Privacy policy

At King Charles III Charitable Fund, respecting your data privacy rights is a top priority. This policy explains why and how we collect personal data about you, how we may process such data, and what rights you have regarding your personal data.

We collect and process your data based on the type of data subject that you are. This policy is laid out such that the general provisions are at the top of this notice. We collect personal data specific to different data subjects as listed in the headings below.

Please read the General Information and the most relevant category(ies) of data subject for your situation. The lawful bases we rely on for processing your information can be found in the data subject categories below.

General Information

The information in this section is relevant to all categories of data subject.

Our contact details

King Charles III Fund is responsible for your personal data.

3 Orchard Place

Broadway

London

SW1H 0BF

You can contact a representative by sending an email to the following address:

contact@kccf.org.uk

Last reviewed:  13th October 2023

The Privacy Manager for King Charles III Charitable Fund

The King Charles III Charitable Fund has appointed Yvonne Abba-Opoku ACG as our Privacy Manager. They can be contacted at the following email address: contact@kccf.org.uk

Your data protection rights

Under the General Data Protection Regulation (GDPR) you have rights. You can make a request to exercise these rights at any point. There are rules and exceptions in relation to these rights. They may not be exercisable in all situations.

The GDPR rights are:

  1. The right to be informed.
    • You have the right to be informed about how King Charles III Charitable Fund processes your personal data. Typically, King Charles III Charitable Fund communicates this information through privacy notices such as this one.
  2. The right of data access
    • You have a right to obtain a copy of the personal data we hold about you.
  3. The right of data rectification
    • You have a right to ask for the correction of inaccurate or incomplete personal data which we hold about you.
  4. The right of data erasure
    • You have the right to request that personal data be erased when it is no longer needed, where applicable law obliges us to delete the data, or the processing of it is unlawful. You may also ask us to erase personal data where you have withdrawn your consent or objected to the data processing.
  5. The right to restrict data processing
    • You have the right to restrict the processing of your personal data. Where that is the case, we may still store your information, but not use it further.
  6. The right to data portability
    • You have the right to receive your personal data in a structured, machine-readable format for your own purposes, or to request us to share it with a third party.
  7. The right to object to data processing
    • You have the right to object to our processing of your personal data based on legitimate interests, where your data privacy rights outweigh our reasoning for legitimate interests. You may also object to our marketing activities or activities related to research.
  8. Rights in relation to automated decision making and profiling.
    • You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Currently, King Charles III Charitable Fund only uses profiling as part of our Due Diligence process. This processing is conducted by a reputable third party and the results are manually reviewed by the Executives and Trustees at King Charles III Charitable Fund.

You may request to enforce your data privacy rights by emailing contact@kccf.org.uk

In certain circumstances, we may need to restrict the above rights to safeguard the public interest (e.g., the prevention or detection of crime) or our business interests (e.g., the maintenance of legal privilege).

Consent as a legal basis for processing

For some data processing, King Charles III Charitable Fund uses consent as a legal basis. If you have consented to processing by King Charles III Charitable Fund, please be aware that you have the right to withdraw this consent at any point. If you would like to withdraw consent for a particular type of data processing that King Charles III Charitable Fund performs, please email the following address:

contact@kccf.org.uk

Complaints to a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority with regards to the way that King Charles III Charitable Fund processes your personal data. The King Charles III Charitable Fund recommends lodging a complaint with the ‘Information Commissioner’s Office (ICO)’. This is the UK’s supervisory authority and is the one which King Charles III Charitable Fund is registered with.

How we share your data

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us unless it has been authorised by King Charles III Charitable Fund. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share information, for example under a court order. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and will document our decision making.

King Charles III Charitable Fund will always try to use third party providers who are located in the UK or EU, or who host data in UK or EU data centres. This is not always possible. Where this is not possible, King Charles III Charitable Fund will ensure that we use GDPR compliant contracts with the third parties. We will use Appropriate Safeguards, such as International Data Transfer Agreements, to ensure the ongoing protection of your data.

How we protect your information

We implement appropriate technical and organisational measures to protect personal data that we hold from unauthorised disclosure, use, alteration, or destruction. Where appropriate, we use encryption and other technologies that assist in securing the data you provide. We also require our service providers to comply with strict data privacy requirements where they process your personal data.

How long we keep your personal data

We only keep your personal data for as long as necessary for the purposes described in this privacy notice, or until you notify us that you no longer wish us to process your data. After this time, we will securely delete your personal data, unless we are required to keep it to meet legal or regulatory obligations, or to resolve potential legal disputes.

Contact and further information

If you have any questions about how we use your personal data or wish to make a complaint about how we handle it, you may contact King Charles III Charitable Fund at: contact@kccf.org.uk

In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request at contact@kccf.org.uk

We collect only the personal data from you that we need for the purposes described above. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this notice.

What happens if you do not provide us with the information we have requested?

Where it concerns processing operations related to your employment (as described below), King Charles III Charitable Fund will not be able to fulfil its legal and contractual obligations and adequately employ you without certain personal data and you may not be able to exercise your employee rights if you do not provide the personal data requested. Although we cannot mandate you to share your personal data with us, please note that this then may have consequences which could affect your employment in a negative manner, such as not being able to exercise your statutory rights or even to continue your employment.  Whenever you are asked to provide us with any personal data related to you, we will indicate which personal data is required, and which personal data may be provided voluntarily.

  • If the legal basis for processing your personal data is legitimate interest, then you may obtain a copy of our assessment regarding our legitimate interest to process your personal data by submitting a request to contact@kccf.org.uk
  • In some cases, we process your personal data on the basis of statutory requirements, for example, on the basis of employment law, allowances, tax or reporting obligations, cooperation obligations with authorities or statutory retention periods in order to carry out our contractual responsibilities as an employer.
  • In exceptional circumstances we may ask your consent at the time of collecting the personal data, for example photos, communications materials, and events. If we ask you for consent in order to use your personal data for a particular purpose, we will remind you that you are free to withdraw your consent at any time and we will tell you how you can do this.

Regarding special categories of personal data we will only process such data in accordance with applicable law and:

  • with your explicit consent for specific activities in accordance with applicable law;
  • when necessary for exercising rights based on employment or social protection law or as authorised by collective agreement, or for preventive and occupational medicine or evaluation of working abilities; or
  • where necessary for establishment, exercise, and defence of legal claims.

Regarding personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.

Employees

The information in this section applies to current, past, or potential employees and temporary staff including secondees. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

| Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
| --- | --- | --- | --- |
| Employee Recruitment | Agreement of vacancy through to employment or secondment offer and acceptance by candidate. This will include new employee completing diversity monitoring form which includes special category data. | Contract | Not applicable |
| Employee Onboarding | From candidate acceptance to fully onboarded employee with all training and IT accounts set up, on payroll, pension etc. | Contract | Not applicable |
| Employee Matters | Including: Sickness, Maternity/Paternity, Disciplinary & Grievance, Termination. From notification of an employee matter, following of relevant organisational procedures, through to completion of matter. This may include special category data. | Contract | Not applicable |
| Employee Appraisal and Management Notes | Annual performance appraisal and development plan and management notes on employee performance. | Legitimate interest | To effectively manage the development and progress of employees. |
| Employee Training | All employee training either of individuals for specific purposes to mass training such as GDPR or H&S. | Legitimate interest | To effectively manage the training of staff. |
| Employee Benefits | Onboarding and management of employees who are on company benefit schemes. Annual review of benefit schemes and communication with staff on those. | Contract | Not applicable |
| Ex-Employee References | Providing references for ex-employees to future employers. | Consent | Not applicable |
| Secondments | Providing information to or receiving information from a third party in relation to secondment arrangements. | Contract | Not applicable |
| Payroll & Pensions | Processing staff pay & Pensions | Contract | Not applicable |
| Accounts Payable | Payment of Grantees, Suppliers and expenses. | Contract | Not applicable |
| External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer. | Legal Obligation | Not applicable |
| Account (ID) Management and IT user support | Set up and ongoing management of all IT software and hardware including user accounts, IT security etc. | Legitimate interest | To effectively manage the IT systems of the charity and monitor security of various systems. |
| Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
| Contact with potential donors | Receipt of information on potential donors through either referral or direct contact and follow up by email/phone/meeting and confirmation of their wish to donate. | Legitimate interest | To provide donors with updates on how their donations have been used by the charity. |

Transfers of Personal Data to Third Parties

King Charles III Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:

  • Recruiters & Recruitment Management Tools
  • Third party host organisation that PWCF has entered into a secondment arrangement with.
  • Cloud Storage & Document Management Tools
  • Employee Management & Training Tools
  • Remote Working & Calendar Planning Tools
  • Sales and Marketing Management Tools
  • Office Suppliers & Travel Bookings
  • IT Security and Management Tools
  • Accountants & Financial Management Tools
  • Banks
  • Pension Providers
  • Auditors
  • Legal Representatives & Legal Tools
  • Insurance Companies

King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Donors

The information in this section applies to current, past and potential donors. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

| Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
| --- | --- | --- | --- |
| Contact with potential donors | Receipt of information on potential donors through either referral or direct contact and follow up by email/phone/meeting and confirmation of their wish to donate. | Legitimate interest | To provide donors with updates on how their donations have been used by the charity. |
| Crowdfunding | Self-service online donations portal managed by JustGiving. Donors provide their name and email address to make donations. JustGiving liaises with HMRC processes all gift aid payments on qualifying donations from UK taxpayers. | Legitimate Interest | Necessary for taking and processing the donation payments via JustGiving platform and HMRC tax relief/gift aid |
| Due diligence | Performing due diligence on both incoming and outgoing funds. This process investigates both individuals and institutions. This involves eligibility checks using search engines, regulatory public registers, sector-specific public databases, reviews of charitable status, public profiles, recent accounts, reports and key policies. | Legal Obligation | Not Applicable |
| Donor & Grant Approval | The process of KCCF committees & Trustees reviewing and deciding upon acceptance of donations and grant applications. | Legal Obligation | Not Applicable |
| Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
| Receipt of Income | Bank transfer, cheques | Legal Obligation | Not applicable |
| External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer. | Legal Obligation | Not applicable |
| Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |

Transfers of Personal Data to Third Parties

King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:

  • Cloud Storage & Document Management Tools
  • Government organisations
  • Due Diligence Researchers
  • Sales and Marketing Management Tools
  • Public Relations Managers
  • Accountants & Financial Management Tools
  • Banks
  • Auditors

King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Grantees

This section applies to past, current, and potential grantees. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

| Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
| --- | --- | --- | --- |
| Grant Applications | The management of applications relating to third parties applying for a grant. This includes from receipt of applications to a grant decision. | Public task | Not Applicable |
| Grant Queries | The management of personal data relating to grant queries that are received via website form, email, or phone. | Legitimate interest | Necessary to be able to respond to query |
| Grant reporting | The generation of automated reminders which are sent to grantees. These reminders prompt grantees to provide status reports on the progress of grants. | Public task | Not Applicable |
| Founder Grant Requests | Receipt of Founder’s request. | Contract | Not applicable |
| Founder Grant Review and Decision | Banking details of beneficiary are requested by email and stored on a third-party tool. | Contract | Not applicable |
| Due diligence | Performing due diligence on both incoming and outgoing funds. This process investigates both individuals and institutions. This involves eligibility checks using search engines, regulatory public registers, sector-specific public databases, reviews of charitable status, public profiles, recent accounts, reports and key policies. | Legal Obligation | Not Applicable |
| Donor & Grant Approval | The process of KCCF committees & Trustees reviewing and deciding upon acceptance of donations and grant applications. | Legal Obligation | Not Applicable |
| Social Media and Website Content | Management of personal data and content used to promote impact of KCCF’s work on online platforms. This includes the use of case studies and images from the grantees. | Consent | Not Applicable |
| Stakeholder Mailing List | Email campaigns undertaken internally or via third parties. | Legitimate interest | Necessary in order to contact stakeholders |
| Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
| Accounts Payable | Payment of Grantees, Suppliers, and expenses. | Contract | Not applicable |
| Receipt of Income | Bank transfer, cheques | Legal Obligation | Not applicable |
| External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer. | Legal Obligation | Not applicable |
| Stakeholder Events | Invitations to KCCF or third-party events and associated email correspondence and telephone calls. | Legitimate interest | Necessary in order to invite individuals to events. |
| Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |

Transfers of Personal Data to Third Parties

King Charles III Charitable Fund may transfer your personal data to third parties.  King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:

  • Cloud Storage & Document Management Tools
  • Sales and Marketing Management Tools
  • Accountants & Financial Management Tools
  • Government Organisations
  • Due Diligence Researchers
  • Social Media & Advertising Platforms
  • Public Relations Managers
  • Banks
  • Auditors

King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Suppliers

This section applies to past, current, and potential third-party suppliers. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

| Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
| --- | --- | --- | --- |
| Accounts Payable | Payment of Grantees, Suppliers and expenses. | Contract | Not applicable |
| Receipt of Invoice | Supplier invoices are received by email and uploaded on to DEXT document management system and Xero. | Legal Obligation | Not applicable |
| External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer. | Legal Obligation | Not applicable |
| Supplier Management | Management of personal data relating to suppliers. Includes: prospecting for a supplier, adding vendors onto any systems, and creating contracts. | Legal Obligation | Not applicable |

Transfers of Personal Data to Third Parties

King Charles III Charitable Fund may transfer your personal data to third parties. King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:

  • Cloud Storage & Document Management Tools
  • Banks
  • Auditors
  • Office Suppliers & Travel Bookings
  • Accountants & Financial Management Tools

King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Non-Executive & Executive Managers

This section applies to past, current, and potential Directors, Trustees and other members of senior management. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

| Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
| --- | --- | --- | --- |
| Public Relations | Press releases and engagement with the media. | Legitimate interest | To effectively promote and manage the brand and international name of the charity and founder. |
| Bank & Investment Management | Setting up new bank accounts, bank mandates and investment accounts. | Legitimate interest | Setting up new bank accounts, bank mandates and investment accounts. |
| External Auditor Engagement | Annual External Audit. Sample of information can be requested by external Auditors. Information is uploaded to a secure file sharing platform called We Transfer. | Legal Obligation | Not applicable |
| Trustee and Director Onboarding | From identifying a skill gap to onboarding a new trustee or director. This involves agreeing a skill gap, identifying and shortlisting potential candidates, appointment offer, acceptance by candidate, induction training and set up on third party portal. | Public task | Not Applicable |
| Statutory Audit Requirements | Directors asked to complete annual declaration of interest and third-party transactions forms. | Legal Obligation | Not Applicable |
| Regulatory and Statutory Reporting | Director and Trustee details submitted to regulators including Companies House, Charity Commission, Intellectual Property Office and Information Commissioner as part of registration, renewal, or annual return process. | Legal Obligation | Not Applicable |
| Trustee and Director Retirement | Regulatory notification of Trustee or Director’s end of tenure. | Public task | Not Applicable |
| Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |

Transfers of Personal Data to Third Parties

King Charles III Charitable Fund may transfer your personal data to third parties.  King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:

  • Cloud Storage & Document Management Tools
  • Government Organisations
  • Investment Management
  • Public Relations Managers
  • Banks
  • Auditors
  • Legal Representatives & Legal Tools

King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Key Stakeholders

This section applies to past, current, and potential Key Stakeholders for King Charles III Charitable Fund projects. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

| Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
| --- | --- | --- | --- |
| Stakeholder Events | Invitations to KCCF or third-party events and associated email correspondence and telephone calls. | Legitimate interest | Necessary in order to invite individuals to events. |
| Stakeholder Engagement | Providing reporting and updates on the charity's activities to Donors, Key stakeholders, and the Royal Household. This is conducted via email, postal, phone, events, in person engagement, and reports. | Legitimate interest | To provide stakeholders with relevant information and updates on KCCF activities. |

Transfers of Personal Data to Third Parties

King Charles III Charitable Fund may transfer your personal data to third parties.  King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:

  • Cloud Storage & Document Management Tools

King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Other Data Subject Types

This section applies to other data subject types who may not have been captured in the above listed categories. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

| Purpose of Processing | Description of Processing | Lawful Basis for Processing | Legitimate Interest |
| --- | --- | --- | --- |
| Subject Access Request | Management of GDPR data subject requests. | Legal Obligation | Not Applicable |
| Data Breach | Responding to data breaches involving personal data. | Legal Obligation | Not Applicable |
| Safety Incident | Health and safety reporting. | Legal Obligation | Not Applicable |

Transfers of Personal Data to Third Parties

King Charles III Charitable Fund may transfer your personal data to third parties.  King Charles III Charitable Fund may transfer your personal data to the following categories of recipients:

  • Cloud Storage & Document Management Tools
  • Government Organisations
  • Office Landlord

King Charles III Charitable Fund will use best endeavours to ensure that your personal data is hosted in UK and/or EU servers. King Charles III Charitable Fund will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Unsolicited Personal Information

If you send King Charles III Charitable Fund unsolicited personal information, for example a CV, King Charles III Charitable Fund reserves the right to immediately delete that information without informing you or to decide which category of data subject that you appear to be and manage your personal data within the remit of that category as described elsewhere in this Privacy Notice.

Retention Schedule

King Charles III Charitable Fund uses the following retention schedule. The following minimum retention periods shall apply:

| Data Type | Retention Trigger | Retention Period | Action |
| --- | --- | --- | --- |
| The data type. | The event that triggers the retention period. | How long the data is kept after the trigger event has occurred. | What happens after the retention period has expired. |
| Unsuccessful recruitment candidate | Notification of unsuccessful application | 6 months | Delete |
| Employee and secondee data | End of employment | 6 years | Delete |
| Employee IT accounts, audit logs, training records and related data | End of employment | 1 year | Delete |
| Basic employment data for providing references | Date of birth | 100 years | Delete |
| All Financial data | End of financial year | 6 years | Delete |
| Banking and Investment Management data | Closure of the account | 1 year | Delete |
| Due diligence reports for Programmes | Last action | 3 years | Review data |
| Due diligence reports for Donors | Last action | 7 years | Review data |
| Event Management Data | Event date | 6 years | Review data |
| Mailing List Data | Subscription date | 3 years | Review data |
| Potential Donor Data | Last contact | 2 years | Review data |
| Social Media & Website Content | None | Indefinitely or until requested to remove | N/A |
| Approval decisions for Grants and Donors | Decision date | Successful – 7 years; Unsuccessful – 12 months | Delete |
| Grant Applications and Reporting to Stakeholders | Last action | 3 years | Review data |
| Grant Queries | Last action | 1 year | Review data |
| Stakeholder Engagement Data | Last action | 6 years | Review data |
| Data subject requests | Last action/case closed | 1 year | Delete |
| Data breach | Last action | 2 years if no action taken; 6 years if reportable data breach | Delete |
| Safety incident | Last action | 6 years | Review data |
| Trustee & Director Onboarding, and Regulatory & Statutory Reporting Data | End of tenure/resignation date | Immediate | Delete |
| Statutory Auditing Data | Director retirement | 7 years | Delete |
| Trustee & Director Retirement Data | Completion of regulatory notification | Immediate | Delete |

Where it is not practical to segregate and manage specific data types uniquely, then a blanket 7-year policy will be applied to all data with a prescribed retention period of 6 years or less.


This policy was reviewed and updated in October 2023.