Data Protection and Privacy

 

Commonwealth War Graves Commission Privacy Notice

 

Contents

  1. Introduction
  2. Notice summary
  3. What is covered by this notice?
  4. Identity of the Data Controller
  5. How do we collect personal information?
  6. The personal information we may collect
  7. The lawful basis of processing your information
  8. Information Rights
  9. Debit and credit card information
  10. How we use the information you submit
  11. Automated decisions and profiling
  12. Data retention
  13. Cookies
  14. Sharing your information
  15. Consent
  16. Security
  17. Complaints
  18. Breach management
  19. Version Control

Annex 1. Volunteering for the Commonwealth War Graves Commission (CWGC) or Commonwealth War Graves Foundation (CWGF)

 

 

 

 

1.              Introduction

 

The Commonwealth War Graves Commission (“CWGC”) takes your personal information and your privacy seriously. This Privacy Notice sets out how we use and protect any information about you which is obtained via our website or which you send to us by post or e-mail. As we may change this notice from time to time, you should check our website to view the most recent version of this notice.

 

Should you have any queries about the content of this notice, please contact the Commission’s Data Protection Officer at dpo@cwgc.org or alternatively you may write to:

 

Data Protection Officer

Commonwealth War Graves Commission

2 Marlow Road Maidenhead Berkshire SL6 7DX

 

The UK Information Commissioner's Office is the supervisory authority for all matters concerning the processing of your personal data within the Commission where our head office is located.

 

Information Commissioner's Office Wycliffe House

Water Lane Wilmslow Cheshire SK9 5AF

 

Telephone: 0303 123 1113

Fax: 01625 524510

 

 

 

If you are based in another EU country, you may contact the relevant authority for your jurisdiction:

Commission Nationale de l'Informatique et des Libertés

3 Place de Fontenoy TSA 80715

75334 PARIS CEDEX 07

France

 

BELGIUM:

 

Commissie voor de bescherming van de persoonlijke levenssfeer Drukpersstraat 35, 1000 Brussel

 

CYPRUS:

 

Commissioner for the Protection of Personal Data 1 Iasonos Street

2nd Floor

1082 Nicosia, Cyprus

 

ITALY:

 

Garante per la protezione dei dati personali (Italian Regulatory Authority) (the “Garante”) Piazza di Monte Citorio 121

00186 Roma Italy

 

 

 

2.              Notice summary

 

We respect your privacy and we take care of the information we obtain. We will only ask for personal data when it is necessary to provide you with the service you have requested, such as answering an enquiry or dealing with your subscription to our newsletter. We may also make your personal information anonymous to undertake statistical analysis for internal use. If we want to use your data for any purpose outside of the terms of this notice, we will ask you first.

 

 

3.              What is covered by this notice?

 

This notice covers all web pages on our website and any correspondence (electronic or otherwise) between you and the Commonwealth War Graves Commission or the Commonwealth War Graves Foundation.

 

This notice does not include information that you submit to us through our recruitment process or throughout your employment with the Commission. These details are covered in the HR specific Staff Privacy Notice, a copy of which is provided to applicants directly.

 

 

4.                Identity of the Data Controller

 

The Commonwealth War Graves Commission is the Data Controller, which means that it is the body which determines the manner and purpose of processing your personal data.

 

This notice does not cover external sites which may have links on our website. We are not responsible for the content of these sites and any personal data collected by these organisations is not our responsibility.

 

 

5.                How do we collect personal information?

 

We respect your privacy and take great care with the information we obtain. We may collect information from you via our website, by e-mails and post sent to our offices. For example:

 

  • correspondence with us when making an enquiry
  • buying something through our website
  • subscribing to our newsletter
  • registering as a user of our website
  • when you voluntarily upload content, share stories and/or images with us for specified purposes
  • When you accept cookies, certain analytics are formed from your use of the site. See Paragraph

 

6.                The personal information we may collect

 

We may ask you to provide the following information:

  • your name
  • e-mail address
  • postal address
  • telephone number (mobile and/or landline)

 

Any personal information you provide will be transferred and stored on secure servers in a safe, confidential and secure environment. We will use all reasonable efforts to safeguard your personal information. However, you should be aware that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the internet.

 

 

7.  The lawful basis of processing your information

 

The Commission will process personal data collected from the website on the following basis:

 

  • You have provided your consent

 

Such as when you, as a member of the public, contact the Commission and we obtain your details to follow up on your enquiry; or when a member of the public visits a cemetery and signs our visitor book. We ask for your consent to send you marketing and promotional material about our activities or the activities of our partners. We are obligated to keep a record of your consent.

 

  • The processing is necessary to comply with legal obligations

 

Such as our obligations to maintain financial records, evidence of right to work or health and safety assessments. Some of these details are necessary for employment law obligations; more detail can be found in the HR specific Staff Privacy Notice.

 

  • The processing is necessary for the performance of a contract that you have with the Commission

 

Such as when you have successfully applied and been selected to undertake a role with the Commission; or where you are a third-party contractor undertaking tasks on behalf of the Commission in the role of a data processor.

 

  • The Commission has a legitimate interest in processing the personal data

 

Such as when a member of the public volunteers to undertake work on behalf of the Commission, we will keep a copy of their personal details for the length of the volunteering period; where we have obtained business details from an individual we will retain these for the duration of our business interactions; where we believe that a record has lasting historical value that supports or reflects the core business and values of the Commission we will retain these indefinitely as historical records in our Archive. Examples include research, building developments, and documents which reflect changes in personnel, structure or culture within the Commission.

 

  • The processing is necessary for the performance of a task carried out in the public interest or official authority

 

The Commission considers that it conducts a number of tasks in the public interest. These include but are not limited to processing personal data for commemorative events, to maintain grounds, cemeteries and memorials, to maintain records for the correct commemoration of the War Dead, for historical and research significance and to further education and awareness of events during the First and Second World Wars.

 

In the course of its business the Commission will process some special categories of data. These categories may include but are not limited to:

 

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Political views
  • Health
  • Biometric data
  • Genetic Data

 

These types of data may be provided through enquiries received from the public, throughout the recruitment process, and through the course of an individual’s employment with the Commission.

 

 

8.  Information Rights

 

You have the following rights under the General Data Protection Regulation:

Information – You have a right to clear and transparent details of our data processing.

Access – You may request a copy of the personal data we hold relating to you.

Rectification – You may have personal data corrected if it’s inaccurate or incomplete.

 

Erasure – You may in certain circumstances request the deletion or removal of personal data where there is no legitimate reason for its continued processing.

 

Restriction – You may request that we restrict the use of your personal data and do not further process it as an alternative to erasure.

 

Portability – You can expect the Commission to hold your personal data in a common and reusable format where practicable.

 

Objection – You may object to:

 

  • Processing based on the Commission’s legitimate interests
  • Direct marketing
  • Processing for purposes of scientific/historical research and
  • Any automated decision taking and profiling

 

If you would like to exercise any of these rights, please contact the Data Protection Officer whose details appear on the second page of this document.

 

 

9.                Debit and credit card information

 

All debit and credit card payments made online are processed through PayPal and we do not store or have access to any card information that you provide through this method of payment.

 

Further details on the PayPal privacy policy can be found at: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full?locale.x=en_GB&viewType=popup

 

We will never request credit/debit card information from you via e-mail. Please do not send this information or other sensitive information to us via email.

 

 

 

 

 

10.            How we use the information you submit

 

The personal data we collect from you will be used to perform the service you have requested, for example answering your enquiry, fulfilling your order, registering you to our newsletter or website, or processing a membership request for the Foundation.

 

In addition, it may be used for the following:

  • For customer research: we may contact you to ask you about the service you have received, why you requested it and how it can be improved;
  • General administration of the services we

 

We may also use the information you provide to carry out internal research in order to:

  • Gain a greater understanding of the requirements of visitors to our website and cemeteries and memorials;
  • Develop more relevant and appropriate content on our website and publications;
  • Provide better services.

 

11.            Automated decisions and profiling

 

The CWGC does not currently undertake profiling activity or automated decision making.

The Commission may use contact details published in the public domain to contact individuals who may have an interest in the work of the Commission but will not use this information to engage in direct marketing unless we have obtained your explicit consent beforehand. We make every effort to ensure that we do not use information placed in the public domain in ways that the individual would not expect or be unlikely to anticipate.

 

 

12.            Data retention

 

The length of time your personal data is retained is dependent on the purpose for which it was collected. Once the purpose of processing ceases to exist we will take steps to delete your personal data if there is no other lawful reason to retain it.

 

Personal data that you send via email is automatically retained in our email archive for a period of up to 15 years. If during the period of its retention you wish to receive a copy of your personal data you may make a request to do so.

 

Please note that the Commonwealth War Graves Commission was established with a duty to keep and maintain records relating to the Commonwealth war dead in perpetuity. Therefore, the Commission will retain documents relating to or supporting its legitimate interests in this regard indefinitely.

 

 

13.            Cookies

 

Cookies are small files of letters and numbers that are downloaded onto a user's device and allow the website to recognize the user's device.

 

Most browsers are automatically set to accept cookies but users can usually change their settings to prevent cookies being stored on their device.

 

The keyboard / screensaver combo uses a single cookie called kiosk which can have a value of either on or off. No user data is stored.

 

If you would like to read about The CWGC’s use of cookies please refer to the cookies statement on our website.

 

 

14.            Sharing your information

 

We do not share your information, including your personal details, with anyone outside of the CWGC unless we have sought your express permission or have a lawful basis to do so. A list of third party recipients of personal data is available on the website. In certain circumstances, it may be necessary to pass your personal details to one of our member Governments. Should this be the case, you will be notified and informed of the legal basis for processing using the contact details you have provided. In the majority of circumstances this will be based on your explicit consent.

 

As a Commonwealth organisation and by the nature of our work, we operate in a number of countries around the world. In order to deal with your enquiry or other correspondence it may be necessary for us to transfer and process your personal details to countries outside the United Kingdom which do not have in place similar protection as provided by the General Data Protection Regulation.

 

 

We take steps to ensure the adequacy of the territory and the security of your information. If you would like to obtain further information about the steps we have taken to ensure the protection of your information, please contact the Data Protection Officer at dpo@cwgc.org.

 

 

15.            Consent

 

Where the processing of your data is based on your consent, you will have been fully informed of our activity in unambiguous terms and actively opted in to the processing based on this understanding. If you wish to withdraw your consent, you have the right to do so by contacting the Data Protection Officer at dpo@cwgc.org.

 

Please be advised that if you withdraw your consent to processing your personal information there may be another lawful basis that we rely on to continue processing. We will advise you if this is the case. If you withdraw your consent and another lawful basis does not exist for us to process your personal data, services which you had previously opted into will stop accordingly.

 

 

16.            Security

 

We also take our commitment to Information Security very seriously. We have put in place appropriate physical, electronic and managerial procedures and safeguards to prevent unauthorised access or disclosure of any personal and other information. For example, we hold data in secure data centres, regular internal audits are carried out to ensure procedures are complied with and senior management monitor controls and outcomes. Any information you give to us either through our website, by e-mail or by any other means is stored securely and managed in accordance with the General Data Protection Regulation.

 

 

17.            Complaints

 

 

 

 

 

If you are dissatisfied with any aspect of our processing of your personal details and would like to make a complaint we would request that in the first instance you contact the Data Protection Officer so that we may resolve the issue for you swiftly.

 

If you remain dissatisfied with our response, under the General Data Protection Regulation you have the right to complain to the Information Commissioner's Office, whose details are found at the beginning of this document.

 

 

18.            Breach management

 

We take every care to prevent breaches of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to your personal data.

 

In the unlikely and unfortunate event that this does happen, we will take all reasonable steps to mitigate any damage and notify you of the actions we have taken promptly. If you have concerns regarding the handling of your personal data and would like to raise these with the Data Protection Officer, your concerns will be handled and investigated confidentially.

 

 

19.            Version Control

 

 

Document Name: Privacy Notice

Version: 3.0

Document Owner: Data Protection Officer

Effective Date: May 2018

Date for Review: May 2021

 

 

 

Annex 1. Volunteering for the Commonwealth War Graves Commission (CWGC) or Commonwealth War Graves Foundation (CWGF)

 

This annex specifically relates to processing personal data of volunteers:

 

Purposes for collecting Volunteer data

 

We collect your name, address, postcode, telephone number, mobile number, email address, work preferences and county in which you would like to volunteer.

 

This information is collected for the following purposes:

 

  • To contact you about the specific volunteer opportunity for which you have expressed an interest
  • To contact you about future volunteer opportunities
  • To follow your posts on social media so we can retweet news and pictures you share about key events regarding your volunteer work
  • To update you about the progress of volunteer work in your area
  • We may share information and images from the event internally with the Commonwealth War Graves Foundation and use images and content to promote the work of the project for Foundation members.

 

We collect this information using both an electronic form and a postal form. Forms containing volunteer details will be held by the Volunteer Co-ordinator operating regionally and by the United Kingdom & Northern Area (UKNA) Human Resources department at the CWGC Head Office.

 

Lawful basis for processing Volunteer data

 

Volunteer information is collected by the Commonwealth War Graves Commission or Commonwealth War Graves Foundation under Article 6(1)(f) of the GDPR as a legitimate interest.

 

The legitimate interest being pursued is the appropriate administration and retention of a network of volunteers to assist with initiatives which support or promote the work of the Commonwealth War Graves Commission or the Foundation. A Legitimate Interest Test has been conducted for this data processing and is retained by the Data Protection Officer.

 

The processing involves no sensitive categories of personal data and is not thought to have an adverse or disproportionate risk to privacy.

 

The information provided by volunteers will not be used for direct marketing, unless the volunteer specifically opts in to receiving such communications.

Please notify the Data Protection Officer (dpo@cwgc.org) should you have any objections to the processing of your personal data for the purposes listed above.

 

Sharing data with us

 

You should avoid publishing on social media or newspapers etc. any information that you would not want to be shared, or information which might impact on the privacy of other living individuals during your volunteer work. This may include photograph images of members of the public.

 

Any images that you do share may be used to highlight and promote the volunteer activity that you are undertaking and to promote events either through the production of leaflets and articles or through online media.

 

Please note that volunteer details may be shared internally between the Commonwealth War Graves Commission and the Foundation to ensure co-ordination of local events and volunteer opportunities.

 

How we process your personal data

 

The personal data that you share with us may be held for a trial basis on our volunteer database software provided by ‘Better Impact’.

 

We may use this software to create volunteer profiles, search for information using date ranges, schedule events, email volunteers and produce statistics such as the hours and numbers of volunteers per project or to gather volunteer feedback.

 

If we decide to adopt the software, we will ensure a Data Protection Impact Assessment has been completed to ensure your information is kept safe and to preserve the privacy of your personal data.

 

Data Retention

 

The information you provide us will be held for at least the duration of your volunteering activities. The current volunteer network is anticipated to run for a period of three years. Six months following the closure of volunteering activity your personal data will be routinely deleted, although some data may be retained for longer where there are statutory obligations to do so. In addition, information which identifies you may be retained in our closed historical archive as a record of significant events and initiatives across the Commission or longer.