The CSJ was established in 1983 to promote the Camino de Santiago, a network of ancient pilgrimage routes to Santiago de Compostela in northwest Spain, the 3^rd most popular pilgrimage destination in the world. We provide information, support and reassurance to people of all faiths or none, who are undertaking any of the various routes to Santiago, either on foot, by bike, on horseback or in a wheelchair.

This policy explains how we handle your personal data: how we collect, manage, use and protect it, in accordance with UK law and the EU General Data Protection Regulation (GDPR). We are classified as a Data Controller within this legislation.

Personal data includes any information which enables you to be identified as an individual.

We may change this document from time to time to reflect the latest view of how we handle your data so please check back frequently to see if changes have been made.

1. Who ‘we’ are
2. When we collect personal data
3. What personal data we collect
4. Cookies
5. How we use personal data
6. Lawful basis for processing personal data
7. How we share personal data
8. How we protect and store personal data
9. Your individual rights
10. Contact and complaint

1 - Who “we” are

The terms ‘Confraternity of Saint James’, ‘CSJ’, ‘we’ and ‘us’ refer to The Confraternity of Saint James Ltd, which is a registered charity in England & Wales (no. 1091140). It is a non-profit making company (no. 4096721) limited by guarantee, registered at 27 Blackfriars Road, London SE1 8NY.

2 - When we Collect Personal Data

We collect data when you subscribe, make purchases, register for events and activities, visit our premises, complete forms on our website, become a member or join our staff.

 

3 - What Personal Data do we Collect

You don’t have to disclose personal data to us to browse the website or to use our social media sites, but you do need to provide us with certain personal data in order for us to provide you with certain services.

            Data from                  Data collected

Direct from you	Basic personal data such as name, postal address, phone numbers, email address.   Order and payment history
Direct from you   -          CSJ Members	Basic data as above plus subscription and donation history, UK Gift Aid status   Additional optional information such as date of birth, occupation, personal skills/interests
From our website	What pages you visited, how long you spent on it, how you found us, if you have visited before - nothing that would trace it back to you!
From other websites	Notifications of payments made through Paypal or our Direct Debit providers, GoCardless. NB: We have no access to the bank account or credit/debit card details which you give these third parties.
From all sources	History of your consent, contact and marketing preferences
Other Third Parties	We may receive personal information from other third parties but only when you have given them permission to share the data.

3.1 - Children

The safety of children is very important to us. A parent or guardian may include a child aged under 16 as part of a Joint or Group membership but we do not knowingly communicate directly with a child, only with the first named adult member.

3.2 - Personal Data – Bank Accounts & Credit Cards

• Bank accounts

We use the GoCardless organisation to process regular subscription and donation payments by direct debit. We do not have access to the bank account details which you supply to them.

Occasionally, an individual makes a payment by international transfer and then we will keep the account details only until the payment is received into the CSJ bank account.

• Credit Cards

Office payments – credit card numbers are made unreadable immediately after the transaction has been processed.

Website payments are processed by PayPal and we do not have access to the credit card details.

.

4 - Cookies

With your permission, we will use cookies on our website to distinguish you from other users of the site. This helps us analyse and improve the user experience. For detailed information on how they work, please see the Cookie Policy on our website or ask for a copy from the CSJ office.

5. How we Use Personal Data

We use your personal data for the following purposes:-

(a) To provide you with the products, services and information that you ask us for

(b) To analyse transactions and improve our products, services and website

(c) To keep accurate membership records to support and engage with our members and to fulfil our obligations to them

(d) To support our volunteers and employees

(e) To record campaigning activities

(f) To send you CSJ and Camino related information about news, events, products, services, and activities

(g) To maintain regulatory records as required by UK law

(h) To record your consents, marketing preferences, implementation of changes arising from the rights of the individual (see section 9 below).

(i) To keep accurate financial records supported by internal control procedures

(j) To claim UK Gift Aid on donations and member subscriptions

(k) To perform our obligations under any contracts that we enter into with you

 

6. Lawful Basis for Processing Personal Data

There are up to six legal grounds for processing personal data of which we rely on the following four:-

6.1 – Legitimate Interest

The processes are needed to pursue our legitimate interests in ways which might reasonably be expected in running our business and which do not materially impact on your rights, freedom or interests.

This basis applies to the processes marked (a) to (e) above

6.2 - Consent

You give us specific permission to contact you, and details of your preferred contact method. You can withdraw your consent at any time by getting in touch with us.

Our contact details are set out in the ‘Contact and Complaints’ section below. However, this will not affect the lawfulness of any processing of your personal data which happened before you withdrew your consent

This basis applies to the processes marked (f) above.

6.3 - Legal Obligations

The processing is necessary for us, as the data controller, to comply with our legal obligations, such as sharing personal data where we are required to do so by UK law or by an order of a court.

This basis applies to the processes marked (g) – (j) above

6.4 - Contractual Obligations

The processing is necessary in order to perform a contract to which you are party, or to take steps that you have asked us to take before entering into a contract, such as buying a book or a DVD or other miscellaneous shop item.

This applies to the process marked (k) above

7 - How we Share Personal Data

We will not share personal data with any third party without your specific permission except

1. When forwarding your name and address to printers if you are a CSJ member and have signed up to receive physical copies of our quarterly magazine, The Bulletin However, once processed by the third party, your details are erased from their records.
2. When we send certain required personal information to UK Regulatory Organisations.

We will not sell your information and, unless you specifically consent, we will not share your information with other organisations other than as stated above.

8 - How we Protect and Store Personal Data

We know how much data security matters to you and we will treat your data with the utmost care and take all steps reasonably necessary to protect it and ensure that it is treated securely and in accordance with this Privacy Policy and applicable law.

1. All information electronically stored is backed up on our secure servers and/or on the servers of our suppliers who host some of our IT systems for us. All payment details are encrypted using TLS technology. Any account passwords for our site are also encrypted and cannot be shared.
2. For staff and volunteers who travel abroad, your personal data may be transferred to and/or stored at destinations within the European Economic Area, but we will ensure adequate protection and seek your permission before we do so.

• Whilst we do everything we can to ensure that electronic submission of data via email or our website is secure, we cannot guarantee total safety. Any transmission is at your own risk. Once we have received personal information, we will use strict procedures to keep it confidential.

1. Our mission is to promote the Camino de Santiago and offer information, support and reassurance to people undertaking it, be it on foot, by bike, on horseback or in a wheelchair, irrespective of motivation. We will keep supporters’ information only for as long as they engage with us in any of the above ways, and only as long as we need it:
   1. to administer their relationship with us;
   2. to comply with the law; or
   3. to ensure we do not communicate with supporters who have asked us not to.
   4. to analyse data as a basis for continuing to improve our products and services in the future.

We will, on a regular basis, review the personal data that we collect and hold, to ensure that such data is only kept for an appropriate length of time.

 

9 - Your Individual Rights

9.1 You have the following rights regarding personal data that we hold about you. If you would like to exercise any of the rights, please contact us using the contact details out in the “Contact and Complaints” section at the end of this Privacy Policy:

(a) Access. You have the right to ask us to provide you with a copy of your personal data and the other details we hold about you.
(b) Rectification. We will correct any inaccurate personal data and complete any incomplete personal data (including by providing a supplementary statement) that we hold about you, within one month.
(c) Prevention of processing likely to cause damage or distress. We will cease processing your personal data for a specific purpose, or in a specific way, if it is likely to cause unwarranted damage or distress, either to you or a third party.
(d) Erasure. We will delete your personal data at your request without undue delay.
(e) Restriction. We will restrict the processing of your personal data in certain circumstances (e.g if you believe that your personal data held by us is inaccurate), if requested by you to do so.
(f) Data portability. If you request it, we will provide records of your personal data in a structured, commonly-used and machine-readable format and we will transmit the said personal data to another data controller if required.
(g) Right to object. You can object to the processing of your personal data for a particular purpose.
(h) Right to object to marketing. You can object to us using your data to contact you for direct marketing purposes.
(i) Automated individual decision-making, including profiling. We will not make any automated decisions based on sensitive personal information unless we have obtained your explicit consent beforehand

9.2 - We will process all personal data in line with your rights in each case in accordance with the time limits and requirements of applicable law.

 

10 - Contacts and Complaints

You may ask any questions and make any requests or comments or objections regarding this policy and/or our use of your data by emailing [email protected] or writing to CSJ, 27A Blackfriars Road, London, SE1 8NY, UK

After getting in touch with us, you may also choose to contact the UK Information Commissioners Office (ICO) by phoning 0303 123 1113 or at www.ico.org.uk/

We are not a ‘public authority’ as defined by the Freedom of Information Act 2000 and we will therefore not respond to requests for information made under that Act.

Last Updated:        16 May 2018

Issued by:             The Confraternity of Saint James Ltd, 27 Blackfriars Road, London SE1 8NY

Charity no.           1091140.

Company no.        4096721 (Company Limited by Guarantee)

ICO no                   Z5102135.