Maintaining your privacy and your trust is very important. We strive to be especially clear on how we use your personal information if and when we collect it, and on the ways in which we can work together to protect your privacy.

This document is for compliance with the Data Protection & Privacy legislation.

This Privacy Policy explains the:

  • Identity and contact information of the data controller
  • Legitimate interests of the data controller or third party (if applicable)
  • Purpose of the processing and the lawful basis for the processing
  • Categories of personal data to be processed
  • Details of whether personal data came from direct or indirect sources
  • Recipients or categories of recipients of the personal data
  • Details of data transfers to a third country and safeguards
  • Length of time personal data is processed and any criteria used to establish the length of time the data is processed
  • Data Subject’s Rights (Your rights)
  • Right to complain to the supervisory authority/regulator
  • Details of any part of a statutory or contractual requirement and possible consequences of failing to provide the personal data
  • The existence of any automated decision making, including profiling and information about how decisions are made

What products and services are covered by this policy?

This Privacy Policy applies to the information that we may obtain from you through your use of our website(s), supporters, members and/or partners, collectively called the “Services”. If you have any questions or need more information about these Services, please contact us at the email address in the section below.

Data Controller

Botanic Gardens Conservation International (“I”, “we”, “us,” “our”)

Legal Status: registered in the United Kingdom as a charity (Charity Reg. No. 1098834) and a company limited by guarantee (No. 4673175).

Descanso House
199 Kew Road
Richmond,
Surrey
TW9 3BW

Data Protection (Charges and Information) Regulations 2018

We are not currently registered with the supervisory authority; we rely on exemptions in Schedule 2(2): (c), (d), (e), (f), (g). Source: https://bit.ly/38Z3Fr2

(c) for the purpose of the maintenance of a public register;
(d) for the purposes of matters of administration in relation to the members of staff and volunteers of, or persons working under any contract for services provided to, the data controller;
(e) for the purposes of advertising, marketing and public relations in respect of the data controller’s business, activity, goods or services;
(f) subject to sub-paragraph (4), for the purposes of—
(i) keeping accounts, or records of purchases, sales or other transactions,
(ii) deciding whether to accept any person as a customer or supplier, or
(iii) making financial or financial management forecasts,

in relation to any activity carried on by the data controller;

(g) carried out by a body or association which is not established or conducted for profit and which carries out the processing for the purposes of establishing or maintaining membership or support for the body or association, or providing or administering activities for individuals who are either a member of the body or association or who have regular contact with it; or

(4) The processing of personal data by or obtained from a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974(1)) does not fall within the description of processing set out in sub-paragraph (2)(f).

Purpose and legitimate interest

We may use the information we collect for a variety of purposes, including to:

  • provide you with the services or information that you have asked for;
  • keep a record of your relationship with us;
  • membership, supporter and donor administration, including renewals;
  • keeping our members, their employees, our donors, supporters and friends informed about the benefits derived from our relationship;
  • advertising other relevant publications, events and opportunities from ourselves, our members and partners, as per our mission of fostering a community of botanic institutions;
  • requesting information for the purpose of research or quality control, to support our mission;
  • advertising membership and its benefits to non-members, with their consent;
  • involving friends, supporters and donors in any relevant fundraising campaign, with consent;
  • send you correspondence and communicate with you in relation to our services;
  • meet our legal obligations;
  • protect your vital interests;
  • respond to or fulfil any requests, complaints or queries that you may have;
  • understand how we can improve our services or information;
  • generate reports on our work and service; and
  • safeguard our staff, customers, suppliers, visitors and contractors.

Lawful Basis of Processing

General Personal Data

  1. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  2. Processing is necessary for compliance with a legal obligation to which the controller is subject;
  3. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  4. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
  5. The data subject has given consent to the processing of his or her personal data for one or more specific purposes. Consent may be withdrawn at any time.

Special Category Personal Data

The data subject has given explicit consent to the processing of those personal data for one or more specified purposes;

  1. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by UK law or a collective agreement pursuant to UK law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  2. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  3. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

Categories of personal data and Sources

What information do we collect from you, and how is it used?

Direct

| Purposes of processing | Categories of individuals | Categories of personal data |
|---|---|---|
| Staff administration | Employees | Contact details; Financial details; Health details |
| | Emergency contacts | Contact details |
| Membership | Members, friends & supporters | Contact details; Financial details |
| | Non-members | Contact details |
| Donations | Donors | Contact details; Donation history |
| Projects, Training, Events & Congresses | Partners | Contact details |
| | Participants | Contact details |
| Professionals and directories of expertise | Participants | Contact details* |
| Visitors | Visitors | Contact details; Vehicle details; Health, Safety & Security details** |

‘*’ – where the lawful basis of processing is consent only and the personal data is multimedia material (i.e. pictures, video etc.), once published it may not be possible to withdraw consent.

‘**’ – only processed in case of accident, or incident requiring investigation.

Children: We do not facilitate the processing of personal data of data subjects under the age of consent (13), i.e. children.

Indirect

From cookies: We may also collect “cookie” information that we may save to your computer or electronic device. If you do not accept cookies, you may not be able to use all functionality of our Services.

For specific information on cookies, please read our cookie policy.

Logs: We may record certain information and store it in log files when you interact with our Services. This information may include Internet protocol (IP) or other device addresses or ID numbers as well as browser type, Internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, your mobile carrier, and system configuration information.

Analytics: We and our analytics providers also collect and store analytics information when you use our Services to help us improve our Services. We make sure this data is anonymous by not connecting any analytics data to personally identifiable data such as a name, email address, physical address, or phone number.

Public sources: Personal data may be obtained from public registers (such as Companies House), news articles, sanctions lists, and Internet searches.

Recruitment services: We may obtain personal data about candidates from an employment agency, and other parties including former employers, and credit reference agencies.

How might we share information?

We are not in the business of selling or disclosing your personal information. We consider this information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your personal information with third party data processors, as set forth below:

Payment Processing: We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use billing information except for the sole purpose of such processing.

Newsletter Service: We use a commercial application to facilitate our newsletter service.

Projects, Training, Events & Congresses: When the project, initiative or training/event is funded externally, some of the information is collected as part of the contract with the funder; personal data is used for administration of the project and the activities related to it, as well as for reporting purposes.

Where projects/initiatives or training/events are organised by multiple partners, personal data will be shared with and among all the partners, through suitable platforms, for operational effectiveness, depending on the nature of the project/initiative, training or event.

Participants will always be informed of the specific details.

With your consent: We will not share your personal information with companies, organisations, or individuals who are not associated with us unless we have your affirmative consent to do so.

Where we are required to do so under statutory obligation: HMRC, Accountants and other professional service organisations.

Compliance with Laws and Law Enforcement Requests; Protection of Our Rights

We may disclose your information (including your personal information) to a third party if:

  • We believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request
  • To protect the security or integrity of our products and services
  • To protect our property, rights, and safety and that of our staff, members, friends, supporters, donors or the public from harm or illegal activities
  • To respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person; or
  • To investigate and defend ourselves against any third-party claims or allegations.

Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify you of such a change in ownership or transfer of assets by posting a notice on our website.

Data Transfers

Our staff and associates are based in Richmond, United Kingdom; Nairobi, Kenya; Moscow, Russia; Singapore; and Guangzhou, China.

BGCI (US) is a tax exempt 501(c)(3) non-profit organisation in the USA, based in San Marino, CA.

All associates acting on behalf of the data controller have appropriate safeguards in place.

The data controller does not transfer personal data outside of the United Kingdom, unless indicated below.

Data Processor Information: All third-party service providers are used by us and only process data in accordance with the instructions from the data controller.

How long will we keep the personal data?

Some data may be subject to a statutory retention period (a requirement to keep certain data for a minimum period of time), and this must be adhered to. This may include personal data (name, address, contact details), but on expiry of such statutory requirement, such data will be destroyed securely. Where possible, any personally identifiable data will be anonymised or pseudonymised.

Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information. Our backup routine keeps data for a rolling 30-day period after which time the data is removed from all systems.

Statutory or other requirements

The data controller does not process personal data in respect of any statutory requirement, nor require personal data to be supplied as part of any contractual agreement. However, in respect of the controller’s services, certain communications may not be possible without such personal data being supplied, for example an email to furnish you with updates, information etc., or an address to fulfil an order.

Profiling and Automated Decision Making: We do not use profiling or automatic decision-making.

Your rights

Your fundamental rights as a Data Subject are:

  1. The right to be informed
  2. The right of access
  3. The right of rectification
  4. The right of erasure (often known as the right to be forgotten)
  5. The right to prevent processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automatic decision making and profiling

Under the right of access (2), you have the right to have:

  • confirmation that your data is being processed;
  • access to your personal data; and
  • other supplementary information

So that you are aware of and can verify the lawfulness of the processing.

Your right to access can be exercised by contacting the data controller as above.

Not all fundamental rights are absolute.

Your right to complain to the supervisory authority/regulator: You have the right to complain about organisations processing your personal data. You can exercise this right by contacting the supervisory authority of the data controller as follows:

Head office

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number