GDPR Compliance

Our commitment to UK GDPR and your data protection rights

YouthFinance Birmingham is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and protect your rights.

Data Controller Information

For the purposes of UK GDPR, the data controller is:

YouthFinance Birmingham
47 Colmore Row
Birmingham, B3 2BS
United Kingdom
Email: [email protected]

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

1. Right of Access

You have the right to obtain confirmation that we are processing your personal data and to receive a copy of that data. You can also request information about how we process your data.

2. Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete data completed.

3. Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

4. Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in specific situations, such as when you contest the accuracy of the data or object to processing.

5. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

6. Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

7. Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling. All decisions regarding your participation in our programmes are made by humans.

8. Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us using the details in the Contact Us section at the end of this page.

We will respond to your request within one month of receiving it. In complex cases, or where you make several requests, we may extend this by a further two months; if so, we will tell you within the first month that an extension is necessary and why.

We may need to verify your identity before acting on your request. This is a security measure to ensure personal data is not disclosed to anyone other than the person it relates to, or someone authorised to act on their behalf.

Lawful Bases for Processing

We only process your personal data when we have a lawful basis to do so. Our lawful bases include:

Consent

We obtain your consent for certain processing activities, such as marketing communications and non-essential cookies. You can withdraw consent at any time.

Contract

Processing is necessary to fulfill our contract with you when you enroll in our programmes, including providing the service, processing payments, and communicating about programme details.

Legitimate Interests

We process data based on our legitimate interests in operating our business, improving services, and ensuring security. We always balance these interests against your rights and freedoms.

Legal Obligation

We process data when required to comply with legal obligations, such as tax and accounting requirements.

Data Protection Principles

We adhere to the UK GDPR principles ensuring personal data is:

  • Lawfully, fairly, and transparently processed: We are clear about how and why we use your data
  • Collected for specified, explicit purposes: We only collect data for defined, legitimate purposes
  • Adequate, relevant, and limited: We only collect data necessary for our purposes
  • Accurate and kept up to date: We take steps to ensure data accuracy
  • Kept no longer than necessary: We delete or anonymize data when no longer needed
  • Processed securely: We implement appropriate technical and organizational measures

Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of sensitive data in transit and at rest
  • Regular security assessments and audits
  • Access controls limiting data access to authorized personnel only
  • Staff training on data protection and security
  • Secure backup procedures
  • Incident response procedures

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights
  • Document all data breaches, including facts, effects, and remedial action taken

International Data Transfers

If we transfer your personal data outside the United Kingdom, we ensure appropriate safeguards are in place, such as:

  • The ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses
  • UK adequacy regulations recognising countries whose data protection standards are considered equivalent
  • Other legally approved transfer mechanisms

Children's Data

While our programmes serve children and teenagers, we collect personal data from parents or guardians. We take additional precautions when processing information about children:

  • We obtain parental consent before collecting children's data
  • We limit data collection to what is necessary for programme delivery
  • We implement enhanced security measures for children's information
  • We do not use children's data for marketing purposes

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Our retention periods vary based on data type:

  • Programme participant data: Retained for the duration of programme participation plus 3 years for warranty and liability purposes
  • Financial records: Retained for 7 years to comply with tax and accounting regulations
  • Marketing consent records: Retained until consent is withdrawn plus 3 years to demonstrate compliance
  • Website analytics data: Retained for 26 months

Third-Party Data Processors

We work with carefully selected third-party service providers who process personal data on our behalf. All processors are bound by data processing agreements ensuring:

  • Data is processed only according to our instructions
  • Appropriate security measures are implemented
  • Confidentiality obligations are in place
  • Sub-processors are only engaged with our authorization
  • Data is deleted or returned at the end of the service relationship

Accountability and Governance

We demonstrate accountability through:

  • Maintaining records of processing activities
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Regular staff training on data protection
  • Implementing privacy by design and default principles
  • Regular review and updates of our policies and procedures

Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority if you believe we have not handled your personal data properly.

In the United Kingdom, the supervisory authority is:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

However, we encourage you to contact us first so we can address your concerns directly.

Updates to This Page

We may update this GDPR compliance information from time to time to reflect changes in our practices or legal requirements. Please check this page periodically for updates.

Contact Us

If you have any questions about our GDPR compliance or wish to exercise your data protection rights, please contact us:

Email: [email protected]
Address: 47 Colmore Row, Birmingham, B3 2BS, United Kingdom