By visiting our website, or responding to social media posts, you are accepting and consenting to the practices described in this notice, so please read it carefully. Any changes we make to this privacy notice will be posted on this page, so remember to check back again if you are a regular user.
This website is owned and operated by C-Change Scotland, who is also the Data Controller.
C-Change is a registered charity (registered in Scotland No. SC035124). We are also a company limited by guarantee (registered in Scotland No. SC262558).
The registered office is:
Changes to the privacy notice and your duty to inform us of changes
This privacy notice was last updated on December 1st, 2020.
It’s important that the personal data that we hold about you is accurate and up to date. Please keep us informed if your personal data changes during the duration of your relationship with us.
We may update this privacy notice from time to time. If we make significant changes we will contact you to confirm that changes have been made.
This section explains what information C-Change collects, keeps and stores about you and/or your family if you receive one of our services or you work with us.
What information do we collect?
We will collect, store and use the following categories of personal information about you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Location of employment or workplace.
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
- Employment records (including job titles, work history, working hours, training records and professional memberships).
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
- Information about your health, including any medical condition, health and sickness records.
- Information about criminal convictions and offences.
Why do we collect your information?
Under the General Data Protection Regulation (GDPR), and the UK’s Data Protection Bill, we must have a legal reason to keep your data and process it. When C-Change provides you with a service, we will process your data on the basis of legitimate interest or public task. We do this because we cannot provide a service to you without using your personal information.
Who do we share your information with?
We share your data within C-Change with people who need to see it in order to provide you with a service. We may also share it with the organisation that pays for your service or with external agencies that inspect our work. We may be required to share your data with other agencies for legal reasons but this is usually very rare.
Those situations might be:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest [or for official purposes].
There may be occasions when we will ask you for consent to use your data, for example to help us inform the public about our work. If this is the case, we will explain to you exactly what your data will be used for. You can withdraw your consent at any time, and wherever possible, any of your data that has been used for publicity purposes will be deleted.
Who is responsible for your data?
The Data Controller is responsible for your data.
How long do we keep your data?
C-Change will keep your data for a specified period of time once we have finished working with you. Depending on the nature of the service and our legal obligations this will be a minimum of 6 years but can extend to 100 years for certain types of work.
How can you access your data? (subject access requests)
You may request a copy of the information that C-Change holds about you. Requests should be made in writing to:
The Data Controller
2b. People who support us/volunteers
How do we collect your personal information?
We obtain personal information from you when you enquire about our activities, become a service user, send or receive an email, make a donation to us, support a campaign, or ask a question about our services. Sometimes we may obtain your personal information from third-party data suppliers, but only if they provide the appropriate evidence that you have agreed for your personal information to be shared with other organisations.
We also gather general information about the use of our website and social media channels such as pages visited and areas that are of most interest to users. We use this information to improve our communication and make it a better experience for everyone.
What information do we collect?
The personal information we collect may include name, address, email address, telephone numbers, date of birth, gender and campaign experience (for contacting you in support of our campaigns). Data protection law recognises that certain categories of personal information are more sensitive. These are known as special categories of data and cover health information, race, religious beliefs and political opinions. We do not usually collect special categories of data about our supporters unless there is a clear reason for doing so, such as participation in a run or walk or similar fundraising event or where we need to ensure we provide the appropriate facilities or support to enable you to participate in an event.
How do we use your data?
We may use your personal information for:
- dealing with our enquiries, requests and complaints
- providing you with information about our work activities events and services
- complying with our legal obligations, policies and procedures.
- providing and personalising our services
- conducting market research
How we communicate with you
Being able to communicate with you is important, as your support and interest will help us transform the lives of the people we work for.
We believe in being open, honest and transparent and want you to feel comfortable about your decision to give us your personal information and how we use it.
We will use the details you provide to us to communicate with you about how we are helping people live their best lives.
We would also like to tell you about ways you can help in the future, whether that’s through volunteering, events or other activities we organise.
We promise that we will only communicate with you in the way you wish us to and we will always respect your privacy.
We will take appropriate measures to keep your personal information safe and secure and we promise not to contact you more than necessary. We will also never pass your personal information on to other organisations for them to use for their own marketing purposes.
In certain instances, C-Change collects and uses your personal information by relying on the ‘legitimate interest’ legal basis. This is because when you, for example, request to receive information from us, we have a legitimate organisational interest to use your personal information to respond to you and there is no overriding prejudice to you by using your personal information for this purpose.
We will always provide you with the option to opt out of hearing from us. In most instances, however, we will rely on obtaining your consent to use your personal information. For example, where we seek to obtain your consent to receive email marketing from C-Change.
We will only communicate with you in the way you have told us to.
If you have actively provided your consent to us along with your email address and/or mobile phone number, we may contact you for marketing purposes by email or text message. By subscribing to emails from C-Change or opting in to email communication from C-Change you grant us the right to use the email address for email marketing.
If you have provided us with your postal address or telephone number, we may send you direct mail or telephone you about our work unless you have told us that you would prefer not to receive such information.
It’s your decision
It is always your decision as to whether you want to receive information about our work and the ways you can get involved.
You may opt out of our marketing communications at any time by clicking the ‘unsubscribe’ link at the end of our marketing emails.
You can also change any of your contact preferences at any time, including telling us that you don’t want us to contact you by calling 0141 427 2946.
Our website may contain links to other websites that are outside our control and are not covered by this privacy notice. If you access other sites using the links provided, the operators of these sites may collect information from you that will be used by them in accordance with their privacy notice which may differ from ours.
2c. Visitors to our website
C-Change sometimes sends small data files, called cookies, from our website to your computer mobile phone or other device. These cookies are then stored on the hard drive of your device. Some of these cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. The data collected is not shared with any third party. The information we get through the use of these cookies is anonymous and we make no attempt to identify you or influence your experience of the site while you are visiting it. If you do not allow these cookies, we will not be able to include your anonymous visit in our statistics.
What are your choices regarding cookies
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
Where can you find more information about cookies
You can learn more about cookies and the following third-party website: http://www.allaboutcookies.org/
These cookies help C-Change to analyse how users use the site.
Here is a more complete explanation of Google Analytics.
Google Remarketing (interest-based advertising)
This cookie identifies the sites you visit subsequent to visiting our website and allows better and more relevant ads to be displayed to you. You can learn more about and control 3rd party remarketing on youronlinechoices.com.
Facebook Tracking Pixel
YouTube video, Vimeo video, Facebook buttons, Flickr photos
These cookies enable you to use functions embedded in our site (e.g., playing a YouTube video clip).
You can control and/or delete cookies as you wish or delete cookies installed by the site - for more details, see www.allaboutcookies.org.
You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. To do so you should modify your browser settings, click on the help section of your Internet browser and follow the instructions.
However, if you do this, you may have to manually adjust some preferences every time you visit the site and some services and functionalities may not work.
During your visits to our site you may notice some cookies that are not related to C-Change. You should check the third party websites for more information about these.
2d. Job applicants – paid, volunteer and trustee roles
As part of any recruitment process, C-Change collects and processes personal data relating to job applicants. If you apply for a role with C-Change, we will only use the information you supply to us to process your application and to monitor recruitment statistics.
What information do we collect?
We will collect a range of information about you, including:
- your name, address and contact details, including email address and telephone number
- details of your qualifications, skills, experience and employment history
information about your current salary
- whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process
- information about your entitlement to work in the UK
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief - we will only collect this sensitive information with your explicit consent, which can be withdrawn at any time
How do we collect your personal data?
We collect it in a variety of ways. For example, you may have filled in an application form, or submitted a CV or resumé, you may have provided your passport details or other identification documents, or we may have collected it through interviews or other forms of assessment, like online tests.
We may also collect information about you from third parties, such as references supplied by former employers. C-Change will only seek information about you from third parties once we’ve made you an offer. In all cases the application process will make clear at what point we will be contacting third parties.
Where will we keep your data?
Your personal information will be stored, securely, in several places: on your application record, in our recruitment and selection system, our management systems and on other IT systems.
Why do we need your personal data?
We need to process your data in order to enter into a working agreement with you. In some cases we need to process your data to ensure we are complying with our legal obligations, e.g. checking an individual’s right to work in the UK
We have a legitimate interest in processing your personal data during the recruitment process and for keeping records of the process. It allows us to manage that process, assess and confirm your suitability for the role and decide who to offer a role to. We may also need to process data from job applicants to respond to, and defend against, legal claims. Where we are relying on legitimate interest as a reason for processing data, we have considered whether or not those interests override the rights and freedoms of the applicant and have concluded that they do not.
We process health information if we need to make a reasonable adjustment to the recruitment process for the candidates who have a disability or other conditions that require consideration. This is to carry out our obligations and exercise specific rights in relation to employment.
For some roles C-Change is obliged to seek information about criminal convictions and offences. This is necessary to carry out our obligations and exercise specific rights in relation to employment.
C-Change will not use your personal information for any purpose other than the recruitment exercise for which you have applied.
How long will we keep your data?
Personal information about unsuccessful candidates will be held for one year after the recruitment exercise has been completed; it will then be destroyed. Interview notes for all unsuccessful applicants are destroyed after six months. We retain depersonalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
If your application is successful, personal data gathered during the recruitment process will be transferred to your personnel file and will be retained in accordance with our retention policy.
Who has access to your data?
Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR (people) and recruitment team, interviewers involved in the recruitment process, managers in the organisation area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
As part of the recruitment process we may need to share your data with third parties in order to conduct any necessary background checks and vetting processes, such as contacting previous employers/referees to obtain a reference; and/or the Disclosure and Barring Service to conduct criminal record checks. As part of the recruitment process, we will make clear to you which checks will be required and at what stage of the process.
What if you don’t provide personal data?
You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide C-Change with the information, we may not be able to process your application properly, or at all.
You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.
2e. Our current and former employees, volunteers and trustees
C-Change collects and processes personal data relating to its staff and volunteers in order to manage the work relationship with you.
What information do we collect?
C-Change collects and processes a range of information about you that is appropriate to the role you perform with us.
This will vary depending on whether you are an employed member of staff, volunteer or agency worker or consultant and may include:
- your name, address and contact details, including email address and telephone number, date of birth and gender
- your image
- the terms and conditions relating to the work you are doing for C-Change
- details of your qualifications, skills, experience and employment history, including start and end dates with previous employers and with us
information about your salary
- details of your bank account and national insurance number
information about your marital status, next of kin, dependents and emergency contacts
- information about your nationality and entitlement to work in the UK
information about your criminal record
- details of your schedule (days of work and working hours) and attendance at work
- details of periods of leave taken by you, including holiday, sickness absence, family leave and extended leave, and the reasons for the leave
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
How do we collect your personal data?
We collect your information in a variety of ways. For example, you may have filled in an application form, or submitted a CV or resume; you may have provided your passport details or other identity documents; from forms completed by you at the start or during your work with us; from correspondence with you; or through interviews, meetings or other assessments.
We may also collect information about you from third parties, such as recruitment agencies, references supplied by former employers, and information from criminal records checks as permitted by law.
Where will we keep your data?
Your personal information will be stored, securely, in several places: in your personnel file (hard copy and electronic staff file), in our HR management systems and in other IS systems.
Why do we need your personal data?
C-Change needs to process your data to enter into a working relationship with you and to meet our contractual obligations under any agreement with you. For example, if you are an employee we need to process your data to provide you with an employment contract, to pay you in accordance with that contract and to administer any benefits.
In some cases, C-Change needs to process data to ensure that we are complying with our legal obligations. For example, it is required to check a worker’s right to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain positions, it’s necessary to carry out criminal records checks to ensure that individuals are permitted to carry out the role in question.
In other cases, C-Change has a legitimate interest in processing personal data before, during and after the end of the working relationship.
Processing staff data allows the organisation to:
- run recruitment and talent management processes
- maintain accurate and up-to-date staff records and contact details (including details of who to contact in the event of an emergency), and records of contractual and statutory rights
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- operate and keep a record of employee performance and related processes and workforce management processes
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay and other benefits to which they are entitled
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that workers are receiving the sick pay or other benefits to which they are entitled
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave) to allow effective workforce management, to ensure that C-Change complies with duties in relation to leave entitlement, and to ensure that workers are receiving pay or other benefits to which they are entitled
- ensure effective general HR and business administration
- provide references on request for current or former employees
- respond to and defend against legal claims
- comply with our statutory and regulatory obligations
- maintain and promote equality, diversity and inclusion in the workplace
Where C-Change is relying on legitimate interest as a reason for processing employee data, we have considered whether, by collecting the data, the charity is overriding the rights and freedoms of our employees and workers and has concluded that we are not.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes).
Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring.
Who has access to the data?
Your information will be shared internally, including with members of the people team (including payroll), the finance team, your line manager, managers in the business area in which you work and any other members of staff for whom access to the data is necessary for the performance of their roles.
C-Change shares your data with third parties in order to obtain pre-employment references from other employers and, if applicable to your role, to obtain necessary criminal records checks from Disclosure Scotland.
How long will we keep your data?
C-Change will hold your personal data for the duration of your working relationship with us. After the end of your working relationship with us, due to the nature of the work that C-Change carries out, and in order to meet our safeguarding commitments, we may hold some of your data until your 75th birthday depending on your role.
C-Change will never sell your personal data. However, we may share your information with third parties in order to provide services to you. Your data may be accessible to some of the IT support companies who manage our business critical systems, however, this is only for the purposes of supporting our IT systems and is strictly governed by our contractual arrangements with them.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
We can share your personal information with:
- our ‘customer’ relationship management systems
- archive and storage systems
- commissioners, printers, fulfilment houses, photographers, videographers, creative designers, creative agencies, and online survey providers
- benefits providers and criminal records check processors
- analytics and search engine providers that assist us in the improvement and optimisation of our site
- for employees, payroll agencies, HMRC, pension, insurance companies.and statutory bodies, where regulated to do so by law
- we will keep your personal information confidential, and where we provide it to other third parties we will only do so under contract, on conditions of confidentiality and security, and only for the purposes for which you have provided your information to us
We take the security of your personal information very seriously. We have internal policies, controls and appropriate data collection, storage and processing practices and security measures in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
We work hard to make sure that our security procedures do the job they are designed to do and any communications between you and our website are protected by encryption (this means that communications are turned into codes that only C-Change’s website can understand, which stops unauthorised people seeing them). We work closely with industry-leading technical partners to make sure that all your personal information, including payment data, is safe and secure.
However, we cannot guarantee the security of data that you transmit to our websites and therefore any transmission to us is at your own risk.
Please be aware that any personal information you choose to post on the public areas of our website or social media channels can be read, collected, or used by other users and could be used to send you unsolicited messages. We are not responsible for the personal information you choose to make public. In addition, we are not responsible for the content you publicly post on the site that can be found via web-based search engines.
The information that we collect from you may be transferred to, and stored in, a location outside of the United Kingdom, but only where we are satisfied that it has an adequate level of protection. It may also be processed by staff operating in these locations who work for our service providers. This includes staff engaged in, among other things, the hosting of the site and the provision of support services. By submitting your personal information, you agree to this transfer, storing or processing. C-Change will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this privacy notice.
Under the General Data Protection Regulation (GDPR), you have the following rights:
- the right to be informed
- the right to access your personal information
- the right to edit and update your personal information
- the right to request to have your personal information deleted
- the right to restrict processing of your personal information
- the right to data portability
- the right to object - including automated decision making and profiling
- the right to lodge a complaint with a supervisory authority
If you wish to exercise your rights, please contact us, providing as much information as possible about the nature of your contact with us to help us locate your records. Any changes you have requested may take 30 days before they take effect.
6a. The right to be informed.
You have the right to be informed about the data we hold and share about you.
6b. The right to access your personal information
You have a right to access your personal data. By making a subject access request to C-Change you can find out what personal data we hold about you, why we hold it and who we disclose it to. You must make a subject access request in writing, and include proof of your identity.
Our address is:
Once we have received your request, and verified your identity, we will respond within 30 days.
6c. The right to edit and update your personal information
The accuracy of your personal information is important to us. You can ask us to edit your personal information including your address and contact details at any time.
6d. The right to request to have your personal information deleted
You have the right to request the deletion of your personal information which we will review on a case-by-case basis.
6e. The right to restrict processing of your personal information
You have the right to ‘block’ or suppress processing of your personal data. However, we will continue to store your data but not further process it. We do this by retaining just enough of your personal information so we can ensure that the restriction is respected in the future. Please note, this is not an absolute right and only applies in certain circumstances.
6f. The right to data portability
You have the right to get your personal data from us in a way that is accessible and machine readable,
for example as a csv file. You also have the right to ask us to transfer data you have provided us with to another organisation where technically feasible.
6g. The right to object - including automated decision making and profiling
You have the right to object to your personal information being processed for marketing (including profiling) and for research purposes. From the very first communication from us and every marketing communication we send after you will have the right to object to marketing.
You can exercise this right by contacting us on the address below:
6h. Your right to lodge a complaint with a supervisory authority
If you wish to lodge a complaint or seek advice from a supervisory authority please contact:
The Information Commissioner’s Office – Scotland
Queen Elizabeth House
Telephone: 0303 123 1115
Anonymization is the process of either encrypting or removing personally identifiable information from data sets, so that the people who the data describe remain unknown or anonymous.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.
The Data Controller is the person or persons that is responsible for your personal data. They are required to keep it secure, make decisions about what happens to your data and are accountable if it’s lost or not kept confidential.
The Data Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Encryption is the method by which plain text or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key. Encryption is one of the most important methods for providing data security, especially for end-to-end protection of data transmitted across networks.
General Data Protection Regulation (GDPR) is the 2018 legal framework that sets guidelines for the collection and processing of personal information of individuals in the European Union (EU).
Legitimate business interests legal basis means the interests of our company in conducting and managing our business to enable us to give you the best service/products and the best and most secure experience. For example, we have an interest in making sure our marketing is relevant to you, so we may process your information to send you marketing that is tailored to your interests. When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s economic situation, personal preferences, interests and location.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to the data subject without the use of additional information. The additional information must be kept separately.
Public task legal basis means we can rely on this lawful basis as we need to process personal data ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or to perform a specific task in the public interest that is set out in law.
Special category data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Subject access request is your right to get a copy of the information that is held about you.
Suppression list is a list that contains mailing or email addresses that you want to permanently exclude from future mailings or emails we send.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, are authorised to process personal data.