry database (provided by Blackbaud) will be used in accordance with our own privacy policy. In providing the Solutions, Blackbaud acts as a data processor and only in accordance with our instructions.
Blackbaud is a United States-based company and is subject to United States law. When Blackbaud collects personal data of individuals located in the European Union, United Kingdom, or Switzerland, they may transfer such data to the United States.
Blackbaud uses Standard Contractual Clauses (“SCCs”) or Model Clauses as a mechanism to provide appropriate safeguards for the protection of personal data for EU, UK, and Swiss data protection purposes.
Full details of their privacy policy can be found at https://www.blackbaud.co.uk/company/privacy-policy/europe
Our website is hosted on servers located in the UK. We take great care to ensure that our website operates at the highest security levels and that our suppliers are committed to best practice in digital security. We encrypt all personal information and financial data in transmission.
How long do we keep your information?
We do not keep your information for longer than necessary.
We keep financial information for seven years due to legal requirements, and we delete all other personal information from our customer relationship management system if we have had no contact with you for three years.
You have the right to be ‘forgotten’, in which case we will remove all data we hold about you from our systems within 30 days, other than that needed to comply with our legal or regulatory obligations.
Changes to our Privacy Policy
We keep our Privacy Policy under regular review and we will place any updates on the website. If your consent is needed to any changes to our electronic direct marketing approach then we will seek that consent before undertaking such marketing.
This Privacy Policy was last updated on 4th July 2024.
Your rights
Data protection regulations give you clear rights over how we process your data. You can find out more detail about your rights by visiting the Information Commissioner’s Office website’s section on individual rights here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
How you can contact us
If you have any questions in relation to this Privacy Policy or wish to exercise your rights, then please contact:
– Email: info@ssr.org.uk
– Tel: 020 8964 5343
– Address: Chief Executive, Scoliosis Support and Research, Ground Floor, 329 Latimer Road, W10 6RA.
Should you have any issues regarding our processing of your data we would welcome the chance to address these, but you are free to lodge any complaint directly with the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/.