Injured Jockeys Fund and Injured Jockeys Company Ltd are both registered with the Information Commissioner’s Office (ICO) as a Data Controller for the personal data that we hold and process. Our registered address is Peter O’Sullevan House, 7a Newmarket Road, Newmarket, Suffolk, CB8 7NU, our ICO registration numbers are Z4929460 and Z7969977 respectively.
Our Data Protection Officer (DPO) can be contacted by emailing dpo@ijf.org.uk
We act as a Data Controller. A Data Controller decides what personal data needs to be collected and how it is used, and is responsible for processing it in line with the law.
We can use your information in the ways we tell you about in this notice. More information is given below to explain what types of data are used in different situations.
If you have questions about anything in this notice, you can contact us by emailing us on DPO@ijf.org.uk
You have rights in respect of our processing of your personal data. The relevant rights are:
If you want to exercise any of these rights, please email us on DPO@ijf.org.uk
You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK that is the Information Commissioner’s Office (ICO) whose details are here: https://ico.org.uk/make-a-complaint/
We use personal data about people (data subjects) with different relationships to us, in different ways. Below, we have provided Privacy Notices for each different type of data subject. Each notice sets out what data is used and why, where we got the data from, how long it is kept, and what lawful basis we use to process it.
We have a number of processors (such as cloud service providers) who act on our behalf. We have Data Processing Agreements in place with all of these processors to ensure that your data is processed in compliance with the law and only upon our instruction. We never sell your data. If we need to share your data with a Third Party, this will be outlined in the relevant notice below.
We only transfer data outside of the UK or EEA if it is to a country or organisation that is deemed by the UK or EU to have adequate protection of data, or if appropriate safeguards have been put in place, for example EU Standard Contractual Clauses or the UK IDTA. When we rely on Standard Contractual Clauses/IDTA, we also carry out due diligence and transfer impact assessments to ensure they provide enough protection within the local legal framework.
We do not use your personal data in any automated processes to make decisions about you.
We will take all reasonable steps to protect your personal information in order to prevent unauthorised access to or alteration or destruction of personal information in our possession. All the personal information we collect is stored securely. All areas of our premises that hold personal data are protected by secure physical access controls and covered by CCTV. Data stored in electronic form is secured using industry-standard cloud service providers and security configurations are reviewed regularly. Computing devices used to access personal information are centrally managed to ensure access controls, encryption, antivirus and system security are maintained
We may, from time to time, expand or reduce our organisation and this may involve the sale and/or the transfer of control of all or part of our organisation. Any personal data that you have provided will, where it is relevant to any part of our organisation that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.
In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.
We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up-to-date.
If we make any significant changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.
To see more about how we use your personal data, read the notice or notices below which apply best to your relationship with us:
Data that we hold and how we use it
We will have received most or all of the data from you directly. If you were referred to us, we will have received your name and contact details and possibly some health information from the party who referred you.
Lawful basis for processing
For processing your health data, which is a protected Special Category of personal data, our lawful basis under UK GDPR is Article 9(2)(g) ‘Reasons of substantial public interest’, with the condition ‘Support for individuals with a particular disability or medical condition’. Processing this data enables us to provide you with clinical care benefits and services. We have an Appropriate Policy Document which outline why this is our lawful basis and how we protect your data.
For the following purposes, our lawful basis for processing your data is Legitimate Interests: arranging meetings and appointments, inviting you to events, introducing you to our volunteers, electronic gym entry.
When we pay expenses, our lawful basis for processing your data is for the performance of a Contract.
If we feature you - and possibly information about why you have had our support - in our materials such as TV adverts or social media posts or our newsletter, this would be with your explicit consent to take part and the lawful basis for processing your data is legitimate interests.
For Clinical Service Users, when we process your data to invoice health insurance providers, our lawful basis for processing your data is for the performance of a Contract.
Retention Periods
We store most of your data, including data about health, for the length of time that you are a Beneficiary or Clinical Service User plus 8 years.
If you are a Beneficiary we store data about expenses, and your contact details to connect you with volunteers or to invite you to charity events, for the length of time that you are a beneficiary plus 8 years.
For social media posts, the retention period is driven by the platform. For TV adverts, the retention period is the length of the advertisement run.
If you are a Clinical Service User we store the data that we use to invoice health insurance providers, for 8 years after the processing. For access to training programme data for gym members, the data is held for 8 years. For enabling electronic gym entry, the data is held for 120 days after your last visit.
Data that we hold and how we use it
If you are a Donor to the Injured Jockeys Fund, the data that we hold about you includes your name, contact details, the value donated, any notes or requests you’ve made regarding your donation or your legacy wishes, and whether you are a fundraiser.
We use the data to record the details of donations and legacy payments for the charity, to collect those payments, to invite people to charity related events, and to send postal communications.
Lawful basis for processing
Our lawful basis for processing your data in this way is Legitimate Interest. It’s necessary for the purpose and you would reasonably expect us to use the data in this way.
Retention Periods
We store your data for 7 years from your last activity (donation made, payment received, event attended, legacy wishes completed). In the case of postal communications we send, we store your name and address data until you let us know you no longer wish to receive those communications.
Data that we hold and how we use it
If you make a purchase through our online shop, The Injured Jockey Company Ltd processes the following data about you: name, contact details (email address, phone number, address), credit card details, payment details, purchase details, amount donated via purchase (if applicable).
We use the data to process the order and send a receipt.
If you purchase membership of the Injured Jockeys Fund Supporter Club, the data that we hold about you includes: your name, contact details including your address, and the value donated.
We use the data to record the details of donations for the charity, to keep track of active yearly supporters, and to send postal communications.
Lawful basis for processing
Our lawful basis for processing your data is Contract when the data is used to enable us to fulfil our contract with you (i.e. to complete a transaction).
Our lawful basis for processing your data is Legitimate Interest when data is used to send your receipt, keep track of donations, keep track of active yearly supporters, and to send postal communications.
Retention Periods
We store supporter data for as long as you remain a membe. In the case of postal communications we send, we store your name and address data until you let us know you no longer wish to receive those communications.
We store customer data for seven years after your most recent purchase, in case of dispute.
Data that we hold and how we use it
If you work for us as a volunteer, we hold the following data about you: name, address, work email address, work telephone number, personal email address, personal telephone number, gender, date of birth, start date, role, nationality, national insurance number, probationary end date, method of recruitment, emergency contact details, details of references given, bank details, expense request details, training attended.
This information will be used to provide you with information and support as part of your work, including providing training and paying your expenses. We do this based on the contract we have with you.
We also carry out DBS (Disclosure and Barring Service) checks to check for criminal convictions. This helps us to check whether it is suitable for someone to work with vulnerable people. This means we hold the data about whether you have any criminal convictions.
We use CCTV at our sites, in order to protect the safety of individuals and security of premises. If you attend one of our sites, we may hold images of you.
If we feature you in our materials such as a newsletter, social media posts or TV adverts, we may also have your image. In this case we use your data to help us inform about the Fund and promote our activities.
Lawful basis for processing
Our lawful basis for processing your data is Contract and Legitimate Interest (for your training record, HR file details and CCTV).
Under UK GDPR our lawful basis for processing criminal offence check data is Article 9(2)(g) - ‘substantial public interest’, with the condition DPA 2018 Schedule 1 Part 2(12) – ‘regulatory requirements relating to unlawful acts and dishonesty’.
If we feature you in our materials such as TV adverts or social media posts or our newsletter. The lawful basis for processing your data is legitimate interest based in you having consented to take part.
Retention Periods
We store your data for 7 years after you leave as a volunteer.
We store CCTV data for 30 days.
For social media posts, the retention period is driven by the platform For TV adverts, the retention period is the length of the TV advert run.
Data that we hold and how we use it
If you are a solicitor or executor of an estate, handling the legacy wishes of someone who has died, we may hold the following data about you: your name, contact details, the value donated, any notes or requests you make in correspondence to us about the donation or legacy wishes.
We will have received this data from you directly.
We use the data to record the details of donations and legacy payments for the charity, and to collect those payments.
If you are a Next of Kin, we may hold the following data about you: your name, contact details, the value donated, any notes or requests you make in correspondence to us about the donation or legacy wishes, the details of any donation you make in memory of a deceased person.
We will have received this data from you directly, or from a Donor who identified you as their Next of Kin.
We use the data to record the details of donations and legacy payments for the charity, to collect those payments, and to send letters of acknowledgement.
Lawful basis for processing
Our lawful basis for processing your data in this way is Legitimate Interest. It’s necessary for the purpose and you would reasonably expect us to use the data in this way.
Retention Periods
We store your data for 7 years from your last activity (donation made, payment received, event attended, legacy wishes completed).
Data that we hold and how we use it
We use CCTV at our sites, so if you are a visitor to one of our rehabilitation sites, we may hold images of you.
We use CCTV in order to protect the safety of individuals and security of premises.
We will also ask you to sign in when you visit our sites and will record your name so we can monitor who is physically on site for health and safety reasons.
If you attend one of our centres as a Beneficiary or Clinical Service User, please see the other Privacy Notice sections that apply to you.
Lawful basis for processing
Our lawful basis for processing your data is Legitimate Interest.
Retention Periods
We store CCTV data for 30 days
We store names on visitors books for a period of 3 months
If you are issued with a key fob then the data processed is kept for 120 days after your last visit.
Data that we hold and how we use it
As a visitor to the Injured Jockeys Fund website or online shop, we hold the following data on you: IP address, pages visited, length of time spent on pages, your preferences and settings.
This data would have come directly from you, using cookies. Cookies are small text files that are stored on your browser or device by websites, apps, online media, and advertisements. We use cookies to:
Lawful basis for processing
Our lawful basis for processing your data for essential cookies is legitimate interest and for non-essential cookies it is Consent.
Retention Periods
Further information about the purpose and storage duration of the specific cookies that we use can be found in the Cookie Settings tool available on the website
Data that we hold and how we use it
If you opt to subscribe to our communications then we will process the following data about you: basic contact details, name, address, email address.
We use the data to stay in touch with you via our newsletter, catalogues and marketing.
You are given the chance to opt out of this in every communication. If you wish to stop receiving communications from us please just let us know.
Lawful basis for processing
Our lawful basis for processing your data is Consent. We give you the chance to opt out of all marketing on anything that we send you.
Retention Periods
We will hold your data until the point at which you opt out of communications. If you ask to unsubscribe from our newsletter/marketing, we will move your details to our suppression list to ensure that we don’t accidentally contact you again in the future. If you make a purchase and become a Customer, then that Privacy Notice will apply.
Data that we hold and how we use it
If you are a supplier to us, we hold the following details: name, contact details, vendor company information, address and bank details, type of grant or expense.
We use these details to manage relationships and fulfil contracts with suppliers, who may be supplying goods or outsourced services or may be involved in charity events.
Some out-sourced suppliers of services to the Injured Jockey Fund may be approved to use our software system, which involves processing your logon details, contact details and any event logging.
If you are a potential supplier to us, we store your name, contact details and type of service, in case we need your services in the future.
Lawful basis for processing
Our lawful basis for processing your data is Contract; the data is used to enable us to fulfil our contract with you, including paying you and managing our relationship with you.
Retention Periods
For suppliers, we keep your data for as long as we have a relationship with you plus 7 years, for potential suppliers, we hold you data for the length of time that we are considering a relationship with you.
Data that we hold and how we use it
If you apply for a job with us we will hold the following data on you: name, contact details, CV, interview notes, and any correspondence relating to a potential contract.
The data we hold will have come directly from you.
If you are successful in gaining employment with us then you will fall under the Employee Privacy Notice going forward; please refer to the employee handbook.
Lawful basis for processing
Our lawful basis for processing your data is Contract. When you applied for a job it was with a view to entering into an employment contract with us.
Retention Periods
If you are not successful in securing a role, then we will keep your details on our database for a period of 6 months.
Data that we hold and how we use it
If you join us for a work experience placement, we hold the following data about you: name, address, email address, telephone number, qualifications, some background information and personal bio, emergency contact details.
This information will be used to provide you with information and support as part of your work experience.
Lawful basis for processing
Our lawful basis for processing your data is legitimate interest.
Retention Periods
We store your data only for the duration of your work experience.
Data that we hold and how we use it
If you are a Trustee of the Injured Jockeys Fund, the data that we hold about you includes name, address, bank details, and type of expense. We use this data to manage our relationship with you and fulfil our legal obligations as a charity and UK based company.
If we feature you in our materials such as publications, social media posts or TV adverts, we may also have your image. In this case we use your data to help us inform about the Fund, our trustees and promote our activities.
Lawful basis for processing
Our lawful basis for processing your expense data is Contract; the data is used to enable us to fulfil our contract with you and Legal Obligation.
If we feature you in our materials such as TV adverts or social media posts or our newsletter, this would be with your explicit consent. The lawful basis for processing your data is legitimate interest based in you having consented to take part.
Retention Periods
We store your expense data for 7 years after your last activity.
For social media posts, the retention period is driven by the platform For TV adverts, the retention period is the length of the TV advert run.
If you are an event attendee then we will process data necessary for your attendance (Contact details, role etc) as well as any dietary preferences and considerations we may need to take to ensure your attendance goes as smoothly as possible. If we process any other data that time of the event, or need to share data with a Third Party (for example a co-hosted event), then we will let you know at the time and give you the chance to opt out as appropriate.
Our lawful basis for processing is legitimate interest, and we retain the data so we can invite you to future events and keep you up to date with our activities. If you wish to be removed from our database, you can always let us know.