1.0 Processing personal data fairly and lawfully
1.1 Toby’s Magical Journey respects your privacy. The personal information you share is safe and will only be passed on to third parties with your consent. Your personal data is used only to support your volunteering activities and this can include your name, address, telephone number and email address.
1.2 For some volunteering activities, in addition to your personal details, more details may be required through a Disclosure. A Disclosure is a Scottish Government scheme to verify an individual is of good nature and holds no criminal convictions nor is banned from working with children or vulnerable people. Any applications for Disclosure shall be treated with respect and the privacy required. Assistance can be given to you to complete the application. Your data will be collected fairly and lawfully in accordance with the new GDPR (General Data Protection Regulations).
1.3 Soft copies, known as “electronic data” is stored on a sole dedicated computer that is not connected to any exchange servers or networks and only two Directors have access, Richie Etheridge and Alison Etheridge. The internet connection is via a password and is frequently changed.
1.4 Hard copies, or paperwork as we know is, is generated using the dedicated computer and only printed when necessary, such as financial transaction. Paper copies are stored in a lockable storage unit with the key held by the Directors.
2.0 Data collected shall only be used for the purposes intended
2.1 The purpose of collecting your data is to be able to volunteer with Toby’s Magical Journey. Your name, address, email address and date of birth are required so we need to know your basic details for purposes of communication and to ensure you are of volunteering age.
2.2 Should a new intention purpose arise, you will be contacted and asked for permission to use the data for the new intention. If you decline permission, then the data will not be used for that new intention. Toby’s Magical Journey generally do not email you with newsletters or emails of products. All or some products available can be and are not limited to being advertised on Facebook, Prestashop, Instagram and any other outlets deemed fit. A potential customer will make contact with Toby’s Magical Journey in the first instance.
2.3 If products are to be sent via the postal system, an address shall be required, for where the parcel is to be delivered. For security, if the Post Office of courier asks, the item contained will be declared. This will be verbal only and should have zero impact on the data retained. A receipt for the sending of the parcel retained, should it become lost in the post.
3.0 Data collected shall be adequate, relevant and not excessive
3.1 This means that we won’t ask you for other personal data such as ethnic origin or religious beliefs, as it bears no relevance nor contractual obligation.
3.5 Cash transactions are offered as a means of payment and a paper receipt will be offered to the customer. Only a name is required for this and a note of the product and cost of sale will be made. This will be used for financial recording only. Should you wish for more information to be sent to you, this can be arranged by request (ie further information of other products).
3.6 Bank transfers are possible, where customers can make payment from their personal bank account to Toby’s Magical Journey. We will only see the name, value and any reference of the transaction (if you choose to make a reference) when payment shows on Toby’s Magical Journey bank account. Toby’s Magical Journey take no responsibility for your own security, malfunctions, nor erroneously paying in the wrong account number.
3.7 Craft fayres or other attended shows can attract a mixture of these payment transactions. Toby’s Magical Journey shall discuss options with customers if they require further information to be sent out. It is the onus of the potential customer to communicate with Toby’s Magical Journey should they wish to progress with a purchase as Toby’s Magical Journey will not make “cold calls” or pressure the customer in to making a purchase.
3.8 HMRC requires all companies to retain financial transactions such as a sales spreadsheet, VAT values and bank statements for 6 years. This is a statutory requirement and cannot be changed by Toby’s Magical Journey. All financial records shall be retained and upon the 6 year anniversary; electronic data shall be deleted and hard copies shall be shredded.
4.0 Keeping up to date
4.1 Should any of your contract details change between after signing up to be a volunteer, please contact Toby’s Magical Journey to update these. Our contact details are on the website.
4.2 Newletters and emails of our activities are not sent out via email. Facebook, Twitter and Instagram are our “news” items which you can follow.
4.3 Toby’s Magical Journey has a calendar of activities on it’s website advertising where we will be. If you are interested in volunteering, please make contact with Toby’s Magical Journey.
5.0 Data should not be kept longer than necessary
5.1 Data is kept only for the duration required. Volunteering records are kept on file all the time you are active with Toby’s Magical Journey. Should you no longer wish to volunteer, your file will be moved to the archive and retained for a further year from the date you chose to finish volunteering. At the 1 year anniversary, your file will be shredded and any electronic records of you shall be deleted.
5.2 Financial transactions, regardless of volunteering or not, shall be kept for a period of 6 years from date of sale. This is a HMRC requirement and cannot be changed by Toby’s Magical Journey. At the 6 year anniversary, hard copies (ie paperwork) will be removed from the storage location and shredded. All soft copies (ie electronic), such as spreadsheet entries and PDFs of invoices, receipts etc, shall be permanently deleted.
6.0 Keeping your data secure
6.1 As described above, hard copies and soft copies of personal data shall be securely held for their intended purpose. Should a security breach occur which involves your data being lost, stolen or hacked, you will be contacted to make you aware of a potential breach. We will inform the Information Commissioner’s Office (the regulatory public body overseeing the implementation and governance of GDPR) and conduct an investigation. The findings of a data breach shall be communicated with you to confirm if there has been a security breach and what actions we will need to take, if any. If an ICO appoint a case worker, we shall work with the ICO to establish the facts and prevent recurrence. You will be communicated with as appropriate.
6.2 Should you wish to know what personal data we hold of yours, please make a written request. This can be via email or letter preferably (although not mandatory) with a reference: Subject Access Request (SAR). Once we have received the request, we shall acknowledge receipt of your request. We will also give you an estimated date of when we expect to feed this information back to you, but by the latest, it will be within one calendar month at the maximum.
6.3 We shall give you all the details we hold on record and communicate this back to you in writing. Once you have received this, you have a few options. You can accept it and choose to acknowledge it. You can accept it and not acknowledge it. You can accept it and ask to make an amendment to it. Changes to your personal data can be made via written communication (email or letter). You can choose to delete the information, if it is eligible to be deleted. This service is free of charge in accordance with GDPR.
6.4 Should you wish to offer compliments, discuss a concerning issue or raise a complaint, please do so with Richie Etheridge or Alison Etheridge. Our contact details are on the website and we will be glad to open dialogue with yourself.