Privacy policy
At King Charles III Charitable Fund, respecting your data privacy rights is a top priority. This policy explains why and how we collect personal data about you, how we may process such data, and what rights you have regarding your personal data.
We collect and process your data based on the type of data subject that you are. This policy is laid out such that the general provisions are at the top of this notice. We collect personal data specific to different data subjects as listed in the headings below.
Please read the General Information and the most relevant category(ies) of data subject for your situation. The lawful bases we rely on for processing your information can be found in the data subject categories below.
Contents
- General Information
- Employees
- Donors
- Grantees
- Suppliers
- Non-Executive & Executive Managers
- Key Stakeholders
- Other Data Subject Types
- Unsolicited Personal Information
- Retention Schedule
General Information
The information in this section is relevant to all categories of data subject.
Our contact details
King Charles III Fund is responsible for your personal data.
3 Orchard Place
Broadway
London
SW1H 0BF
You can contact a representative by sending an email to the following address:
Last reviewed: 13th October 2023
The Privacy Manager for King Charles III Charitable Fund
The King Charles III Charitable Fund has appointed Yvonne Abba-Opoku ACG as our Privacy Manager. They can be contacted at the following email address: contact@kccf.org.uk
Your data protection rights
Under the General Data Protection Regulation (GDPR) you have rights. You can make a request to exercise these rights at any point. There are rules and exceptions in relation to these rights. They may not be exercisable in all situations.
The GDPR rights are:
- The right to be informed.
- You have the right to be informed about how King Charles III Charitable Fund processes your personal data. Typically, King Charles III Charitable Fund communicates this information through privacy notices such as this one.
- The right of data access
- You have a right to obtain a copy of the personal data we hold about you.
- The right of data rectification
- You have a right to ask for the correction of inaccurate or incomplete personal data which we hold about you.
- The right of data erasure
- You have the right to request that personal data be erased when it is no longer needed, where applicable law obliges us to delete the data, or the processing of it is unlawful. You may also ask us to erase personal data where you have withdrawn your consent or objected to the data processing.
- The right to restrict data processing
- You have the right to restrict the processing of your personal data. Where that is the case, we may still store your information, but not use it further.
- The right to data portability
- You have the right to receive your personal data in a structured, machine-readable format for your own purposes, or to request us to share it with a third party.
- The right to object to data processing
- You have the right to object to our processing of your personal data based on legitimate interests, where your data privacy rights outweigh our reasoning for legitimate interests. You may also object to our marketing activities or activities related to research.
- Rights in relation to automated decision making and profiling.
- You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Currently, King Charles III Charitable Fund only uses profiling as part of our Due Diligence process. This processing is conducted by a reputable third party and the results are manually reviewed by the Executives and Trustees at King Charles III Charitable Fund.
You may request to enforce your data privacy rights by emailing contact@kccf.org.uk
In certain circumstances, we may need to restrict the above rights to safeguard the public interest (e.g., the prevention or detection of crime) or our business interests (e.g., the maintenance of legal privilege).
Consent as a legal basis for processing
For some data processing, King Charles III Charitable Fund uses consent as a legal basis. If you have consented to processing by King Charles III Charitable Fund, please be aware that you have the right to withdraw this consent at any point. If you would like to withdraw consent for a particular type of data processing that King Charles III Charitable Fund performs, please email the following address:
Complaints to a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority with regard to the way that King Charles III Charitable Fund processes your personal data. The King Charles III Charitable Fund recommends lodging a complaint with the ‘Information Commissioner’s Office (ICO)’. This is the UK’s supervisory authority and is the one with which King Charles III Charitable Fund is registered.
How we share your data
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us unless it has been authorised by King Charles III Charitable Fund. They will hold it securely and retain it for the period we instruct.
In some circumstances we are legally obliged to share information, for example under a court order. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and will document our decision making.
King Charles III Charitable Fund will always try to use third party providers who are located in the UK or EU, or who host data in UK or EU data centres. This is not always possible. Where this is not possible, King Charles III Charitable Fund will ensure that we use GDPR compliant contracts with the third parties. We will use Appropriate Safeguards, such as International Data Transfer Agreements, to ensure the ongoing protection of your data.
How we protect your information
We implement appropriate technical and organisational measures to protect personal data that we hold from unauthorised disclosure, use, alteration, or destruction. Where appropriate, we use encryption and other technologies that assist in securing the data you provide. We also require our service providers to comply with strict data privacy requirements where they process your personal data.
How long we keep your personal data
We only keep your personal data for as long as necessary for the purposes described in this privacy notice, or until you notify us that you no longer wish us to process your data. After this time, we will securely delete your personal data, unless we are required to keep it to meet legal or regulatory obligations, or to resolve potential legal disputes.
Contact and further information
If you have any questions about how we use your personal data or wish to make a complaint about how we handle it, you may contact King Charles III Charitable Fund at: contact@kccf.org.uk
In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request at contact@kccf.org.uk
We collect only the personal data from you that we need for the purposes described above. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this notice.
What happens if you do not provide us with the information we have requested?
Where it concerns processing operations related to your employment (as described below), King Charles III Charitable Fund will not be able to fulfil its legal and contractual obligations and adequately employ you without certain personal data and you may not be able to exercise your employee rights if you do not provide the personal data requested. Although we cannot mandate you to share your personal data with us, please note that this then may have consequences which could affect your employment in a negative manner, such as not being able to exercise your statutory rights or even to continue your employment. Whenever you are asked to provide us with any personal data related to you, we will indicate which personal data is required, and which personal data may be provided voluntarily.
- If the legal basis for processing your personal data is legitimate interest, then you may obtain a copy of our assessment regarding our legitimate interest to process your personal data by submitting a request to contact@kccf.org.uk
- In some cases, we process your personal data on the basis of statutory requirements, for example, on the basis of employment law, allowances, tax or reporting obligations, cooperation obligations with authorities or statutory retention periods in order to carry out our contractual responsibilities as an employer.
- In exceptional circumstances we may ask your consent at the time of collecting the personal data, for example photos, communications materials, and events. If we ask you for consent in order to use your personal data for a particular purpose, we will remind you that you are free to withdraw your consent at any time and we will tell you how you can do this.
Regarding special categories of personal data we will only process such data in accordance with applicable law and:
- with your explicit consent for specific activities in accordance with applicable law;
- when necessary for exercising rights based on employment or social protection law, or as authorised by collective agreement, or for preventive and occupational medicine and evaluation of working abilities; or
- where necessary for establishment, exercise, and defence of legal claims.
Regarding personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.
Employees
The information in this section applies to current, past, or potential employees and temporary staff including secondees. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:
Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
Employee Recruitment | Agreement of vacancy through to employment or secondment offer and acceptance by candidate. This will include the new employee completing a diversity monitoring form, which includes special category data. | Contract | Not applicable |
Employee Onboarding | From candidate acceptance to fully onboarded employee with all training and IT accounts set up, on payroll, pension etc. | Contract | Not applicable |
Employee Matters | Including: Sickness, Maternity/Paternity, Disciplinary & Grievance, Termination. From notification of an employee matter, following of relevant organisational procedures, through to completion of matter. This may include special category data. | Contract | Not applicable |
Employee Appraisal and Management Notes | Annual performance appraisal and development plan and management notes on employee performance. | Legitimate interest | To effectively manage the development and progress of employees. |
Employee Training | All employee training, from training of individuals for specific purposes to mass training such as GDPR or H&S. | Legitimate interest | To effectively manage the training of staff. |
Employee Benefits | Onboarding and management of employees who are on company benefit schemes. Annual review of benefit schemes and communication with staff on those. | Contract | Not applicable |
Ex-Employee References | Providing references for ex-employees to future employers. | Consent | Not applicable |
Secondments | Providing information to or receiving information from a third party in relation to secondment arrangements. | Contract | Not applicable |
Payroll & Pensions | Processing staff pay & Pensions | Contract | Not applicable |
Accounts Payable | Payment of Grantees, Suppliers and expenses. | Contract | Not applicable |
External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer | Legal Obligation | Not applicable |
Account (ID) Management and IT user support | Set up and ongoing management of all IT software and hardware including user accounts, IT security etc | Legitimate interest | To effectively manage the IT systems of the charity and monitor security of various systems. |
Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
Contact with potential donors | Receipt of information on potential donors through either referral or direct contact and follow up by email/phone/meeting and confirmation of their wish to donate | Legitimate interest | To provide donors with updates on how their donations have been used by the charity. |
Transfers of Personal Data to Third Parties
King Charles III Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:
- Recruiters & Recruitment Management Tools
- Third party host organisation that PWCF has entered into a secondment arrangement with.
- Cloud Storage & Document Management Tools
- Employee Management & Training Tools
- Remote Working & Calendar Planning Tools
- Sales and Marketing Management Tools
- Office Suppliers & Travel Bookings
- IT Security and Management Tools
- Accountants & Financial Management Tools
- Banks
- Pension Providers
- Auditors
- Legal Representatives & Legal Tools
- Insurance Companies
King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.
Donors
The information in this section applies to current, past and potential donors. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:
Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
Contact with potential donors | Receipt of information on potential donors through either referral or direct contact and follow up by email/phone/meeting and confirmation of their wish to donate. | Legitimate interest | To provide donors with updates on how their donations have been used by the charity. |
Crowdfunding | Self-service online donations portal managed by JustGiving. Donors provide their name and email address to make donations. JustGiving liaises with HMRC and processes all gift aid payments on qualifying donations from UK taxpayers. | Legitimate Interest | Necessary for taking and processing the donation payments via JustGiving platform and HMRC tax relief/gift aid |
Due diligence | Performing due diligence on both incoming and outgoing funds. This process investigates both individuals and institutions. This involves eligibility checks using search engines, regulatory public registers, sector-specific public databases, reviews of charitable status, public profiles, recent accounts, reports and key policies. | Legal Obligation | Not Applicable |
Donor & Grant Approval | The process of KCCF committees & Trustees reviewing and deciding upon acceptance of donations and grant applications. | Legal Obligation | Not Applicable |
Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
Receipt of Income | Bank transfer, cheques | Legal Obligation | Not applicable |
External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer | Legal Obligation | Not applicable |
Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |
Transfers of Personal Data to Third Parties
King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:
- Cloud Storage & Document Management Tools
- Government organisations
- Due Diligence Researchers
- Sales and Marketing Management Tools
- Public Relations Managers
- Accountants & Financial Management Tools
- Banks
- Auditors
King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.
Grantees
This section applies to past, current, and potential grantees. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:
Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
Grant Applications | The management of applications relating to third parties applying for a grant. This includes from receipt of applications to a grant decision. | Public task | Not Applicable |
Grant Queries | The management of personal data relating to grant queries that are received via website form, email, or phone. | Legitimate interest | Necessary to be able to respond to query |
Grant reporting | The generation of automated reminders which are sent to grantees. These reminders prompt grantees to provide status reports on the progress of grants. | Public task | Not Applicable |
Founder Grant Requests | Receipt of Founder’s request. | Contract | Not applicable |
Founder Grant Review and Decision | Banking details of beneficiary are requested by email and stored on a third-party tool. | Contract | Not applicable |
Due diligence | Performing due diligence on both incoming and outgoing funds. This process investigates both individuals and institutions. This involves eligibility checks using search engines, regulatory public registers, sector-specific public databases, reviews of charitable status, public profiles, recent accounts, reports and key policies. | Legal Obligation | Not Applicable |
Donor & Grant Approval | The process of KCCF committees & Trustees reviewing and deciding upon acceptance of donations and grant applications. | Legal Obligation | Not Applicable |
Social Media and Website Content | Management of personal data and content used to promote impact of KCCF’s work on online platforms. This includes the use of case studies and images from the grantees. | Consent | Not Applicable |
Stakeholder Mailing List | Email campaigns undertaken internally or via third parties. | Legitimate interest | Necessary in order to contact stakeholders |
Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
Accounts Payable | Payment of Grantees, Suppliers, and expenses. | Contract | Not applicable |
Receipt of Income | Bank transfer, cheques | Legal Obligation | Not applicable |
External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer | Legal Obligation | Not applicable |
Stakeholder Events | Invitations to KCCF or third-party events and associated email correspondence and telephone calls. | Legitimate interest | Necessary in order to invite individuals to events. |
Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |
Transfers of Personal Data to Third Parties
King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:
- Cloud Storage & Document Management Tools
- Sales and Marketing Management Tools
- Accountants & Financial Management Tools
- Government Organisations
- Due Diligence Researchers
- Social Media & Advertising Platforms
- Public Relations Managers
- Banks
- Auditors
King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.
Suppliers
This section applies to past, current, and potential third-party suppliers. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:
Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
Accounts Payable | Payment of Grantees, Suppliers and expenses. | Contract | Not applicable |
Receipt of Invoice | Supplier invoices are received by email and uploaded on to DEXT document management system and Xero | Legal Obligation | Not applicable |
External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer | Legal Obligation | Not applicable |
Supplier Management | Management of personal data relating to suppliers. Includes: prospecting for a supplier, adding vendors onto any systems, and creating contracts. | Legal Obligation | Not applicable |
Transfers of Personal Data to Third Parties
King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:
- Cloud Storage & Document Management Tools
- Banks
- Auditors
- Office Suppliers & Travel Bookings
- Accountants & Financial Management Tools
King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.
Non-Executive & Executive Managers
This section applies to past, current, and potential Directors, Trustees and other members of senior management. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:
Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
Bank & Investment Management | Setting up new bank accounts, bank mandates and investment accounts. | Legitimate interest | Setting up new bank accounts, bank mandates and investment accounts. |
External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer | Legal Obligation | Not applicable |
Trustee and Director Onboarding | From identifying a skill gap to onboarding a new trustee or director. This involves agreeing a skill gap, identifying and shortlisting potential candidates, appointment offer, acceptance by candidate, induction training and set up on third party portal. | Public task | Not Applicable |
Statutory Audit Requirements | Directors asked to complete annual declaration of interest and third-party transactions forms. | Legal Obligation | Not Applicable |
Regulatory and Statutory Reporting | Director and Trustee details submitted to regulators including Companies House, Charity Commission, Intellectual Property Office and Information Commissioner as part of registration, renewal, or annual return process. | Legal Obligation | Not Applicable |
Trustee and Director Retirement | Regulatory notification of Trustee or Director’s end of tenure. | Public task | Not Applicable |
Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |
Transfers of Personal Data to Third Parties
King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:
- Cloud Storage & Document Management Tools
- Government Organisations
- Investment Management
- Public Relations Managers
- Banks
- Auditors
- Legal Representatives & Legal Tools
King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.
Key Stakeholders
This section applies to past, current, and potential Key Stakeholders for King Charles III Charitable Fund projects. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:
Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
Stakeholder Events | Invitations to KCCF or third-party events and associated email correspondence and telephone calls. | Legitimate interest | Necessary in order to invite individuals to events. |
Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |
Transfers of Personal Data to Third Parties
King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:
- Cloud Storage & Document Management Tools
King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.
Other Data Subject Types
This section applies to other data subject types who may not have been captured in the above listed categories. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:
Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
Subject Access Request | Management of GDPR data subject requests. | Legal Obligation | Not Applicable |
Data Breach | Responding to data breaches involving personal data. | Legal Obligation | Not Applicable |
Safety Incident | Health and safety reporting. | Legal Obligation | Not Applicable |
Transfers of Personal Data to Third Parties
King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:
- Cloud Storage & Document Management Tools
- Government Organisations
- Office Landlord
King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.
Unsolicited Personal Information
If you send King Charles III Charitable Fund unsolicited personal information, for example a CV, King Charles III Charitable Fund reserves the right to immediately delete that information without informing you, or to decide which category of data subject you appear to be and manage your personal data within the remit of that category as described elsewhere in this Privacy Notice.
Retention Schedule
King Charles III Charitable Fund uses the following retention schedule. The following minimum retention periods shall apply:
Data Type | Retention Trigger | Retention Period | Action |
The data type. | The event that triggers the retention period. | How long the data is kept after the trigger event has occurred. | What happens after the retention period has expired. |
Unsuccessful recruitment candidate | Notification of unsuccessful application | 6 months | Delete |
Employee and secondee data | End of employment | 6 years | Delete |
Employee IT accounts, audit logs, training records and related data | End of employment | 1 year | Delete |
Basic employment data for providing references | Date of birth | 100 years | Delete |
All Financial data | End of financial year | 6 years | Delete |
Banking and Investment Management data | Closure of the account | 1 year | Delete |
Due diligence reports for Programmes | Last action | 3 years | Review data |
Due diligence reports for Donors | Last action | 7 years | Review data |
Event Management Data | Event date | 6 years | Review data |
Mailing List Data | Subscription date | 3 years | Review data |
Potential Donor Data | Last contact | 2 years | Review data |
Social Media & Website Content | None | Indefinitely or until requested to remove | N/A |
Approval decisions for Grants and Donors | Decision date | Successful – 7 years; Unsuccessful – 12 months | Delete |
Grant Applications and Reporting to Stakeholders | Last action | 3 years | Review data |
Grant Queries | Last action | 1 year | Review data |
Stakeholder Engagement Data | Last action | 6 years | Review data |
Data subject requests | Last action/case closed | 1 year | Delete |
Data breach | Last action | 2 years if no action taken; 6 years if reportable data breach | Delete |
Safety incident | Last action | 6 years | Review data |
Trustee & Director Onboarding, and Regulatory & Statutory Reporting Data | End of tenure/resignation date | Immediate | Delete |
Statutory Auditing Data | Director retirement | 7 years | Delete |
Trustee & Director Retirement Data | Completion of regulatory notification | Immediate | Delete |
Where it is not practical to segregate and manage specific data types uniquely, then a blanket 7-year policy will be applied to all data with a prescribed retention period of 6 years or less.
This policy was reviewed and updated in October 2023.