The Society for the Protection of Ancient Buildings (SPAB) is committed to protecting and respecting your privacy. For the purposes of the General Data Protection Regulations (GDPR) and any subsequent UK legislation covering data protection the Data Controller is the SPAB. This Policy sets out why we collect personal information about individuals and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used.
This Policy covers the SPAB, its Mills Section and its regional groups in relation to the collection and use of the information you give us. We may change this Policy from time to time. If we make any significant changes we will advertise this on the website or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.
If you have any questions about this Policy or about your personal information held by the Society, please contact the SPAB via email@example.com or via post to: SPAB, 37 Spital Square, London, E1 6DY.
What type of personal information we collect
The type and amount of information we collect depends on why you are providing it.
The information we collect when you make an enquiry may include your name, email address, postal address and phone number. It may also include your date of birth if we have specific need of this (eg a form of membership that is dependant on age).
If you are a donor, volunteer, are joining us as a member, or are seeking our advice we will ask for your name and contact details (your full address, email address, and your phone number). We may also ask you for details of your building, your work or the reasons for your interest in building conservation. If you are attending an event we may ask for details of any dietary or access requirements.
If you are paying for your subscription, or for a course, event booking or purchase we may require banking information or credit/debit card details from you. When you donate or make a purchase online, your card information is not held by us, it is collected by our third party payment processors who specialise in the secure online capture and processing of credit/debit card transactions
If you are applying for a grant or job, the information you are asked to provide is as set out in the application form and is necessary for the purposes of our considering the application.
When we collect information
We may collect information from you whenever you contact us or have any involvement with us for example when you:
- Join as a SPAB or SPAB Mills Section member
- visit our website (see our Cookies policy below)
- donate to us, fundraise for us or indicate your intention to leave us a legacy
- enquire about our activities or services, such as casework, technical advice, courses, or the Scholarship and Fellowship programmes
- subscribe to any of our email newsletters in order to receive information about our activities
- agree to be included in our database of specialists
- volunteer for us
- attend a meeting with us and provide us with information
- take part in our regional or country-based events
- manage a mill that is part of National Mills Open weekend
- occupy a property over which there are SPAB covenants
- submit an application for listed building consent or faculty that is notified to us
- own an historic building in need of repair that is part of our casework
- loan or donate books, drawings, furniture or other objects to the Society
- take part in an SPAB event, including as an attendee, speaker, tutor, site visit host, venue provider, volunteer etc
- visit or make an enquiry to our archive
- contact us in any way including online, email, phone, SMS, social media or post
- supply us with goods or services
- are a staff member or volunteer
- are a staff member or volunteer’s next of kin
Where we collect information
We collect information:
- From you when you give it to us directly: You may provide your details when you ask us for information or make a donation, volunteer, attend our events, receive technical advice, attend a course or contact us for any other reason.
- When you have given other organisations permission to share it: your information may be provided to us by other organisations if you have given them your permission. This might for example be a charity working with us or might be when you buy a product or service from a third party organisation. The information we receive from other organisations depends on the preferences you have expressed or the option responses you have given them.
- When it is available on social media: depending on your settings or the privacy policies applying for social media and messaging services you use, such as Facebook, Instagram or Twitter, you might give us permission to access information from those accounts or services.
How we use your information
We will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:
- providing you with the information or services you have asked for
- processing donations you make, including processing for Gift Aid purposes
- processing orders you have submitted
- organising volunteering activities you have told us you want to be involved in and in relation to the fundraising for us you are involved in
- sending you digital marketing communication, with your consent, including information about our services and activities, campaigns and appeals asking for donations and other fundraising activities and promotions for which we seek support. You can opt out at any time.
- when necessary for carrying out your obligations under any contract between us
- seeking your views on the services or activities we carry out so that we can make improvements
- maintaining our organisational records and ensuring we know how you prefer to be contacted
- analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
- processing grant or job applications
- notifying you of changes to our services
Our legal basis for processing your information
The use of your information for the purposes set out above is lawful because one or more of the following applies:
- Where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing us at firstname.lastname@example.org. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
- It is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to prior to entering into a contract.
- It is necessary to comply with our legal, charitable, tax or insurance obligations.
- Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, would presume that there is no prejudice to you in our fulfilling your request.
- Where it is necessary as part of the SPAB’s statutory function as a consultee in the planning or faculty system or in its charitable role as an expert adviser to government, councils and dioceses on historic buildings at risk.
If you want to contact us about your marketing preferences please contact email@example.com,uk or see the SPAB website for your membership database entry. If you have registered an online account via our website, you can change your preferences at any time using the ‘My profile’ page. You can also unsubscribe from any of our email newsletters by clicking ‘unsubscribe’ at the bottom of the email.
How we keep your information safe
We understand the importance of security of your personal information and take appropriate steps to safeguard it. Carefully considered security measures are in place to protect the SPAB computer server from attack and to ensure banking information, such as direct debit forms, is stored securely. We ensure that only authorised staff, volunteers and contractors manage your information. No data transmission over the internet can however be guaranteed to be 100% secure. While we strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.
Who has access to your information?
- SPAB staff
- Volunteer organisers (in the case of regionally or nationally-based activities and events)
- Third parties who provide services for us, for example companies providing subscription reminders or hosting databases. We select our third party service providers with care. We provide these third parties with only the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do.
- Third parties if we run an event in conjunction with them. We will let you know how your data is used when you register for any event. eg with courses run jointly with Historic Royal Palaces, or when we visit buildings or sites where the host requires us to supply details of those visiting.
- Analytics and search engine providers that help us to improve our website and its use.
- Third parties in connection with restructuring or reorganisation of our operations, for example if we merged or collaborated with another charity. In such event we will take steps to ensure your privacy rights will be protected by the third party.
When you are using our secure online donation or payment pages, your donation or payment is processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
In the unlikely event that the information you provide to us needs to be transferred to countries outside the UK, we will meet our obligations under GDPR by ensuring that the information has equivalent protection as if it were being held within the UK. We do this by ensuring that any third parties processing your data outside the UK either benefits from an adequacy determination for GDPR purposes and/or, where appropriate, we have entered into a Data Processing Agreement which contains model UK/EU clauses.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Other than this, we will not share your information with other organisations without your consent.
Keeping your information up to date
We appreciate it if you can let us know should your contact details change. If you are a member, or have registered an online account with our website, you can do so through the ‘My Account’ page. Otherwise, you can contact us at firstname.lastname@example.org, or by post to 37 Spital Square, London E1 6DY.
Cookies are small pieces of information sent by a web server to a web browser, which enable the server to collect information from the browser. They are stored on your hard drive to allow our website to recognise you when you visit.
You can block any cookies from any website through your browser settings. For more information about how to disable cookies in your browser please visit the About cookies website.
Flash cookies make it quicker and easier for you to access sites on subsequent visits that use Flash technology. Deleting them means you may have to re-enter information each time you visit the same site. But just like any cookie, you can delete Flash cookies by going to the Settings Manager for your Adobe Flash Player. You will be taken to the Adobe website, which lists the websites with the cookies in your browser. Just click Delete opposite the relevant website.
You can find out more information about cookies at www.allaboutcookies.org, which gives details on how to delete cookies from your computer. For information on how to do this on your mobile phone browser, please see your handset manual.
We appreciate that our supporters are of all ages. Where appropriate we will ask for consent from a school, parent or guardian to collect information about children (under 16s) such as those who are Young Millers or who attend a SPAB-organised schools event.
How long we keep your information for
We will hold your personal information for as long as it is necessary for the relevant activity. By way of example, we hold records of donations you make for at least six years so we can fulfil our statutory obligations for tax purposes. If you contact our technical advice service we will store your records for at least six years for insurance purposes after which they will be archived as part of the Society’s historic record.
If you cease to be involved with the SPAB we will archive your information as part of the Society’s historic record but will not use it to contact you about SPAB services. If you lapse or resign as a member we may contact you for up to 2 years afterwards about rejoining.
Credit and debit card details are not stored by the Society except where taken by telephone. In this situation the three digit security code will be destroyed immediately after processing. Gift aid forms, related to subscriptions or donations will be securely stored in order that the Society can demonstrate to HM Customs and Revenue, if required, that you have confirmed your status as a UK tax payer. Paper based direct debit instructions will also be stored securely.
If you are a donor your contact details will be kept only so long as it is judged reasonable to do so though we may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing or fundraising materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.
You have the right to request details of the processing activities that we carry out with your personal information through making a Subject Access Request. Such requests have to be made in writing. More details about how to make a request, and the procedure to be followed, can be found by contacting email@example.com.
Subject to certain safeguard or limitations and exemptions you also have the following rights:
- the right to request rectification of information that is inaccurate or out of date;
- the right to erasure of your information (known as the “right to be forgotten”);
- the right to restrict the way in which we are dealing with and using your information; and
- the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
- rights in relation to automated decision making and profiling including profiling for marketing purposes.
To exercise any of these rights, you should contact firstname.lastname@example.org or the SPAB’s Director at 37 Spital Square, London E1 6DY.
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain can be found here.
This Policy may be changed from time to time. If we make any significant changes we will advertise this on our website or contact you directly with the information. You are advised to check this Policy when you consider giving your personal information to us.
This Policy was issued in April 2018.