Buy a ticket - be a lifesaver! Play our Spring Raffle today and be in with the chance of winning £3,000.

Play now!

Privacy Notice

This privacy notice sets out our commitment to repay the trust you have shown by sharing your personal data with the Wales Air Ambulance Charity.

Who we are

In this policy, whenever you see the words ‘We’, ‘Us’ or ‘Our’, it refers to the Wales Air Ambulance Charity (WAAC).

Wales Air Ambulance Charity is a working name of the Welsh Air Ambulance Charitable Trust. Registered office: Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen, Llanelli. SA14 8LQ. A company limited by guarantee in England and Wales (4036600) and a charity registered in England and Wales (1083645).

Telephone: 0300 0152 999.

Website: www.walesairambulance.com.

Email: dataprotection@walesairambulance.com.

Our approach to privacy

When we use your personal data, we will be acting as a data controller. Essentially this means that we will be making decisions about how we want to use your personal data and why. It is important that you read and understand our full privacy notice, but here is a quick summary of the main rules that apply to us when we use your personal data to help you understand the basics:

  • We must be upfront about how we intend to use your personal data and must use your personal data fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal data fairly.

 

  • We must only use your personal data if we have a legal basis to do so under data protection law. These legal bases include:
    • That you have consented to our use of your personal data;
    • That we need to use your personal data to perform a contract between us (or to take steps at your request prior to entering into a contract); and
    • That we (or someone else) has a legitimate reason for needing to use your personal data and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis.
·       We must only use certain types of special category personal data (such as information relating to your health, racial or ethnic origin or religion) if we can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include:

o   That you have given us your explicit consent to use the information;

o   That the processing is necessary for reasons of substantial public interest;

o   That the processing is necessary for complying with and exercising specific rights in employment law; and

o   That the processing is necessary for the establishment, exercise or defence of legal claims.

  • We are only permitted to share your personal data with others in certain circumstances and if we take steps to ensure that your personal data will be secure. We never sell your personal data onto third parties.

 

  • Generally speaking, we must only use your personal data for the specific purposes we have told you about. If we want to use your personal data for other purposes, we need to contact you again to tell you about this.

 

  • We must not hold more personal data than we need for the purposes we have told you about and must not retain your personal data for longer than is necessary for those purposes (this is known as the “retention period”). We must also dispose of any personal data that we no longer need securely.

 

  • We must ensure that we have appropriate security measures in place to protect your personal data. We use a secure server to process and store your personal data. We also may use external service providers such as cloud-based systems. Service providers that we use may be situated inside or outside the European Economic Area (‘EEA’). Any service provider we use must comply with the data protection laws of the UK. The security of your personal data is important to us and we follow strict procedures to comply with the law and protect personal data. We must not transfer your personal data outside the EEA unless certain safeguards are in place.

 

We must act in accordance with your rights under data protection law. Under UK data protection law, you have rights over the personal data that we hold about you. You can contact us any time to exercise your data rights or change your preferences, by emailing dataprotection@walesairambulance.com or by writing to: Data Protection, Wales Air Ambulance, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

What is personal data?

Personal data is generally any information that can be used to identify an individual, either directly or indirectly, and any information which relates to or is about an identifiable individual. This can include, but is not limited to, a name, address, phone number, email address or location data from electronic devices (such as mobile phones and IP addresses).

‘Special category’ personal data relates to information that reveals racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. Personal data relating to criminal offences and convictions should also be treated as special category personal data.

Privacy Statement

Wales Air Ambulance is committed to protecting your privacy and complying with the Data Protection Act 2018 (‘DPA’) and the UK General Data Protection Regulation (‘GDPR’). We will only use your personal data in accordance with data protection law applicable to England and Wales.  The terms of this privacy notice may change, so please check it from time to time. If we make any significant changes in the way we treat your personal data, we will make this clear on the Wales Air Ambulance website or by contacting you directly.

 

This privacy notice explains how and why we collect your personal data and how it is used. It also sets out information about what rights you have in relation to your personal data. We have a legal duty to protect any personal data we hold about you. We use appropriate technologies to safeguard your personal data, maintain strict security standards and we regularly audit how we collect, store and use personal data.

We respect your privacy and the trust you have shown by sharing your personal data with us. We will never sell your personal data on to third parties.

Please note that Wales Air Ambulance is not a ‘public authority’ as defined under the Freedom of Information Act (‘FOIA’) and therefore we will not respond to requests for information made under FOIA.

What are cookies?

Cookies are small text files which are placed on your computer by websites that you visit. They are widely used to make websites work, or work better, as well as to provide information to the owners of a website. For example, they can help to make sure images appear correctly on your device by storing information about the size of your browser or tell a website operator how well a webpage is performing.

 

A cookie contains an ‘identifier’ (a string of letters and numbers). Cookies may be either ‘persistent’ cookies or ‘session’ cookies. A persistent cookie will be stored by a web browser and will remain valid until its set expiry date or it is deleted by the user before the expiry date. A session cookie will expire at the end of the user session when the web browser is closed.

 

Cookies do not typically contain any information that personally identifies a user, but they can be linked to other personal data stored about you.

 

How we use cookies and your rights

Wales Air Ambulance uses cookies on its website. These cookies are used to enhance the experience of our visitors and to better understand how our website is used and how our advertisements perform. For example, cookies may tell us whether you have visited our site before or if you are a new visitor. Our cookies do not store financial information or information which is capable of directly identifying you (such as your name and address).

 

You have the right to choose whether to accept these cookies. You can exercise this right by amending or setting the controls on your browser to reflect your cookie preferences. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our website.

 

For more information on cookies and guidance on managing your cookies, please visit the Information Commissioner’s Office website (external link).

Cookies that we use

The following cookies are used on our website, as set by our website service provider. These cookies may be stored on your computer when you visit our website.

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. This data may be stored outside the EU, protected by model clauses. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: https://www.google.com/policies/privacy.

 

Cookie NameUsed byDescriptionExpiration
__utmaGoogle AnalyticsStores the amount of visits of a user, the time of their first visit, the previous visit, and the current visit. It does not contain any personal data and is used only for analytical purposes.2 years from set/update
__utmzGoogle AnalyticsThis performance cookie stores where a user came from (eg. search engine, search keyword, link).6 months from set/update
_ga and _gidGoogle AnalyticsUsed to distinguish between website users in Google Analytics.2 years and 2 hours
_gat_UA-XXXXXXXX-X (where the Xs are replaced by the Google Analytics ID number)Google AnalyticsUsed to moderate calls to the Google Analytics service.1 minute
__unamShareThisSet as part of the ShareThis service and monitors “click-stream” activity, e.g. web pages viewed, navigation from page to page, time spent on each page etc. The ShareThis service only identifies a user if they have separately signed up with ShareThis for a ShareThis account and given them consent. Checks how long you stay on a site: when a visit starts and ends. It does not contain any personal data and is used only for analytical purposes.14 months
cc_cookie_acceptWebsiteStores whether the user has accepted the cookie message or not.365 days
ASP.NET_SessionIdWebsiteUsed for authenticating a user’s session after logging in. Closes when you exit the browser.End of session
ARRAffinityWebsiteTells our infrastructure which server to handle the request.End of session
MemberLoggedInWebsiteA binary flag which stores whether a user is logged in or not.End of session
ai_session and ai_userWebsiteTracks users as they navigate the website predominately for infrastructure performance insights.1 day
DisplayNameWebsiteKeeps track of a donors preference to show their name during a Direct Debit.End of session
IDE,  DSID,

_ct_rmm

Doubleclick.netThese cookies are managed by DoubleClick, an advertising platform we use to display adverts. They help us identify which visitors to our website have seen or clicked one of our adverts.2 years from set/update
__cfduidCloudFlareIdentify individual clients behind a shared IP address and apply security settings on a per-client basis365 days

 

Cookies set by third parties

If you go on to a page on our website which contains embedded content, you may be sent cookies from these websites. For example, clicking on YouTube videos, or using ‘share’ buttons which enable users to easily share webpage content through popular networks such as Facebook and Twitter. These sites may set a cookie when you are logged into their service.

 

We do not control the setting of these cookies, so we suggest you check the third party website for more information about their cookies and how to manage them.

Your data and rights

Under UK data protection law, you have rights over the personal data that we hold about you. We have summarised these below.

If you would like to contact us about your data and your rights, please email dataprotection@walesairambulance.comor write to: Data Protection, Wales Air Ambulance, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt of your request; however, if we are unable to do so we will contact you with reasons for the delay.

Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s data protection regulator, the Information Commissioner’s Office (external link).

Right to access your personal data 

You have the right to request access to the personal data that we hold about you. You also have the right to request a copy of the personal data we hold about you, and we provide you with this unless legal exceptions apply.

If you want to access your information, please send a description of the information you want via email or post using our Data Protection contact details above.

Right to have your inaccurate personal data corrected 

You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies.

Right to restrict the use of your personal data 

You have the right in certain circumstances (including where you contest the accuracy of your personal data) to ask us to restrict the processing of some or all of your personal data.

Right to erasure of your personal data

You may ask us to delete or remove some or all of your personal data. This right applies in certain circumstances such as where we no longer need the personal data for the purposes for which it was collected. We have the right to refuse to delete or remove your personal data in certain circumstances.

Right for your personal data to be portable 

In certain circumstances, if we are processing your personal data you may ask us to provide it to you or another service provider in a machine-readable format. This includes data that is processed based on your consent, or in order to enter into or carry out a contract with you, and the processing is being done by automated means.

Right to object to the use of your personal data 

If we are processing your personal data based on our legitimate interests, you have the right to object to our use of your data.

If we are processing your data for direct marketing purposes and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.

You can exercise your right to object by emailing or writing to us using our Data Protection contact details above.

Circumstances in which we will send your Personal Date outside the EEA

We will only send your personal data outside the EEA in the following situations:

  • To comply with a legal obligation;
  • It is necessary for the performance of a contract;
  • We use service providers with servers located in other countries.

If we do transfer your personal data outside the EEA, we will use one of these safeguards to make sure it is protected:

  • We will only transfer it to a non-EEA country which the European Commission has decided has an adequate level of protection for personal data. You can find more about such countries here: https://ec.europa.eu/info/law/law-topic/data-protection_en;
  • We will put a written contract in place between us and the recipient that incorporates European Commission model clauses relating to the transfer of personal data outside the EEA. You can find out more about such clauses here: ICO/international transfers;
  • We will only transfer it to businesses that have signed up to a special agreement between the UK and the USA known as the Privacy Shield. You can find out more and search the Privacy Shield List here: https://www.privacyshield.gov/welcome

Sharing your information

We may need to transfer the personal data we hold about you to any of our premises in the UK.

Sometimes, we will need to share your personal data with others outside our organisation. This section sets out details of who we will share your personal data with and why. It also tells you about our legal basis for doing so under data protection law and steps we will take to protect your personal data.

We will never sell your personal data on to third parties.

 

Our Service Partners

We use carefully selected service partners, such as couriers and other delivery services, website and IT providers, cloud providers, mailing, marketing or PR agencies and payment or online form processors. We haven’t included the names of our service partners in this privacy notice because their identity will change from time to time. However, if you would like further information about any of our current service providers, please contact us via dataprotection@walesairambulanace.com.

 

We use the service partners described above to enable us to run the Charity efficiently and effectively, which is in our legitimate interests.

 

We will only share your personal data with service partners who have satisfied us that they have appropriate data protection and security measures in place to protect your personal data. We also enter into contracts with such service partners which impose on them contractual obligations relating to data protection and security, including an obligation only to use your personal data for specified purposes and in accordance with our instructions.

 

Other Third Parties

We may also need to share your personal data with others in the following circumstances.

 

  • If we sell, transfer or merge parts of our organisation, during any such process, we may need to disclose your personal data to other parties (such as potential purchasers or investors). Where we do so, we will be relying upon our legitimate business interests.

 

  • On occasion, we may be required to disclose your personal data to organisations such as the courts or the police to comply with legal obligations we are subject to and/or to prevent fraud or crime.

 

  • From time to time we may need to disclose your personal data in connection with steps we need to take to protect our business interests or property or the personal safety of our people or visitors to our premises or websites.

 

  • We may need to disclose your personal data to our professional advisers (for example, our lawyers and accountants) in connection with the provision by them of professional advice and/or the establishment or defence of legal claims.

Your personal data may also be shared with us by third parties, whom you have provided information to. For example: independent event organisers and fundraising platforms, such as JustGiving or VirginMoneyGiving; recruitment and volunteering websites or agencies; and service providers who are acting on our behalf, such as lottery canvassers and online shop platforms.

Security

We are committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place physical and electronic procedures to protect against the loss, misuse and alteration of personal data under our control. While we cannot guarantee that loss, misuse or alteration of data will not occur under our control, we follow strict procedures and comply with the law in order to protect data as much as possible.

 

Unfortunately, the transmission of data across the internet is not always completely secure. While we do our best to protect the security of your personal data, please take your own steps to ensure your antivirus software is up-to-date, passwords are kept confidential and you follow safe practices online. We cannot guarantee that loss, misuse or alteration of data will not occur when data is sent/transferred to us; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, accidental loss, destruction or damage.

Patient Confidentiality

Wales Air Ambulance is an independent charity and, while we work closely with our NHS partners, the charity is not part of the National Health Service. This means we do not collect, store or have access to medical records, mission data that identifies patients, or any other personal data held on NHS servers.

 

Clinical data for the missions we undertake is carefully regulated by NHS Wales. We will only collect, use and store anonymised data, or the personal data of patients who have consented to share their details for publicity purposes.

 

For advice and information regarding medical records, please email abm.emrtsrecords@wales.nhs.uk or write to: Confidential – FAO EMRTS Cymru, Tŷ Elusen, Ffordd Angel, Llanelli Gate, Dafen. SA14 8LQ.

Personal data we collect and how we use it

How we will use your personal data, the legal bases we will rely upon, how long we will keep your personal data and other details will depend upon who you are and why we need your personal data in the first place.

 

In this section, we provide specific privacy information relating to the different categories of individuals that this privacy notice applies to.

 

Enquiries we receive from you

Purpose and lawful basis for processing

 

When you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it and fulfil your request.

 

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon for responding to your enquiry are:

  • Our legitimate interest in assisting you with your enquiry.
  • Our legitimate interest in improving our business and training our staff.

If your enquiry involves providing us with any special category personal data such as health, religious or ethnic information, we will only process that information if it is necessary for reasons of substantial public interest or where you have given your express consent, under Article 9(2) of the GDPR.

 

What we need and why and how long is it kept

 

We need enough information from you to answer your enquiry. We use information from web forms, emails, mail, telephone and social media platforms to send you information or materials that you have requested. We will usually need to take your name and contact details from you, and we may make notes to provide you with a further service as required. If you contact us via email or post, we will need a return address for a response.

 

General enquiries are kept for up to 1 year after the case is closed. Complaints are kept for up to 3 years after the case is closed. Enquiries relating to data rights requests are kept for up to 6 years. For enquiries and complaints relating to fundraising, lottery and donation records, these may be kept for longer. Please refer to the relevant sections below for more information.

 

Call and meeting recordings

Purpose and lawful basis for processing

From time to time, WAAC may record teleconference calls and virtual meetings/events using the software and cloud-based systems available on our devices. This will be for one of the following purposes:

  • To provide an exact record of a scheduled call or meeting in order to accurately transcribe minutes.

 

  • To publish a webinar as part of publicity or fundraising activities. A webinar is a seminar or other presentation that takes place on the internet, allowing participants in different locations to see and hear the presenter, ask questions, and sometimes answer polls.

For the purposes of a webinar, the lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR where the processing is necessary for our legitimate interests. The legitimate interests we rely on are to generate awareness of the charity and its activities to maximise support and income.

 

The lawful basis we rely on to record teleconference and virtual meetings is article 6(1)(a) of the GDPR, which allows us to process personal data where you have given your consent to the processing.

 

What we need and why and how long it is kept

 

We will collect your name, email address and/or telephone number before the call or meeting begins. Where consent is required, it will be requested by us in writing, either via the contact details you have provided or via a tick-box declaration at the start of a virtual meeting/event; the recording of a call or meeting will not proceed if we do not have explicit consent from all participants. In the case of a promoted webinar we will provide advance notice that we intend to record and publish the event.

 

Where consent is required, you can withdraw your consent at any time. However, this will not affect the validity of consent previously provided for any recordings already made.

 

Any participation by you within the teleconference or virtual meeting/event will be recorded for the duration of the activity. This can include your username, audio and video input and document and screen-sharing from your device.

 

Please also ensure you read the privacy policy of virtual meeting sites before sharing data and make use of their privacy settings and reporting mechanisms to control how your data is used.

 

Recordings for transcription purposes are retained for up to 6 months from the date of the recording. Webinars which are published by WAAC are retained indefinitely.

 

 

Donations

Purpose and lawful basis for processing

 

When you make a donation to us, whether online, over the phone, by post or via social media like Facebook, as a one-off donation or regular giving membership, we collect information, including your personal data, so that we canprocess your donation and reclaim tax via Gift Aid.

 

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon to process your donation and to obtain any tax reimbursements is that it is in our legitimate interests to maximise the donations received to be able to fulfil our charitable purposes.

 

What we need and why and how long is it kept

 

Any donations you make will require personal and financial information. We collect your contact information (such as name, telephone or email address) and your payment details (such as a credit card or Direct Debit instructions). We may also collect details about your tax status.

 

Contact information, financial information and tax status are used to process the donation and reclaim tax through Gift Aid. Financial information that is collected is held securely and deleted on an ongoing basis (credit and debit card details are not stored by us). Your contact information may be used to get in touch with you in order to process the donation and to check if we can reclaim Gift Aid. Gift Aid and donation records are kept for at least 7 years from the last action.

 

When you make a donation to us, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

 

Lifesaving Lottery subscriptions

Purpose and lawful basis for processing

 

In subscribing to our Lifesaving Lottery membership, we will require personal and financial information in order to fulfil the subscription process, administer your membership and contact you if you have won a prize or there is an issue with your subscription.

 

The lawful basis we rely on to process your personal data is article 6(1)(b) of the GDPR which allows us to process personal data when this is necessary for the performance of a contract.

 

What we need and why and how long is it kept

 

We collect your contact information (such as name, telephone or email address) and your payment details (such as a debit card or Direct Debit instructions). These are used to fulfil the subscription process and process payment. Your contact details are also used to administer your membership and notify you if you have won a prize.

 

Financial information that is collected is held securely and deleted on an ongoing basis (debit card details are not stored by us). Your contact information may be used to get in touch with you in order to fulfil the subscription, discuss your membership and respond to any enquiries you may have. Lottery membership records are kept for up to 7 years from the last action.

 

When you become a Lifesaving Lottery member, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

 

Ordering goods online

Purpose and lawful basis for processing

 

When making your purchase online, you will be required to provide us with your personal data so that we can process the order, take payment and deliver the products you have purchased.

 

The lawful basis we rely on to process your personal data is article 6(1)(b) of the GDPR which allows us to process personal data when this is necessary for the performance of a contract.

 

What we need and why and how long is it kept

 

We collect your contact information (such as name, postal address, telephone or email address) and your payment details (such as a credit card).

 

Your card details are required to enable us to take payment. This information is held securely and deleted on an ongoing basis (credit and debit card details are not stored by us). Your contact information may be used to get in touch with you in order to fulfil your order or if there any queries with your order. Your address is required in order to deliver the products you have purchased. Records of online orders are kept for up to 7 years from the last action.

 

When you order goods online from us, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

 

Delivery and collections service

Purpose and lawful basis for processing

 

When you contact us to arrange a collection of unwanted goods for our charity shops, or when you use our delivery service for furniture and other large items bought in our shops, we will collect your personal data so that we can fulfil the service you have requested.

 

If you sign up to our Gift Aid scheme through the sale of your unwanted goods, we will also process your personal data to reclaim tax via Gift Aid.

 

The lawful basis we rely on to process your personal data for collections and Gift Aid is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon are:

  • Our interests in raising money for the charity by facilitating donations of goods for our shops,
  • Maximising the sale of donated goods through Gift Aid, where possible.

The lawful basis we rely on to process your personal data for our delivery service is article 6(1)(b) of the GDPR which allows us to process personal data when this is necessary for the performance of a contract.

 

What we need and why and how long is it kept

 

We collect your name, address and telephone number so we can locate your premises and contact you if we need to regarding your delivery or collection. Payment for the delivery service is taken in our shops when purchasing the goods. We may also collect details about your tax status.

 

When you use our delivery or collection service, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

 

Gift Aid records are kept for at least 7 years from the last action. Personal data used for our delivery and collection service is kept for up to 3 years from the last action.

 

Fundraising

Purpose and lawful basis for processing

 

We are grateful for any fundraising activities you choose to undertake in aid of Wales Air Ambulance. When you contact us for information on how to fundraise, we will ask for your name and contact details to enable us to provide you with information, answer your queries and for general support with your fundraising activity.

 

Sometimes when you sign up to take part in specific fundraising events, we will also require emergency contact details.

 

When paying in the money you have raised we may, depending on the method you use, need to process your bank or credit card details to take payment of the monies raised. Should you use a sponsor form to keep a record of the monies raised, we will also process names, contact details and the tax status of your sponsors in order to process payments and reclaim tax through Gift Aid on eligible donations.

 

The lawful basis we rely on to process your personal data and that of people who sponsor you is article 6(1)(f) of the GDPR which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon are:

 

  • our interests in raising money for the charity by facilitating fundraising activities, and
  • processing donations and maximising donations through Gift Aid, where applicable.

 

If your enquiry involves providing us with any special category personal data such as health, religious or ethnic information, we will only process that information where you have given your express consent.

 

What we need and why and how long is it kept

 

We collect your name, telephone number, email address and postal address in order to offer and coordinate any support, requests or enquiries you have during your fundraising with us and to send you any materials that may assist with your fundraising activity.

 

When we ask for emergency contact details, we need this information for health and safety purposes. We do not ask for information relating to health conditions or assess your suitability to take part in an event.

 

When using a sponsorship form we need the names, addresses and tax status of the sponsors to be able to reclaim tax via Gift Aid.

 

When using a bank transfer or a credit/debit card to pay the monies you have raised to us, we will need your bank or card details in order to process the payment. This information is held securely and deleted on an ongoing basis (credit and debit card details are not stored by us).

 

Personal data for fundraising activities and events is held for up to 7 years from the last action.

 

There are a variety of different ways you can donate to us and if you decide to do so via JustGiving, Facebook or any other online giving platforms, any personal data processed will be done under the terms of the relevant online giving or social media platform. Other people, not us, control these platforms and you should therefore review the terms and conditions and privacy policies of these other organisations. That way, you will understand how they will use your information, what information relating to you they will place in the public domain and what you can do if you are unhappy about it.

 

When you fundraise for us, we will ask you if you would like to receive news and updates from Wales Air Ambulance in future. Your preferences will be recorded so we know if we can or cannot send you news and updates.

 

Grant fundraising: Trusts and Foundations

Purpose and lawful basis for processing

 

Wales Air Ambulance researches grant funding opportunities relevant to us, which may include sourcing the names and contact information (including publicly available information) of Trustees, grant officers, secretaries or other persons actively involved in the Trust or Foundation. This personal data will be used so we can contact you with our enquiries regarding a grant and the application process.

 

We do not undertake wealth screening or profiling of high net worth individuals.

 

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR which allows us to process personal data when this is necessary for our legitimate interests. The legitimate interests we rely upon are our interests in raising money for the charity by facilitating grant funding we may be eligible for.

 

What we need and why and how long is it kept

 

We collect the contact details of the relevant person(s) involved in the Trust or Foundation, so we can contact you about the grant. This includes name(s), email address(es), a postal address and telephone number(s).

 

This information is held either indefinitely if the details remain accurate and we continue to have contact with you about grant opportunities, or for 7 years since the last action.

 

Publicity – Fundraising or patient stories

Purpose and lawful basis for processing

 

An important part of what we do is raising awareness of our charitable activity in the public domain, to generate interest and support for Wales Air Ambulance. This may include stories shared on social media, on our website, in the press or in literature we produce.

 

We are always grateful to supporters who approach us or agree to share their story. If you agree to share your story, we will use the information gathered from you (from web forms, emails, mail, telephone and social media, for example) to generate publicity and raise awareness of our work with your permission.

 

The lawful basis we rely on to process your personal data is Article 6(1)(a) of the GDPR which allows us to process personal data where you have given your consent to the processing. If your story involves providing us with any special category personal data such as health, religious or ethnic information, we will only process that information where you have given your explicit consent.

 

Where the information provided is in relation to a child under the age of 18, we will request the consent of a person with parental responsibility for the child. Parents/guardians and individuals who are 18 or over will be asked to complete a consent form or provide another form of written consent to process the information.

 

If we are already in contact with you regarding a donation, lottery subscription, fundraising or voluntary activity, we may use this information to ask you if you would be interested in sharing your story. Your preferences will be recorded so we know if we can or cannot contact you about publicity opportunities in future.

 

What we need and why and how long is it kept

 

We need your name and contact details to liaise with you regarding your story and details of your activity, or the incident which occurred when you required our assistance, together with information about your experience of the service we provide and any other relevant information.

 

You can withdraw your consent at any time. However, this will not affect the validity of consent previously provided for publications already made.

 

We will keep your personal data until you inform us that you no longer wish us to use the information for publicity purposes, or if the case study has not been actively used for more than 5 years. If your records also relate to donations, lottery subscriptions or voluntary activity we may keep some of your details for longer (see the relevant sections of our privacy notice). An index of the deleted record, a redacted consent form and the original press release are retained indefinitely. The withdrawal process will include asking individuals if they wish for digital testimonials within WAAC’s control to be erased; for example, on our website.

 

Applying for a job or voluntary role

Purpose and lawful basis for processing

 

Our purpose for processing this information is to assess your suitability for a role you have applied for and to help us develop and improve our recruitment process.

 

The lawful basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

 

If you provide us with any information about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this information is article 6(1)(c) to comply with our legal obligations under the Act.

 

The lawful basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnicity information is article 9(2)(b) of the GDPR, which relates to our obligations in employment and the safeguarding of your fundamental rights.

 

We process information about applicant criminal convictions and offences. The lawful basis we rely on to process this data is Article 6(1)(c) to comply with a legal obligation. In addition, we rely on the processing condition under Article 9(2)(b) where the processing is necessary for complying with employment, social security and social protection law and/or Article 9(2)(g) where the processing is necessary for reasons of substantial public interest, namely, preventing or detecting unlawful acts, safeguarding, protecting the public against dishonesty, preventing fraud or suspicion of terrorism or money laundering.

 

What we need and why and how long is it kept

 

We will use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract or a volunteering role with us, or to fulfil legal or regulatory requirements if necessary. We will use your name and contact details to correspond with you as part of the process.

 

If you provide us with any information about reasonable adjustments you require, we will use this information to make any reasonable adjustments required.

 

We will not share any of the information you provide with any third parties for marketing purposes.

 

We will use the contact details you give us to contact you to progress your application. We may also contact you to request your feedback about our recruitment process. We will use the other information you provide to assess your suitability for the role.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process.

To make sure we meet our legal data protection and privacy obligations, we only hold on to your information for as long as we actually need it for the purposes we acquired it in the first place.

In most cases, this means that information gathered as part of the recruitment exercise will usually be retained for up to 6 months after the recruitment exercise has been completed. In the case of a successful applicant, information which is relevant to the ongoing employment or volunteering relationship will be transferred to the employee’s/volunteer’s personnel record and retained in accordance with the periods applicable for employees and volunteers.

 

CCTV and dashcams

Purpose and lawful basis for processing

 

We use Closed-circuit television (CCTV) footage outside or inside our buildings, and dashcams on the vehicles we use for our retail delivery and collection service. The purpose for processing this information is for security and safety reasons and/or insurance or legal purposes.

 

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. Our legitimate interests are to ensure the safety of our property, staff and visitors, and where necessary to support the establishment, exercise or defence of legal claims.

 

 

What we need and why and how long it is kept

 

We process CCTV images and dashcam footage to prevent crime and protect buildings and assets from damage, for the personal safety of staff, visitors and other members of the public.

 

CCTV recordings are usually deleted after approximately 28 days and dashcam footage is overwritten after one day, unless an incident has occurred and the CCTV or dashcam footage is required to be retained for a longer period to assist with the incident.

 

Website

Purpose and lawful basis for processing

 

When you use our website, some personal data will be obtained about you and used in order to maintain and monitor the performance of our website and to enable us to continually improve our website.

 

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. Our legitimate interests are ensuring that our website is up to date, efficient and user friendly.

 

Our website includes hyperlinks to, and details of, third party websites. We have no control over, and are not responsible for, the privacy policies and practices of third parties.

 

What we need and why and how long is it kept

 

We collect technical information about your visit, including the full Uniform Resource Locators (“URL”), clickstream to, through and from our website (including date and time), page response times, download errors, length of visit to certain pages, and methods used to browse away from the page.

 

Some of the information is collected by us each time you use our website through our use of cookies. Further information about the cookies we use and the purposes for which we use them can be found in the Use of Cookies section below.

 

When you send us personal data through the website, for example when joining our lottery, making a donation or ordering goods, your personal data is processed via our website content management system (CMS) and retained for up to 7 years in line with the relevant sections above. Please refer to the relevant area of Section 3 on the personal data we collect, and Section 6 on sharing your information with service providers.

 

Social media

We operate a number of social media platforms including, but not limited to, Facebook, Twitter, YouTube and Instagram. Depending on your settings or the privacy policies for each social media site or messaging service, you might give us permission to access personal data from those services. For example, when you send us a message, tag us in an event photo or make a donation.

 

Although this policy covers how we will use any data collected from these social media sites, it does not cover how the providers of social media websites will use your information. Please ensure you read the privacy policy of social media sites before sharing data and make use of their privacy settings and reporting mechanisms to control how your data is used.

 

Profiling your interests

Purpose and lawful basis for processing

 

Wales Air Ambulance does not use personal data to undertake automated individual decision-making (making decisions solely by automated means without human involvement). We do not use personal data to undertake wealth screening or data matching. We do not buy or sell personal data.

 

In limited circumstances, we may use the personal data of some supporters to undertake a type of profiling (processing of personal data to evaluate certain things about an individual) for direct marketing purposes. For example, we may use the personal data of supporters who have taken part in a running event to send information on a future running event being held, which they may be interested in. We will only send you news and updates if you have provided consent for us to do so.

 

We do not use special category data (such as health, religious or political beliefs, racial or ethnic origin) in profiling. We do not undertake profiling using the personal data of anyone under the age of 18. We do not use publicly available information about you, professional consumer profiling agencies or online databases: we will only record information you have given us directly.

 

The lawful basis we rely on to process your personal data for interests-based profiling is Article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. Our legitimate interests are to raise money for the charity by facilitating fundraising activities through tailored events and communications, which specific supporters have requested updates on. Additionally, interests-based profiling will only be undertaken on records for which we have explicit consent to receive news and updates from us. We rely on the lawful basis of consent for this, which is covered in the direct marketing section 3.16.

 

What we need and why and how long is it kept

 

When you engage in an activity such as fundraising for us, the type of activity is recorded alongside your other personal data (name, contact details and information you share with us about your support for Wales Air Ambulance). We will record if the activity relates to a tailored news topic that we provide, such as upcoming running events, and if we have your consent to receive news and updates from us. Only when the above criteria are met will we consider using your personal data to generate interests-based profiling for tailored news and updates.

 

Fundraising records are kept for up to 7 years from the last action. For more information please see the sections on fundraising and direct marketing within Section 3.

 

Signing up to a newsletter or updates (direct marketing)

Purpose and lawful basis for processing

 

If you sign up to receive newsletters or updates from us, we will ask you to provide your name and contact details in order to send you the newsletters or updates you have requested.

 

The lawful basis we rely on to process your personal data is Article 6(1)(a) of the GDPR which allows us to process personal data where you have given your consent to the processing.

 

What we need and why and how long is it kept

 

Direct marketing preferences are recorded in a ‘granular’ way. This means we keep a record of the methods you have specifically consented to us using to send news and updates (for example, email only).

 

We collect your name, email address and/or postal address and/or telephone number, and your preferences as to how you want to be communicated with, in order to process your request and to send you the newsletters or updates you have requested. We may also keep a record of certain topics you may be interested in, such as running events, and use this information to make decisions about the type of news and updates we send you (please refer to the Profiling section 3.15).

 

We will keep your personal data until you inform us that you no longer wish to receive newsletters or updates from us. If your personal data forms part of a fundraising or donation record, we may keep your personal data for longer but consent to receive news and updates will be removed from the record.

 

Direct marketing suppressions (record of objection)

Purpose and lawful basis for processing

 

You can object to direct marketing from us at any time. When you object to direct marketing, the personal data we receive from you or an agency on your behalf (such as the Fundraising Preference Service or Telephone Preference Service) is called a Suppression Record.

 

The lawful basis we rely on to process your personal data suppression is Article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. Our legitimate interests are ensuring we do not send you marketing communications such as news and updates when you have exercised your right to object to direct marketing.

 

What we need and why and how long is it kept

 

Suppression records are held indefinitely to ensure we do not send you direct marketing communications. We need to hold enough personal data to be able to correctly identify your suppression record. This includes your name, email address and/or postal address and/or telephone number.

 

Visitor, Health and safety and safeguarding records

Purpose and lawful basis for processing

 

Wales Air Ambulance will keep a record of visitors to its premises. Visitors’ names, company name, car registration and date and time of visit are recorded in a visitor’s book.

 

We also keep a record of any accidents or incidents you report to us while on any of our premises. This includes personal data you provide us with when reporting the incident, such as your name, contact details and incident information. This is collected so that we can:

  • Follow Health & Safety reporting procedures including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (‘RIDDOR’),
  • Comply with our legal obligations under the Health and Safety at Work Act 1974, the Management of Health and Safety regulations 1999 and any other relevant Health and Safety Laws,
  • Learn from and improve our health and safety practices (reports are anonymised for Quality purposes),
  • Keep accurate records for the establishment, exercise or defence of legal claims.

 

The lawful basis we rely on to process your personal data is Article 6(1)(c) of the GDPR to comply with a legal obligation.

 

The lawful basis we rely on to process any information you provide which is special category data, such as health, religious or ethnicity information is either Article 9(2)(b) of the GDPR, that the processing is necessary in the field of employment and social security and social protection law, or Article 9(2)(f), which relates to processing for the establishment, exercise or defence of legal claims.

 

Safeguarding means protecting peoples’ health, wellbeing and human rights, and enabling them to live free from harm, abuse and neglect, which includes children, young people and at-risk adults,  from  harm  that  arises  from  coming  into  contact  with  our employees,  volunteers, trustees or other individuals associated with Wales Air Ambulance. It is our responsibility to implement stringent procedures and ensure records and the reporting of safeguarding matters are handled appropriately and in line with the Children Act 1989, the Safeguarding Vulnerable Groups Act 2006 and any other relevant Safeguarding legislation, guidance and policies.

 

The lawful basis we rely on to process your personal data for safeguarding purposes is Article 6(1)(c) of the GDPR to comply with a legal obligation where a legal obligation applies, or otherwise legitimate interests. Our legitimate interests are ensuring the safety of staff, volunteers, visitors and the public we engage with and protecting Wales Air Ambulance’s reputation and interests.

 

The lawful basis we rely on to process any information you provide which is special category data, such as health, religious or ethnicity information is either Article 9(2)(b) of the GDPR, that the processing is necessary in the field of employment and social security and social protection law or Article 9(2)(f), which relates to processing for the establishment, exercise or defence of legal claims.

 

What we need and why and how long is it kept

 

All visitors are required to provide their name, company they work for, person they are visiting and their car registration number. We retain logbooks for up to 4 years.

 

We collect your name, contact details and information relating to the incident or accident, including injuries sustained, so we can comply with reporting procedures. We may also keep records of follow-up enquiries we have with you and notes relating to an investigation as part of the reporting procedure.

 

Records relating to health and safety accidents and incidents are kept for 40 years from the date that the record was made.

 

Records relating to safeguarding incidents are kept for up to 30 years from the date that the record was made.

We collect your name, contact details and information relating to the incident or accident, including injuries sustained, so we can comply with reporting procedures. We may also keep records of follow-up enquiries we have with you and notes relating to an investigation as part of the reporting procedure.

Records relating to health and safety accidents and incidents are kept for 40 years from the date that the record was made.

Records relating to safeguarding incidents are kept for up to 30 years from the date that the record was made.