Privacy notice - information that we need to tell everyone
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
You are not normally required to pay any charge for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive; alternatively, we may refuse to comply with your request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We have one month to respond to you under normal circumstances, though this may be extended if your request is particularly complex.
- Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can find out more about this right on the ICO website.
- Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can find out more about this right on the ICO website.
- Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances. You can find out more about this right on the ICO website.
- Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can find out more about this right on the ICO website.
- Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can find out more about this right on the ICO website.
- Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent, or under (or in talks about entering into) a contract, and the processing is automated. You can find out more about this right on the ICO website.
- Your right to complain
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
How long we will use your personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
This may include retaining data after you have made an opt-out or similar request to ensure that you are not subsequently sent information by mistake and to protect against, for example, malicious attempts to add you to lists you do not wish to be a member of.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of how long your data will be retained are set out in the relevant EEF privacy notices.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
This website includes links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for how they use your personal information. When you leave our website, we encourage you to read the privacy notice of every website you visit.
We use Microsoft Office as a third party to process your data in all our work. Please refer to its privacy notice, available here, for further details.
The EEF website, including all data provided by users through it, is managed by a third party, Percipio. Please refer to its privacy notice, available here, for further details.
Data processors specific to how you have engaged with the EEF are detailed in the relevant privacy notices.
This website is not intended for children and we do not knowingly collect data relating to children.
Data protection and GDPR issues are overseen by a Data Protection working group which meets regularly to monitor ongoing compliance, review risks, and address new data protection issues. The group is headed by the Head of Finance and Operations and supported by colleagues from relevant EEF teams. The working group reports into the EEF’s Finance and Fundraising Committee, with issues escalated to the Board of Trustees when needed.
Data Protection Officer (DPO)
The EEF's Data Protection working group has assessed the necessity of appointing a Data Protection Officer (DPO). The group has concluded that, for the time being, such a role is not necessary for the EEF. This decision will be reviewed bi-annually, to take account of any change in core activities. The reasons for this decision are documented here.
All EEF staff have undergone training in data protection and the implications of GDPR. Colleagues with particular responsibilities for data protection have undergone further training. The Data Protection working group continues to review the training needs of the team to ensure the EEF’s approach remains up-to-date.
Changes to this privacy notice
This version was last updated on 30 January 2020; historic versions can be obtained by contacting us.