Privacy Notices-Volunteers

May 23 2018

Version 1.0 Last updated 25 May 2018


in compliance with the Data Protection Act 2018 and the EU General Data Protection Regulation (“GDPR”)

We must be compliant with the new EU data protection laws, we have updated our Privacy Policy and internal processes.

These updates ensure we are complaint with the new European Laws (known as General Data Protection Regulations, or GDPR) and give you more transparency and control over how we deal with your personal information.

How we collect data

As a volunteer for St Paul’s Hostel, we collect personal data about you in connection with our service in the following ways;

From the volunteer agreement form you completed.

Through your interactions with us whether over the phone, in person, in writing or through emails.

From the Disclosure and Barring Service application you complete.


As a volunteer the main ways in which we may use your personal information are to:

  • Communicate with you and provide information on our services or information about events we are holding.
  • Maintain the safety of you and others in our services.

Sharing your personal information

As a volunteer we may share your personal information with third parties who provide services for us or for you such as;

The Disclosure and Barring Service.

Companies House (if you are a Trustee)

We will do this to:

  • To comply with the volunteer agreement.
  • Protect your vital interests, for example in case of a medical emergency.
  • Comply with our legal obligations, court orders, laws or regulations.

How the law protects you?

Data protection law say that we are allowed to use personal information only if we have proper reason to do so. When St Paul’s processes Personal Data, whether as a Data Controller or as a Data Processor, we will rely on the following grounds for processing each of the categories of data we hold.


Contract. The volunteer agreement provides the basis for the interaction between the volunteer and St Paul’s.

Necessary to protect your vital interest. For example, if you are seriously ill we will pass your medical information to the medical staff.

Legal reasons.  Where required by court orders, laws or regulations.






Retaining your personal information

We will retain your personal information for as long as is necessary for the purposes described above. Typically, we will retain your data for a minimum of three years to fulfil our business purposes, to comply with legal and regulatory requirements or for any legal claim.

We may keep your data for longer where this is necessary for statistical and historical research purposes. However, we will ensure all personally identifiable information is removed where technically feasible. We will maintain the security and protection of any information we hold.

Your data subject rights

As well as our obligations and commitment to respect the privacy of your information, you also have certain right relating to the personal information we hold about you which are outlined below. None of these are absolute and are subject to various exceptions and limitations. You can exercise these rights at any time by contacting us using the details provided in this notice.

You have rights to;

  • Request access to the information we hold about you (Subject Access Request)
  • You may request access to a copy of the personal information we hold about you. We can refuse to provide information where to do so may reveal another person’s personal data or would otherwise negatively impact another person’s rights.

Object to processing (Right to object)

You may object to us using your personal data for direct marketing. This includes any profiling we perform as part of our direct marketing activities. Once we receive and have processed your objection, we will stop using your personal data for these purposes.

Request a copy of your data (Data Portability)

Where you gave us the information directly or via the referral form sent to us, and it was processed electronically, you can request the data we hold on you in a commonly used machine-readable format.

Request that your data is deleted (Right to be forgotten)

You can ask us to delete the personal information we hold about you when it is no longer required for a legitimate business need, legal or regulatory obligations or for the purposes it was collected for.

Amend or correct your information (Right to rectification)

If you believe that the personal information we hold about you is incomplete, inaccurate or incorrect please contact us as soon as possible so we can update it.

Restrict the processing of your information (Right to restrict)

You may ask us to restrict our processing of your data whilst we resolve any complaint you have about the way your data is used, require it for legal claim or if you think our processing is unlawful but you do not want us to delete your data.

Rights in relation to consent (Right to withdraw)

At any time, you may withdraw the consent you granted for your personal information to be used for direct marketing. When you withdraw your consent, it will not affect the lawfulness of any past activities we have undertaken based on the previous consent.

How we respond to your rights

You can exercise these rights at any time by contacting us using the details in this notice. We may need to validate your identify before we can respond to your request.

If we are unable to confirm your identify, or have strong reasons to believe that your request is unreasonably excessive or unfounded, we may deny it.

Once we have validated your identify, we aim to respond to your requests within 30 days and not later than 3 months from receipt of complex requests. We will let you know if we need additional time to complete.

We will let you know whether we accept, or refuse your request.


We take all reasonable precautions to keep your personal information secure, including safeguards against unauthorised access, use, or data loss. This includes ensuring our staff, partners and any third parties who perform work on our behalf comply with security standards as part of their contractual obligations.

Making a data protection complaint

If you have any concerns about the use of your personal data, or the way we handle your requests relating to your rights, you can raise a complaint directly with us using the contact details in this notice.

If you are not satisfied with the way we handle your complaint, you are entitled to raise a complaint directly with the UK Information Commissioner’s Office via the details on their website: