This data protection policy and privacy notice tells you what to expect us to do with your personal information.

  1. Company Details
  2. What information we collect, use and why
  3. Lawful bases and data protection rights
  4. Where we get personal information from
  5. How long we keep information
  6. Who we share information with
  7. How to complain
  8. GDPR Policy
  1. Company Details
    Registered name: Finzean Bucket Mill CIC
    Address: Old School, Finzean, Banchory, Aberdeenshire. AB31 6NY
    Email: info@bucketmill.co.uk
  2. What information we collect, use and why
    We collect or use the following information to provide services and goods, including delivery:
     • Names
     • Contact Details
     • Addresses
     • Health and safety information including volunteer health details
     • Website user information (including user journeys and cookie tracking)
     • Photographs or video recordings
     • Records of meetings and decisions
     • Records of visitors
     • Information relating to compliments or complaints
     • Information relating to funding, such as sponsorship, grant funding and donations

Policy: Data Protection & Privacy

We collect or use the following information to distribute newsletters and publish annual reports:
 • Names and contact details
 • Photographs or video recordings
 • Information relating to compliments or complaints
 • Recorded images, such as photos or videos
 • Records of consent, where appropriate
 • Email addresses

  3. Lawful bases and data protection rights
    Under UK data protection law, we must have a “lawful basis” for collecting and using your personal
    information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful
    bases on the Information Commissioner’s (ICO) website.
    Which lawful basis we rely on may affect your data protection rights, which are set out in brief below. You
    can find out more about your data protection rights and the exemptions which may apply on the ICO’s
    website:
     • Your right of access – You have the right to ask us for copies of your personal information. You can
       request other information such as details about where we get personal information from and who
       we share personal information with. There are some exemptions, which means you may not receive
       all the information you ask for. You can read more about this right here.
     • Your right to rectification – You have the right to ask us to correct or delete personal information
       you think is inaccurate or incomplete. You can read more about this right here.
     • Your right to erasure – You have the right to ask us to delete your personal information. You can
       read more about this right here.
     • Your right to restriction of processing – You have the right to ask us to limit how we can use your
       personal information. You can read more about this right here.
     • Your right to object to processing – You have the right to object to the processing of your personal
       data. You can read more about this right here.
     • Your right to data portability – You have the right to ask that we transfer the personal information
       you gave us to another organisation, or to you. You can read more about this right here.
     • Your right to withdraw consent – When we use consent as our lawful basis you have the right to
       withdraw your consent at any time. You can read more about this right here.
    If you make a request, we must respond to you without undue delay and in any event within one month.
    To make a data protection rights request, please contact us using the contact details at the head of this
    privacy notice.

Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide services and goods are:
 • Consent – we have permission from you after we gave you all the relevant information. All of your
   data protection rights may apply, except the right to object. To be clear, you do have the right to
   withdraw your consent at any time.
Our lawful bases for collecting or using personal information to distribute newsletters and publish
annual reports are:
 • Consent – we have permission from you after we gave you all the relevant information. All of your
   data protection rights may apply, except the right to object. To be clear, you do have the right to
   withdraw your consent at any time.

  4. Where we get personal information from
     • Directly from you
     • Via Volunteer Registration Forms
     • Via Newsletter Signup Forms
     • Third parties:
        o Birse Community Trust
        o Finzean Estate
        o Community Council
        o Finzean Hall Committee
  5. How long we keep information
    Finzean Bucket Mill CIC retains contact information for as long as is necessary. If you wish for your details
    to be removed, please contact the CIC by post or email.
  6. Who we share information with
    We may share information with other relevant third parties:
     • Birse Community Trust
     • Finzean Estate
     • Community Council
     • Finzean Hall Committee

  7. How to complain
    If you have any concerns about our use of your personal data, you can make a complaint to us using the
    contact details at the head of this privacy notice.
    If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also
    complain to the ICO.
    The ICO’s address:
    Information Commissioner’s Office
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire
    SK9 5AF
    Helpline number: 0303 123 1113
    Website: https://www.ico.org.uk/make-a-complaint
  8. GDPR Policy
    GDPR requires the CIC to safely and responsibly manage the personal data that it holds. The CIC holds a
    limited amount of personal data on those who interact with the CIC which allows the CIC to:
    a) Contact others to provide updates as required (for example, dates of meetings and to send newsletters
    or copies of the Annual Report).
    b) React efficiently to requests for CIC products from returning customers (without ever contacting such
    individuals on an unsolicited basis).
    c) The CIC is committed to protecting all the personal data held by the CIC in line with its responsibilities
    under GDPR, and in particular ensuring that any processing of data by the CIC is lawful, fair and
    transparent. The Chairman is the Director nominated to ensure the CIC’s compliance with GDPR.
    d) As a not-for-profit, the CIC is exempt from registering as an organisation that processes personal data
    with the Information Commissioner’s Office.

e) All the information held by the CIC has already been, and will continue to be in future, acquired with the
explicit permission of volunteers via application forms and/or by individuals contacting the CIC in order to
purchase CIC products. Any member or customer has the right to access their personal data or to ask for
their data to be removed from the CIC records and the CIC will comply with their requests as quickly as
possible.
f) The CIC will ensure that personal data is adequate, relevant and limited to what is necessary in relation
to the purposes for which they are processed. The CIC will take reasonable steps to ensure personal data
is accurate and is kept up to date. The CIC will ensure that personal data is not kept for any longer than
necessary.
g) The CIC will ensure that any personal data is stored securely using software that is kept up-to-date with
appropriate back-up systems in place. Access to personal data shall be limited to personnel who need
access, who will not share the data without a justified reason and who are bound by the CIC’s Code of Conduct
(Confidentiality Clause). When personal data is deleted, this should be done safely such that the data is
irrecoverable. The CIC holds names, addresses and email details of individuals who have contacted the
CIC in order to purchase CIC products. The CIC shall destroy obsolete computer equipment securely to
ensure any historic data held is not accessible.
h) The CIC Directors will investigate any breach of data security (accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to personal data held by the CIC). The resulting report and
the actions identified will be reviewed at the next Directors’ meeting. The Chairman will be responsible for
ensuring that any actions are completed including, if necessary, reporting the incident to the Information
Commissioner’s Office.

i) This policy shall be reviewed at a minimum of every five years or sooner if regulatory requirements require
it.