Data Protection Policy

Purpose

This policy sets out how Black Eve Foundation complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It ensures we protect the personal data of our service users, supporters, staff, and volunteers — especially children and young people aged 7–22.

Scope

This policy applies to all trustees, staff, volunteers, and contractors who process personal data on behalf of Black Eve Foundation.

Our Commitment

We are committed to:

    • Lawful, fair, and transparent data processing
    • Collecting only what we need
    • Keeping data accurate and up to date
    • Protecting data from loss, misuse, or unauthorised access
    • Respecting individuals’ rights under UK GDPR

    Lawful Bases for Processing

    We process personal data under one or more of the following lawful bases:

      • Consent (especially for children under 13, with parental permission)
      • Legitimate interests (e.g. improving services)
      • Legal obligation (e.g. safeguarding)
      • Contract (e.g. volunteer agreements)

      Children’s Data

      We take special care when processing data of children under 13. We require parental consent before collecting personal data and ensure all communications are age-appropriate.
      We follow guidance from the Information Commissioner’s Office (ICO) on children’s privacy and online safety.

      Data We Collect

      We may collect:

        • Names, contact details, age, school or organisation
        • Feedback, participation records, safeguarding notes
        • Website usage data (via cookies and analytics)
          We do not collect more than necessary and do not use personal data for marketing or profiling.

        Data Security

        We use secure systems and restrict access to personal data. All staff and volunteers receive training on data protection and safeguarding.

        Data Sharing

        We do not share personal data with third parties unless:

          • We have consent
          • It is required by law (e.g. safeguarding)
          • It is necessary for service delivery (e.g. secure email platforms)

          Data Retention

          We retain personal data only as long as necessary. When no longer needed, data is securely deleted or anonymised.

          Individual Rights

          Individuals (or their guardians) have the right to:

            • Access their data
            • Correct or delete their data
            • Withdraw consent
            • Object to processing
            • Make a complaint to the ICO
              Requests should be sent to: privacy@blackevefoundation.org

            Governance

            Our Data Protection Lead is responsible for compliance and training. Trustees oversee implementation and review this policy annually.

            Contact

            For questions or concerns, contact:
            Data Protection Lead
            Email: privacy@blackevefoundation.org

              Last Updated: October 7, 2025