Privacy Notice
Introduction
Scotland’s Charity Air Ambulance (also referred to as ‘the charity’, ‘we’, ‘our’ or ‘us’) is the Data Controller over any personal data we process about you for the purposes set out in this Privacy Notice (see below). This notice outlines what personal data the charity collects and processes about you in various situations, which we have explained below. This notice does not cover personal data we process about our staff, workers, or volunteers.
The categories of data subjects whose personal data is covered by this privacy notice include; patients and victims of accidents, patients’ next of kin, supporters, donors, third-party healthcare employees, employees of public authorities, employees of corporate partners, individuals who make enquiries or purchases of our products or services, such as through our life saving lottery, via our website or over the phone or email.
Please read through the privacy notice to understand how the charity uses and processes your personal data. If you have any concerns about our processing of your personal data or you have a general enquiry in relation to data protection please contact our Data Protection Officer at dpo@scaa.org.uk
What is personal data?
Personal Data: means any information relating to an identified or identifiable living person (‘data subject’); an identifiable living person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Category of Data: means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
When we use the term ‘personal data’ we mean both personal data and special category of data.
Our Processing
Personal Data is collected in several different ways dependent on your interaction with the charity. The table below sets out what personal data we process about you, where we get it from, why we use it, our legal basis and who we share it with. Otherwise we will only share your personal data:
- where we are required to share your personal data in accordance with law e.g. such as to assist with investigations carried out by the police, other authorities or any regulatory requirement to which the charity is subject;
- where we use third parties to undertake certain services on our behalf and in doing so they require to process personal data in order to do this. If so, we will ensure that adequate arrangements are in place to protect your personal data. These third parties include: our professional advisors, our DPO, our website host provider, cloud storage suppliers, CRM suppliers, marketing platforms (including parties used for sending email marketing communications), lottery agents, IT infrastructure suppliers, payroll provider, donation site, payment bureau provider, postal mailing housing, fundraising management sites;
- where we have your consent.
| Purpose | Personal Data | Where do we get it from? | Legal basis | Will we share it other than set out above? |
To enable SCAA to process donations from you. | Name, email address, postal address, telephone number, bank details, transaction description and payment amount. | From you | Legitimate Interest to process donations for the benefit of the charity. | Donations will be operated by two separate payment providers including:
|
| To process and deliver your order from our online shop (operated by Shopify at shop.scaa.org.uk) | Name, email address, postal address (including billing address and shipping address), phone number, bank details, any information you provide to us, any username and password you create, answers to security questions and any information you provide to us. | From you | Performance of a contract with you | Yes with Sage pay, Rapidata and Shopify |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy notice (b) Asking you to leave a review or take a survey | Name, email address, postal address, phone number, any information you provide to us. | From you | Performance of a contract with you Necessary to comply with a legal obligation Necessary for our legitimate interests (to keep our records updated and to study how customers/supporters use our products/services) | Yes with telemarketing company or other agency |
| To respond to enquiries (online and otherwise) or indications of wishes to support the charity. | Name, Email address, any information you provide to us. | When you submit an enquiry on our website, use our online forms, email, text, telephone, post or when we meet you face to face. We may also receive personal data from independent event organisers e.g. the Edinburgh Marathon and fundraising sites (e.g. Just Giving) where you have given them this information and indicated you would like to support our charity. | Legitimate Interest – it is in our legitimate interest to respond to enquiries, requests and information within feedback forms so that we can engage with individuals to the benefit of the charity. | No |
| To enable SCAA to provide you with our direct marketing communications by email or text. | Name, email and telephone number | From you | Consent | No |
| To enable SCAA to provide you with our direct marketing communications by telephone or post. | Name, telephone number and address. | From you | Legitimate interest, which is to promote our charitable objectives and to increase fundraising. | No |
| To enable third party partners to provide you with direct marketing about SCAA in electronic communication form such as targeted online (including on social media platforms) or TV marketing. | Name, address, email address. | From you | Consent | Third-party marketing and media (including social media) platforms (such third parties may use third parties to verify your identity). |
| Processing gift aid | Name, postal address, email address, telephone number, bank details, the fact you are a UK tax payer, the reason for your donation and whether it is in memory of another person. | From you | Legitimate Interest to process donations for the benefit of the charity. Legal obligation to process direct debit under direct debit agreement. | HMRC for purposes of Gift Aid. Payment bureau provider administering the payment. |
| Organise and manage the life-saving lottery operated by SCAA including the distribution of prizes and publicising of winners. | Name, postal address, email address, date of birth. | Third-party lottery organiser. | Legitimate interest to generate income for the benefit of the charity. | Third-party lottery provider called Tower Lotteries. Payment bureau provider administering the payment (Access PaySuite). |
| Case studies | Name, email, phone number details of the call out. | From you or third parties involved in a call out. | Consent | With the public (i.e. for news articles, fundraising campaigns, social media posts). |
| Will writing service | Name, postal address, email address, telephone number, data relating to your enquiry. | From you | Consent | Watermans Legal Ltd. |
| Managing relationships with our corporate partners. | Name and contact details of our point of contact at the corporate partner. | From you | Our legitimate interest of managing our relationship with our corporate partners. | No. |
| Cookies | Data about your use of our website. | From you | Legitimate interest to understand use of our website in order to maximise its usability. Consent for non-essential cookies. Please visit our Cookie Notice for further information. For specific information about the cookies which are in use on our online shop, operated by Shopify, see https://www.shopify.com/legal/cookies. | Google Analytics, Facebook Pixel, Hotjar, Shopify |
| To record who visits our premises. | Name, contact details, date and time of visit, vehicle registration number | From you | Our legitimate interest of documenting visitors to our site for security and fire safety purposes. | No. |
Will we share your Personal Data outside of the UK?
Some of our service providers process personal data we give them outside of the UK. Where this happens and the recipient country is not deemed adequate by the UK Government, then we will put in place additional measures to protect your personal data by using specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Retention
SCAA shall keep your personal data for as long as is necessary and in accordance with our Data Retention Archiving, and Erasure Policy. In short, we retain general correspondence and emails for 1 year from receipt; inactive donor records for 3 years, after which we will archive your record; active donor records for as long as required until 2 years inactive, after which we will archive your record; financial records for up to 6 years.
Your rights
You have certain rights under data protection law, which are summarised below. You can exercise these by contacting our DPO on dpo@scaa.org.uk:
- you can withdraw your consent (including for marketing) at any time, at which point we shall stop processing your personal data in that way. Please note this does not affect the legality of our processing up to the date of your withdrawal of consent.
- you can seek to restrict our processing of your personal data, ask us to rectify any personal data we hold about you or object to us processing your personal data for the purposes stated above.
- you have the right to access personal data held by us about you.
- in certain circumstances you have the right to ask us to provide you with your personal data in a structured, commonly used and machine-readable format to allow you (or us on your behalf) to transmit this information to another party.
- in certain circumstances you have the right to ask us to erase the personal data we hold about you. We will consider any such request in line with UK GDPR. Please note this is not an absolute right and there may be circumstances where we choose not to delete all of the personal data we hold about you.
- you have the right to lodge a complaint with the Information Commissioners Office (ICO) if you think that we have infringed your rights. You can find more information about reporting a matter to the ICO at the following link: https://ico.org.uk/
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Website
The SCAA website www.scaa.org.uk may contain links to other websites. Please note that SCAA has no control of websites outside our domain. The charity is not responsible for the protection and privacy of any sensitive information provided to a website linked to scaa.org.uk
Changes
We reserve the right to amend this privacy notice from time to time.
Last Updated: November 2024