If you do not agree to this Policy, please do not submit any personal information to us. Should you decide not to consent, please be aware this will affect our ability to proceed with granting your child’s wish and therefore please contact us as soon as possible to discuss this further.
The processing of your information is carried out by Make-A-Wish Foundation® UK, a registered charity in England & Wales (295672) and Scotland (SC037479).
Some useful definitions:
What is Personal data?
- Personal data is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name, address, email address or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
What is Special data?
- Special category data is personal data that is more sensitive, and so needs more protection.
- In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.
- This is because special category data is more sensitive, and so needs more protection. For example, information about an individual’s;
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
- In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination.
Does this Policy apply to you?
This Policy applies specifically to parents or legal guardians who are making enquiries, or referring, their child for a wish (referred to as the “wish child”). This Policy also applies to the wish children themselves.
This Policy applies to any personal and/or special category data you provide us, including information about yourself, the wish child, and any other family members.
Please note that wish applications cannot progress without the involvement and explicit consent of the parents or guardians of the wish child.
In the remainder of this Policy, any reference to “you” and “your” means the parent or guardian of a wish child or the wish child themselves.
Why we use your information
We will only use your information where we have lawful and legal basis to do so and will always respect the data protection and human rights under all existing UK and EU data protection legislation and the Human Rights Act 1998.
Where we do rely on the lawful basis of legitimate interest under the General Data Protection Regulation (GDPR) to process your information, we will always ensure that this is done in a way that is not intrusive or does not cause distress. We may also use your information because we have a legal obligation to do so or because we need to fulfil a contractual obligation.
Some examples of what we mean by this include:
- processing and responding to applications, queries or requests
- fulfilling wishes on behalf of the wish child and liaising with medical professionals and/or carers in respect of such activities,
- gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests,
- ensuring business policies are adhered to,
- statistical analysis and research, or
- to notify you of changes to our services.
Other reasons include:
- To pursue our charitable purpose to deliver our mission and vision
- To raise vital funds for our work, for example, through our online Sponsor-A-Wish programme (further explicit consent would be obtained from you in such instances)
- To ensure we meet our regulatory requirements as a charity
- To manage our ongoing relationship with our supporters and anyone we work with
- To manage our financial transactions and prevent fraud
How we use your information
To assess if the wish child is eligible for a wish
We have medical criteria that the wish child must fall within for us to be able to grant their wish. To establish this eligibility, we will use the medical information provided by you and your medical consultant/s. Your primary medical consultant / professional may also ask us to seek further advice from other medical professionals. In such cases, we will seek explicit consent from you to do so, prior to actioning.
To grant the wish child’s wish
The process of granting a wish requires obtaining, assessing and storing information regarding the wish child and other relevant family members. In addition to collecting information from enquiry forms and application forms, we may also collect personal information during visits or other meetings with you, or via telephone conversations or emails.
To respond to any enquiries, requests, queries or complaints you make to us
This may include responding to your query or feedback, or sending you relevant information or materials. We may also keep a record of conversations we have with you, feedback you provide and any materials we send out to you.
To comply with the law
As with all charities, we ensure that our activities comply with the law. Therefore, we may need to share or use your personal information if we are required to do so by law (for example, in response to a warrant or court order), and we may use information from other sources for the purposes of fraud prevention, for example to comply with money laundering regulations, or to protect people’s rights, property or safety.
To share wish stories as part of our charitable activities
Where we gain consent to do so, we may photograph and film wishes to share the stories of wish children and their families to encourage charitable activities. A Wishgranter or a member of the Marketing team will always be in touch to discuss the details of how photos and films may be used, prior to asking for your consent. To find out more about this, or to change your consent for us to use images, please contact email@example.com.
There is no obligation or assumption at this time that your consent must be given with regard to the above statement, in order to qualify for a wish.
The Make-A-Wish community includes a network of Volunteers that help us raise funds and assist with the wish journey.
In order for our Volunteers to perform their role for Make-A-Wish, we will share your personal and/or special category data with them. Volunteers will only receive relevant information necessary to fulfil their role.
For example, our Wish Visitors, who, with your agreement, will visit your home to understand the wish child’s One-True-Wish, will require your name, address and telephone number to arrange the wish visit. Subject to you having provided your explicit consent during the wish application process, the Wish Visitors will also require the condition/health information of the wish child so that, in cooperation with yourself and the wish child’s medical professionals, we ensure that medical requirements such as carer attendance or oxygen needs are fulfilled on the wish. If you wish for specific information not to be shared, please advise us.
Volunteers are subject to the same safeguarding and data protection training and policies as our employees.
Please see our cookies policy here.
For those that have opted in, we will be in touch to tell you about our work including our fundraising, volunteer opportunities, events and other charitable activities, via email, telephone or text. You are able to opt-out of these communications at any time by contacting firstname.lastname@example.org.
We do not sell any information to third parties for marketing purposes. We may transfer your data to selected and carefully vetted third parties in order to process your data for fundraising or marketing purposes.
We fully comply with the Privacy and Electronic Communication Regulation (PECR).
Keeping your details up to date
We regularly review our data retention periods for all personal information that we hold. We shall endeavour to contact you on a regular basis to ensure that the personal information we hold about you is accurate and up-to-date as required under the GDPR.
Sharing your information with other organisations
We will never share your information with third parties for their own purposes, unless this is explained to you at the time we collect your information and you give us your explicit consent to, or we are legally required to do so.
We may share your personal information with the types of organisations listed below. The information we share may include the wish child and/or the wish family’s special data, such as health records, medical condition and requirements.
- Make-A-Wish Foundation International, a United States entity, in its role as provider of administrative and technical support to us, or as a liaison, in connection with any of the IT service providers mentioned below;
- Any Make-A-Wish affiliate located in any other country, where the wish is taking place in that other country or where we need to liaise with that overseas affiliate to assist us in delivering the wish. That overseas affiliate will only have access to the information it needs in order to provide us with that assistance. Details of where our affiliates are based can be found at https://www.worldwish.org/en/make-a-wish-story;
- The trusted operators of secure cloud-based platforms accessed by us and/or our Make-A-Wish affiliates to provide centralised data storage, and data management and transaction processing services. Specifically, this includes Salesforce Inc., an entity established in the United States, which hosts a customer relationship management platform used by Make-A-Wish affiliates to enable them to administer, co-ordinate and track wish applications. Such operators or service providers shall only be permitted access to your information to the extent required by them in order to provide us with contracted system maintenance, support or related services, or to provide (or assist us in performing) any related data back-up, restoration or other error correction or bug fixing activities.
- Where we are unable to fulfil a wish, we may introduce you to other charities that might be able to help grant a wish. In the course of doing so, we may share your contact details with them, together with an outline description of the wish child’s medical condition, and mobility/disability requirements.
- Third party suppliers in the process of granting the wish child’s wish. In these cases, we will only share data relevant to the service they are supplying. We will also ensure that they are under a contractual obligation to only use your information in accordance with our instructions and for no other purposes.
We also reserve the right to disclose some or all of the wish child’s and/or the wish child’s family’s personal information to:
- government bodies or law enforcement agencies, or response to other legal or regulatory requests, but only if and to the extent required by law to do so; and
- our auditors, lawyers or other professional advisers for any auditing, accounting or related business purposes, or in the enforcement, defence or settlement of any legal proceedings brought by or against us, but only if and to the extent such disclosure is strictly necessary for these purposes.
Transferring your information out of the EEA
In addition to the data storage in Salesforce explained above, sometimes third party organisations who work on our behalf may manage information outside the European Economic Area (EEA). In those circumstances, we will make sure that we have a valid reason for transferring your information out of the EEA under current Data Protection legislation and have relevant data protection agreements in place with them.
How long we keep your information for
As a general rule, we will hold your information for a period of up to seven years from the end of your relationship with the charity in accordance with our data retention policy. In some circumstances, we may hold your data for a shorter period of time, for example, we keep pictures and other media for up to three years and may ask you if we can continue to keep using your pictures and media past this point.
If you would like to know how long we will hold any specific information, then please contact us at email@example.com and we can provide further details.
Your data rights
The General Data Protection Regulation (GDPR) stipulates that you have the following rights. We are happy to explain how we can help you with any requests around these rights or explain them in more detail for you.
- Information Right – the right to receive the information contained in this policy and our data collection forms about the way we process your personal data.
- Personal Data Access Right – the right to know that we are processing your personal data and, in most circumstances, to have a copy of the personal data of yours that we hold. You can also ask for certain other details such as what purpose we process your data for and how long we hold it.
- Personal Data Correction Right – You have the right to request that we correct inaccurate data or complete incomplete data that we hold on you.
- Personal Data Erasure Right – Known as the Right to be forgotten. In certain circumstances, you may request that we erase your personal data held by us.
- Personal Data Restriction Right – You have the right to restrict the way we process your personal data in certain circumstances, for example if: you contest the accuracy of the data, if our processing is unlawful, to pursue legal claims, where we are relying on legitimate interests to process data.
- Data Processing Objection Right – You have the right to object to us processing your data for (i) direct marketing purposes (ii) scientific or historical research or statistical purposes and (iii) purposes of profiling related to direct marketing or based on our legitimate interests or on the performance of a task in the public interest
- Data Portability Right – you have the right to receive a copy of certain personal data or to have it transferred to another organisation in some circumstances
Right to Withdraw Consent at any time
Where we use your personal information based on your prior consent, or where you have given us permission to send you marketing communications by email, mobile messaging and by direct message on social media, you can withdraw your consent at any time by contacting firstname.lastname@example.org.
If you have any complaints about how we handle your personal data, please contact us so we can resolve the issue, where possible. If you need to make a complaint, you can find out more about how you can do this in our Complaints Policy. You also have the right to lodge a complaint about any use of your information with the Information Commissioners Office, the UK data protection regulator.
How we keep your information secure
We take appropriate measures to ensure data is held confidentially and with integrity in our systems. Our employees and volunteers are trained in the correct procedures for managing and handling data and our processes are regularly reviewed. We protect your data in a range of ways including secure servers, firewalls and encryptions. We follow industry standard compliance requirements such as PCI compliance (for payment card processing).
We believe that we have taken all technical and organisational steps reasonably necessary to ensure that any personal information under our control is held securely and in accordance with applicable law and this Policy. However, please note that the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of any information that is transmitted to us via the internet.
We may update this policy to reflect changes in how we use your information. You may wish to check this policy each time you provide us with your information. Where appropriate, we will provide you with notice of any significant changes to how we use your information.
Wish Qualifications, Make-A-Wish Foundation UK, Seventh Floor, Thames Tower, Station Approach, Reading, RG1 1LX
You can also get in touch by emailing us at email@example.com.