Privacy Notice

This privacy notice sets out our commitment to repay the trust you have shown by sharing your personal data with the Wales Air Ambulance Charity. We are committed to treating all personal information responsibly, with respect and care, and being open and transparent about how we do this. This notice details how and why we use the information you share with us, and what we do to protect it.

Who we are

In this policy, whenever you see the words ‘We’, ‘Us’ or ‘Our’, it refers to the Wales Air Ambulance Charity (WAAC).

Wales Air Ambulance Charity is a working name of the Welsh Air Ambulance Charitable Trust. Registered office: Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen, Llanelli. SA14 8LQ. A company limited by guarantee in England and Wales (4036600) and a charity registered in England and Wales (1083645).

Telephone: 0300 0152 999. Website: www.walesairambulance.com. Email: dataprotection@walesairambulance.com.

Privacy statement

Wales Air Ambulance is committed to protecting your privacy and complying with the Data Protection Act 2018 (‘DPA’) and the UK General Data Protection Regulation (‘GDPR’). We will only use your personal data in accordance with data protection law applicable to England and Wales. The terms of this privacy notice may change, so please check it from time to time. If we make any significant changes in the way we treat your personal data, we will make this clear on the Wales Air Ambulance website or by contacting you directly.

This privacy notice explains how and why we collect your personal data and how it is used. It also sets out information about what rights you have in relation to your personal data. We have a legal duty to protect any personal data we hold about you. We use appropriate technologies to safeguard your personal data, maintain strict security standards and we regularly audit how we collect, store and use personal data.

We respect your privacy and the trust you have shown by sharing your personal data with us. We will never sell your personal data on to third parties.

Please note that Wales Air Ambulance is not a ‘public authority’ as defined under the Freedom of Information Act (‘FOIA’) and therefore we will not respond to requests for information made under FOIA.

We do not hold patient medical records. These are managed by our NHS partner, who are contactable via emrts.records@wales.nhs.uk. More information on patient records is available in the Patient Confidentiality section of our Privacy Notice here.

What is personal data?

‘Personal data’ is generally any information that can be used to identify an individual, either directly or indirectly, and any information which relates to or is about an identifiable individual. This can include, but is not limited to, a name, address, phone number, email address or location data from electronic devices (such as mobile phones and IP addresses).

‘Special category’ personal data relates to information that reveals racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. Personal data relating to criminal offences and convictions should also be treated as special category personal data.

When we talk about ‘processing’ personal data, this means any activity that we undertake that involves the use of personal data.  Depending on the purpose of the information, processing can include obtaining, recording or holding the data, as well as organising, amending, retrieving, using it to make decisions, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties, such as trusted service providers acting on our behalf.

When we use your personal data, we will be acting as a data controller. Essentially this means that we will be making decisions about how we want to use your personal data and why. It is important that you read and understand our full privacy notice, but here is a quick summary of the main rules that apply to us when we use your personal data to help you understand the basics:

• We must be upfront about how we intend to use your personal data and must use your personal data fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal data fairly.

• We must only use your personal data if we have a legal basis to do so under data protection law. These legal bases include:
  • That you have consented to our use of your personal data;
  • That we need to use your personal data to perform a contract between us (or to take steps at your request prior to entering into a contract);
  • That we need to process your personal data to ensure compliance with a legal obligation.
  • That, in rare cases, we need to process personal data under the basis of vital interests where it is necessary to protect life; and
  • That we (or someone else) has a legitimate reason for needing to use your personal data and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis.

• We must only use certain types of special category personal data (such as information relating to your health, racial or ethnic origin or religion) if we can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include:
  • That you have given us your explicit consent to use the information;
  • That the processing is necessary for reasons of substantial public interest;
  • That the processing is necessary for complying with and exercising specific rights in employment law; and
  • That the processing is necessary for the establishment, exercise or defence of legal claims.
  • That the processing is necessary for vital interests.

• We are only permitted to share your personal data with others in certain circumstances and if we take steps to ensure that your personal data will be secure. We never sell your personal data onto third parties.

• Generally speaking, we must only use your personal data for the specific purposes we have told you about. If we want to use your personal data for other purposes, we need to contact you again to tell you about this.

• We must not hold more personal data than we need for the purposes we have told you about and must not retain your personal data for longer than is necessary for those purposes (this is known as the “retention period”). We must also dispose of any personal data that we no longer need securely.

• We must ensure that we have appropriate security measures in place to protect your personal data. We use a secure server to process and store your personal data. We also may use external service providers such as cloud-based systems. Service providers that we use may be situated inside or outside the European Economic Area (‘EEA’). Any service provider we use must comply with the data protection laws of the UK. The security of your personal data is important to us and we follow strict procedures to comply with the law and protect personal data. We must not transfer your personal data outside the EEA unless certain safeguards are in place.

• We must act in accordance with your rights under data protection law. Under UK data protection law, you have rights over the personal data that we hold about you. You can contact us any time to exercise your data rights or change your preferences, by emailing dataprotection@walesairambulance.com or by writing to: Data Protection, Wales Air Ambulance, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

Wales Air Ambulance is an independent charity and, while we work closely with our NHS partners, the charity is not part of the National Health Service. This means we do not collect, store or have access to medical records, mission data that identifies patients, or any other personal data held on NHS servers.

Clinical data for the missions we undertake is carefully regulated by NHS Wales. We will only collect, use and store anonymised data, or the personal data of patients who have consented to share their details for publicity purposes.

For advice and information regarding medical records, please email emrts.records@wales.nhs.uk or write to: Confidential – FAO EMRTS Cymru, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

If you have any questions, comments or suggestions, or would like to exercise your data rights, please let us know by emailing dataprotection@walesairambulance.com or by writing to: Data Protection, Wales Air Ambulance, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

If you are unhappy with any aspect of how we are using your personal data, we would like to hear about it. We appreciate the opportunity that this feedback gives us to learn and improve.

You also have the right to lodge a complaint about any use of your personal data with the UK’s data protection regulator, the Information Commissioner’s Office (external link); with the Charity Commission (external link); or with the Fundraising Regulator (external link), which manages the Fundraising Preference Service. Our registered charity number is 1083645.

For medical records: please email emrts.records@wales.nhs.uk or write to: Confidential – FAO EMRTS Cymru, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

We may change this privacy notice from time to time. If we make any significant changes in the way we treat your personal data, we will make this clear on the Wales Air Ambulance website or by contacting you directly.

Please ensure you read and understand this privacy notice in full from time to time. Regularly reviewing how your personal data is used helps to ensure you are aware and in control of your data.

This privacy notice was last reviewed in April 2026.

What’s new:

• New, quick-view section summarising the personal data we collect and how we use it.
• Expanded definitions to help understand personal data processing.
• Greater clarity on NHS medical records enquiries, which we don’t process.
• ‘Vital interests’ added to some legal bases for processing (relating to protecting life).
• Update to the processing of personal data of children (under-18s) (Section 10) for clarity on parent/guardian records.
• Cookies table has been moved from section 11 to a dedicated Cookies Policy.
• New section (12) on the use of innovative technologies, like AI, when processing personal data.
• Updates to how we undertake profiling for direct marketing, including data matching processing.
• Personal emergency evacuation plans for visitors and personal safety devices used by staff added to Visitor and Health & Safety personal data processing.
• Update to the processing of personal data of suppliers, contractors and service providers.

Under UK data protection law, you have rights over the personal data that we hold about you. We have summarised these below.

If you would like to contact us about your data and your rights, please email dataprotection@walesairambulance.com or write to: Data Protection, Wales Air Ambulance, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt of your request; however, if we are unable to do so we will contact you with reasons for the delay.

Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s data protection regulator, the Information Commissioner’s Office (external link).

Right to access your personal data

You have the right to request access to the personal data that we hold about you. You also have the right to request a copy of the personal data we hold about you, and we provide you with this unless legal exceptions apply.

If you want to access your information, please send a description of the information you want via email or post using our Data Protection contact details above.

Right to have your inaccurate personal data corrected

You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies.

Right to restrict the use of your personal data

You have the right in certain circumstances (including where you contest the accuracy of your personal data) to ask us to restrict the processing of some or all of your personal data.

Right to erasure of your personal data

You may ask us to delete or remove some or all of your personal data. This right applies in certain circumstances such as where we no longer need the personal data for the purposes for which it was collected. We have the right to refuse to delete or remove your personal data in certain circumstances.

Right for your personal data to be portable

In certain circumstances, if we are processing your personal data you may ask us to provide it to you or another service provider in a machine-readable format. This includes data that is processed based on your consent, or in order to enter into or carry out a contract with you, and the processing is being done by automated means.

Right to object to the use of your personal data

If we are processing your personal data based on our legitimate interests, you have the right to object to our use of your data.

If we are processing your data for direct marketing purposes and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.

You can exercise your right to object by emailing or writing to us using our Data Protection contact details above.

We are committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place physical and electronic procedures to protect against the loss, misuse and alteration of personal data under our control. While we cannot guarantee that loss, misuse or alteration of data will not occur under our control, we follow strict procedures and comply with the law in order to protect data as much as possible.

Unfortunately, the transmission of data across the internet is not always completely secure. While we do our best to protect the security of your personal data, please take your own steps to ensure your antivirus software is up-to-date, passwords are kept confidential and you follow safe practices online. We cannot guarantee that loss, misuse or alteration of data will not occur when data is sent/transferred to us; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, accidental loss, destruction or damage.

We may need to transfer the personal data we hold about you to any of our premises in the UK.

Sometimes, we will need to share your personal data with others outside our organisation. This section sets out details of who we will share your personal data with and why. It also tells you about our legal basis for doing so under data protection law and steps we will take to protect your personal data.

We will never sell your personal data on to third parties.

Our Service Providers

We use carefully selected service providers, such as couriers and other delivery services, website and IT providers, cloud providers, mailing, marketing or PR agencies and payment or online form processors. We haven’t included the names of our service providers in this privacy notice because their identity will change from time to time. However, if you would like further information about any of our current service providers, please contact us via dataprotection@walesairambulanace.com.

We use the service providers described above to enable us to run the Charity efficiently and effectively, which is in our legitimate interests.

We will only share your personal data with service providers who have satisfied us that they have appropriate data protection and security measures in place to protect your personal data. We enter into contracts with service providers which impose on them contractual obligations relating to data protection and security, including an obligation only to use your personal data for specified purposes and in accordance with our instructions.

Other Third Parties

We may also need to share your personal data with others in the following circumstances.

If we sell, transfer or merge parts of our organisation, during any such process, we may need to disclose your personal data to other parties (such as potential purchasers or investors). Where we do so, we will be relying upon our legitimate business interests.

On occasion, we may be required to disclose your personal data to organisations such as the courts or the police to comply with legal obligations we are subject to and/or to prevent fraud or crime.

From time to time, we may need to disclose your personal data in connection with steps we need to take to protect our business interests or property or the personal safety of our people or visitors to our premises or websites.

We may need to disclose your personal data to our professional advisers (for example, our lawyers and accountants) in connection with the provision by them of professional advice and/or the establishment or defence of legal claims.

Your personal data may also be shared with us by third parties, whom you have provided information to. For example: independent event organisers and digital fundraising platforms; recruitment and volunteering websites or agencies; and service providers who are acting on our behalf, such as lottery canvassers and online shops.

We will only send your personal data outside the EEA in the following situations:

To comply with a legal obligation;

• It is necessary for the performance of a contract;
• We use service providers with servers located in other countries.

If we do transfer your personal data outside the EEA, we will use one of these safeguards to make sure it is protected:

• We will only transfer it to a non-EEA country which the European Commission and/or UK has decided has an adequate level of protection for personal data. You can find more about such countries here: https://ec.europa.eu/info/law/law-topic/data-protection_en;

• We will put a written contract in place between us and the recipient that incorporates European Commission and/or UK model clauses relating to the transfer of personal data outside the EEA. You can find out more about such clauses here: ICO/international transfers.

We do not knowingly collect or solicit personal data from anyone aged under 18, or knowingly allow such persons to provide us with their personal data, without parent or guardian consent.

If we have reason to believe that we hold personal data of a person aged under 18 without the consent of a parent or guardian, we will delete that data.

The personal data of children undertaking fundraising activities in aid of the Charity may be recorded if the parent/guardian wishes to have fundraising efforts recognised. This information is stored, with parent/guardian consent, under the parent or guardian’s record on our database.

If you believe that we might have personal data from or about anyone aged under 18 without the consent of a parent or guardian, please email dataprotection@walesairambulance.com or write to: Data Protection, Wales Air Ambulance, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

What are cookies?

Cookies are small text files which are placed on your computer by websites that you visit. They are widely used to make websites work, or work better, as well as to provide information to the owners of a website. For example, they can help to make sure images appear correctly on your device by storing information about the size of your browser or tell a website operator how well a webpage is performing.

A cookie contains an ‘identifier’ (a string of letters and numbers). Cookies may be either ‘persistent’ cookies or ‘session’ cookies. A persistent cookie will be stored by a web browser and will remain valid until its set expiry date, or it is deleted by the user before the expiry date. A session cookie will expire at the end of the user session when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but they can be linked to other personal data stored about you.

How we use cookies and your rights

Wales Air Ambulance uses cookies on its website. These cookies are used to enhance the experience of our visitors and to better understand how our website is used and how our advertisements perform. For example, cookies may tell us whether you have visited our site before or if you are a new visitor. Our cookies do not store financial information or information which is capable of directly identifying you (such as your name and address).

You have the right to choose whether to accept these cookies. You can exercise this right by amending or setting the controls on your browser to reflect your cookie preferences. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our website.

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. This data may be stored outside the EU, protected by model clauses. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: https://www.google.com/policies/privacy.

For more information on cookies and guidance on managing your cookies, please visit the Information Commissioner’s Office website (external link).

Cookies that we use

The cookies used on our website are set by our online service providers. These cookies may be stored on your computer when you visit our website.

For detailed information on the cookies we use, please see the Cookie Policy on our website. This list is updated from time to time, and you are able to change your cookie preferences any time you visit our website.

Cookies set by third parties

If you go on to a page on our website which contains embedded content, you may be sent cookies from these websites. For example, clicking on YouTube videos, or using ‘share’ buttons which enable users to easily share webpage content through popular networks such as Facebook and Twitter. These sites may set a cookie when you are logged into their service.

We do not control the setting of these cookies, so we suggest you check the third-party website for more information about their cookies and how to manage them.

Innovative technologies can be described as the use of new digital technology, or a new way of using existing technology, at an organisation. For example, artificial intelligence (AI), machine and deep learning, smart tech, new software, or software being used in a novel way.

WAAC is committed to exploring or using technologies that help it to continue to be a world leader in pre-hospital care and achieve its charitable purposes for generations to come.

Where it is safe, appropriate and beneficial to achieving our charitable purposes, we use digital technologies to perform certain processes. This may include automation and/or AI. These tools are used to improve the efficiency and quality of our business processes, allow the Charity to use its funds responsibly, improve your experience with us, and ensure our staff and volunteers are able to contribute their time effectively.

These tools may be built and used internally, or we may instruct a service provider to undertake some or all of this work on our behalf. When we use service providers to supply digital technologies, stringent technical and organisational safeguards are put in place, including supplier vetting and legally-binding agreements.

If AI tools are used during the processing of personal data, we ensure that the personal data is never used for the purposes of a supplier’s machine learning or the development of their own AI products. For all digital technologies, we maintain human oversight of the processing; a trained member of staff will always carefully review any output or result generated by automation or an AI tool.

If you have any questions or wish to exercise your rights regarding the use of your personal data in this way, please contact dataprotection@walesairambulance.com or 0300 0152 999.

Summary information

How we will use your personal data, the legal bases we will rely upon, how long we will keep your personal data, and other details will depend upon who you are and why we need your personal data in the first place.

For transparency, we provide comprehensive privacy information relating to the different categories of individuals/services that this privacy notice applies to. You can select the section(s) that apply to you for relevant details. A general summary is provided here, covering the types of information we might collect, how we might collect it, and why.

IN DETAIL –

Enquiries we receive from you

Purpose and lawful basis for processing

When you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it and fulfill your request.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon for responding to your enquiry are:

• Our legitimate interest in assisting you with your enquiry.
• Our legitimate interest in improving our business and training our staff.

If your enquiry involves providing us with any special category personal data such as health, religious or ethnic information, we will only process that information if it is necessary for reasons of substantial public interest or where you have given your express consent, under Article 9(2) of the GDPR.

What we need and why and how long is it kept

We need enough information from you to answer your enquiry. We use information from web forms, emails, mail, telephone and social media platforms to send you information or materials that you have requested. We will usually need to take your name and contact details from you, and we may make notes to provide you with a further service as required. If you contact us via email or post, we will need a return address for a response.

General enquiries that do not relate to an existing record are kept for up to 1 year after the case is closed. Complaints are kept for up to 7 years after the case is closed. Enquiries relating to data rights requests are kept for up to 7 years from resolution. For enquiries and complaints relating to ongoing fundraising, lottery and donation records, these may be kept for longer. Please refer to the relevant sections below for more information.

Donations

Purpose and lawful basis for processing

When you make a donation to us, whether online, over the phone, by post or via social media like Facebook, as a one-off donation or regular giving membership, we collect information, including your personal data, so that we can process your donation and reclaim tax via Gift Aid.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon to process your donation and to obtain any tax reimbursements is that it is in our legitimate interests to maximise the donations received to be able to fulfil our charitable purposes.

What we need and why and how long is it kept

Any donations you make will require personal and financial information. We collect your contact information (such as name, telephone or email address) and your payment details (such as a credit card or Direct Debit instructions). We may also collect details about your tax status.

Contact information, financial information and tax status are used to process the donation and reclaim tax through Gift Aid. Financial information that is collected is held securely and deleted on an ongoing basis (credit and debit card details are not stored by us). Your contact information may be used to get in touch with you in order to process the donation and to check if we can reclaim Gift Aid. Gift Aid and donation records are kept for at least 7 years from the last action.

When you make a donation to us, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

Lifesaving Lottery subscriptions

Purpose and lawful basis for processing

In subscribing to our Lifesaving Lottery membership, we will require personal and financial information in order to fulfil the subscription process, administer your membership and contact you if you have won a prize or there is an issue with your subscription.

The lawful basis we rely on to process your personal data is article 6(1)(b) of the GDPR which allows us to process personal data when this is necessary for the performance of a contract.

What we need and why and how long is it kept

We collect your contact information (such as name, telephone or email address) and your payment details (such as a debit card or Direct Debit instructions). These are used to fulfil the subscription process and process payment. Your contact details are also used to administer your membership and notify you if you have won a prize.

Financial information that is collected is held securely and deleted on an ongoing basis (debit card details are not stored by us). Your contact information may be used to get in touch with you in order to fulfil the subscription, discuss your membership and respond to any enquiries you may have. Lottery membership records are kept for up to 7 years from the last action.

When you become a Lifesaving Lottery member, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

Fundraising

Purpose and lawful basis for processing

We are grateful for any fundraising activities you choose to undertake in aid of Wales Air Ambulance. When you contact us for information on how to fundraise, we will ask for your name and contact details to enable us to provide you with information, answer your queries and for general support with your fundraising activity.

Sometimes when you sign up to take part in specific fundraising events, we will also require emergency contact details.

When paying in the money you have raised we may, depending on the method you use, need to process your bank or credit card details to take payment of the monies raised. Should you use a sponsor form to keep a record of the monies raised, we will also process names, contact details and the tax status of your sponsors in order to process payments and reclaim tax through Gift Aid on eligible donations.

The lawful basis we rely on to process your personal data and that of people who sponsor you is article 6(1)(f) of the GDPR which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon are:

• our interests in raising money for the charity by facilitating fundraising activities, and
• processing donations and maximising donations through Gift Aid, where applicable.

If your enquiry involves providing us with any special category personal data such as health, religious or ethnic information, we will only process that information where you have given your express consent.

What we need and why and how long is it kept

We collect your name, telephone number, email address and postal address in order to offer and coordinate any support, requests or enquiries you have during your fundraising with us and to send you any materials that may assist with your fundraising activity.

When we ask for emergency contact details, we need this information for health and safety purposes. We do not ask for information relating to health conditions or assess your suitability to take part in an event.

When using a sponsorship form we need the names, addresses and tax status of the sponsors to be able to reclaim tax via Gift Aid.

When using a bank transfer or a credit/debit card to pay the monies you have raised to us, we will need your bank or card details in order to process the payment. This information is held securely and deleted on an ongoing basis (credit and debit card details are not stored by us).

Personal data for fundraising activities and events is held for up to 7 years from the last action.

There are a variety of different ways you can donate to us and if you decide to do so via an online giving platform such as JustGiving or Facebook, any personal data processed will be done under the terms of the relevant online giving or social media platform. Other people, not us, control these platforms and you should therefore review the terms and conditions and privacy policies of these other organisations. That way, you will understand how they will use your information, what information relating to you they will place in the public domain, and what you can do if you are unhappy about it.

When you fundraise for us, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates

Grant fundraising: Trusts and Foundations

Purpose and lawful basis for processing

Wales Air Ambulance researches grant funding opportunities relevant to us, which may include sourcing the names and contact information (including publicly available information) of Trustees, grant officers, secretaries or other persons actively involved in the Trust or Foundation. This personal data will be used so we can contact you with our enquiries regarding a grant and the application process.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon are our interests in raising money for the charity by facilitating grant funding we may be eligible for.

What we need and why and how long is it kept

We collect the contact details of the relevant person(s) involved in the Trust or Foundation, so we can contact you about the grant. This includes name(s), email address(es), a postal address and telephone number(s).

This information is held either indefinitely if the details remain accurate and we continue to have contact with you about grant opportunities, or for 7 years since the last action.

Publicity – Fundraising or patient stories

Purpose and lawful basis for processing

An important part of what we do is raising awareness of our charitable activity in the public domain, to generate interest and support for Wales Air Ambulance. This may include stories shared on social media, on our website, in the press or in literature we produce.

We are always grateful to supporters who approach us or agree to share their story. If you agree to share your story, we will use the information gathered from you (from web forms, emails, mail, telephone and social media, for example) to generate publicity and raise awareness of our work with your permission.

The lawful basis we rely on to process your personal data is Article 6(1)(a) of the GDPR which allows us to process personal data where you have given your consent to the processing. If your story involves providing us with any special category personal data such as health, religious or ethnic information, we will only process that information where you have given your explicit consent.

Where the information provided is in relation to a child under the age of 18, we will request the consent of a person with parental responsibility for the child. Parents/guardians and individuals who are 18 or over will be asked to complete a consent form or provide another form of written consent to process the information.

If we are already in contact with you regarding a donation, lottery subscription, fundraising or voluntary activity, we may use this information to ask you if you would be interested in sharing your story. Your preferences will be recorded so we know if we can or cannot contact you about publicity opportunities in future.

What we need and why and how long is it kept

We need your name and contact details to liaise with you regarding your story and details of your activity, or the incident which occurred when you required our assistance, together with information about your experience of the service we provide and any other relevant information.

You can withdraw your consent at any time. However, this will not affect the validity of consent previously provided for publications already made.

We will keep your personal data until you inform us that you no longer wish us to use the information for publicity purposes, or if the case study has not been actively used for more than 5 years. If your records also relate to donations, lottery subscriptions or voluntary activity we may keep some of your details for longer (see the relevant sections of our privacy notice). An index of the deleted record, a redacted consent form and the original press release are retained indefinitely. The withdrawal process will include asking individuals if they wish for digital testimonials within WAAC’s control to be erased; for example, on our website.

Ordering goods online

Purpose and lawful basis for processing

When making your purchase online, you will be required to provide us with your personal data so that we can process the order, take payment and deliver the products you have purchased.

The lawful basis we rely on to process your personal data is article 6(1)(b) of the GDPR which allows us to process personal data when this is necessary for the performance of a contract.

What we need and why and how long is it kept

We collect your contact information (such as name, postal address, telephone or email address) and your payment details (such as a credit card).

Your card details are required to enable us to take payment. This information is held securely and deleted on an ongoing basis (credit and debit card details are not stored by us). Your contact information may be used to get in touch with you in order to fulfil your order or if there any queries with your order. Your address is required in order to deliver the products you have purchased. Records of online orders are kept for up to 7 years from the last action.

When you order goods online from us, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

Delivery and collections service

Purpose and lawful basis for processing

When you contact us to arrange a collection of unwanted goods for our charity shops, or when you use our delivery service for furniture and other large items bought in our shops, we will collect your personal data so that we can fulfil the service you have requested.

If you sign up to our Gift Aid scheme through the sale of your unwanted goods, we will also process your personal data to reclaim tax via Gift Aid.

The lawful basis we rely on to process your personal data for collections and Gift Aid is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon are:

• Our interests in raising money for the charity by facilitating donations of goods for our shops,
• Maximising the sale of donated goods through Gift Aid, where possible.

The lawful basis we rely on to process your personal data for our delivery service is article 6(1)(b) of the GDPR which allows us to process personal data when this is necessary for the performance of a contract.

What we need and why and how long is it kept

We collect your name, address and telephone number so we can locate your premises and contact you if we need to regarding your delivery or collection. Payment for the delivery service is taken in our shops when purchasing the goods. We may also collect details about your tax status.

When you use our delivery or collection service, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

Gift Aid records are kept for at least 7 years from the last action. Personal data used for our delivery and collection service is kept for up to 3 years from the last action.

Signing up to a newsletter or updates (direct marketing)

Purpose and lawful basis for processing

If you sign up to receive newsletters or updates from us, we will ask you to provide your name and contact details in order to send you the newsletters or updates you have requested.

The lawful basis we rely on to process your personal data is Article 6(1)(a) of the GDPR which allows us to process personal data where you have given your consent to the processing.

What we need and why and how long is it kept

Direct marketing preferences are recorded in a ‘granular’ way. This means we keep a record of the methods you have specifically consented to us using to send news and updates (for example, email only).

We collect your name, email address and/or postal address and/or telephone number, and your preferences as to how you want to be communicated with, in order to process your request and to send you the newsletters or updates you have requested. We may also keep a record of certain topics you may be interested in, such as running events, and use this information to make decisions about the type of news and updates we send you (please refer to the Profiling section).

We will keep your personal data until you inform us that you no longer wish to receive newsletters or updates from us. If your personal data forms part of a fundraising or donation record, we may keep your personal data for longer but consent to receive news and updates will be removed from the record.

If you withdraw consent, it may be necessary and appropriate to keep an indefinite record that you do not want to be contacted, using the least amount of information to correctly identify you (please refer to the Suppressions section).

Data matching and profiling your interests

Purpose and lawful basis for processing

To make sure that we send you the right information, and manage our resources efficiently, we sometimes undertake data matching and profiling if you have chosen to receive news and information about Wales Air Ambulance.

Data profiling is the process of examining our database of supporter information to create groups with similar characteristics or interests. We may combine this with publicly available information, data matching, to help us determine if you might be interested in getting involved in fundraising or volunteering activities, or sending other information that we feel may be of interest.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon are our interests in ensuring:

• our communications are relevant and timely.
• we are sending information that we believe is of interest to you – for example, events in your area.
• we understand how you may be able to help us in the future.
• we raise funds for our lifesaving service in the most cost-effective ways, spending donor’s money responsibly.
• we exclude anyone who may be vulnerable, for example under 18s or adults at risk, and anyone who has registered with a preference service, from receiving marketing from us.

What we need and why and how long is it kept

When you engage in an activity with us, such as fundraising or donating, the activity is recorded alongside your other personal data (name, contact details and Gift Aid status) and your preferences to receive news and information about Wales Air Ambulance. If you have consented to receive news and information, we will use your records to tailor communications to you.

We may combine our records with public sources such as news articles, foundation websites, annual reports and public wealth databases, to help tailor these updates.

We do not use special category data (such as health, religious or political beliefs, racial or ethnic origin) in profiling. We do not undertake profiling using the personal data of anyone under the age of 18. Profiling activity is not solely automated, which means there is a trained member of staff checking data accuracy and that the minimum amount of information is used to help get our tailored news updates right.

You have the right to change your preferences for news and updates at any time. If you would prefer us not to use your personal data in this way, please contact us via dataprotection@walesairambulance.com or 0300 0152 999.

Records are kept for up to 7 years from the last action. If you withdraw consent, it may be necessary and appropriate to keep an indefinite record that you do not want to be contacted, using the least amount of information to correctly identify you (please refer to the Suppressions section).

Direct marketing suppressions (record of objection)

Purpose and lawful basis for processing

You can object to direct marketing from us at any time. When you object to direct marketing, the personal data we receive from you or an agency on your behalf (such as the Fundraising Preference Service or Telephone Preference Service) is called a Suppression Record.

The lawful basis we rely on to process your personal data suppression is Article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. Our legitimate interests are ensuring we do not send you marketing communications such as news and updates when you have exercised your right to object to direct marketing.

What we need and why and how long is it kept

Suppression records are held indefinitely to ensure we do not send you direct marketing communications. We need to hold enough personal data to be able to correctly identify your suppression record. This includes your name, email address and/or postal address and/or telephone number.

Website

Purpose and lawful basis for processing

When you use our website, some personal data will be obtained about you and used in order to maintain and monitor the performance of our website and to enable us to continually improve our website.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. Our legitimate interests are ensuring that our website is up to date, efficient and user friendly.

Our website includes hyperlinks to, and details of, third party websites. We have no control over, and are not responsible for, the privacy policies and practices of third parties.

What we need and why and how long is it kept

We collect technical information about your visit, including the full Uniform Resource Locators (“URL”), clickstream to, through and from our website (including date and time), page response times, download errors, length of visit to certain pages, and methods used to browse away from the page.

Some of the information is collected by us each time you use our website through our use of cookies. Further information about the cookies we use and the purposes for which we use them can be found in the Use of Cookies section of this notice.

When you send us personal data through the website, for example when joining our lottery, making a donation or ordering goods, your personal data is processed via our website content management system (CMS) and retained for up to 7 years in line with the relevant sections above.

Social media

We operate a number of social media platforms including, but not limited to, Facebook, X, TikTok, YouTube and Instagram. Depending on your settings or the privacy policies for each social media site or messaging service, you might give us permission to access personal data from those services. For example, when you send us a message, tag us in an event photo or make a donation.

Although this policy covers how we will use any data collected from these social media sites, it does not cover how the providers of social media websites will use your information. Please ensure you read the privacy policy of social media sites before sharing data and make use of their privacy settings and reporting mechanisms to control how your data is used.

Applying for a job or voluntary role

Purpose and lawful basis for processing

Our purpose for processing this information is to assess your suitability for a role you have applied for and to help us develop and improve our recruitment and selection process.

The lawful basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract or agreement.

If you provide us with any information about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this information is article 6(1)(c) to comply with our legal obligations under the Act.

The lawful basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnicity information is article 9(2)(b) of the GDPR, which relates to our obligations in employment and the safeguarding of your fundamental rights.

We process information about applicant criminal convictions and offences. The lawful basis we rely on to process this data is Article 6(1)(c) to comply with a legal obligation. In addition, we rely on the processing condition under Article 9(2)(b) where the processing is necessary for complying with employment, social security and social protection law and/or Article 9(2)(g) where the processing is necessary for reasons of substantial public interest, namely, preventing or detecting unlawful acts, safeguarding, protecting the public against dishonesty, preventing fraud or suspicion of terrorism or money laundering.

What we need and why and how long is it kept

We will use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract or a volunteering role with us, or to fulfil legal or regulatory requirements if necessary. We will use your name and contact details to correspond with you as part of the process.

If you provide us with any information about reasonable adjustments you require, we will use this information to make any reasonable adjustments required.

We will not share any of the information you provide with any third parties for marketing purposes.

We will use the contact details you give us to contact you to progress your application. We may also contact you to request your feedback about our recruitment process. We will use the other information you provide to assess your suitability for the role.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process.

To make sure we meet our legal data protection and privacy obligations, we only hold on to your information for as long as we actually need it for the purposes we acquired it in the first place.

In most cases, this means that information gathered as part of the recruitment exercise will usually be retained for up to 6 months after the recruitment exercise has been completed. In the case of a successful applicant, information which is relevant to the ongoing employment or volunteering relationship will be transferred to the employee’s/volunteer’s personnel record and retained in accordance with the periods applicable for employees and volunteers. If you wish to remain registered on our recruitment platform for future opportunities, this information is retained based on your consent until you no longer wish to be registered for job alerts.

Call and meeting recordings

Purpose and lawful basis for processing

From time to time, WAAC may record teleconference calls and virtual meetings/events using the software and cloud-based systems available on our devices. This will be for one of the following purposes:

1. To provide an exact record of a scheduled call or meeting in order to accurately transcribe minutes.
2. To publish a webinar as part of publicity or fundraising activities. A webinar is a seminar or other presentation that takes place on the internet, allowing participants in different locations to see and hear the presenter, ask questions, and sometimes answer polls.

For the purposes of a webinar, the lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR where the processing is necessary for our legitimate interests. The legitimate interests we rely on are to generate awareness of the charity and its activities to maximise support and income.

The lawful basis we rely on to record teleconference and virtual meetings is article 6(1)(a) of the GDPR, which allows us to process personal data where you have given your consent to the processing.

What we need and why and how long it is kept

We will collect your name, email address and/or telephone number before the call or meeting begins. Where consent is required, it will be requested by us in writing, either via the contact details you have provided or via a tick-box or verbal declaration at the start of a virtual meeting/event; the recording of a call or meeting will not proceed if we do not have explicit consent from all participants. In the case of a promoted webinar we will provide advance notice that we intend to record and publish the event.

Where consent is required, you can withdraw your consent at any time. However, this will not affect the validity of consent previously provided for any recordings already made.

Any participation by you within the teleconference or virtual meeting/event will be recorded for the duration of the activity. This can include your username, audio and video input, auto-generated transcriptions, and document and screen-sharing from your device.

Please also ensure you read the privacy policy of virtual meeting sites before sharing data and make use of their privacy settings and reporting mechanisms to control how your data is used.

Recordings for transcription purposes are retained for up to 6 months from the date of the recording. Webinars which are published by WAAC are retained indefinitely.

CCTV and dashcams

Purpose and lawful basis for processing

We use Closed-circuit television (CCTV) footage outside or inside our buildings, and dashcams on the vehicles we use for our retail delivery and collection service. The purpose for processing this information is for security and safety reasons and/or insurance or legal purposes.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. Our legitimate interests are to ensure the safety of our property, staff and visitors, and where necessary to support the establishment, exercise or defence of legal claims.

What we need and why and how long it is kept

We process CCTV images and dashcam footage to prevent crime and protect buildings and assets from damage, for the personal safety of staff, visitors and other members of the public.

CCTV recordings are usually deleted after approximately 28 days and dashcam footage is overwritten after one day, unless an incident has occurred and the CCTV or dashcam footage is required to be retained for a longer period to assist with the incident.

Visitor, health and safety and safeguarding records

Purpose and lawful basis for processing

Wales Air Ambulance will keep a record of visitors to its premises, which are recorded in a visitor’s logbook or electronic sign-in device.

As part of your visit to some of our premises, you may be asked if you require assistance to evacuate from the building should the fire alarm be activated. If required, a Personal Emergency Evacuation Plan (PEEP) will be prepared with you based on your individual needs.

We keep a record of any accidents or incidents reported to us on any of our premises. This includes personal data provided when reporting the incident, such as your name, contact details, health and incident information.

Some members of staff, on our premises or in the community, carry personal safety devices. These devices can be activated if staff are subjected to abuse, aggression or fear of abuse or aggression. The Charity has zero tolerance for violence or aggressive behaviour towards its staff and volunteers. When a device is activated, it will start an audio recording and geolocation tracking that is monitored by a trusted service provider who may contact emergency services on our behalf.

This information is collected so that we can:

• Follow Health & Safety reporting procedures including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (‘RIDDOR’),
• Comply with our legal obligations under the Health and Safety at Work Act 1974, the Management of Health and Safety at Work regulations 1999 and any other relevant Health and Safety Laws,
• Learn from and improve our health and safety practices (reports are anonymised for analysis purposes),
• Keep accurate records for the establishment, exercise or defence of legal claims.

The lawful basis we rely on to process your personal data is Article 6(1)(c) of the GDPR to comply with a legal obligation.

The lawful basis we rely on to process any information you provide which is special category data, such as health, religious or ethnicity information is either Article 9(2)(b) of the GDPR, that the processing is necessary in the field of employment and social security and social protection law, or Article 9(2)(f), which relates to processing for the establishment, exercise or defence of legal claims.

Safeguarding means protecting people’s health, wellbeing and human rights, and enabling them to live free from harm, abuse and neglect, which includes children, young people and at-risk adults,  from  harm  that  arises  from  coming  into  contact  with  our employees,  volunteers, trustees or other individuals associated with Wales Air Ambulance. It is our responsibility to implement stringent procedures and ensure records and the reporting of safeguarding matters are handled appropriately and in line with the Children Act 1989, the Safeguarding Vulnerable Groups Act 2006 and any other relevant Safeguarding legislation, guidance and policies.

The lawful basis we rely on to process your personal data for safeguarding purposes is Article 6(1)(c) of the GDPR to comply with a legal obligation where a legal obligation applies, or otherwise legitimate interests. Our legitimate interests are ensuring the safety of staff, volunteers, visitors and the public we engage with and protecting Wales Air Ambulance’s interests.

The lawful basis we rely on to process any information you provide which is special category data, such as health, religious or ethnicity information is either Article 9(2)(b) of the GDPR, that the processing is necessary in the field of employment and social security and social protection law or Article 9(2)(f), which relates to processing for the establishment, exercise or defence of legal claims.

In rare cases, we may rely on Article 6(1)(d) and, if special category data is involved, Article 9(2)(c) of the GDPR where the processing is necessary to protect the vital interests of an individual (that is, essential to their life) and they are physically or legally incapable of giving consent.

What we need and why and how long is it kept

All visitors, including but not limited to volunteers, contractors, service providers, employees of partner organisations, job candidates, and charity supporters, are required to provide their name, company they work for (if applicable to their visit), person they are visiting, their car registration number and the date and time they enter and leave premises (records are automatically timestamped for digital sign-in).

Digital sign-in systems may require a photograph for identification, depending on the nature of the visit. For example, a contractor requiring access to a restricted area. If a companion app is being used for a digital sign-in system, the app tracks your phone location on our premises and stops tracking outside of premise boundaries.

We retain visitor records for up to 4 years.

For Personal Evacuation Emergency Plans (PEEPs), we will collect the information you provide to us that is relevant to your individual requirements in the event of an emergency evacuation. This may include your name, your contact details or next of kin, date(s) of your visit(s), health or disability information that helps to inform the plan, and communication during an emergency evacuation.

How long we retain a PEEP record for depends on the nature of your relationship with us. It will remain on record for up to 4 years since a visit to our premises, or longer if it is required as part of an investigation.

For incident or accidents reported to us, we collect your name, contact details and information relating to the incident or accident, including injuries sustained, so we can comply with reporting procedures. We may also keep records of follow-up enquiries we have with you and notes relating to an investigation as part of the reporting procedure.

The retention period for health and safety records will depend on the accident or incident. General accidents/incidents are kept for up to four years from the date of the event or, in the case of a child, up to four years after their 18th birthday. Accidents/incidents relating to health exposure to certain substances or agents are kept for 40 years.

Records relating to safeguarding incidents are kept for up to 30 years from the date that the record was made.

Suppliers, contractors and service providers

Purpose and lawful basis for processing

Wales Air Ambulance may process the personal data of representatives, employees, or other people from our suppliers and service providers, and all other external workers such as contract workers and advisors.

The purposes of processing your personal data will depend on the nature of our relationship with you or your employer, and your function. This includes but is not limited to:

• To manage our suppliers and service providers and perform our duties pursuant to a contractual relationship, or the preparation of a contract;
• To grant you access to our facilities and/or technologies to allow you to perform services;
• To ensure compliance with policies and legal requirements;
• To preserve our legal interests;
• To monitor performance and manage resources.

The lawful basis we rely on to process your personal data is article 6(1)(b) of the GDPR which allows us to process personal data when this is necessary for the performance of a contract.

What we need and why and how long is it kept

We obtain your personal data either directly from you or through the supplier or service provider for whom you work. The types of personal data that we process will vary depending on your function, location and any terms and conditions of engagement relevant to you.

Some of types of personal data we may process include: name, contact details, your employer and job title, identity documentation, billing information, work related information, and communications such as emails. Some personal data may be inferred from the information you provide, or arise in the context of managing our engagement with you and your employer.

When visiting our premises, we may also process CCTV footage, health and safety incident logs, or visitor logbook information. See the relevant sections in this notice.

Personal data is retained for up to 6 years from the date of contract termination. Personal data may be retained for longer if it relates to health and safety or safeguarding records. See the relevant sections in this notice.