We will never sell your personal data and will only share it with other organisations when it is strictly necessary and when we are confident that they will look after it to the same high standard.
Who ‘we’ are
For the purposes of this document ‘we’, ‘us’, ‘our’ ‘the Trust’ and ‘Thirlestane Castle’ refers to Thirlestane Castle Trust (Reg. Charity number SCO11491) registered at Thirlestane Castle, Lauder, Scottish Borders, TD2 6RU.
What data we collect
Your personal data (which is any information which identifies you, or which can be identified as relating to you personally for example, your name, address, phone number or email address) will be collected and used by us. We will only collect the personal data that we need.
We collect personal data in connection with specific activities such as making a donation, placing an order, booking holidays or organising a group tour.
You can give us your personal data by filling in a form on our website when you have an enquiry or request to receive our newsletter. You may also give us your personal information by filling in a discount card, gift aid form, comments card, loyalty card or survey. Additionally, you may give us personal details when you contact us by phone.
The personal data you give us may include your name, title, address, telephone number, email address, age, opinions and financial information (such as credit or debit card details and whether donations are gift-aided).
If you are a volunteer we may collect additional information such as details of emergency contacts and previous work experience. This information will be retained for legal reasons and for safeguarding purposes.
How we use this data
We will only use your data on relevant lawful grounds as permitted by the EU General Data Protection Regulation (GDPR)/UK Data Protection Act and Privacy of Electronic Communication Regulation.
Personal data provided to us will be used only for the purposes stated at the time of collection or registration. If asked by the police or other regulatory bodies or government authority investigating suspected illegal activities, we may be required to provide your information.
Your personal data may be used to help us complete your order or answer your request.
If you choose to subscribe to our newsletter we may send you relevant information by email about the castle including information on supporting the charitable trust. You may change your mind at a later date and all communications will give you the option to unsubscribe.
If you make a donation, we will use any personal information you provide to record the nature and amount of your gift, claim gift aid where you have told us you are eligible, and to thank you for your gift.
Charity Commission rules require us to be assured of the provenance of funds and any conditions attached to them. This may involve researching the financial soundness, credibility, reputation and ethical principles of donors who’ve made, or are likely to make, a significant donation to Thirlestane Castle Trust. As part of this process we will carry out research using publicly available information and professional resources. If this applies to you, we’ll remind you about the process when you make your donation.
Shop Purchases, Holiday Bookings or Event Bookings
We process customer data in order to fulfil holiday bookings, event bookings and shop purchases. Your data will be used to communicate with you throughout the process. This may include confirming your order and payment, to confirm dispatch, to clarify further details, and resolve any issues that may arise with your order or booking. We may hold dietary information in relation to event bookings.
You may be asked to participate in a visitor information survey or write in our comments book. This is so we can get feedback on your experience and find out where our visitors come from and how you heard about us. We use this feedback to improve the experiences we offer here at Thirlestane Castle. All the research we conduct is optional and the data is not shared with any other parties.
We may use specific tools to research how customers interact with our website including Google Analytics. This information is aggregated which means we see clusters of information rather than an individual’s data. For example, the proportion of people who visited our website while browsing on a computer in the Scottish Borders. This is collated so we can make sure our website is functioning efficiently.
Recruitment and employment
In order to comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including ‘sensitive’ personal data, from job applicants and employees. Such data can include, but is not limited to, information relating to health and criminal convictions.
Our contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay; leave, maternity pay, pension and emergency contacts. Our statutory responsibilities are those imposed through law on the Trust as an employer. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring. Our management responsibilities are those necessary for the organisational functioning of the Trust. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters, e-mail address and telephone number.
In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee.
We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.
Data about an employee’s criminal convictions will be held as necessary.
In order to carry out our contractual and management responsibilities, we may, from time to time, need to share an employee’s personal data with one or more third party supplier. To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs. In order to fulfil our statutory responsibilities, we’re required to give some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.
Updating the information we hold on you
We want you to remain in control of your personal data at all times. If, for any reason, you want to update us or make any changes to the information we hold please contact us by one of the following methods:
Email us at firstname.lastname@example.org
Call us on (+44) 01578 722430. Open 9am -5pm weekdays.
Write to us at Thirlestane Castle, Lauder, Scottish Borders, TD2 6RU
Accessing your data
At any time you can request to see what personal information we hold for you. Please contact us by any of the methods above and provide information that will confirm your identity. We will then give you a copy of the information we hold in an understandable format together with an explanation of why we hold it and how we use it.
What to do if you are not happy
If for any reason you are not happy about how we collect and handle your personal data, please contact us in the first instance so we can resolve any query. You also have the right to inform the Information Commissions Office (ICO if you have any questions about Data Protection. You can contact them by ringing their helpline on 0303 123 113 or by visiting their website at www.ico.org.uk.
Keeping your information
We will only use and store your information for as long as it is required for the purpose it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory requirements.
How we secure your data
We operate a robust and thorough process for managing and protecting your data to make sure it is protected at all times. By utilizing strong encryption when your information is stored or in transit we minimize the risk of unauthorized access or disclosure; when entering information on our website, you can check this by right clicking on the padlock icon in the address bar. When we no longer need to keep your data we will dispose of it in a secure and responsible manner.
Disclosing and sharing information
When we allow third parties acting on our behalf to access your information, we will always have complete control of what they see, how long they can access it and what they are allowed to do with it. We have also checked that they comply fully with all data legislation. We do not sell or share your personal information for other organisations to use.
Personal data collected and processed by us may be shared with the following groups:
- Land agents Seed and Co of Cothill, Duns, who act on our behalf in relation to estate and employee management;
- Third party cloud hosting and IT infrastructure providers who host the website and provide IT support in respect of the website;
- Holiday letting agents who take accommodation bookings on our behalf
We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or to protect the rights, property, or safety of Thirlestane Castle Trust, supporters and visitors. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
Some areas of Thirlestane Castle are covered by Closed Circuit Television (CCTV) and you may be recorded when you visit. CCTV is used to provide security and protect our visitors. It will only be viewed when necessary (e.g. to detect or prevent crime) and footage is stored for a set period of time after which it is recorded over. We comply with the Information Commissioner’s Office CCTV Code of Practice.
This policy was last updated on 10th May 2018.