Last Updated on 2nd May 2019
PETA believes strongly in protecting the integrity and privacy of personal data gathered from our members and supporters as well as visitors to our websites. For the purposes of the General Data Protection Regulation (GDPR) and any subsequent UK legislation addressing data protection, the Data Controller is People for the Ethical Treatment of Animals (PETA) Foundation.
This Policy sets out why we collect personal data about individuals and how we use it. It also explains the legal basis for this and the rights you have regarding the way your personal data is used.
We may change this Policy from time to time. If we make any significant changes, we will advertise this on the website or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.
If you have any questions about this Policy or concerning your personal data, please contact the data protection agent via e-mail at [email protected] or by writing to the mailing address below:
Data Protection Agent
PO Box 70315
Exclusion of External Content and Websites From This Policy
This Policy does not extend to external websites linked from or external content embedded in our website. Please check with the organisations that own and/or operate these websites for their policies regarding data privacy, including the use of “cookies”.
What Personal Data Does PETA Collect?
The type and amount of personal data we collect depends on why you are providing it to us.
The personal data we collect when you make an enquiry may include your name, e-mail address, postal address, and phone number.
If you are a supporter (for example, making a donation, volunteering, registering to fundraise, or signing up for an event), in addition to asking for your name, gender, and contact details (your full postal address, e-mail address, and phone number), we may also ask you for additional information about yourself, such as your reasons for supporting our work; your personal opinions about issues that affect animals; information about your background, such as your educational achievements; your age; and your personal circumstances relating to your animal rights advocacy. If you donate to us and provide your credit/debit card or bank account information, it will be encrypted using SSL technology. We do not store those details on our servers but use third-party credit card processing services.
You are always in control regarding the additional personal data you provide to us and can decline to provide such data.
If you are a job applicant, the personal data you are asked to provide is set out in the application and during the application process and necessary for the purpose of our consideration of the application.
If the postal contact information you provide to us is incomplete or contains errors, we may use services such as those provided by the Royal Mail to correct your address details in order to enable us to send you information about our work and how you can support us.
We may also collect any personal data provided by you that is contained in or regarding any communication you send to us, whether via e-mail, phone, or post, as may be necessary to enable us to communicate with you better in the future and to record the communication preferences you state to us.
You may not provide us with the personal information of anyone but yourself and any child of whom you are parent or legal guardian.
How We Collect Personal Data
We may collect personal data from you whenever you contact us or have any involvement with us, such as when you do any of the following things:
- Visit our website (See our cookies policy.)
- Donate to us or fundraise for us
- Enquire about our activities or services
- Sign up to receive news about our activities
- Send personalised letters or e-mail messages when participating in action alerts
- Create or update a profile
- Post content on our website or social media sites
- Volunteer for us
- Attend a meeting with us and provide us with information
- Take part in our events
- Participate in contests, giveaways, surveys, or petitions
- Contact us in any way, including online or via e-mail, phone, SMS, social media, or post
Where We Collect Personal Data From
We collect personal data in the following circumstances:
- You give it to us directly. You may provide personal data when you ask us for information, make a donation, volunteer, attend our events, or contact us for any other reason. Your personal data may be collected by an organisation we are working with (such as a professional fundraising agency), but we are still responsible for the data.
- You give it to us indirectly. Your personal data may be shared with us by other parties, such as fundraising sites like JustGiving or Virgin Money, if you are fundraising for us. You should review the applicable organisation’s privacy and other data policies if you have questions about how it processes personal data.
- You have given other organisations permission to share it. Your personal data may be provided to us by other organisations if you have given them your permission to do so. This might, for example, be a charity working with us or might occur when you buy a product or service from a third party. The personal data we receive from other organisations depend on your settings or the option responses you have provided to them.
- You use our website. When you use our website, personal data about you are recorded and stored. See the information about the use of “cookies” under that heading below.
- It is available on social media. Depending on your settings or the privacy policies of social media and messaging services you use (like Facebook, Instagram, or Twitter), you might give us permission to access personal data from those accounts or services.
- It is available from other publicly available sources and we have legitimate interests in collecting and using it.
How Do We Use the Personal Data We Collect?
We will use your personal data in a number of ways, which reflect the legal basis applying to the processing of your data. These may include the following:
- Providing you with the information or services you have asked for
- Processing donations you make, including processing for Gift Aid purposes
- Predicting whether you would be interested in, and contacting you about, donating a particular amount of money to us based on any previous donations you made to us
- Predicting whether you would be interested in, and contacting you about, donating to support a particular campaign of ours because you signed a petition or took some other action concerning that campaign
- Organising volunteer activities you have told us you want to be involved in, like fundraising
- Sending you communications – with your consent – that may be of interest, including marketing information about our services, activities, and campaigns; appeals asking for donations; and information about other fundraising activities and promotions for which we seek support
- When necessary for carrying out our obligations under any contract between us
- Seeking your views on our services or activities so that we can make improvements
- Maintaining our organisational records and ensuring we know how you prefer to be contacted
- Analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
- Processing job applications
Our Legal Basis for Processing Your Personal Data
The use of your personal data for the purposes set out above is lawful because one or more of the following applies:
- Where you have provided us with personal data for the purpose of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the data for that purpose, based on the way that you provided us with the data. You may withdraw consent at any time by e-mailing us at [email protected]. This will not affect the lawfulness of the processing of your personal data prior to your withdrawal of consent being received and acted upon.
- It is necessary for us to hold and use your personal data so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to take prior to entering into a contract.
- It is necessary to comply with our legal obligations, such as processing pursuant to a UK law or a court order.
- Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, we would presume that there is no prejudice to you in our fulfilment of your request.
- We have identified some other legitimate interest in using the personal data.
If you want to contact us about your marketing preferences, please e-mail [email protected] or call +44 (0) 20 7837 6327.
How Long Will PETA Keep the Personal Data It Has Collected?
We will hold your personal data for as long as it is necessary for the relevant activity. Please see our Data Retention Policy here.
How We Keep Your Personal Data Safe
We are committed to ensuring that personal data is dealt with properly and securely and in accordance with the GDPR and other related legislation. We are also committed to the six data protection principles set forth in the GDPR and ensuring that at all times, anyone dealing with personal data is mindful of an individual’s rights under the law. In furtherance of these commitments, we will do the following:
- Inform individuals as to the purpose of collecting any information from them, as and when we ask for it
- Process and disclose personal data in accordance with the GDPR and other related law
- Be responsible for checking the quality and accuracy of the information
- Regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the Data Retention Policy
- Ensure that when information is authorised for disposal it is done appropriately
- Ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer network, and follow the relevant security policy requirements at all times
- Share personal information with others only when it is necessary and legally appropriate to do so
- Set out clear procedures for responding to requests for access to personal information known as subject access requests
- Report any breaches of the GDPR in accordance with the GDPR
We will take reasonable steps to ensure that our team and third party processors will only have access to personal data where it is necessary for them to carry out their duties. Our team and third party processors will be made aware of their duties under the GDPR. We will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
How We Protect Your Personal Data
We take reasonable and appropriate administrative, technical, organisational, and physical security and risk-management measures in accordance with applicable laws to ensure that your personal data are adequately protected against accidental or unlawful destruction, damage, loss or alteration, unauthorised or unlawful access, disclosure or misuse, and all other unlawful forms of processing of your personal data in our possession.
Securing personal data is an important aspect of protecting privacy. We apply policies, standards, and supporting security controls at the level appropriate to the risk level and the services provided. In addition, appropriate security controls are communicated to applicable personnel across the organisation in order to support a secure operating environment.
We pay specific attention to the protection of personal data and the risks associated with processing this data.
These measures include the following:
- Physical safeguards: We lock doors and file cabinets, control access to our facility, and apply secure destruction to media containing your personal data.
- Technology safeguards: We use network and information security technology such as anti-virus and endpoint protection software, intrusion detection, and data loss prevention, and we monitor our systems and contractors to ensure that they comply with our security policies.
- Organisational safeguards: We conduct regular general as well as role-specific and targeted training and awareness programmes on security and privacy to make sure that our employees and contractors understand the importance of protecting your personal data and that they learn and maintain the necessary knowledge and skills to protect it in practice. Our organisational policies and standards also guide our handling of your personal data. Particular care is given to security and privacy of financial information and sensitive personal information. Access to personal data is strictly controlled and is provided only to those employees and contractors whose specific job duties require access to the data – and only to the extent required. Access is controlled through a number of user identification and authentication methods both internally and via remote access.
Personal Data Breaches
We take reasonable measures to prevent personal data breaches. If these were to occur, we have a process in place to take swift action within our responsibilities. These actions will be consistent with the role we have in relation to the services or processes affected by the breach. In all cases, we will work together with affected parties to minimise effects, to make all notifications and disclosures that are required by applicable law or otherwise warranted, and to take action to prevent future breaches. Our systems containing personal data are monitored 24/7 across our information technology (IT) platforms to ensure that any incident that could affect the IT infrastructure and/or personal data are dealt with in a timely manner. System monitoring includes (but is not limited to) loss of power or connectivity, capacity or performance issues, and intrusion attempts. The system-monitoring tools alert IT personnel via e-mail and/or text, and IT personnel triage the incident to confirm its severity and commence fixing the issue.
Storage of Your Personal Data
The data we collect from you may be stored, with risk-appropriate technical and organisational security measures applied to it, on in-house as well as third-party servers.
While we strive to safeguard your personal data, we cannot guarantee the security of any data you provide, and you provide it at your own risk.
- Third parties who provide services to or for us – for example, sending mailings, processing donations, or collecting, storing, or processing data – may have access. We select our third-party service providers with care. We provide them with the information that is necessary to provide the relevant service, and we have an agreement in place with each that requires them to operate with the same care regarding data protection as we do.
- Third parties may have access if we run an event in conjunction with them. We will let you know how your data are used when you register for any event.
- Analytics and search engine providers that help us to improve our website and its use may have access.
- PETA-named affiliates may have access if we have a legitimate interest in sharing it with them.
Because of financial or technical considerations, the personal data you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as those in the UK. We may do this for the purpose of storage within our customer relations management software or other software or for the purpose of data analysis. We meet our obligations under the GDPR by ensuring that such data have the same protection as if they were being held within the EEA. We do this by ensuring that any third parties processing your data outside the EEA either benefit from an adequacy determination for GDPR purposes or, where appropriate, we have entered into a Data Processing Agreement with the third party that contains appropriate safeguards using model European Union clauses.
We may also disclose your personal data if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction or where doing so would not infringe your rights but is necessary and in the public interest.
Other than in these circumstances, we will not share your personal data with other organisations without your consent.
Our website allows you to share content to Facebook, Twitter, and Pinterest using those platforms’ tools as well as by other means and to other platforms using the AddThis tool:
Keeping Your Personal Data Up to Date
We would really appreciate it if you would let us know if your contact details or other personal data change. You can do this by contacting us at [email protected] or writing to Data Protection Agent, PETA Foundation, PO Box 70315, London, N1P 2RG, United Kingdom.
Do We Use ‘Cookies’ on Our Websites?
Depending on your settings and the privacy policies of social media sites like Facebook, Instagram, and Twitter, you might give us permission to access information about you from your accounts on those sites. We may provide personal information, like your e-mail address, in order to display our advertising to you on those social media platforms and other websites and to help us identify other audiences that are similar to you. We also make use of Facebook’s Custom Audiences feature, which enables us to display ads to existing or potential supporters via Facebook. We may also provide Facebook with personal information, such as your e-mail address, which allows the company to determine whether you are an account holder or not. Our ads may then appear on your Facebook feed. If you do not wish to see these ads, you can manage your privacy settings on your social media accounts. For more information, please read the Facebook Business page about Custom Audiences and Facebook’s Data Policy.
You have the right to request details regarding the processing activities that we carry out in relation to your personal data. Such requests must be made in writing. To make a request, contact the data protection agent via e-mail at [email protected] or by writing to:
Data Protection Agent
PO Box 70315
London, N1P 2RG
You also have the following rights:
- The right to access your personal data
- The right to request rectification of data that are inaccurate or out of date
- The right to erasure of your data (known as the “right to be forgotten”)
- The right to object to processing necessary for the purposes of legitimate interests pursued by us
- The right to restrict the way in which we are dealing with and using your data
- The right to request that your data be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”)
- Rights in relation to automated decision-making and profiling, including profiling for marketing purposes
- The right to lodge a complaint with a supervisory authority
All these rights are subject to certain safeguards and limits or exemptions. To exercise any of these rights, contact us in writing at the above e-mail or mailing address. We will process your request without delay and, if appropriate, respond in full no later than one month from our receipt of the request. We may ask for additional information necessary to confirm your identity and process the request before processing the request in full. Requests will be denied in instances where an exemption in the GDPR or another law applies.
If you are not happy with the way in which we have processed or dealt with your personal data, you can complain to the Information Commissioner’s Office. Further details about reporting a concern can be found here.
This Policy may be changed from time to time. If we make any significant changes, we will advertise this on our website or contact you directly with the information.
Please check this Policy each time you consider giving your personal information to us.
Do You Have Additional Questions?
Data Protection Agent
PO Box 70315