Section 3

| Resume a previously saved form
Resume Later

In order to be able to resume this form later, please enter your email and choose a password.

Password must contain the following:
  • 12 Characters
  • 1 Uppercase letter
  • 1 Lowercase letter
  • 1 Number
  • 1 Special character

Please provide any comments you have on the redrafted code rules below. You can comment on as many rules as are relevant to you. You can also save your responses and return to them later.

You can see how rules in the current code relate to the redrafted code in the Table of Changes.

The supporting documents include Code Compliance Guides which will help you understand how to meet the requirements of the redrafted code, and a Glossary with definitions of specific terms in the redrafted rules. CCG01: Documenting your Fundraising Decisions is relevant to Section 3.

3. Processing personal data

Protecting personal data makes sure people can trust you to use their data legally, fairly and responsibly. This section sets out the standards we expect when you process personal data, including standards related to direct marketing.

More information on data protection and the law can be found here.

3.1. Direct Marketing and Processing Personal Data

In this section, ‘you’ means a charitable institution or third-party fundraiser. 

3.1.1

You must have appropriate systems and procedures in place to ensure that:
  • you do not send direct marketing to people who have told you they do not want to receive it;

  • you stop sending communications to people you know have died;

  • databases are accurate and, where necessary, kept up to date; and

  • you comply with your obligations under data protection legislation.


Consent 

3.1.2

If you have a person's consent to send them electronic direct marketing, you must:
  • offer an easy way for them to withdraw consent (such as an “unsubscribe” link in emails); and

  • remind them of their contact preferences and offer an easy way to change these (such as an “update marketing preferences” link).


3.1.3

You must ensure consent statements included in your fundraising materials are clear, easy to read, and suitably prominent.

Under Article 7 of UKGDPR you are legally required to update the person’s record as necessary to reflect changes to their consent or contact preferences. For more information about consent, see the Information Commissioner's Office's (ICO’s) guidance on obtaining, recording and managing consent.

For more information on marketing preferences and fundraising materials see Section 9 Fundraising Communications.

Legitimate Interest

3.1.4

If you rely on the legitimate interest condition as the lawful basis to process personal data, you must record your decision-making to help show that you meet the legal conditions.

Selling and sharing data

3.1.5

You must not sell a person’s personal data to nor share it with any other organisation unless you can show you have that person’s freely given, specific, informed, and unambiguous consent to do so.

If you are sharing personal data for fundraising or direct marketing purposes, the ICO expects you to tell the person concerned the name of any third party you are sharing their personal data with.


Personal Data Processing for Specific Fundraising Approaches

The principles for responsible personal data processing are likely to be relevant in the following aspects of fundraising:

  • Fundraising with volunteers

    • You must ensure volunteer contact information and personal data is stored and processed appropriately.

  • Fundraising with children

    • You must exercise additional care when processing children’s personal data.

  • Fundraising with third-party fundraisers

    • Third-party fundraisers will need to meet the requirements of data protection legislation and wider requirements (such as the Telephone Preference Service) while fundraising for you.

    • Third-party fundraisers must not share confidential information they get from you unless it is clearly allowed under law.

  • Fundraising communications

  • Digital Fundraising

    • You must be clear about how you collect and use personal data in digital/online environments and explain your use of cookies on websites.

  • Legacy Fundraising

    • You must respect the wishes of someone planning to leave a legacy about your level of contact and whether they receive marketing communications.

Additional feedback