Privacy and Data Protection Policy

The Edinburgh Communities Climate Action Network (ECCAN) takes your privacy seriously. We never pass your personal data to anyone else, without your permission. 

If you have any concerns about the data we retain or the way in which we use it, you have a right to: 

  • Request that we correct personal data if you believe it is inaccurate / incomplete

  • Request that we delete your personal data 

  • Change communication preferences or restrict processing of your personal data

  • Access the personal data that we hold about you via a “subject access request”. 

Please contact us at office@eccan.scot for any of these purposes. Or write to us c/o ECCAN, 14 Forth Street, Edinburgh EH1 3LH.

Under data protection legislation we are a “controller” of personal data you share with us. We have undertaken a Data Audit and this Policy provides notice on how and why we process your data and for how long we will keep your personal data, and where it is held. 

We retain your data in different ways depending on the application: 

  1. Group and Individual Membership 

What we do with your data: We use your data to provide both group and individual membership services, including e-newsletters, communications regarding relevant collaborations, events, ECCAN proposals and decisions, including your organisation’s description and website in our online database. 

Data held: Organisation name, address, website, phone number, email, description; names, email addresses, phone numbers of two contact people; any other data on organisation activities you supply us with through the online form including target communities, your organisation’s reach (local / citywide etc) and the sector you are working in. 

Individual name, address, email, phone number and description of why you wish to join. 

This contact information is private, the email address being the exception, and will not be given out to a third party including other members without your permission. 

We also collect graphical images of the group logo and ask your areas of interest within climate action to enable collaborative processes.

Legal basis for processing data: Legitimate interest – as you have signed up. 

Storage: Data is held in a password protected database accessed only by nominated ECCAN representatives who have signed our Confidentiality Agreement. Email addresses are also held on our Mailchimp account to enable us to circulate our newsletter to contacts. Restricted data of those contributing to subgroups may be held on specific service providers such as Microsoft Teams where it is used with agreement of each individual – to facilitate active collaboration. 

Retention: We keep your personal data only to provide you with membership services. We will update or delete your data on request. 

  1. Mailing list subscribers 

What we do with your data: We send you an e-newsletter and other occasional mailings about relevant events or projects. 

Data held: First name, Last name & email address, community organisation (optional), address, phone number, website address, socials and areas of interest. 

Legal basis for processing data: Consent – as you have signed up. 

Storage: Data is held on our Mailchimp and Airtable accounts. Their servers are based in the US and they uphold the EU Privacy Shield to certify their data security. 

Retention: We will keep you on this mailing list until you request any change. You can unsubscribe any time you want by following the link at the bottom of each mailing. 

  1. Event attendees 

What we do with your data: When you attend an event we organise, we collect data to demonstrate trends to funders or for internal monitoring and evaluation purposes. We may also take photos for documentation or to be used in our future communications. 

Data we may collect: Name, email, address, photo. 

Legal basis for processing data: Consent – as you have signed up. 

Storage: Data is held in a password protected database accessed only by key staff.

Retention: We keep details only as needed for reporting purposes, maximum 5 years. 

  1. Contracted work 

What we do with your data: We are required to use your data to enter into a contract and to remunerate those who do paid work.

Data collected: Name, address, phone number, email, bank account details. Legal basis for processing data: Contract - that you have signed. 

Storage: Correspondence is held in a password protected folder. Bank details are also stored in our online bank account with our bank, to enable them to process payment transactions securely on our behalf. 

Retention: 7 years or as required under current legislation. 

  1. Website visitors 

Like most other organisations, we use Google Analytics on our websites. This software captures data from website visitors in the form of an advanced web server log. It records: 

  • What website you came from.

  • How long you stay for. 

  • The kind of computer used. 

This helps us to understand who comes to our sites and what content they’re reading and enables us to make better decisions about design and writing. 

We occasionally compile aggregate statistics about numbers of site visitors and browsers being used. No personal data is included in this type of reporting and all this activity falls within the bounds of the Google Analytics Terms of Service. 

  1. Your rights 

If you have any concerns, which are not resolved by communicating with us, you can raise a complaint with the Information Commissioner’s Office at www.ico.org.uk. 

  1. Other uses of your personal information 

We may ask you if we can process your personal information for other purposes. If we do so, we will provide you with an additional privacy notice explaining how we will use your information for these purposes. 

  1. Third party suppliers with limited access to members’ data 

We may use third party suppliers to provide services. These suppliers may process personal data on our behalf as “processors” and are subject to contractual conditions to only process that personal information under our instructions and to protect it. 

If we share personal information with external third parties, we only share such information strictly required for the specific purposes and take reasonable steps to ensure recipients shall only process the disclosed personal information in accordance with those purposes.

  • The Co-operative Bank process payment transactions securely on our behalf 

  • Airtable stores our membership data as well as events’ feedback forms. Their servers are based in the US and they uphold the GDPR to certify their data security.

  • Mailchimp distributes some of our email communications. Their servers are based in the US and they uphold the EU Privacy Shield to certify their data security.

  • We use Eventbrite’s ticketing service for some of our events. They comply with GDPR, see their privacy policy online. 

  • Instructors, coaches and event organisers receive details of training participants. Data Protection 

The Edinburgh Communities Climate Action Network (ECCAN) and our established working groups (e.g. those planning an annual gathering) take privacy and data protection seriously. 

Everyone handling data on our behalf, must follow these guidelines: 

  1. Ensure passwords for files, databases, and accounts are securely stored and not shared with anyone without the consent of the Network Lead. 

  2. Do not leave your computer logged in to encrypted files / folders.

  3. Delete emails containing personal data and / or password information as soon as possible.

 

If you need a password or are unsure about any of these guidelines, please contact the Operations Lead on office@eccan.scot