LATCH Data Protection and General Data Protection Policy (GDPR)

1. Introduction

This policy provides information on how we as an organisation collect and process your personal data when you engage with us, whether that is as a beneficiary of our services, raising funds on our behalf, interactions with our donors and supporters or through the administration of our organisation by processing data about our staff, volunteers and charity trustees.

We need to gather and use information or ‘data’ about you as part of our services and to protect the legal rights of individuals, patients and staff in respect of confidentiality and privacy. We intend to comply with our legal obligations under the Data Protection Act 2018, the EU General Data Protection Regulation (‘GDPR’) and any subsequent legislation in respect of data privacy and security. We have a duty to notify you of the information contained in this policy. This policy also acts as the privacy

2. Important information and who we are

Latch Welsh Children’s Cancer Charity (“Latch”, “we”, “our”, “us”) is the controller and is responsible for your personal data. Our trustees are responsible for ensuring that our charity complies with the law and regulatory requirements, including data protection legislation. However, day to day compliance with data protection law is delegated to our Data Protection Lead (“DPL”), namely our interim CEO. If you have any questions about this privacy notice and policy or our data protection practices please contact the interim CEO.


Our full details are:

Full name of legal entity: Latch Welsh Children’s Cancer Charity
Title of Data Protection Lead: Interim CEO
Email address[email protected]
Postal address: Latch Wales Children’s Cancer Charity, Children’s Hospital for Wales, Heath Park,
Cardiff, CF14 4XW.
Telephone number: 029 2184 8858

3. GDPR Principles

We adhere to the principles relating to processing of personal data set out in the UK GDPR which
require personal data to be:

a. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and
b. Collected only for specified, explicit and legitimate purposes (Purpose Limitation);
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which it
is Processed (Data Minimisation);
d. Accurate and where necessary kept up to date (Accuracy)
e. Not kept in a form which permits identification of Data Subjects for longer than is necessary
for the purposes for which the data is Processed (Storage Limitation);
f. Processed in a manner that ensures its security using appropriate technical and
organisational measures to protect against unauthorised or unlawful Processing and
against accidental loss, destruction or damage (Security, Integrity and Confidentiality);
g. Not transferred to another country without appropriate safeguards being in place (Transfer
Limitation); and
h. Made available to Data Subjects and allow Data Subjects to exercise certain rights in
relation to their Personal Data (Data Subject’s Rights and Requests).

We are responsible for and must be able to demonstrate compliance with the data protection principles listed above. Any questions in relation to these principles should be directed to the interim CEO.

4. What is Personal Data?

Personal data means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the
intentions of us or others, in respect of that person. It does not include anonymised data.

This policy applies to all personal data whether it is stored electronically, on paper or other materials.

5. Special types of personal data

Special categories of personal data are types of personal data consisting of information as to:
(a) your racial or ethnic origin;
(b) your political opinions;
(c) your religious or philosophical beliefs;
(d) your genetic or biometric data;
(e) your sex life and sexual orientation; and
(f) any criminal convictions and offences.

Processing of these types of data is only permitted if one of the following conditions applies:

i. The data subject has given explicit consent to the processing for one or more specific purposes, except where EU or member state law provides that the data subject may not consent to this particular type of processing.
ii. It is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by EU or member state law or a collective agreement pursuant to member state law providing for adequate safeguards for the fundamental rights and the interests of the data subject.
iii. Processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent.
iv. Processing is carried out by a not-for-profit entity with a political, philosophical, religious or trade union aim in the course of its legitimate activities; with appropriate safeguards; and solely with regard to members or former members of that entity to persons who have regular contact
with it in connection with its purposes.

6. How we use your personal data

We will only use your personal data for the purpose for which we collected it, which include the

However, we can only do this if your interests and rights do not override ours (or theirs). You have
the right to challenge our legitimate interests and request that we stop this processing.

7. Processing

Processing means any operation which is performed on personal data such as:
(a) collecting, recording, organisation, structuring or storage;
(b) adaption or alteration;
(c) retrieval, consultation or use;
(d) disclosure by transmission, dissemination or otherwise making available;
(e) alignment or combination; and
(f) restriction, destruction or erasure.

We will process your personal data in accordance with the uses referred to above. This includes processing personal data which forms part of a filing system and any automated processing.

The Charity will process your personal data (including special categories of personal data) in accordance with our obligations under the Data Protection Act 2018.

We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it. We will only process special categories of your personal data (see above) in certain situations in accordance with the law. For example, we can do so if we have your explicit consent. If we asked for your consent to process a special category of personal data then we would explain the reasons for our request. You do not need to consent and can withdraw consent later if you choose by contacting the interim CEO.

We do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:

(a) where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent;
(b) where you have made the data public;
(c) where processing is necessary for the establishment, exercise or defence of legal claims; and
(d) where processing is necessary for the purposes of occupational medicine or for the assessment of your working capacity, whether that is on a voluntary basis or as a supporter.

We do not take automated decisions about you using your personal data or use profiling in relation to

8. How we share your personal data

We may share your personal data within the Charity and with external third parties, such as Social Workers and Cardiff and Vale Health Board.

Personal data may need to be shared externally on a one-off basis, where an ISP or equivalent sharing document does not exist. Advice must be sought from the interim CEO in such circumstances. You may only share the Personal Data we hold with third parties, such as our service providers, if:

(a) they have a need to know the information for the purposes of providing the contracted services;
(b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
(c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
(d) the transfer complies with any applicable cross-border transfer restrictions; and
(e) a full executed written contract that contains UK GDPR-approved third party clauses has
been obtained.

9. International transfers

We will not transfer, store and process your personal data outside the UK. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained.

10. Reporting a personal data breach

The UK GDPR requires Controllers to notify any Personal Data Breach to the Information Commissioner and, in certain instances, the Data Subject. We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.

If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for Personal Data Breaches to the interim CEO. You should preserve all evidence relating to the potential Personal Data Breach.

11. Your legal rights

You have the right to information about what personal data we process, how and on what basis as
set out in this policy.

You have the right to be notified of a data security breach concerning your personal data. In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact the interim CEO.

You have the right to access your own personal data. You can correct any inaccuracies in your personal data. To do you should contact the interim CEO.

You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact the interim CEO.

While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact the interim CEO.

You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.

You have the right to object if we process your personal data for the purposes of direct marketing.

You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. We will not charge for this and will in most cases aim to do this within one month.

With some exceptions, you have the right not to be subjected to automated decision-making.

You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK regulator for data protection issues. Full contact details including a helpline number can be found on the Information Commissioner’s Office website ( This website has further information on your rights and our obligations.

Further details

If you are looking for more information on how we process your personal data including on data security, data retention and lawful processing bases, please contact the interim CEO. Personal data will not be kept longer than is necessary for the purpose for which the data is processed.

12. Changes to this policy

We keep this Data Protection Policy and Privacy Notice under regular review. This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Charity operates.

Date approved: 28th September 2022