Data Protection and Privacy

1. Introduction

2. Notice summary

3. What is covered by this notice?

4. Identity of the Data Controller

5. How do we collect personal information?

6. The personal information we may collect

7. The lawful basis of processing your information

8. Information Rights

9. Debit and credit card information

10. How we use the information you submit

11. Automated decisions and profiling

12. Data retention

13. Cookies

14. Sharing your information

15. Consent

16. Security

17. Complaints

18. Breach management

19. Version Control

Annex 1

Privacy on our website

Annex 2

Volunteering for the Commonwealth War Graves Commission (CWGC) or Commonwealth War Graves Foundation (CWGF)

1. Introduction

The Commonwealth War Graves Commission (“CWGC” or “Commission”) and the Commonwealth War Graves Foundation (“CWGF” or Foundation) takes your personal information and your privacy seriously. This Privacy Notice sets out how we use and protect any information about you which is obtained via our website or you send to us by post or e-mail. As we may change this notice from time to time you should check our website to view the most recent version of this notice.

Should you have any queries about the content of this notice, please contact the Commission’s Data Protection Officer at dpo@cwgc.org or alternatively you may write to:

Data Protection Officer
Commonwealth War Graves Commission
2 Marlow Road
Maidenhead Berkshire SL6 7DX

The UK information Commissioners Office is the supervisory authority for all matters concerning the processing of your personal data within the Commission where our head office is located.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Fax: 01625 524510

If you are based in another EU country, you may contact the relevant authority for your jurisdiction.

2. Notice summary

We respect your privacy and we take care of the information we obtain. We will only ask for personal data when it is necessary to provide you with the service you have requested, such as answering an enquiry or dealing with your subscription to our newsletter. We may also make your personal information anonymous to undertake statistical analysis for internal use. If we want to use your data for any purpose outside of the terms of this notice, we will ask you first.

3. What is covered by this notice?

This notice covers all web pages on our website and any correspondence (electronic or otherwise) between you and the Commonwealth War Graves Commission or the Commonwealth War Graves Foundation.

This notice does not include information that you submit to us through our recruitment process or throughout your employment with the Commission. These details are covered in the specific Privacy Notices, a copy of which is provided to applicants directly.

4. Identity of the Data Controller

The Commonwealth War Graves Commission is the Data Controller, which means that it is the body which determines the manner and purpose of processing your personal data.

This notice does not cover external sites which may have links on our website. We are not responsible for the content of these sites and any personal data collected by these organisations is not our responsibility.

5. How do we collect personal information?

We respect your privacy and take great care with the information we obtain. We may collect information from you via our website, by e-mails and post sent to our offices. For example:

6. The personal information we may collect

We may ask you to provide the following information:

Any personal information you provide will be transferred and stored on secure servers in a safe, confidential and secure environment. We will use all reasonable efforts to safeguard your personal information. However, you should be aware that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the internet.

7. The lawful basis of processing your information

The Commission will process personal data collected from the website on the following basis:

Such as when you as a member of the public contacts the Commission and we obtain your details to follow up on your enquiry; or when a member of the public visits a cemetery and signs our visitor book.

We ask for your consent to send you marketing and promotional material about our activities or the activities of our partners. We are required to keep a record of your consent.

Such as our obligations to maintain financial, records, evidence of right to work or health and safety assessments. Some of these details are necessary for employment law obligations or engaging volunteers. More detail can be found in the specific Privacy Notices.

Such as when you have successfully applied and been selected to undertake a role with the Commission; or where you are a third-party contractor undertaking tasks on behalf of the Commission in the role of a data processor.

Such as when a member of the public volunteers to undertake work on behalf of the Commission, we will keep a copy of their personal details for the length of the volunteering period (see Annex 2); Where we have obtained business details from an individual we will retain these for the duration of our business interactions; where we believe that a record has lasting historical value that supports or reflects the core business and values of the Commission, we will retain these indefinitely as historical records in our Archive; examples include, research, building developments, documents which reflect changes in personnel, structure or culture within the Commission.

The Commission considers that it conducts a number of tasks in the public interest. These include but are not limited to processing personal data for commemorative events, to maintain grounds, cemeteries and memorials, to maintain records for the correct commemoration of the War Dead, for historical and research significance and to further education and awareness of events during the First and Second World Wars.

In the course of its business the Commission will process some special categories of data. These categories may include but are not limited to:

8. Information Rights

You have the following rights under the General Data Protection Regulation Information and the UK Data Protection Act 2018 for those in the UK – you have a right to clear and transparent details of our data processing.

Access – You may request a copy of the personal data we hold relating to you.

Rectification – You may have personal data corrected if it’s inaccurate or incomplete.

Erasure – You may in certain circumstances request the deletion or removal of personal data where there is no legitimate reason for its continued processing.

Restriction – You may request that we restrict the use of your personal data and do not further process it as an alternative to erasure.

Portability – You can expect the Commission to hold your personal data in a common and reusable format where practicable.

Objection – You may object to:

If you would like to exercise any of these rights, please contact the Commission’s Data Protection Officer whose details appear at the top of this document.

9. Debit and credit card information

All debit and credit card payments made online are processed through STRIPE or other on-line payment providers and we do not store or have access to any card information that you provide through these methods of payment.

Further details on the STRIPE privacy policy can be found at:

Privacy Policy (stripe.com)

in addition, some payments may be made through PayPal and Go Cardless. We share information with HMRC as legally required where donations are made and we receive a completed gift aid form.

PayPal Privacy Notice

Go Cardless Privacy Policy

HMRC Privacy Notice

We will never request credit/debit card information from you via e-mail or other means. Please do not send this information or other sensitive information to us via email.

10. How we use the information you submit

The personal data we collect from you will be used to perform the service you have requested, for example answering your enquiry, fulfilling your order, registering you to our newsletters or website, or processing a membership request for the Foundation.

In addition, it may be used for the following:

We may also use the information you provide to carry out internal research in order to:

11. Automated decisions and profiling

We do not currently undertake profiling activity or automated decision making.

The Commission or the Foundation may use contact details published in the public domain to contact individuals who may have an interest in the work of the Commission/Foundation but will not use this information to engage in direct marketing unless we have obtained your explicit consent beforehand. We make every effort to ensure that we do not use information placed in the public domain in ways that the individual would not expect or be unlikely to anticipate.

12. Data retention

The length of time your personal data is retained is dependent on the purpose for which it was collected. Once the purpose of processing ceases to exist we will take steps to delete your personal data if there is no other lawful reason to retain it.

Personal data that you send via email is automatically retained in our email archive for a period of up to 15 years. If during the period of its retention you wish to receive a copy of your personal data you may make a request to do so.

Please note that the Commonwealth War Graves Commission was established with a duty to keep and maintain records relating to the Commonwealth war dead in perpetuity. Therefore, the Commission will retain documents relating to or supporting its legitimate interests in this regard indefinitely.

13. Cookies

Cookies are small files of letters and numbers that are downloaded onto a user's device and allow the website to recognize the user's device.

When you come to our website for the first time, you will be asked to either select “Accept All Cookies” or “Cookie Settings”. By choosing “Accept All Cookies” you are agreeing to these text files being added to your device. By choosing “Cookie Settings” you can choose the groups of Cookies to be added to your device.

Necessary cookies help make our website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Preference cookies enable our website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

Statistic cookies help our website team to understand how visitors interact with the website by collecting and reporting information anonymously.

Marketing cookies are used to track visitors across the website. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.

You can change your cookie preferences at any time by going to our Cookie Policy.

14. Sharing your information

We do not share your information, including your personal details, with anyone outside of the CWGC or CWGF unless we have sought your express permission. However, in certain circumstances, it may be necessary to pass your personal details to one of our member Governments. Should this be the case, you will be notified and informed of the legal basis for processing using the contact details you have provided. In the majority of circumstances this will be based on your explicit consent.

As a Commonwealth organisation and by the nature of our work, we operate in a number of countries around the world. In order to deal with your enquiry or other correspondence, it may be necessary for us to transfer and process your personal details to countries outside the United Kingdom or EEA which do not have in place similar protection as provided by the UK Data Protection Act 2018 or the General Data Protection Regulation. However, we have taken steps to ensure the adequacy of the territory and the security of your information. If you would like to obtain further information about the steps we have taken to ensure the protection of your information please contact the Commission’s Data Protection Officer.

Where the processing of your data is based on your consent, you will have been fully informed of our activity in unambiguous terms and actively opted into the processing based on this understanding. If you wish to withdraw your consent, you have the right to do so by contacting the Commission’s Data Protection Officer.

Please be advised that if you withdraw your consent to processing your personal information there may be another lawful basis that we rely on to continue processing. We will advise you if this is the case. If you withdraw your consent and another lawful basis does not exist for us to process your personal data, services which you had previously opted into will stop accordingly.

16. Security

We also take our commitment to Information Security very seriously. We have put in place appropriate physical, electronic and managerial procedures and safeguards to prevent unauthorised access or disclosure of any personal and other information. For example, we hold data in secure data centres, regular internal audits are carried out to ensure procedures are complied with and senior management monitor controls and outcomes. Any information you give to us either through our website, by e-mail or by any other means is stored securely and managed in accordance with the General Data Protection Regulation and UK Data Protection Act 2018.

17. Complaints

If you are dissatisfied with any aspect of our processing of your personal details and would like to make a complaint, we would request that in the first instance you contact the Commission’s Data Protection Officer so that the issue may be swiftly resolved.

If you remain dissatisfied with our response, under the UK Data Protection Act 2018 and General Data Protection Regulation you have the right to complain to the relevant authority for your jurisdiction.

18. Breach management

We take every care to prevent breaches of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to your personal data.

In the unlikely and unfortunate event that this does happen, we will take all reasonable steps to mitigate any damage and notify you of the actions we have taken promptly.

If you have concerns regarding the handling of your personal data and would like to raise these with the Commission’s Data Protection Officer, please send your concerns to the address at the beginning of this document.

Your concerns will be handled and investigated confidentially.

19. Version Control

Document Name

Privacy Notice

Version

5.0

Document Owner

Data Protection Officer

Effective Date

September 2024

Date for Review

September 2025

Annex 1

Privacy On Our Website

As part of our commitment to keep you informed about how your information is used, this document explains the various functions and services that support our website.

The Website

The website is developed and maintained by Enjoy Digital. To provide these services Enjoy Digital may have access to contact information, including email addresses, demographic data, preferences, interests, customer surveys and IP addresses.

We have taken appropriate contractual measures to ensure the safety of this information.

Website Search

Our website search is powered by Microsoft Azure Elastic Search and delivered via our website platform utilizing Umbraco. Search queries, results and user journeys are logged anonymously within Umbraco to help us improve our website and search functionality. Unless you are logged into an account, no user-identifiable data is collected by either the CWGC or any third party.

Microsoft Azure Privacy Policy

Mailing List and Newsletters

We use Umbraco to collect email addresses for those people who want to stay in touch with the CWGC. We use a third-party tool, MailChimp, to send all of our mailings and newsletters, complying with the consents provided to us at the time of signing up. All of our mailings include the option to unsubscribe and/or manage individual preference settings and we always respect the decision of users who unsubscribe MailChimp Privacy Notice

No information is shared with any other organization.

e-Commerce

We use our website for e-Commerce for selling products as well as receiving donations and people signing up for the Supporters scheme. We use STRIPE, PayPal and Go Cardless as our payment providers and no credit card data is stored on the CWGC’s servers or systems. We do obtain and store personal data necessary to fulfil the business process of shipping products or maintaining relevant records concerning membership. We use various third-party fulfilment agents for shipping products and we only share with them the information necessary to be able to ship purchased items. We share information with HMRC as legally required where donations are made and we receive a completed gift aid form.

Privacy Policy (stripe.com)

PayPal Privacy Notice

Go Cardless Privacy Policy

HMRC Privacy Notice

Performance

We use third-party tools from Google to support analysis of website traffic and performance where users have agreed to Analytics Cookies. All data collected in this way is anonymous, does not contain personal information and is not shared with any external parties. We use this data to analyse the website’s performance and user journeys around the website. Google Tag Manager is used to supply, Facebook Pixel and Twitter Pixel to every page of the website. Facebook and Twitter Pixel capture individuals details whose demographics and interests are similar to those of our existing audience for marketing purposes.

Facebook Pixel Privacy Notice

Twitter Pixel Privacy Notice

Google Analytics Privacy Notice

Crowd Sourcing

We use Stackla.com to support our crowd sourcing activities. We do not collect personal information beyond that necessary to provide the crowd sourcing service. Some of the personal data may be in an audio format where individuals’ stories of events are captured, or visual images submitted by the individual which will be collected in Stackla and displayed on the website.

Stackla Privacy Notice

No information is shared with any other organization.

People who Contact us via Social Media

We use a third-party provider, Hootsuite and Salesforce to manage our social media interactions. If you send us a private or direct message via social media the message will be stored by one or both of these systems in accordance with our retention policies.

Hootsuite Privacy Policy

Salesforce Privacy Policy

No information is shared with any other organization.

People who contact our Enquiries Team

We use a third-party product, Salesforce.com, to manage our enquiries service. All incoming enquiries, whether on paper, email or telephone are stored on the system and retained in accordance with our retention policies. When you call we collect Calling Line Identification (CLI) information to help improve the efficiency and effectiveness of the service we provide.

Salesforce Privacy Notice 

No information is shared with any other organization.

Version Control

Document Name

Privacy Notice – Annex 1

Privacy On Our Website

Version

4.0

Document Owner

Data Protection Officer/Digital Team

Effective Date

September 2024

Date for Review

September 2025

Annex 2

Volunteering for the Commonwealth War Graves Commission (CWGC) or Commonwealth War Graves Foundation (CWGF)

This annex specifically relates to processing personal data of volunteers:

Purposes for collecting Volunteer data

We collect your name, address, postcode, telephone number, mobile number, email address, work preferences and county in which you would like to volunteer.

This information is collected for the following purposes:

We collect this information using both an electronic form and a postal form. Forms containing volunteer details will be held by the Volunteer Co-ordinator operating regionally and held on our internal volunteer database and systems.

Lawful basis for processing Volunteer data

Volunteer information collected by the Commonwealth War Graves Commission or Commonwealth War Graves Foundation is done so under Article 6(1)(f) of the GDPR and the UK Data Protection Act 2018 for those in the UK as a legitimate interest.

The legitimate interest being pursued is the appropriate administration and retention of a network of volunteers to assist with initiatives which support or promote the work of the Commonwealth War Graves Commission or the Foundation. A Legitimate Interest Test has been conducted for this data processing and is retained by the Data Protection Officer.

The processing involves no sensitive categories of personal data and is not thought to have an adverse or disproportionate risk to privacy.

The information provided by volunteers will not be used for direct marketing.

Please notify the Data Protection Officer (dpo@cwgc.org) should you have any objections to the processing of your personal data for the purposes listed above.

Sharing data with us and others

You should avoid publishing on social media or newspapers etc. any information that you would not want to be shared, or information which might impact on the privacy of other living individuals during your volunteer work. This may include photograph images of other volunteers or members of the public.

We may use any images that you do share, either directly or through social media, to highlight and promote the volunteer activity that you are undertaking and to promote events either through the production of leaflets and articles or through online media.

Please note that volunteer details may be shared internally between the Commonwealth War Graves Commission and the Foundation to ensure co-ordination of local events and volunteer opportunities.

How we process your personal data

The personal data that you share with us is held on our internal volunteer database and systems.

We may use this software to create volunteer profiles, search for information using date ranges, schedule events, email volunteers and produce statistics such as the hours and numbers of volunteers per project or to gather volunteer feedback.

Your Rights

You have the following rights under the General Data Protection Regulation Information and the UK Data Protection Act 2018 for those in the UK – you have a right to clear and transparent details of our data processing.

Access – You may request a copy of the personal data we hold relating to you.

Rectification – You may have personal data corrected if it’s inaccurate or incomplete.

Erasure You may in certain circumstances request the deletion or removal of personal data where there is no legitimate reason for its continued processing.

Restriction – You may request that we restrict the use of your personal data and do not further process it as an alternative to erasure.

Portability – You can expect the Commission to hold your personal data in a common and reusable format where practicable.

Objection – You may object to:

If you would like to exercise any of these rights, please contact the Commission’s Data Protection Officer whose details appear at the top of this document.

Data Retention

The information you provide us will be held for at least the duration of your volunteering activities. Six months following the closure of volunteering activity, your personal data will be routinely deleted, although some data may be retained for longer where there are statutory obligations to do so. In addition, information which identifies you may be retained in our closed historical archive as a record of significant events and initiatives across the Commission.

Version Control

Document Name

Privacy Notice – Annex 2

Volunteering for the Commonwealth War Graves Commission (CWGC) or Commonwealth War Graves Foundation (CWGF)

Version

2.0

Document Owner

Data Protection Officer

Effective Date

September 2024

Date for Review

September 2025