Privacy Statement

Preservation of your privacy is important to the Norwich Historic Churches Trust. We are committed to using your data responsibly, at all times in accordance with data protection law and your rights as an individual. 

Why do we have a privacy statement?

We want you to feel comfortable with the privacy of your personal information   This statement is provided to inform you on how we use and protect the information we collect and hold.

This statement sets out why we process your data and provides key information to enable you to understand how your data is used. 

As a data controller we are committed to protecting and respecting your personal information.

We will not sell your data and will give you ways to manage and review your contact preferences.

 

Who are we? 

The Norwich Historic Churches Trust (NHCT) is a charity registered in England and Wales (Registered Charity number 266686 ), and a Limited Company (Registered Company no 01134684).  

The Responsible Officer is Simon Smith.

We (NHCT) are the controller of your personal data. A data controller has the responsibility of deciding how personal data is processed and protecting it from harm.

For more information on controllers and their responsibilities please see the ICO website  on data protection principles, definitions, and key terms.

 

Our contact details

Post:  St. Martin At Palace, 15 St. Martin At Palace Plain, NORWICH, Norfolk, NR3 1RW

Telephone: 01603 611530

Email: [email protected]

 

What information we collect, use, and why

We collect or use the following information to receive donations or funding and organise fundraising activities

  • Names and contact details
  • Addresses
  • Bank account details
  • Donation history
  • Tax payer information (for Gift Aid purposes)
  • Gifts in wills

 We use your personal data for the following purposes:

  • To maintain our own accounts and records (including the processing of Gift Aid applications)
  • To inform you of news, events, activities of the Trust. To organise events which you attend.
  • To make payments to you.

 We collect or use the following personal information to comply with legal requirements:

  • Name
  • Contact information
  • Bank account details
  • Financial transaction information
  • Any other personal information required to comply with legal obligations

 

 We use your personal data for the following purposes:

  • To maintain our own accounts and records
  • To make payments to you

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Our lawful bases for collecting or using personal information to receive donations or funding and organise fundraising activities are:  

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.  
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

The Trust is unable to provide you with details of our activities if you do not provide certain information to us. Therefore, we collect the following information from you when you become a supporter of the Trust, take part in its events or supply service to the Trust: Name, Address, Email, telephone numbers. In relevant circumstances we will also collect bank account details to allow for the payment of invoices.

 For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

 

Your Data protection rights

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

  • Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
  • Your right to rectification– You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
  • Your right to erasure– You have the right to ask us to delete your personal information.
  • Your right to restriction of processing– You have the right to ask us to limit how we can use your personal information.
  • Your right to object to processing– You have the right to object to the processing of your personal data.
  • Your right to data portability– You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
  • Your right to withdraw consent– When we use consent as our lawful basis you have the right to withdraw your consent at any time. If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for collecting or using personal information to comply with legal requirements are:  

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

 Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

 

 Where we get personal information from

  • Directly from you
  • Regulatory authorities

 

How long we keep information

We will keep your personal information for as long as we have reasonable organisation needs, which include managing our ongoing relationship with you.  Thereafter we will keep your personal information in line with legal and regulatory requirements or guidance.

 

How is this information kept safe?

We have appropriate security measure in place to prevent personal information from being accidentally lost or used or access in an unauthorised way.   We limit access to your personal information to those who have a genuine need to know it.  Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality

We have procedures in place to deal with any suspected data security breach.  We will notify you or any applicable regulator of a suspected data security breach where we are legally required to do so.

You are responsible for your contact information to us, and you should notify us immediately of any unauthorised use.

Who we share information with

Data processors : Mailchimp

This data processor manages mass digital mailings advising our supporters of activities and fundraising activities.

Others we share personal information with

  • Professional advisors
  • Relevant regulatory authorities
  • External auditors or inspectors
  • Organisations we’re legally obliged to share personal information with

 

 

Sharing information outside the UK

Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Microsoft 365

Category of recipient: Storage provider

Country the personal information is sent to: USA

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

 

Organisation name: Mailchimp

Category of recipient: Digital mailing provider

Country the personal information is sent to: U.S.A

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)

 

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:           

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Last updated

28 October 2025