This Privacy Notice sets out your rights regarding any of your personal data that we may hold, how we may use this information, and the measures we will take to protect it. Hermes Trust is a Data Controller as defined under data privacy legislation.
We will review and amend this privacy statement from time to time. You can find the most up to date version on our website http://www.hermes-trust.org.uk/. Any terms with a specific definition used in this statement, are highlighted in italics and are explained in the Glossary section.
What is personal data?
Personal data means any information relating to an individual who can be directly or indirectly identified by reference to the information. This applies to both digital and paper-based information included within filing systems, or which is intended to be placed within a filing system. Individuals are referred to as Data Subjects under data privacy legislation. A wide range of information constitutes personal data (see below).
What does processing mean?
The processing of personal data means any interaction with the information including viewing, collecting, sharing, storing, transferring or analysing. This can be by both a Data Controller, or a Data Processor.
Who holds your personal data?
Your personal data will be held by Hermes Trust. You can find information on how to contact us, as well as further information on what Hermes does, on our website. The use of your personal data is covered by Hermes Trust’s registration with the UK Information Commissioner's Office; registration number Z6975055.
Why is your personal data required?
Personal data is required so that we can enter into and maintain a relationship with you in your capacity as beneficiary, benefactor, borrower, lender, guarantor or witness, and so that we can meet any statutory obligations such as those concerned with preventing financial crime. Depending on our relationship, you will need to provide certain personal data which we will hold throughout the relationship and, where required by law, for longer.
The General Data Protection Regulation (GDPR) legislation which applies across Europe only allows the processing of personal data if one or more conditions are met; this is known as alawful basis for processing. There are six lawful bases provided under GDPR, which are included in the Glossary section. Hermes will only process your personal data for the reasons it was provided for, and only where there is a lawful basis for processing allowing this.
What personal data will Hermes use?
The different types of personal data we might need include:
How will your personal data be obtained?
Hermes collects personal data that you provide when interacting with us, for example when you:
We may also obtain your personal data from other institutions if there is a lawful basis to do so, in which case you will be notified of how and why we will use them. This could include the following:
Who has access to your personal data?
When you give us personal information, we take steps to ensure that it is treated securely. Hermes has a Trustee body, one administrator and no other staff, so access to physical records is very limited. At times it may be necessary to transmit personal data by post or email, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Our computer system is protected by McAfee Total Protection.
Links to other websites
Our website may contain links to other websites run by other organisations to which this Privacy Notice does not apply. So we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
Why might personal data be shared?
We will not sell or rent your information to third parties, not share it with third parties for marketing purposes.
Hermes will only share your data if there is a lawful basis to do so. We will treat all your personal data as private and confidential and in accordance with data privacy legislation (also after any relationship between us has ended). Information we hold about you will not be disclosed to anyone unless:
With whom might your personal data shared?
For the above reasons, we may need to share your personal data with other organisations. For example:
Does Hermes share your data outside of the European Economic Area?
If you are a donor supporting one of our beneficiaries outside of the European Economic Area (EEA) we may convey to the beneficiary your name and the amount of the donation unless you have requested anonymity.
If you choose not to provide your personal data
If you choose not to provide us with, or choose to restrict the processing of, the information we need, this may prevent us from entering into a relationship with you or meeting our contractual obligations. This situation could result in the termination of our contract with you.
From time to time we may wish to feature, in our promotional materials, projects that have benefitted from our grants or loans. This could include the location of your project and the size of a grant or loan. However, we shall not do this without first obtaining your consent.
How long does Hermes keep your personal data for?
As long as there is relationship between you and Hermes we will process your personal data to maintain that relationship. Personal data will be kept for a further six years after the final transaction, in accordance with statutory accounting requirements. We may keep it for longer if we cannot delete it for legal, regulatory or technical reasons. Personal data will be retained with the utmost care and security measures will be applied to ensure your privacy and security are maintained.
What are your rights?
GDPR entitles you to several rights in relation to your personal data.
The right to be informed
Individuals or data subjects as they are referred to under data privacy legislation, have the right to be informed about the collection, use and sharing of their personal data. Organisations must provide individuals with certain information at the time personal data is collected. This Privacy Statement provides you with the information you are entitled to and we are required to give you.
The right to access your data
You have the right to access your data to establish what it is being used for and verify the lawfulness of any processing. Before providing access to your personal data we will ask you to verify your identity to protect you from identity theft and financial crime. We may also need to ask you some questions to ensure we have understood your request correctly. If you wish to access your personal data, please contact us.
The right to rectification (correcting mistakes and inaccuracies)
It is important that any personal data we use is accurate, up to date, and relevant. To ensure that your data is correct you have the right to access, correct and/or update your personal data at any time. If you think your data is incorrect or incomplete and you wish to correct your data or privacy settings, please contact us.
The right to erasure (the deletion of your personal data)
You have right to request that we delete your personal data if:
a) your personal data is no longer needed in relation to the purposes for which was collected
The right to restrict processing
You have the right to request the restriction of the processing of your personal data for a limited period and under certain circumstances. For example, this could apply if you feel that your personal data held by Hermes is inaccurate, has not been processed lawfully, or is no longer needed for the purposes it was originally collected for. Hermes has the right to store your personal data while your query is investigated.
The right to data portability
You have the right to receive your personal data in a structured, commonly used and machine-readable format.
The right to object to processing
You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, and processing for historical research and statistical purposes. If you decide to exercise this right, please contact us and we will consider your request; Hermes is legally allowed to continue to process your data if one of the following can be demonstrated:
a) compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
Rights related to automated decision making, including profiling
Hermes does not undertake any processing which includes decisions made by solely automated means, including profiling.
How to Complain
Please contact us in the first instance if you have any concerns with how we have processed your personal data. Details on how to do this are included in our website. You also have the right to lodge a complaint directly with the ICO; please visit their website (https://ico.org.uk/for-the-public/) for further details on how to do this.