Institute of Welsh Affairs Privacy Notice
The new General Data Protection Regulation (GDPR) rules came into force on 25th May 2018, and we wanted to ensure that we clearly explain why and when we collect personal information about people who visit our website and those of our third party service providers, how we use it, the conditions under which we may share it with others and how we keep it secure.
Explaining the language we use in this notice
- ‘IWA’ means The Institute of Welsh Affairs, 56 James St, Cardiff Bay, Cardiff, CF10 5EZ (registered charity 1078435)
- ‘our’, ‘us’ and ‘we’ means the Institute of Welsh Affairs
- ‘you’ and ‘your’ means the person entering the Agreement
This Notice may be updated from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our website, you’re agreeing to be bound by this Notice.
The Institute of Welsh Affairs is an independent think-tank working to make Wales better. We come up with practical ideas to improve the economy, education and health.
We are an independent charity, funded by our members and charitable trusts. Our vision is to help create a better Wales where everyone can flourish. We act as a catalyst for change. We provide a platform for intelligent debate and work with our members to generate ideas for practical change.
We do this through focusing on three priority themes that will improve Wales’ wellbeing:
- Public Services
In each area we will draw upon evidence and experience to devise practical solutions, and work with policy makers from across the spectrum to achieve long-term change.
What information is being collected from you?
We obtain information about you when you use our website, join as a member, buy tickets for our events through our Eventbrite page, make a donation to us, when you contact us about products and services, or if you are signed up to receive one of our newsletters.
The personal information we collect might include your name, address, email address, date of birth (for Young Professional memberships), IP address, and information regarding what pages are accessed and when. If you buy a membership or event ticket from us, or make a donation to us online, your card information is not held by us, it is collected by our third party payment processors (Asperato, GoCardless, SagePay and Eventbrite), who specialise in the secure online capture and processing of credit/debit card transactions, as explained below.
How will we use your information?
We may use your information to:
- process a membership you have bought;
- send you your members newsletter;
- issue you with a ticket for one of our events;
- allow us to assist with your access or dietary requirements that you have provided to us for the purpose of an event we are holding;
- process a donation that you have made;
- to carry out our obligations arising from any contracts entered into by you and us;
- seek your views or comments on the services we provide;
- notify you of changes to our services;
- send you communications which you have requested and that may be of interest to you. These may include information about upcoming events, updates on our work, fundraising activities, and other information you may be interested in;
- process a grant or job application;
- any future practices that may be necessary for the benefit of our members or subscribers.
We will review our retention periods for personal information on a regular basis. However, we are legally required to hold some types of information to fulfil our statutory obligations (for example the collection of Gift Aid). We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.
Further details about the information we collect:
(Please note that the legal basis for gathering your data is below)
When you sign up to one of our events, our ticketing platform (Eventbrite) will collect personal information such as name, email address, job title and company. It will also collect information relevant to the event such as allergy information. We may also ask you if you want to be contacted about future events and receive other news from the IWA via email. If this is the case then we will add the relevant information to our Salesforce database.
2. Membership sign up
When you become a member of the IWA, we will collect the following personal details from you:
- Email Address
- Date of Birth (if Young Persons membership – to ascertain you are under 30)
These details will be added to our database (currently Salesforce) in order to manage your membership. This data will also be transferred to our email and marketing service (currently Mailchimp) in order to send you the membership newsletter and keep you updated on the IWA’s work. When you are sent an email, Mailchimp will collect your IP address, the location where you received the email, if you open the email, where you click on the email, and if the email bounced.
If your payment is made using our third party provider (currently GoCardless) then we only have access to your bank name and the last 3 digits of your account.
However if your direct debit was set up directly with us prior to 2016, you pay by SAGEPAY or by cheque then we will collect the following information:
- The name of your bank
- Your address
- The last 4 digits of your card number
- In the case of a cheque – your bank account number and sort code
3. Using our website
Information gathered from your use of the Site.
Your use of the Site gives us your consent to the use of Personal Information as set out below.
We gather the following anonymous information in aggregate form: browser type (eg Internet Explorer, Chrome), operating system (eg Windows, MacOS), IP address, and internet domain (eg BT).
It is possible to switch off cookies by setting your browser preferences. Turning cookies off may result in a loss of functionality when using our website.
4. Mailing list sign up
If you sign up to receive emails from us, the personal information that you provide to us (email address and name) will be collected by Mailchimp and stored on our database called Salesforce. When you are sent an email, Mailchimp will collect your IP address, the location where you received the email, if you open the email, where you click on the email, and if the email address bounced back.
5. the welsh agenda notification email sign up
If you sign up to receive the welsh agenda article notification emails from us, the personal information that you provide to us (email address and name) will be collected by Mailchimp and stored on our database called Salesforce. When you are sent an email, Mailchimp will collect your IP address, the location where you received the email, if you open the email, where you click on the email, and if the email address bounced back.
Our legal basis for collecting this data
We undertake the actions above for the reasons set out below, using the numbering of the relevant paragraph:
1 – Our legal basis for processing this data is legitimate interest. We will use this information to provide your ticket and other correspondence that is necessary for the event.
2 – Our legal basis for processing this data is consent. We will gather your consent when you sign up to become a member of the IWA.
3 – Our legal basis for processing this data is legitimate interest. It is in the legitimate interest of us as an organisation to gather this information in order to analyse how our website is used to allow us to improve our services to you.
4 – Our legal basis for processing this data is consent. We will only send you emails if you have given us permission to do so.
5 – Our legal basis for processing this data is consent. We will only send you emails if you have given us permission to do so.
Who has access to your information?
We will not sell or rent your information to third parties.
Unless specified that we are working in partnership with another organisation on an event or project, we will not share your information with third parties.
We will not share your information with third parties for marketing purposes.
Third Party Service Providers working on our behalf
We may need to pass your information to our third party service providers for the purposes of completing tasks and providing services to you on our behalf (for example to process memberships and donations, issue you with event tickets, to send you the welsh agenda magazine and other mailings). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have agreements in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.
We will not release your information to third parties for them to use for their own direct marketing purposes, unless you have given us permission to do so for example when buying tickets for an event we are doing in conjunction with another organisation, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
When you are using our secure online membership, donation and product pages, your payment is processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
Receiving information from us
You can choose whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us about such exciting things as our work, upcoming events, or articles on the welsh agenda, then you can select your choices by ticking the relevant boxes situated on the form on which we collect your information.
We will not contact you for marketing purposes by email or phone unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. You can change your marketing preferences at any time by contacting us via letter addressed to IWA, 56 James Street, Cardiff, CF10 5EZ, by email: email@example.com or by calling our office on 02920 484 387.
If you want to access and update your information
It is important to us that the information we hold for you is accurate. We’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you move house or change email address, or any of the other information we hold is inaccurate or out of date, please get in contact to let us know. You can contact us via letter addressed to IWA, 56 James Street, Cardiff, CF10 5EZ, by email: firstname.lastname@example.org or by calling our office on 02920 484 387.
You have the right to ask for a copy of the information we hold about you (we may need to charge a small fee to cover our costs in providing you with details of the information we hold about you.)
What security precautions we use to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it’s treated securely. Any sensitive information (such as credit or debit card details) is encrypted via our website’s payment pages that use Asperato’s 3D secure links from our website to our payment processors GoCardless or Sagepay, who in turn provide some of the most stringent security systems available. When we log in to GoCardless and Sagepay we are unable to view your details in totality. When you are on a secure web page, a ‘lock’ icon will be shown next to the URL in the address bar at the top of the page, as well as on the bottom of web browsers such as Chrome.
Non-sensitive details (your email address etc.) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.
Links to other websites
Our website may contain links to other websites run by other organisations. This privacy notice applies only to our website‚ so we would encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
Are you aged 13 or under?
We are concerned about protecting the privacy of children aged 13 or under. If you are aged 13 or under‚ please get your parent/guardian’s permission beforehand whenever you provide us with personal information.
Transferring your information outside of Europe
As part of the services offered to you through this website or our third party service providers, such as Eventbrite or Mailchimp, the information which you provide to us may be transferred to countries outside the European Union (“EU”). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EU. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing.
If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Notice.
If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.
Any questions regarding this Notice and our privacy practices should be sent via letter addressed to the IWA, 56 James Street, Cardiff, CF10 5EZ, by email to email@example.com or by calling our office on 02920 484 387.
Review of this Notice
We will regularly review this Notice in line with any GDPR changes. This Notice was last updated in March 2020.
Last updated: 6th March 2020