Privacy Notice

This Privacy Notice sets out your rights regarding any of your personal data that we may hold, how we may use this information, and the measures we will take to protect it. Hermes Trust is a Data Controller as defined under data privacy legislation.

We will review and amend this privacy statement from time to time. You can find the most up to date version on our website Any terms with a specific definition used in this statement, are highlighted in italics and are explained in the Glossary section.

What is personal data?

Personal data means any information relating to an individual who can be directly or indirectly identified by reference to the information. This applies to both digital and paper-based information included within filing systems, or which is intended to be placed within a filing system. Individuals are referred to as Data Subjects under data privacy legislation. A wide range of information constitutes personal data (see below).

What does processing mean?

The processing of personal data means any interaction with the information including viewing, collecting, sharing, storing, transferring or analysing. This can be by both a Data Controller, or a Data Processor.

Who holds your personal data?

Your personal data will be held by Hermes Trust. You can find information on how to contact us, as well as further information on what Hermes does, on our website. The use of your personal data is covered by Hermes Trust’s registration with the UK Information Commissioner's Office; registration number Z6975055.

Why is your personal data required?

Personal data is required so that we can enter into and maintain a relationship with you in your capacity as beneficiary, benefactor, borrower, lender, guarantor or witness, and so that we can meet any statutory obligations such as those concerned with preventing financial crime. Depending on our relationship, you will need to provide certain personal data which we will hold throughout the relationship and, where required by law, for longer.

The General Data Protection Regulation (GDPR) legislation which applies across Europe only allows the processing of personal data if one or more conditions are met; this is known as alawful basis for processing. There are six lawful bases provided under GDPR, which are included in the Glossary section. Hermes will only process your personal data for the reasons it was provided for, and only where there is a lawful basis for processing allowing this.

What we use your personal data for?

Why do we need to use your personal data and which lawful basis for processing is applicable?

What are our legitimate interests in using your personal data?

To manage our relationship with you

Undertake activity for your and our legitimate interests (legitimate interests)

Fulfilling a contract we have agreed between us (contract)

Keeping our records up to date so that we can efficiently process an application from you, enter into and maintain a relationship with you, or process transactions.

To fight financial crime

We are legally required to complete certain activities (legal obligation)
Undertake activity for your and our legitimate interests (legitimate interests)

Complying with our legal requirements.
Reviewing and improving how we prevent financial crime.

What personal data will Hermes use?

The different types of personal data we might need include:

Category of personal data


Contact information

How to contact you including address(es), telephone number(s), email address(es).

Personal details

Personal information such as your name, date of birth, occupation (current or previous), CV, work or training references.

Photo ID

Copy of passport or driving licence.

National Identification numbers

A number or code given to you by a government authority to identify who you are, such as your National Insurance number.

Financial information

Financial information such as your bank account details, transaction details, transaction history, bank references.

Contractual information

Details about any agreements we have made.

Administrative information

Such as file reference numbers.

Special categories of personal data

GDPR categorises certain sensitive personal information as 'special category' personal data; this includes information about your health, political opinions, or sexual orientation for instance. Hermes will not collect and use these types of data, unless there is a legal obligation to do so.

How will your personal data be obtained?

Hermes collects personal data that you provide when interacting with us, for example when you:

  • Apply for a grant or loan

  • Donate or lend to us

  • Act as surety or witness

  • Talk to us on the phone or in person

  • Send us e-mails or letters

  • Take part in financial reviews or interviews

We may also obtain your personal data from other institutions if there is a lawful basis to do so, in which case you will be notified of how and why we will use them. This could include the following:

  • Financial institutions (e.g. when they notify us of a donation you have made, or supply a bank reference if you are acting as guarantor)

  • Places where you have worked or studied

  • Companies that introduce you to us

  • Credit Reference Agencies

  • Financial advisers or representatives

  • Insurers

  • Public information sources

  • Agents working on our behalf such as solicitors or valuers

  • Medical practitioners

  • Government and law enforcement agencies.


Our web-site does not use cookies of any kind.

Who has access to your personal data?

When you give us personal information, we take steps to ensure that it is treated securely. Hermes has a Trustee body, one administrator and no other staff, so access to physical records is very limited. At times it may be necessary to transmit personal data by post or email, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Our computer system is protected by McAfee Total Protection.

When using our online donation pages, your donation is processed by PayPal whose security includes firewalls and data encryption. Their Privacy Policy can be found at

Links to other websites

Our website may contain links to other websites run by other organisations to which this Privacy Notice does not apply. So we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.

Why might personal data be shared?

We will not sell or rent your information to third parties, not share it with third parties for marketing purposes.

Hermes will only share your data if there is a lawful basis to do so. We will treat all your personal data as private and confidential and in accordance with data privacy legislation (also after any relationship between us has ended). Information we hold about you will not be disclosed to anyone unless:

  • it is in your / our legitimate interests

  • it is necessary to honour a contract we have entered into with you

  • we are legally required to disclose the information

  • we need to disclose the information for the purposes of or in connection with any legal proceedings, or for the purposes of obtaining legal advice, or the disclosure is otherwise necessary for the purposes of establishing, exercising or defending legal rights

  • disclosure is required to protect our legitimate interests, or someone else's legitimate interests (for example, to prevent fraud)

  • the disclosure is made with your consent

With whom might your personal data shared?

For the above reasons, we may need to share your personal data with other organisations. For example:

  • Our bank (e.g. for the purpose of financial transactions)

  • Professionals such as accountants, solicitors or valuers (e.g. to arrange loan security)

  • HMRC (e.g. for the purposes of reclaiming tax under Gift Aid)

  • Credit reference agencies

  • Debt collectors

  • Government authorities who are entitled to request your data

  • Fraud prevention agencies and legal authorities

  • Other lenders who hold a charge over the same security

  • Third parties you ask us to share your data with

Does Hermes share your data outside of the European Economic Area?

If you are a donor supporting one of our beneficiaries outside of the European Economic Area (EEA) we may convey to the beneficiary your name and the amount of the donation unless you have requested anonymity.

If you choose not to provide your personal data

If you choose not to provide us with, or choose to restrict the processing of, the information we need, this may prevent us from entering into a relationship with you or meeting our contractual obligations. This situation could result in the termination of our contract with you.

Marketing communications

From time to time we may wish to feature, in our promotional materials, projects that have benefitted from our grants or loans. This could include the location of your project and the size of a grant or loan. However, we shall not do this without first obtaining your consent.

How long does Hermes keep your personal data for?

As long as there is relationship between you and Hermes we will process your personal data to maintain that relationship. Personal data will be kept for a further six years after the final transaction, in accordance with statutory accounting requirements. We may keep it for longer if we cannot delete it for legal, regulatory or technical reasons. Personal data will be retained with the utmost care and security measures will be applied to ensure your privacy and security are maintained.

What are your rights?

GDPR entitles you to several rights in relation to your personal data.

The right to be informed

Individuals or data subjects as they are referred to under data privacy legislation, have the right to be informed about the collection, use and sharing of their personal data. Organisations must provide individuals with certain information at the time personal data is collected. This Privacy Statement provides you with the information you are entitled to and we are required to give you.

The right to access your data

You have the right to access your data to establish what it is being used for and verify the lawfulness of any processing. Before providing access to your personal data we will ask you to verify your identity to protect you from identity theft and financial crime. We may also need to ask you some questions to ensure we have understood your request correctly. If you wish to access your personal data, please contact us.

The right to rectification (correcting mistakes and inaccuracies)

It is important that any personal data we use is accurate, up to date, and relevant. To ensure that your data is correct you have the right to access, correct and/or update your personal data at any time. If you think your data is incorrect or incomplete and you wish to correct your data or privacy settings, please contact us.

The right to erasure (the deletion of your personal data)

You have right to request that we delete your personal data if:

a) your personal data is no longer needed in relation to the purposes for which was collected
b) you withdraw your consent and there are no other legal bases to process your personal data
c) you object to us processing your personal data for direct marketing purposes
d) you object to us processing your personal data for the legitimate interests of Hermes
e) you feel that your personal data is not being processed lawfully
f) your personal data needs to be deleted to comply with legal requirements.

The right to restrict processing

You have the right to request the restriction of the processing of your personal data for a limited period and under certain circumstances. For example, this could apply if you feel that your personal data held by Hermes is inaccurate, has not been processed lawfully, or is no longer needed for the purposes it was originally collected for. Hermes has the right to store your personal data while your query is investigated.

The right to data portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format.

The right to object to processing

You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, and processing for historical research and statistical purposes. If you decide to exercise this right, please contact us and we will consider your request; Hermes is legally allowed to continue to process your data if one of the following can be demonstrated:

a) compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
b) processing is required for the establishment, exercise or defence of legal claims.

Rights related to automated decision making, including profiling

Hermes does not undertake any processing which includes decisions made by solely automated means, including profiling.

How to Complain

Please contact us in the first instance if you have any concerns with how we have processed your personal data. Details on how to do this are included in our website. You also have the right to lodge a complaint directly with the ICO; please visit their website ( for further details on how to do this.





A message given to an Internet Browser by a Server, which is stored in a text file; the message is then sent back to the Server each time the Browser requests a webpage to be opened.
Cookies are used to identify users of webpages and to customise content where applicable.

Data controller

An individual or organisation which determines why personal data needs to be processed, and the manner it is processed in.

Data Privacy Officer

A position within an organisation responsible for ensuring that personal data is processed in accordance with UK data privacy requirements.

Data Processor

An individual or organisation which processes personal data on behalf of a data controller, in accordance with instructions from the data controller.

Data Subject

An individual who can be identified from the personal data i.e. the person the data is about.

European Economic Area (EEA)

The European area which provides for the free movement of persons, goods, services and capital; it is made up of EU members plus other countries within Europe which have agreements in place with the EU.

Financial Conduct Authority

A UK regulatory body operating independently of the UK Government, which oversees the regulation of conduct by financial services firms operating in the UK.

GDPR - General Data Protection Regulation

The legal framework that sets the guidelines and requirements for the collection, processing and storage of personal data of identifiable individuals within the European Union (EU). The GDPR legislation was adopted in April 2016 and comes into force across the EU on 25 May 2018.

Information Commissioner's Office (ICO)

The independent UK authority set up to uphold data privacy rights in the public interest. Their details can be found on their web-site

Lawful basis for processing

One of six allowable lawful bases for processing must be satisfied for Hermes to process your personal data. The six lawful bases are:

  1. Consent - the individual has given clear consent

  2. Contract - processing is necessary for a contract to be provided

  3. Legal obligation - processing is necessary to comply with the law

  4. Protect life - processing is necessary to protect someone's life

  5. Public interest - processing is necessary to perform a task in the public interest

  6. Legitimate interest - processing is necessary for Hermes' legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual's data which overrides these legitimate interests.

Legitimate interests

The business reason for Hermes to use your information. It must not conflict unfairly with your rights and interests. GDPR specifically mentions several examples of legitimate interests such as the prevention of fraud, marketing customers could reasonably expect to receive, or IT security for instance.

Personal Data

Any information relating to an identified or identifiable natural person (an individual).

Special Categories of Personal Data

Personal data which relates to particular characteristics including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or medical information, sexual life or orientation.
Additional protection is required for personal data falling into this category, and both a general and specific lawful basis for processing are required. This means that one of the six general GDPR lawful bases for processing is needed, as well as one of the following which relate specifically to special categories of personal data:

  1. explicit consent

  2. processing is necessary for meeting obligations under employment, social security and social protection law

  3. processing is necessary to protect the vital interests of someone who is unable to provide consent

  4. processing is carried out during legitimate activity by a Foundation, Association or other not-for-profit body with a political, philosophical, religious, or trade union-based aim and processing relates to current or former members of that organisation, and that personal data is not disclosed outside of that organisation

  5. processing relates to personal data which has been disclosed by the individual

  6. processing is necessary in connection with legal claims

  7. processing is necessary for substantial public interest

  8. processing is necessary for preventative or occupational health

  9. processing is necessary for public interest in the area of public health

  10. processing is necessary for archiving purposes in the public interest such as scientific, historic or statistical research