World Cancer Research Fund’s Privacy notice
World Cancer Research Fund (WCRF) promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe
World Cancer Research Fund (WCRF) promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe. We use the information we collect about you to process orders, information requests, manage donations, share our educational material and help you enjoy a more personalised experience.
Developing a better understanding of our supporters through their personal data enables us to make informed decisions, market communications with you and others appropriately, fundraise more efficiently and, ultimately, help us reach our vision of living in a world where no one develops a preventable cancer.
Our marketing communications include information about our latest breakthroughs, campaigns and life-changing research. If you would like to opt in to receive these communications or change your current preferences then please contact us on:
Telephone: 020 7343 4200
This privacy notice sets out how we process your data. It also explains your rights and options around how we use your personal information.
We collect information about you:
When you give it to us directly
This might be when you:
- interact with us online
- register with us
- communicate with us
- make a donation
- take part in an event
- apply to work or volunteer for us
- give us your personal information in any other way
When you give it to us indirectly
This is when your personal information is given to us by third parties. These might be:
- websites such as JustGiving
- business partners
- sub-contractors in technical, payment and delivery services
- event organisers
- advertising networks
- analytics providers and search information providers
Your information may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like JustGiving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support World Cancer Research Fund and with your consent.
When this happens, we’ll contact you by telephone or email to check how you’d like to hear from us in the future, and to offer you support with your fundraising efforts.
When you give permission to other organisations to share your information or it is available publicly
We may combine information you provide to us with information available from external sources. This is so we can gain a better understanding of our supporters to improve our fundraising methods, products and services. The information we get from other organisations may depend on your privacy settings with them or the responses you give them. Therefore, it is advisable that you check your privacy settings with all organisations you are registered with on a regular basis. We collect your information from the following types of sources:
- Third-party organisations – for example, you may have provided permission for a company or other organisation to share your data with third parties, including charities. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.
- Social media – depending on your settings or the privacy policies for social media platforms and messaging services like Facebook, WhatsApp or Twitter, you might give permission to access information from those accounts or services.
- Information available publicly – this may include information found in the public domain such as online searches, registers such as Companies House, the electoral roll and press reports.
When you visit our website
When you visit our website, we automatically collect the following personal information:
- the internet protocol (IP) address used to connect your computer to the internet
- your browser type and version
- your time zone setting
- browser plug-in types and versions
- your operating systems and platforms
- demographics and interest reporting
- information about your visit to our website, including:
- the uniform resource locator (URL) clickstream information to, through and from this site (including date and time)
- products/services you viewed and searched for
- page response times
- download errors
- length of visits to certain pages
- referral sources (how you arrived at the website)
- page interaction information (such as scrolling and clicks)
- methods used to browse away from the page
What is personal information?
We collect, store and use the following kinds of personal information:
- Your name and contact details, including postal address, telephone number, email address and, where applicable, social media profile URL
- Your date of birth
- Financial information, such as bank details or credit/debit card details, where you provide them to make a payment or a donation. We do not store credit or debit card details, but we are required to store bank details in some circumstances, such as when they are used for direct debit payments
- Photographs of you at our events – if filming or photography is to be used at one of our events, we will advise you of this prior to the event taking place and you will have the option not to be filmed or photographed
- Information about your computer/mobile device and your visits to and use of this website, including for example your IP address and geographical location
- Information about our services which you use/which we consider of interest to you
- Information as to whether you are a tax payer so that we can claim Gift Aid
- Relevant information from your relatives or those who care for you and know you well
- Any other personal information shared with us as not described above
What is sensitive personal information (special category data)?
The General Data Protection Regulation (GDPR) recognises certain categories of personal information as sensitive and therefore requiring more protection.
For example, this includes information about your health, religious beliefs, ethnicity and political opinions.
In the course of liaising with our supporters, WCRF may be informed of sensitive information. If this is the case, we will only record this information if we have a valid reason and the GDPR permits it, as described in how and why we will use your personal information.
Where we collect and manage information from under-18s, we aim to manage it in a way which is appropriate to the age of the child. Before processing personal data of children under 13 years of age, who cannot give their own consent, we will always obtain the consent of a legally responsible adult (normally a parent or guardian).
How do we use your personal information?
We use your personal information to:
- provide you with services, products or information you’ve asked us for
- provide you with further information about our work, services, activities or products
- allow you to purchase goods
- process your donations, including the collection of Gift Aid
- further our charitable aims, including for fundraising activities
- research the impact and effectiveness of our work and services
- register, administer and personalise online accounts
- register and administer your participation in events you’ve registered for
- administer and keep our website safe and secure and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
- improve your interactions with our website, for example by making sure that content is presented in the most relevant and effective manner for you and for your computer/mobile device
- report on the results and impact of our work, services and events
- analyse and improve our work, services, activities, products or information (including our website) or for our internal records
- use IP addresses and monitor website use to identify locations, block disruptive use, record website traffic or personalise the way information is presented to you
- to process your application for a job or volunteer role with us
- training and/or quality control
- audit and/or administer our accounts
- satisfy legal obligations which are binding on us, for example arising from contracts entered into between you and us or in relation to regulatory, government and/or law enforcement bodies with whom we may work
- prevent fraud, misuse of services or money laundering and to perform due diligence in respect of larger donations
- reduce credit risk
- communicate with you in any other way
- for the establishment, defence and/or enforcement of legal claims; and/or
- check and make improvements to our services
- we may use your life story, your case study and photograph in our literature (we will discuss this with you in-depth before doing so and we will also seek your permission beforehand. You have the option not to be included in any of our literature)
- we will not sell, give or rent your information to anyone for their own marketing purposes
Why we build profiles of supporters and targeting communications
We use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our supporters. Profiling also allows us to target our resources effectively. We do this because it allows us to understand the background of the people who support us, and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Importantly, it enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would. It also educates us on who may want to become a new supporter.
When building a profile, we may analyse geographic, demographic, wealth and other information relating to you in order to better understand your interests and preferences to contact you with the most relevant communications. In doing this, we may use additional information from third-party sources when it is available. Such information is compiled using publicly available data about you, for example addresses, listed Directorships or typical earnings in a given area.
When we market to you and talk about fundraising
We use your details to give you information about our work, events, services and/or products which we think might interest you.
For example, we might contact you about goods you’ve purchased or used in the past, or send you updates about our fundraising appeals and latest campaigns.
Where we do this via email we will only do this with your prior consent.
If you provide us with your telephone number during one of our marketing campaigns and your telephone number is included on either the telephone preference service or fundraising preference service lists, we will treat the provision of your telephone number to us as an indication that you do not object to receiving telephone marketing calls from us for the time being. You can change your preference at any time by contacting us on email@example.com or 020 7343 4200.
Donations and other payments
When you use our secure online donation or payment pages, you will be directed to a payment gateway, which will receive your credit card number and contact information to process the transaction. We do not retain your credit or debit card details.
How long do we keep your personal information?
In general, if we no longer need your information for the reasons you gave it to us, we will remove it.
But we’ll remove it sooner if:
- we are no longer lawfully entitled to process or keep it
- you ask us to remove it
What happens if you ask for your data to be removed?
Our lawful grounds for processing your information
The GDPR requires us to rely on one or more lawful grounds to process your personal information. These are the grounds we think are relevant.
- Where you have given your consent for us to use your personal information in a certain way. For example, we will ask for your consent to use your personal information to send you electronic direct marketing/fundraising information.
- Where necessary so that we can comply with a legal obligation (for example, where we need to share your personal information with regulatory bodies which govern our work and services).
- Where necessary for the performance of a contract which we have with you or to take steps before entering a contract (for example, if you purchase something from our online shop or apply to work for/volunteer with us).
- Where there is a legitimate interest in us doing so (for example, writing to supporters to let them know about our work and ways of supporting us).
What do we mean by "legitimate interests"?
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests, as long as that processing is fair, balanced and does not unduly impact your rights.
WCRF legitimate interests
In broad terms, our “legitimate interests” means running WCRF as a charitable entity in pursuit of our aims and ideals. For example, by:
- providing information about cancer prevention and healthy living
- by sending postal or telephone marketing and fundraising asks which further the aims and objectives of WCRF
- processing donations and payments
- administering events
- taking applications for job vacancies, recruitment and volunteers.
Your legitimate interests
“Legitimate interests” can also include your interests, such as when you have requested information or certain goods or services from us, and those of third parties (for example, beneficiaries of our work and services).
How do we balance these interests?
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws.
We won’t use your personal information for activities where our interests are overridden by the impact on you. For example, where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Will we share your personal information?
WCRF does not share, sell or rent personal information to third parties for marketing purposes. Our promise to you is to take every reasonable effort to keep your personal information secure and will only share them with suppliers working on our behalf such as companies who manage our mailings.
WCRF may provide aggregate statistics for our website about our visitors, orders, traffic patterns and related site information to reputable third-party vendors. These statistics will not include any personal information. We will only disclose personal information if required to do so by government bodies and law enforcement agents.
However, in general we may disclose your personal information to selected third parties in order to achieve the other purposes set out in this policy.
These may include (among others):
- business partners, suppliers and sub-contractors
- providers of related services that you have chosen to receive
- analytics and search engine providers
- IT service providers
- other beneficiaries, executors and legal advisers, when administering a legacy
- in particular, we reserve the right to disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the prospective seller or buyer of such business or assets
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets
- if we are under any legal or regulatory duty to do so
- to protect the rights, property or safety of WCRF, its personnel, users, visitors or others
Security, storage and access to your personal information
We promise to keep your personal information safe and secure.
We have appropriate and proportionate security policies and organisational and technical measures, such as Cyber Essentials accreditation, in place to help us do this. For example, we require specialist suppliers who process secure payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) standards.
We use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.
Who can see my personal information?
Only appropriately trained staff, volunteers and contractors can access your information. It is stored on secure servers with features to prevent unauthorised access.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by those authorised to do so.
Where is my personal information stored?
The personal information that we collect from you will primarily be stored at a destination within the UK or European Economic Area (EEA).
However, we use agencies and suppliers in and outside the UK to process personal information on our behalf. Some of our suppliers run their operations outside the EEA and your personal information may therefore be transferred or stored outside the UK or EEA.
Although they may not be subject to the same data protection laws as companies based in the UK, we’ll take all reasonable steps necessary to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us; any transmission is at your own risk. Once we have received your information, we use strict procedures and security features to try to prevent unauthorised access.
These are your rights in relation to how we process your personal information:
Right to be informed
You have the right to be told how your personal information will be used. This policy and other policies and statements used on our website and in our communications provide you with a clear and transparent description of how your personal information may be used.
Right of access
You can write to us to ask for confirmation of what information we hold on you and to request a copy of that information (called a Data Subject Access request) within one month and without charge in normal circumstances.
Provided we are satisfied that you are entitled to see the information requested and we have successfully confirmed your identity, we will give you your personal information (subject to any exceptions that apply).
Right of erasure
You have the right to ask us to erase/delete your personal information. Where possible we will check with you to see if it is better for you to have your details suppressed rather than deleted. By using your right of erasure, we cannot guarantee that you will not receive further mailings from us, for example if WCRF purchases or rents a list of names after we have actioned your request for erasure and if your details are on this new list, you may well receive a communication from us. This is because we check all new lists against our database and once a name has been erased/deleted from our database we have no way of checking if that name is on the new list and has previously requested not to be contacted.
Right to restrict processing
You have the right to ask us to restrict the processing of your personal data, so you do not receive further communications or contact from us. Unlike erasure, restricting processing means that we still hold your personal data, but our systems are instructed not to process your data in the ways that you do not want. Therefore, should WCRF rent or purchase a new list of names after your request for suppression, we can cross reference this list with your details. Should your details appear on the new list and because we still have your basic details on our database, we will know that you do not want to receive communications from us and because of this you will not receive communications.
Right of rectification
If you believe our records of your personal information are inaccurate, you have the right to ask us to update those records.
You can also ask us to check the personal information that we hold about you if you are unsure whether it is up to date.
Right to object
You have the right to object to processing where we are:
- processing your personal information on the grounds of legitimate interest
- using your personal information for direct marketing or
- using your personal information for statistical purposes
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time.
This includes the right to ask us to stop using your personal information for marketing or fundraising by electronic or any other means (for example to be unsubscribed from our email newsletter list).
Right to data portability
Where we are processing your personal information:
- because you gave us your consent
- because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract, and the processing is carried out by automated means
you may ask us to provide it to you – or another service provider – in a machine-readable format.
Rights related to automated decision-making
Where we take automated decisions (ie with no human involvement) in relation to your personal information, you have the right to ask us for human intervention or to challenge any such decision. We do not process any personal data in this way.
How to exercise your rights
To exercise any of these rights, please send a description of the personal information in question using the contact details below. We reserve the right to ask for:
- personal identification
- further information
Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO) or please contact us.
Changes to this Policy
If your personal details change, please help us to keep your information up to date by notifying our Supporter Services department; details below.
Who we are and how to contact us
The data controller is World Cancer Research Fund, charity registration number 1000739 and our registered address is:
World Cancer Research Fund
140 Pentonville Road
We are registered with the ICO as a data controller, registration number Z6021605 and you can find out more about our registration here.
Please let us know if you have any questions or concerns about this policy or about the way in which your personal information is being processed by contacting our Supporter Services team using any of the following channels:
Telephone: +44 (0)20 7343 4200
Post: Supporter Services at the address above