Last updated April 2022

1.  Introduction

1.1  We, International Medical Corps UK, a company limited by guarantee incorporated in England (Company number 04474904) and registered as a charity in England (Registered Charity Number 1093861) with its registered office at 161 Ground Floor Marsh Wall, London, England, E14 9SJ (‘IMC UK’, ‘we’, ‘our’ or ‘us’ being interpreted accordingly) are committed to protecting your privacy and personal information.

1.2  Personal information relating to you that either identifies you or from which you can be identified is called personal data (‘Personal Data’).

1.3  This privacy policy (‘Privacy Policy’) tells you about the Personal Data that IMC UK may collect or receive; how we handle or process such Personal Data; and who we may share it with. It also provides information about the legal basis on which we process your Personal Data; how long we hold it for; and information on certain legal rights you have in relation to your Personal Data.

2.  Changes to this Privacy Policy

2.1  This Privacy Policy was last updated on the date referred to above. From time to time we may change the way we use your Personal Data. This means that we may have to amend or update this Privacy Policy. Please therefore check that you have seen the latest version.

3.  What Personal Data do we collect and use?

3.1  The Personal Data about you that we collect and use includes the following:

(a) your name, address, phone, email and other contact details, for example if you sign up to receive our newsletter;

(b) information that you provide to us when you donate (including whether or not you are a UK tax payer for Gift Aid purposes);

(c) information you provide about yourself, when you submit a comment to us;

(d) Personal Data contained in correspondence between you and us, which we may retain on file;

(e) information obtained through cookies or other tracking technology, including your IP address, when you browse this Website (see below); as well as any other Personal Data that you may provide to us from time to time.

4.  How your Personal Data is collected

4.1  We collect Personal Data about you in various ways as follows:

(a) when you submit a form through our Website;

(b) if you engage with us through social media channels;

(c) when you browse and interact with our Website;

(d) if you respond to a campaign or volunteer to help us;

(e) when you attend an event that we hold;

(f) through your relationship and communications with us.

5.  Please also note that occasionally, some of the Personal Data you supply and that we process may include what is known as ‘special category’ data about you, for example, information regarding your ethnic origin or political, philosophical and religious beliefs.

6.  What we use your Personal Data for

Other than as stated above, we may use your Personal Data for one or more of the following purposes:

(a) to contact our supporters, campaign and raise funds;

(b) to analyse information you provide to us so that we can better understand your main interests. This helps us to deliver personalised content and make suggestions to you on how you can get involved in our work. Where we have received location information about you, we may use it to tailor our communications to you;

(c) to deal with any comments, enquiries or any requests that you submit;

(d) to provide you with newsletters and other direct marketing communications about what we are doing as well as products, services and/or campaigns which may be of interest to you by post or phone. If required under applicable law, where we contact you by SMS, email, fax, social media and/or any other electronic communication channels for direct marketing purposes, this will be subject to you providing your express consent. You can object or withdraw your consent to receive direct marketing from us at any time, by contacting us using the email address below;

(e) to enforce and/or defend any of our legal claims or rights; and/or

(f) for any other purpose required by applicable law, regulation, the order of any court or regulatory authority.

7.  The lawful grounds on which we collect and process your Personal Data

7.1  IMC UK will process your Personal Data for the above purposes relying on one or more of the following lawful grounds:

(a) where you have freely provided your consent for particular purposes, such as to receive e-newsletters;

(b) where we agree to provide any goods or services to you, in order to take any pre-contract steps at your request and/or to perform our contractual obligations to you;

(c) where we need to use your Personal Data for legitimate purposes relevant to IMC UK being able to campaign and promote our charity as well as to efficiently and effectively fundraise; communicate with supporters and manage our affairs. We will always seek to pursue these legitimate interests in a way that does not unduly infringe on your other legal rights and freedoms and, in particular, your right of privacy; and/or

(d) where we need to collect, process or hold your Personal Data to comply with a legal obligation.

7.2  If we process special category data as referred to under paragraph 5 we will only do this with your explicit consent; or, where you have already publicised such information; or, where we need to use such sensitive data in connection with a legal claim that we have or may be subject to.

8.  Our Legal Obligations regarding your data

8.1  We collect and process your Personal Data in accordance with applicable laws that regulate data protection and privacy. This includes, without limitation, the General Data Protection Regulation ((EU) 2016/679) as retained under UK law (‘UK GDPR’) and the UK Data Protection Act 2018 (‘DPA’) (together, ‘Data Protection Law’).

9.  Disclosing your Personal Data to third parties

9.1  We may need to disclose your Personal Data to certain third party organisations who are handling that data only on our behalf and in accordance with our instructions under contract (called ‘data processors’) in the following circumstances:

(a) companies and/or organisations that act as our service providers (e.g. IT suppliers or data hosting companies);

(b) companies and/or organisations that assist us in processing and/or otherwise fulfilling transactions that you have requested (e.g. payment processors) and Donorbox, who provides the software for our online donations system.

In relation to these data processors, we will make sure that they act only in accordance with our instructions and that adequate safeguards are put in place by them to protect your Personal Data in accordance with Data Protection Law.

9.2  We may also disclose your Personal Data to and/or obtain certain Personal Data about you from third party service providers or professional advisers whom we inform you about from time to time. These third parties will make their own determination as to how they process your Personal Data and for what purpose(s) (and are therefore called ‘data controllers’). For example:

(a) To comply with anti-money laundering, terrorism and sanctions laws and regulations, there are times when we need to confirm (or reconfirm) the name, date of birth, address and other details of our donors and business partners (including their directors, officers, board members, owners, shareholders, authorised representatives and affiliates and their circumstances). We may need to do this whether you are applying to be a new donor or business partner or have been one for some time. This information may be shared with third party service providers for this purpose.

(b) We may also collect publicly available information to verify the details of donors and business partners. Some laws and regulations oblige us to disclose information to certain bodies with statutory powers. If at any time you do not provide us with satisfactory information about you or your circumstances as required to comply with these laws and regulations, we may not be able to accept your donation or accept you as a business partner.

It is important that you give us accurate information, if asked. We will check your details and if you give us false or inaccurate information and we suspect crime or fraud, we will record this and may (if legally required) pass this to law enforcement or other organisations involved in crime and fraud prevention.

9.3  The third-party data controllers we use will handle your Personal Data in accordance with their own chosen procedures and you should check the relevant privacy policies of these companies or organisations to understand how they may use your Personal Data. Since these controller organisations are acting outside of our control, we have no responsibility for their data processing practices.

9.4  Other than as described above, we will treat your Personal Data as private and will not disclose your Personal Data to third parties without you knowing about it.  The exceptions are in relation to legal proceedings or where we are legally required to do so and cannot tell you.

9.5  In all cases we always aim to ensure that your Personal Data is only used by third parties for lawful purposes and in compliance with applicable Data Protection Law.

10.  International Transfers

10.1  We are based in the United Kingdom and primarily collect and process data in the UK.

10.2  However, we do use third party processors who process data on our behalf and are based in the United States. The US is one of the territories outside the UK and European Union whose laws are currently not considered to meet the same legal standards of protection for Personal Data as set out under Data Protection Law in UK or Europe.

10.3  These US based third parties we use are:

(a) Mailchimp (who handle supporter emails). Mailchimp is part of the Intuit Group of companies. For more information regarding Mailchimp’s current privacy practices and how they protect personal data that is transferred to the US, see https://mailchimp.com/legal/privacy/.

(b) Donorbox (who handle donations on our behalf) who have servers based in the United States and to whom you may provide your information directly if you make a donation. For more information about Donorbox’s privacy practices and how they handle your data, see https://donorbox.org/privacy.

10.4  We may also sometimes transfer Personal Data to our affiliates including our parent, International Medical Corps based in the US.

10.5  In order to safeguard your Personal Data, we only allow such a transfer referred to above under an applicable derogation or appropriate mechanism which is authorised under Data Protection Law.  This is to make sure that your Personal Data is safeguarded in accordance with the same legal standards that apply to IMC UK in the United Kingdom.

11.  Cookies

11.1  We use cookies on this Website, which are primarily ‘session based’ cookies. A cookie is a small file which asks permission to be placed on your computer’s hard drive. If your browser settings are not set to block cookies, the file is added and the cookie helps analyse web traffic or performs other functions which improve the smooth running of the website. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

11.2  We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to visitor needs. We only use this information for statistical analysis purposes.

11.3  Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

11.4  When you donate, we use cookies to track how donors come to our website. For example, we use approach codes in our internet addresses (URLs) to show us whether a donation came from a particular online campaign, a social media link or a partner. If you click a link we’re tracking, a session cookie will be dropped on your machine. This lets us know whether you donate subsequently.

11.5  When we send you an email, we may use technology to measure the success of the emails we send so we know what stories and titles people like the most. While we can identify who opened an email and the stories viewed, we don’t sell or share this information with anyone else.

11.6  In order to remember that you have accepted our use of cookies we will place a temporary cookie to remember this setting for 3 months.

11.7  Third party cookies are also used as follows:

(a) We sometimes embed photos and video content from websites such as YouTube, Facebook, Instagram. As a result, when you visit a page with content embedded from such services, you may be presented with cookies from these websites. Our website does not control the dissemination of these cookies. You should check the relevant third party website for more information about these.

(b) Google – These cookies are used by Google to provide different Google services for the user and to collect anonymous data about the user. For more information about Google Analytics and related privacy practices, see https://support.google.com/analytics/answer/6004245

(c) Social sharing tools – Any site with a social sharing button may set a cookie when you are also logged in to their service. We do not control the dissemination of these cookies and you should check the relevant third-party website for more information about these.

11.8  You can choose to accept or decline our cookies. Most web browsers automatically accept cookies, but you can modify your own browser settings to decline cookies if you prefer. The Help menu on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. Please note, declining cookies may prevent you from taking full advantage of this website.

11.9  You can find more information about cookies at www.allaboutcookies.org and www.youronlinechoices.eu.

12.  How long we retain your Personal Data for

12.1  IMC UK only retains Personal Data identifying you for as long as you have a relationship with us; or as necessary to perform our obligations to you (or to enforce or defend contract claims); or as is required by applicable law.

12.2  We have a data retention policy that sets out the different periods we retain data for in respect of relevant purposes in accordance with our duties under Data Protection Law. The criteria we use for determining these retention periods are based on:

(a) various legislative requirements, such as requirements to hold transaction records and Gift Aid information under tax law;

(b) the potential need to refer back to that data if there is a future claim or legal dispute; and

(c) guidance issued by relevant regulatory authorities including but not limited to the UK Information Commissioner’s Office (ICO).

12.3  Personal Data we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it.

13.  Security

13.1  We employ appropriate technical and organisational security measures to protect your Personal Data from being accessed by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. For example:

(a) Our server is located in a locked, secure environment, with a guard posted 24 hours a day.

(b) Any payment card details such as credit or debit cards that we receive through our donation websites are passed securely to our payment processing provider according to the Payment Card Industry Security Standards. We do not store your credit or debit card details on our website.

(c) All online financial transactions will be encrypted using SSL (Secure Sockets Layer).

13.2  We also endeavour to take all reasonable steps to protect Personal Data from external threats such as malicious software or hacking. However, please be aware that there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of all data sent to us (including Personal Data). You should not send any financial information to us by email.

14.  Your personal data rights

14.1  In accordance with your legal rights under applicable law, you have a ‘subject access request’ right under which you can request information about the Personal Data that we hold about you, what we use that Personal Data for and who it may be disclosed to as well as certain other information. Usually we will have a month to respond to such a subject access request. We reserve the right to verify your identity if you make such a subject access request and we may, in case of complex requests, require a further two months to respond.

14.2  We may also reject any manifestly unreasonable or excessive requests for access.

14.3  We may also require further information to locate the specific information you seek before we can respond in full and apply certain legal exemptions when responding to your request.

14.4  Under Data Protection Law you also have the following rights, which are exercisable by making a request to us in writing:

(a) that we correct Personal Data that we hold about you which is inaccurate or incomplete;

(b) that we erase your Personal Data without undue delay if we no longer need to hold or process it;

(c) to object to any automated processing (if applicable) that we carry out in relation to your Personal Data, for example if we conduct any automated credit scoring;

(d) to object to our use of your Personal Data for direct marketing;

(e) to object to and/or restrict the use of your Personal Data for purposes other than those set out above unless we have a legitimate reason for continuing to use it; or

(f) that we transfer Personal Data to another party where the Personal Data has been collected with your consent or is being used to perform a contract with you and is being carried out by automated means.

14.5  All of these requests may be forwarded on to a third-party provider who is involved in the processing of your Personal Data on our behalf.

14.6  If you would like to exercise any of the rights set out above, please contact us at the address below.

14.7  We hope that we can resolve any query or concern you raise about our use of your Personal Data.  If you make a request and are not satisfied with our response, or believe that we are illegally processing your Personal Data, you have the right to complain to the Information Commissioner’s Office (ICO) – see https://ico.org.uk/.

15.  Contact

If you have any queries regarding this Privacy Policy or wish to make a further request relating to how we use your Personal Data as described above, please contact:

Martin Mongalla

International Medical Corps UK, 161 Ground Floor Marsh Wall, London, England, E14 9SJ

Telephone: 44 (0) 2038709993

Email: mmongalla@InternationalMedicalCorps.org.uk