Nothing Special   »   [go: up one dir, main page]

PRIVACY NOTICE

Last updated: 23 May 2024

1. Who are we?

We are the Conservative and Unionist Party, commonly known as the Conservative Party (The Party), and we are registered as a political party with the Electoral Commission under registration PP52 and a registered data controller with the Information Commissioner’s Office (ICO) under registration number Z5909711.

Our objective is to promote our values and to elect Conservative candidates at every level of government across the United Kingdom, or when we campaign in referenda.

This is the privacy notice for the Conservative Party and not just for our website www.conservatives.com. We have specific privacy notices for other areas such as Human Resources and Staffing, Candidates, Complaints/Code of Conduct and Party Conference. We are happy to make this notice available in other accessible formats such as braille. If you wish to obtain a copy in an accessible format please contact our Data Protection Officer.

In this privacy notice we also refer to “the wider Conservative Party”. This includes, but is not limited to, local associations, areas and regions of the Party, known as ‘accounting units’ and listed on the Electoral Commission website, elected representatives, candidates, members, volunteers and party officers. These bodies may be data controllers in their own right or data processors acting on behalf of the Party. It is intended that the wider Party will adopt the principles enshrined in this notice.

This privacy notice has been created to demonstrate the Party’s commitment to the protection of your data and to be transparent in how we deal with it. This notice provides the information as required by Articles 13 and 14 UK GDPR.

The Party will process your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and related legislation.

This privacy notice was updated on 23rd May 2024.

From time to time we may make amendments to or update this privacy notice.

2. Contacting us about Data Protection

If you have any questions about this notice, or for more information about how we use your data, or if you would like to exercise any of your rights you can contact our Data Protection Officer at:

Data Protection Department, Conservative Campaign Headquarters, 4 Matthew Parker Street, London, SW1H 9HQ

E-mail: DataProtection@Conservatives.com.

Phone:  +44 (0) 20 7984 8300.

3. How the law protects your data

How we use your data is protected by law and we are only permitted to process your data where we have an acceptable reason for doing so. The lawful reasons we process your data are:

Some types of sensitive personal data are given extra protection under the law; information about your race, ethnicity, sexual orientation, sex life, religious or philosophical beliefs, criminal record, trade union membership and political opinion is “special category” data under data protection legislation and we will only process this data where we have a lawful reason to do so. The work of the Conservative Party, and the wider Conservative Party, is deemed to be of substantial public interest and therefore we are permitted to process special category personal data relating to your political opinion in so far as it is necessary for the purposes of our political activities.

Where we have identified “legitimate interest” as our lawful reason for processing your data we conduct a balancing test in order to determine whether our legitimate interests to process your data are overridden by your interests, rights and freedoms. For more information about our legitimate interest balancing tests please contact our Data Protection Officer.

4. How we use your information

We process data with the intention of using it primarily for the broad purpose of our political, campaigning and fundraising activities.

The tables below illustrate examples of how we commonly use your data, the typical categories of data that we might process and our justification and legal bases for doing so. Some data processing activities may not be covered in the tables below but we will seek to provide you with relevant information by another means (e.g. at the point of collecting your data).

4.1 Campaigning and Communications

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Canvassing Political Opinions

Electors

Name, Address, Electoral Roll Number, Telephone Number, Political Opinion, Contact Details, Marketing Preferences

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Communicating with you via post about our policies, campaigns, events, fundraising appeals and opportunities to get involved with the party

Electors, Members/Former Members, Donors, Volunteers

Name, Address, Electoral Roll Number, Profiled Data

Public Task (Democratic Engagement)

 

Communicating with you via electronic message or SMS about our policies, campaigns, events, fundraising appeals and opportunities to get involved with the party

Electors, Donors, Volunteers

Name, Address, Contact Details (email, phone, social media etc)

Consent

 

Sending you surveys and processing your responses

Electors

Name, Address, Electoral Roll Number, Political Opinion, National and Local Issue Positions, Incidental Special Category data, Contact Details (email, phone, social media etc), Marketing Preferences

Public Task (Democratic Engagement)

  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.
  • Article 9(2)(a) UK GDPR - Explicit Consent for collection of incidental special category data

Conducting petitions and presenting the signatories to the specified recipient

Electors

Name, Postcode, Contact Details (email, phone, social media etc), Political Opinion, National and Local Issue Positions

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties

Conducting Online Surveys, Petitions, etc…

Electors

Name, Address, Electoral Roll Number, Political Opinion, National and Local Issue Positions, Incidental Special Category data, Contact Details (email, phone, social media etc), Marketing Preferences, IP Address

Public Task (Democratic Engagement)

  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.
  • Article 9(2)(a) UK GDPR - Explicit Consent for collection of incidental special category data

Showing you adverts via social media platforms

Electors, Members/Former Members, Donors, Volunteers

Email Address

  • Legitimate Interests
  • Consent

 

Creating custom audiences for advertising on Social Media Platforms using existing supporters' details, profiled target audiences, and information from our cookies/pixels and using those audiences to create “lookalikes”

Electors, Members/Former Members, Donors, Volunteers, Supporters

Email Address, Address, Political Opinion

  • Legitimate Interests
  • Consent

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Registering for a campaign event(s) organised by CCHQ and administering the event

Electors, Members/Former Members, Supporters

Name, Address, Contact Details (email, phone, social media etc), Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Polling Day Activities – e.g. “Knocking up” on the doorstep or via phone and “Telling” at polling stations

Electors

Name, Address, Electoral Roll Number, Polling Day Activity

Public Task (Democratic Engagement)

 

Signing up to Volunteer for the party and us sharing your details with the wider party

Volunteers

Name, Address, Contact Details (email, phone, social media etc), volunteering preferences, Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Maintaining and administering a database to store Electoral Register data, canvassing data, membership data, survey responses etc – including operating a test environment

Members, Donors, Electors, Volunteers, Candidates, Elected representatives, Supporters, Officers and Staff

Name, Contact Details (email, phone, social media etc), Addresses, Political Opinion, Age, Voting History, Relationships, Electoral Roll Information, Issue Positions, Memberships, Donations, Survey Responses, User profile names, Hashed Passwords, IP addresses, User authentication, Usage data and usage history, Free text notes, Titles, Suffixes, Gender, First Language, Positions Held, Location Information, Profiled data, Records of data subject rights requests, constituent record history, Telling and Knocking Up Information.

  • Public Task (Democratic Engagement)
  • Legitimate Interests
  • Legal Obligation (Compliance with Article 24 UK GDPR and S41 Political Parties, Elections and Referendums Act 2000)
  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.
  • Article 9(2)(a) UK GDPR - Explicit Consent for collection of incidental special category data

Providing our VoteSource Canvasser Application for doorstep data collection

Members, Donors, Electors, Volunteers, Candidates, Elected representatives, Supporters, Officers and Staff

Name, Address, Electoral Roll Number, Polling District, Political Opinion, Voting History, Contact Details (email, phone, social media etc), Survey Responses, Membership History, Telling and Knocking Up Information, Username, Hashed Password, IP Address, Geolocation, Device information, Usage data and history

  • Public Task (Democratic Engagement)
  • Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.2 Membership and Donations

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Processing your application for membership and administration of your membership

Members

Name, Address, Political Affiliation, Contact Details (email, phone, social media etc), Date of Birth, Payment Information

  • Contract
  • Legal Obligation (Compliance with Article 24 UK GDPR and S41 Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Inviting you to renew your membership and/or re-join the party

Members/Former Members

Name, Contact Details (email, phone, social media etc), Address

Legitimate Interests

 

Sharing your membership details with your local Conservative Association

Members

Name, Address, Political Affiliation, Contact Details (email, phone, social media etc), Date of Birth

Contract

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Communicating with you via electronic message about your membership, our policies, campaigns, events, fundraising appeals and opportunities to get involved with the party

Members/Former Members

Name, Address, Contact Details (email, phone, social media etc)

Contract

 

Conducting petitions and presenting the signatories to the specified recipient

Electors

Name, Postcode, Contact Details (email, phone, social media etc), Political Opinion, National and Local Issue Positions

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties

Administering Membership Suspensions and Expulsions

Members/Former Members, Complainants, Witnesses,

Name, Details of Suspension/Expulsion, Contact Details, Address, Ethnicity, Religious or Philosophical Beliefs, Trade Union Membership, Health Data, Criminal Offence Data, Sex Life, Sexual Orientation, Political Opinion - incl Membership of a political party, Age, Social Media Activity (Public and Private), Personal Communications Data, Details of Complaint, Complaint Resolution, Witness Evidence

  • Contract
  • Public Interest/Legal Obligation (Compliance with the Equality Act 2010)
  • Article 9(2)(g) "Substantial Public Interest" - DPA Schedule 1, Part 2, Paragraph 6 - "Statutory Etc and Government Purpose" - there is a substantial public interest to ensure that engagement with politics complies with the Equality Act 2010
  • Article 9 UK GDPR - Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts
  • Article 10 UK GDPR - meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts

Process appeals against expulsion and suspension by Party Members

Members/Former Members, Complainants, Witnesses,

Name, Contact Details, Address, Ethnicity, Religious or Philosophical Beliefs, Trade Union Membership, Health Data, Criminal Offence Data, Sex Life, Sexual Orientation, Political Opinion - incl Membership of a political party, Age, Social Media Activity (Public and Private), Personal Communications Data, Details of Complaint, Complaint Resolution, Witness Evidence

  • Legitimate Interests
  • Contract
  • Public Interest/Legal Obligation (Compliance with the Equality Act 2010)
  • Article 9(2)(g) "Substantial Public Interest" - DPA Schedule 1, Part 2, Paragraph 6 - "Statutory Etc and Government Purpose" - there is a substantial public interest to ensure that engagement with politics complies with the Equality Act 2010
  • Article 9 UK GDPR - Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts
  • Article 10 UK GDPR - meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts

Processing your donation or loan and checking your eligibility to donate or loan sums of more than £500

Donors

Name, Address, Electoral Roll Number, Contact Details (email, phone, social media etc), Payment Information, Political Affiliation

  • Public Task (Democratic Engagement)
  • Legal Obligation – Compliance with Parts IV and 4A Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Reporting donations and loans to the Electoral Commission

Donors

Name, Address, Donation Amount, Political Affiliation

Legal Obligation – Compliance with Parts IV and 4A Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 6 Statutory and Government Purposes

Maintaining and administering a fundraising database

Members/Former Members, Donors

Name, Address, Political Opinion, Contact Details (email, phone, social media etc), Donation History, Biographical Information, Occupation, Correspondence, Family Connections, Marketing Preferences, Date of Birth

  • Legitimate Interests
  • Legal Obligation – Compliance with S41 Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.3 Events

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Registering for an event(s) organised by CCHQ and administration of the event

Attendees

Name, Address, Contact Details (email, phone, social media etc), Dietary Requirements, Biographical Information, Payment Information

  • Contract
  • Legal Obligation (Compliance with Article 24 GDPR and S41 Political Parties, Elections and Referendums Act 2000

Article 9(2)(g) GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing you with information about the event(s) for which you have registered

Attendees

Name, Contact Details (email, phone, social media etc)

  • Contract (for ticketed events)
  • Legitimate Interests

 

Hosting Video Conferencing and Virtual Events

Electors, Members/Former Members, Donors, Volunteers, Elected Representatives

Name, Contact Details (email, phone, social media etc), IP Address, Political Opinion, Images and Recorded Images

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.4 Research, Due Diligence and Press

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Political research using publicly available sources

Elected Representatives, Political Staff, Candidates, Members, Activists, Donors, Electors, Members of the public

Name, Publicly available information (e.g. occupation, social media posts, other internet posts, directorships, media history, property and financial holdings etc), Misconduct, Publicly available special category information (e.g. political opinion, trade union membership, criminal offences, etc)

Legitimate Interests

  • Article 9(2)(e) UK GDPR – Personal data manifestly made public by the data subject
  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 11 Protecting the public against dishonesty etc.

Due diligence of prospective members, potential appointees, donors and volunteers using publicly available sources

Members, Donors, Supporters, Volunteers, Potential Appointees

Name, Publicly available information (e.g. occupation, social media posts, directorships, media history, property and financial holdings etc), Misconduct, Publicly available special category information (e.g. political opinion, trade union membership, criminal offences, etc)

Legitimate Interests

  • Article 9(2)(d) UK GDPR – processing is carried out in the course of its legitimate activities with appropriate safeguards
  • Article 9(2)(e) UK GDPR – Personal data manifestly made public by the data subject
  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 11 Protecting the public against dishonesty etc.

Communication with media organisations

Elected Representatives, Political Staff, Candidates, Members, Activists, Donors

Name, Publicly available information (e.g. occupation, social media posts, directorships, media history, property and financial holdings etc), Misconduct, Publicly available special category information (e.g. political opinion, trade union membership, criminal offences, etc)

Legitimate Interests

  • Article 9(2)(e) UK GDPR – Personal data manifestly made public by the data subject
  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 11 Protecting the public against dishonesty etc.

4.5 Contacting us or visiting one of our offices

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Contacting us by email, post, via one of our website “contact us” forms or telephone and CCHQ processing and keeping a record of your correspondence

Electors, Members of the public

Name, Contact Details (email, phone, social media etc), Correspondence, Political Opinion, Incidental Special Category Data, IP Address (on our website)

Legitimate Interests

  • Article 9(2)(a) UK GDPR - Explicit Consent for processing of incidental special category data
  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing security and your safety when you visit one of our offices

Visitors

Name, Time and date of visit, Person you are visiting, Log of your movements within our offices, CCTV Images, Thermal Image (as part of our Covid secure precautions), Details of accidents and/or security incidents

  • Legal Obligation (Compliance with Articles 24 and 32 UK GDPR, Health and Safety at Work Act 1974) 
  • Legitimate Interests
  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 1, Paragraph 1 Employment, Social Security and Social Protection
  • Article 10 UK GDPR - meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts

Reporting accidents and/or security incidents to relevant healthcare organisation or law enforcement authority

Visitors

Name, Details of accidents and/or security incidents

  • Legal Obligation (Compliance with Reporting of Injuries, Diseases and Dangerous Occurrences Regulations) 
  • Legitimate Interests
  • Vital Interests
  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 1, Paragraph 1 Employment, Social Security and Social Protection
  • Article 10 UK GDPR - meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts

4.6 Visiting our online shop or using our online services

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Processing your purchase, delivering your order and administering your transaction

Customers

Name, Contact Details (email, phone, social media etc), Address, Payment Details, IP Address

Contract

 

Creating a user account

Customers

Name, Contact Details (email, phone, social media etc), Address, Payment Details, IP Address

Contract

 

Downloading and using one of our mobile applications (e.g. share2win)

Elected Representatives, Political Staff, Candidates, Members, Activists, Donors, Electors, Members of the public

Name, Contact details, identifiers, user content, usage data, diagnostics, political opinion

Contract

  • Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Sending us a message and us responding to you

Customers

Name, Contact Details (email, phone, social media etc), Correspondence

Legitimate Interests

 

Keeping a record of your transaction for accounting purposes

Customers

Name, Contact Details (email, phone, social media etc), Address, Payment Details

Legal Obligation (Compliance with S.41 Political Parties, Elections and Referendums Act 2000)

 

4.7 Voluntary Party Management, Engagement and Outreach

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Providing advice, training and support on matters relating to the Constitution and the Voluntary Party

Association Officers, Association Staff, Staff, Members, Activists, Volunteers

Name, Contact Details (email, phone, social media etc), Correspondence

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Communication with Party Officers at Board, Regional and Association Level and Party Members

Party Officers, Members

NameName, Contact Details (email, phone, social media etc), Correspondence, Political Opinion, Incidental Special Category Data, Volunteering Interests, Events Interests

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing advice and support on the selection of local government candidates

Association Officers, Association Staff, Candidates

Name, Position, Contact Details (email, phone, social media etc), Correspondence, Candidate CV’s, Political Opinion

Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing advice and support on local disciplinary issues

Association Officers, Association Staff, Members, Activists

Name, Details of Disciplinary Case, Correspondence

Legitimate Interests

 

Managing Young Conservative Groups

Members, Students

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing Affiliated Groups

Members

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing Affiliated Groups

Members

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Managing External Relationships

Members, Community Stakeholders, Candidates, Elected Representatives, Business Owners

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Providing support to Local Councillors and the Conservative Councillors’ Association

Elected Representatives

Name, Contact Details (email, phone, social media etc), Occupation, Region of Residence, Political Opinion, Correspondence

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

4.8 Code of Conduct and The Social Media Complaints and Opposition Candidacy Rules

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Processing, investigating, and administering breaches of our Code of Conduct in accordance with the procedures set out in our Code of Conduct

Complainants, Witnesses, Members of Parliament, Peers, Members of the European Parliament, Members of the Scottish Parliament, Members of the Welsh Assembly, Members of the Greater London Assembly, Police & Crime Commissioners, elected Mayors, Councillors and Association, area, regional, and national Party officers

Name, Contact Details, Address, Ethnicity, Religious or Philosophical Beliefs, Trade Union Membership, Health Data, Criminal Offence Data, Sex Life, Sexual Orientation, Political Opinion - incl Membership of a political party, Age, Social Media Activity (Public and Private), Personal Communications Data, Details of Complaint, Complaint Resolution, Witness Evidence

Public Task (Democratic Engagement)

  • Article 9(2)(g) "Substantial Public Interest" - DPA Schedule 1, Part 2, Paragraph 6 - "Statutory Etc and Government Purpose" - there is a substantial public interest to ensure that engagement with politics complies with the Equality Act 2010
  • Article 9 UK GDPR - Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts
  • Article 10 UK GDPR - meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts

Processing, investigating, and administering breaches of our Social Media Complaints and Opposition Candidacy Rules in accordance with the procedures set out in our Code of Conduct

Complainants, Witnesses, Members of Parliament, Peers, Members of the European Parliament, Members of the Scottish Parliament, Members of the Welsh Assembly, Members of the Greater London Assembly, Police & Crime Commissioners, elected Mayors, Councillors and Association, area, regional, and national Party officers

Name, Contact Details, Address, Ethnicity, Religious or Philosophical Beliefs, Trade Union Membership, Health Data, Criminal Offence Data, Sex Life, Sexual Orientation, Political Opinion - incl Membership of a political party, Age, Social Media Activity (Public and Private), Personal Communications Data, Details of Complaint, Complaint Resolution, Witness Evidence

Public Task (Democratic Engagement)

  • Article 9(2)(g) "Substantial Public Interest" - DPA Schedule 1, Part 2, Paragraph 6 - "Statutory Etc and Government Purpose" - there is a substantial public interest to ensure that engagement with politics complies with the Equality Act 2010
  • Article 9 UK GDPR - Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts
  • Article 10 UK GDPR - meet a condition of Schedule 1 DPA 2018; Schedule 1, Part 2 Paragraph 10 - Preventing or detecting unlawful acts

4.9 Finance

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Processing Payments to Suppliers

Suppliers Staff

Name, Contact Details, Job Title

Contract

 

Processing Payments from donors, members and supporters and keeping a record for accounting purposes

Donors, Members, Supporters

Name, Address, Political Affiliation, Contact Details (email, phone, social media etc), Date of Birth, Payment Information

  • Contract
  • Legitimate Interests

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Preparing and Reporting Election Spending Returns to the Electoral Commission

Campaign Staff, Suppliers, Association Officers, Association Staff, Candidates, Election Agents, Volunteers

Name, Address, Expense Details, Job Title, Correspondence (for preparing returns)

Legal Obligation (Compliance with Part V Political Parties, Elections and Referendums Act 2000)

 

4.10 Market Research and Opinion Polling

Purpose Categories of Data Subject Typical Data Categories Legal Basis Special Category Legal Basis

Performing Market Research to get a sense of political opinion across the UK

Electors

Name, Address, Telephone Number, Constituency, Gender, Age, Profiled data, National and local issue positions, Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Conducting Opinion Polling to get a sense of political opinion across the UK

Electors

Name, Address, Telephone Number, Constituency, Gender, Age, Profiled data, National and local issue positions, Political Opinion

Public Task (Democratic Engagement)

Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

 

The Party also processes personal data in order to implement the findings of the Singh Investigation Report – The full report and all the recommended actions for the party to implement can be found here.

5. Data Analytics and Profiling

Like many organisations the Conservative Party uses data analytics to try and understand the people that we seek to represent and make best use of our limited resources. The Conservative Party uses some of the data that we collect about you to make an educated prediction about your lifestyle. We use automated means to analyse this variety of data and collate it (sometimes referred to as “profiling”). We combine personal data about electors (which is provided by local authorities to all political parties under electoral statute) with data from canvassing, the marked register of electors, from external data analytics and research partners, data brokers (such as Experian), opinion polling partners, fulfilment channels such as mail/telephone/Facebook, public bodies such as the Office for National Statistics, etc. This data is then used by CCHQ to inform how and whether we contact you, for example by:

We also use analytics to perform analysis of individual and aggregated data (for example, we might combine individual data relating to voting intention and details about the constituency) to provide us with competitive insight into the political landscape and general trends, and to allow us to better understand the electorate as a whole.

Examples of categories of data that we typically analyse are: political affiliation, political opinions and preferences, likelihood to vote, attitudes, geodemographic and socioeconomic characteristics.

We undertake these analyses as we have a legitimate interest to identify potential Conservative voters and supporters. Indeed, it also allows us to behave accordingly should voters request that we don’t contact them, for example.  Where our profiling processes special category data relating to your political opinion we consider that this is necessary for the purposes of our political activities and therefore permitted in accordance with Article 9(2)(g) UK GDPR – substantial public interest – DPA 2018, Schedule 1, Part 2, Paragraph 22 Political Parties.

Our analytics and profiling does not replace the direct contact that we make with individuals – these activities supplement our traditional campaigning methods such as canvassing and conducting surveys.

We have determined that this kind of profiling, and any decisions that are based solely on that profiling, is unlikely to create legal or significant affects for you. Where such decisions create legal or similarly significant affects you have the right not to be subject to that decision and you can exercise that right by contacting our Data Protection Officer. You can also contact us at any time and exercise your right to object and ask that we do not process your personal information for this purpose.

6. Our Relationship with the wider Conservative Party

The historical nature of the Conservative Party means that rather than being one single organisation we are an interconnected family consisting of the Party Headquarters, local associations, areas and regions of the Party (known as ‘accounting units’ and listed on the Electoral Commission website) elected representatives, candidates, members, volunteers and party officers.  We are all united by our common Conservative identity. One of CCHQ’s primary roles is to provide professional support to our family of volunteers who help to run the party across the UK.

Much of the work of the Party is conducted by the wider Conservative Party. For this reason we have a legitimate interest to share and make available certain personal information with the wider Party when it is necessary for our campaigns or other activities and vice versa via our Electoral Management Database, Field Campaigning Teams and Voluntary Party Managers. Sharing may also be necessary in the public interest, as being an activity that supports or promotes democratic engagement. Some examples of such data sharing include:

7. Where we collect personal data from

We collect personal data from a variety of sources:

Provided by you (Directly):

Third-Party Sources (Indirectly):

8. Who we share your data with

We will never sell your data but sometimes it is necessary to share your information, either within the wider Conservative Party, or with our service providers, data controllers and data processors. Data is only ever shared where we have a party reason and when the law allows us to do so.

We share data with:

Where we use a third-party data processor, in other words an organisation that processes data on our behalf and under our instruction, we ensure that this processing is governed by a legally enforceable data processing agreement which sets out their responsibilities for protecting your data and your rights. Where we share data with a third party controller, an organisation that determines how data will be processed, we ensure that this is governed by a Controller to Controller data sharing agreement.

Where we share data with the wider Conservative Party we ensure that the recipient of the data agrees to a terms and conditions that they will use the data only for the purposes for which it was provided and will take necessary measures to ensure its security. Members of the wider Party receive training on data protection.

9. Data processed with your consent

Where we use consent as our legal basis for processing your data, or process special categories of your data on the basis of your explicit consent, you have the right to withdraw your consent at any time. For further information on when we rely upon consent please see Section 4 “How we use your information”.

There are several ways that you can easily withdraw your consent, you can:

We will maintain a record of your withdrawal of consent.

10. Transferring your data outside of the United Kingdom

Some of our service providers are located outside of the UK and therefore it may be necessary to transfer your personal data outside of the UK. Where we do transfer your data outside of the UK we will make sure that it is protected in the same way as if the data was inside the UK.

We will use one of the following appropriate safeguards to ensure this:

If we are unable to rely on one of the appropriate safeguards when transferring data outside the UK, we may rely on a derogation for specific situations under Article 49 UK GDPR in order to transfer your data outside of the UK. This may be necessary for example to fulfil a contract that we have made with your or if you give us permission to do so.

You can get more information about the protection given to your data when it is transferred outside of the UK or to a third country or an organisation to which an adequacy decision has not been issued by contacting our Data Protection Officer using the contact information detailed in this notice.

11. How long we retain your data for

We retain your information in accordance with the CCHQ Data Retention Policy and Data Retention Schedule. We constantly review the data that we hold and regularly consider its relevance and our need to hold onto it. We use several factors to determine our retention periods. Factors we take into consideration are:

If you require more detailed information on how long your data will be kept for please contact our Data Protection Officer.

12. How we protect your data

We take the security of personal data seriously.  We use security technology, including firewalls, password protection and encryption to safeguard information and have procedures in place to ensure that our paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage.  We have processes in place to deal with a data breach in the unlikely event one should occur.

We only use third party service providers where we are satisfied that they provide adequate security for your personal data.

13. Cookies and similar technologies

We use cookies to provide you with a tailored experience on our website, as well as on other online platforms that we operate on, and to gather statistics on how are online services are used so that we can improve our services. Some of our cookies may also collect personal data. A cookie is a piece of code that is sent to your internet browser and is stored on your system. We also use ‘similar technologies’ such as web beacons, pixel tags, clear gifs or tracking pixels and we use these for example to track the campaigns emails that we send to learn whether you opened an email and how you interacted with it.

Please visit our cookie page for more information about how we use cookies and similar technologies on our websites and services. We always seek your consent to use cookies and/or similar technologies.

14. Your data rights

This section explains about your data subject rights you have. You can exercise any of these rights by contacting our Data Protection Officer or Data Protection Team.

Your Data Rights Explanation

Right to be informed

You have the right to be informed about the collection and use of your personal data. CCHQ provides this in the form of privacy notices and/or privacy information at the point of collection or within one month of obtaining your data. 

We may not provide privacy information where you either already have such information or it would involve a disproportionate effort to provide such information.

Right of access to your data

You have the right to request a copy of your personal information that we hold. This is commonly known as a Subject Access Request.

Right of rectification of your data

You have the right to request that inaccurate or incomplete information that we hold about you is corrected.

Right to be forgotten

In certain circumstances you can ask for the data we hold about you to be erased from our records. When we do so, we keep the bare minimum of your information in order to continue to respect your wishes when your personal data is next provided to us by a local authority, which is at least annually. There is some data that must be retained by law and other data that we may have a legitimate interest to retain

Right to restriction of processing

You have the right to request that we restrict the processing of your data where you are contesting the accuracy of the data or when the data has been unlawfully processed.

Right to data portability

You have the right to have the data we hold about you transferred to a third-party organisation and you can ask that we provide it in a machine readable format.

Information is only within the scope of the right to data portability if it is personal data that you have provided to us.

Right to object

You have an absolute right to object to your data being used for direct marketing, including profiling for direct marketing purposes – we mark your data clearly with a “no processing” label.

If we process your data on the basis of “legitimate interests” or “a task carried out in the public interest” then you have the right to object to us using your data in that way. This right is not absolute, and we may continue to process your data if we can demonstrate compelling legitimate grounds for the processing.

Automated individual decision-making, including profiling

We may use computer software to make decisions about you or to create a profile about you. You have the right not to be subject to such a decision or to that profiling where it creates legal effects concerning you or where it significantly affects you.

15. Making a complaint

If you are unhappy with the way that we have processed or handled your data, then you have a right to complain to the Information Commissioner’s Office (ICO). The ICO is the supervisory body authorised by the Data Protection Act 2018 to regulate the handling of personal data within the United Kingdom.

The contact details for the Information Commissioner’s Office are:

Support our mission

Sign up now