Our approach to privacy When we use your personal data, we will be acting as a data controller. Essentially this means that we will be making decisions about how we want to use your personal data and why. It is important that you read and understand our full privacy notice, but here is a quick summary of the main rules that apply to us when we use your personal data to help you understand the basics: We must be upfront about how we intend to use your personal data and must use your personal data fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal data We must only use your personal data if we have a legal basis to do so under data protection law. These legal bases include: That you have consented to our use of your personal data; That we need to use your personal data to perform a contract between us (or to take steps at your request prior to entering into a contract); and That we (or someone else) has a legitimate reason for needing to use your personal data and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis. We must only use certain types of special category personal data (such as information relating to your health, racial or ethnic origin or religion) if we can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include: That you have given us your explicit consent to use the information; That the processing is necessary for reasons of substantial public interest; That the processing is necessary for complying with and exercising specific rights in employment law; and That the processing is necessary for the establishment, exercise or defence of legal claims. We are only permitted to share your personal data with others in certain circumstances and if we take steps to ensure that your personal data will be secure. We never sell your personal data onto third parties. Generally speaking, we must only use your personal data for the specific purposes we have told you about. If we want to use your personal data for other purposes, we need to contact you again to tell you about this. We must not hold more personal data than we need for the purposes we have told you about and must not retain your personal data for longer than is necessary for those purposes (this is known as the “retention period”). We must also dispose of any personal data that we no longer need securely. We must ensure that we have appropriate security measures in place to protect your personal data. We use a secure server to process and store your personal data. We also may use external service providers such as cloud-based systems. Service providers that we use may be situated inside or outside the European Economic Area (‘EEA’). Any service provider we use must comply with the data protection laws of the UK. The security of your personal data is important to us and we follow strict procedures to comply with the law and protect personal data. We must not transfer your personal data outside the EEA unless certain safeguards are in place. We must act in accordance with your rights under data protection law. Under UK data protection law, you have rights over the personal data that we hold about you. You can contact us any time to exercise your data rights or change your preferences, by emailing [email protected] or by writing to: Data Protection, Wales Air Ambulance, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.