Privacy policy

ABOUT THIS PRIVACY INFORMATION
This notice has been written to provide you with information about how we are handling or intend to handle personal information. This policy is effective from March 2025.

SCOPE OF POLICY

This policy sets out the basis on which any personal data the DEC collects from you, or that you provide to us through your use of our website, or that we create about you during our operations, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it. For specific information on our use of cookies, please see our Cookie Policy.

Our Data Protection Officer is DQM GRC Ltd (a GRC Solutions company), who can be contacted by emailing: decdpo@dqmgrc.com.

You can also contact us using the online form at Contact Us | Disasters Emergency Committee.

INTRODUCTION

The data protection laws that apply to the DEC and govern how we use your personal information include the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (GDPR), the Data (Use and Access) Act 2025 and the Privacy and Electronic Communications Regulations 2003 (PECR). This privacy policy relates to all personal data we collect and process about you. We strive to process information about you fairly, lawfully, and in a transparent manner and the aim of this document is to provide you with sufficient information for you to be able to understand what we are doing with your personal data.

If you would like more information on how we are handling information about you, or you think we could improve our privacy information, please let us know at Contact Us | Disasters Emergency Committee.

INFORMATION WE COLLECT ABOUT YOU

The personal data we collect about you depends on your relationship with us. Examples of the types of data we collect include:

Your name and contact details (e.g., email address, telephone number, mobile number).
Your contact preferences (e.g., whether you want to receive marketing communications from us).
Financial information if you donate to us (including your gift aid status). This will be kept with records of your donation history.
Correspondence between us (e.g., questions regarding a donation you may have made or a complaint you might have).
Challenge event information. For example, if you set up a JustGiving page and undertake to raise money for us.
Employment information if you apply for a job with us. This includes your employment history, current and previous employer contact details (e.g., for referencing) and skills and ability.
Your interests, charitable giving and propensity to donate as part of our commitment to deliver appropriate content and communications to our audience.
Under data protection law, certain categories of personal information are recognised as particularly sensitive, including health information, race, religious beliefs, and political opinions (‘special categories personal data’). In very limited cases, we may collect special categories personal data about you. We would only collect such data if there were a clear reason for doing so, such as to ensure that we provide appropriate facilities, for example during a recruitment process, or enable you to participate in an event, where we might need prior knowledge of any relevant medical conditions.

We collect information in the following ways:

Information you provide to us directly

You may provide us with your information when you submit a query on our website, write to us or call us, or when you make or enquire about making a donation. This may include your name, address, email address, telephone number, amount of donation, payment details, appeal you wish to support, gift aid status and information you provide in any correspondence with us. You may also provide us with marketing and communications preferences (please see the section “How we use the personal data we collect” for information on the lawful basis for processing).

Information we collect about you indirectly

We may use information from external, publicly available, sources such as Royal Mail’s national change of address database and/or the public electoral roll to identify when we think you have changed address so that we can update our records and stay in touch. We may also contractually engage third party data cleansing companies to assist us in reviewing and updating our databases. We do this so we can continue to contact you where you have chosen to receive marketing messages from us and contact you if we need to make you aware of changes to our terms or assist you with problems with donations. This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact you when you’ve asked us not to. You may object to any data processing we undertake which involves direct marketing.

If you click on any of our appeals’ adverts, our digital marketing agencies will tell us. We undertake these activities and collect your personal data in this way to make sure our marketing communications are appropriate to the receiving audience, to help us prepare for any meetings we might have with you and to facilitate us making connections with other people like you that might be interested in hearing about the vital work we undertake.

We may receive information from our sub-contractors providing services to us, such as payment services to process any donation you may make.

We will also collect information about you from other sources such as event organisers and sources such as Companies House and the Electoral Register who are able to provide us with information about you and your charity affiliations to help us to understand you more as an individual.

From time to time our Trustees may send communications to their own contacts to inform them about DEC events and the work that we do. These communications are sent in a Trustee’s personal capacity, and their personal contacts will not be shared with the DEC unless this can be done in compliance with our data protection obligations.

Social Media

Depending on your settings or the privacy policies of the social media platforms and messaging services you use (e.g. Facebook, YouTube, Twitter, Instagram, WhatsApp etc.) you may allow us to access information from those services, for example if you publicly “like” or “follow” us we may be able to collect information from your social media profile. We strongly advise you check the privacy settings on your social media accounts and the applicable privacy policies to ensure that you know what information is shared with us and others.

Artificial Intelligence

For the purposes of this policy the term “Artificial Intelligence (AI)” refers to software, algorithms or systems that process and/or analyse data in an automated or semi-automated way, including machine learning, pattern recognition or other data-driven tools that analyse data and make predictions or recommendations.

Where and why we use AI

We use AI in certain systems and processes to support our charitable work efficiently, securely and responsibly. Examples of how we may use AI include:

Fraud detection and prevention – to help detect unusual or suspicious donation activity or payment-patterns and thereby protect our funds and supporters.
Content creation and communications support – to assist with the drafting of digital content (for example website text, social media posts, newsletters) and the segmentation of communications to improve relevance and effectiveness. ALL such content is reviewed and approved by humans before publication, and where appropriate will be marked as AI-generated material.
Supporter and engagement analytics – to help us understand patterns of supporter behaviour, preferences, and engagement, so that we may deliver more relevant appeals, updates and stewardship.
Administration and operations – to automate or assist tasks such as classification of enquiries, summarising information, or improving internal workflows, always in compliance with our data-protection standards.

Legal bases, transparency and oversight

When we process personal data using AI tools, we do so in accordance with the lawful bases described in Section “How we use the personal data we collect” of this policy. In addition:

We will not use AI to make solely automated decisions that have a legal or similarly significant effect on you. For example, we will not automatically decline your donation, restrict your rights or refuse services based on the output of an AI system alone.
We carry out assessments (such as Data Protection Impact Assessments) where required and take steps to ensure fairness, accuracy, non-discrimination and transparency in AI-related processing.
We apply data minimisation: we restrict personal data used in AI-driven processing to what is necessary for that purpose.

Third-party AI providers

The AI systems we utilise are provided by trusted external suppliers. In those cases:

The provider processes personal data strictly under our instructions and in accordance with our data-protection and contractual requirements.
We ensure contractual, technical and organisational safeguards are in place to protect your data, including security, confidentiality, audit rights, and limitation of purpose.
We review these arrangements periodically to ensure compliance with this policy, our AI Policy, and relevant data-protection law.
We do not use supporter personal data in open-source AI systems.

Your rights in relation to AI-driven processing

You have the same rights over personal data processed in connection with AI as you do under the broader rights detailed in this policy, see "Your Rights” section below.

Retention, security and review

We retain any personal data used in AI processing in accordance with the retention periods set out in the “Data retention” section of this policy. We apply appropriate security measures (see “Information security” section) and we review our AI tools periodically to ensure they remain effective, lawful, fair and proportionate.

We keep our use of AI under review. If we make significant changes in how we use AI (for example by adopting a new system with significantly different purpose or scope), we will update this policy and may notify you of the changes in line with the “Your Rights” section of this policy.

HOW WE USE THE PERSONAL DATA WE COLLECT

The main uses of personal data we collect, create and hold are set out in the table below along with information about the lawful grounds for processing.

If we would like to process your personal data for any other purpose compatible with the purposes listed below, we will provide you with additional privacy information at the appropriate time. Our commitment to you is that we will not process your data for any purpose other than those listed or like those listed in this Privacy Policy. If you interact with Member Charities in response to any of our appeals, those Charities will provide you with any additional privacy information relevant to their processing at that time.

Purposes for processing personal data	Lawful basis
Processing donations including handling card payments, cheques and other payments (e.g., Gift Aid), and acknowledging receipt of a donation or sending a thank you where appropriate.	Contract and Legal Obligation. The DEC and its applicable 3rd parties (see applicable sections below under ‘Sharing Private Information’) fulfil the donor’s wishes in donating (contractual basis), including obtaining Gift Aid information where applicable (legal obligation). The DEC then allocates the funds to the applicable appeal. This processing of donations will be made online and via phone, SMS and post. As part of these processes, we will also undertake transaction monitoring and fraud screening through the payment service providers we use, under our legal obligation to identify and prevent financial crime including fraud.
Responding to queries.	Legitimate interests of the DEC and those making requests. We use information provided by individuals to respond to questions they may raise with us in a timely, accurate and professional manner.
Marketing our appeals by post.	Legitimate interests of the DEC and our Member Charities. We contact our database of previous and prospective donors from time to time by post to inform them about the work of the DEC, and ask if they would like to support, for example by donating to an appeal, or by attending an event. Our fundraising activities are necessary so that we can fulfil our charitable objectives and raise funds for the appeals we run.
Marketing our work through digital direct marketing activities.	Consent. We contact our database of previous donors through a range of digital methods from time to time such as SMS and email and through social media channels to inform them of the work of the DEC, ask if they would like to make a donation to an appeal, send them an invitation to attend an event or webinar, etc. Each communication will include information on how to opt-out of receiving marketing related materials. Legitimate interests. We contact corporate/business-related supporters (e.g., our contacts at trusts, foundations, or corporates) by digital means to inform them of the work of the DEC, e.g., updating on the impact of their donations or seeking support for our appeals. For example, by sending them a newsletter to update them on our recent activities, or invitations to events. Our legitimate interests are to provide better stewardship and build stronger relationships with funders and to share more about the DEC and the added value we contribute to the sector. Our communications will include an unsubscribe option to facilitate the right to opt-out of receiving marketing materials in the future.
Updating you on the work Member Charities are doing with your funds	By Post: Legitimate interests of the DEC and our Member Charities. We contact those who have made donations from time to time to inform them of how their donation is being used and the success of our appeals. Each time we communicate with you we will provide you with the option to opt-out of such activity. By email or other electronic methods: Consent. Each communication will allow or provide information for you on how to opt-out of receiving marketing related materials.
Understanding our supporters and their engagement with our activities	Legitimate interests. The sorts of activities we undertake here include: · Using email monitoring services to monitor the emails we send (e.g., click and open rates). This helps us understand what we can do to improve and if our messaging and content are appropriate. · Using systems that enable us to link your social media accounts to our database records if registered with the same email address. This helps us understand more about you and your use of social media so that we can deliver appropriate content to you. · Segmenting our databases to understand how individuals interact with the DEC, including our digital marketing activities, so that we can serve you content and advertising that we think you might find interesting, for example information on a new fundraising appeal. · We may use social media platforms and their tools (e.g., Meta’s “look-alike” audiences) and marketing agencies to collate and/or review the above information to help us determine how to improve or maximise our campaigns. Consent. Utilising website non-strictly necessary Cookies to better understand the activities of our supporters, enabling us, for example to optimise the experience of visitors to the website, and to test different website content and functionality. We utilise a consent management platform (CMP) to manage Consents, enabling users to update their permissions whenever on the website. See the Cookie Policy for further information.
Research	Legitimate interests. We may collect data to carry out research on our supporter base. This is to improve our communications and ensure that we understand how best to interact with our valued supporters. Information we gather from individuals as part of this process is kept separately from our marketing database and is only used for research purposes.
Profiling	Legitimate interests. In some limited circumstances we may combine the personal information you have given us with information available in the public domain to create a profile of your interests and preferences where they are relevant to your potential engagement with the DEC. Information collected for these purposes may include information about your corporate directorships, shareholdings, published biographical information, employment, philanthropic interests and networks, charitable giving and relevant media coverage. We do this to help us understand the ways in which our supporters can support our work sooner, and more cost effectively. The use of publicly available sources helps us determine what support we should ask you for and helps us engage you in activities that are relevant to your areas of interest and influence. We may gather information about you from publicly available sources such as Companies House, the electoral register and the media to help us understand more about you as an individual and your ability to support the DEC. You can opt-out of your personal information being used for profiling or analysis by contacting us using our online form. We also undertake profiling for the trusts and foundations that support us based on legitimate interests. This may include processing the personal data of appointed representatives or staff of these entities, and their personal data is processed in that capacity (i.e., not in their personal capacities)
Due Diligence	Legitimate Interests. The DEC has a duty to ensure that there is no reputational or financial risk to accepting a donation or other kind of support, or with our supplier relationships. We may therefore use publicly available sources to carry out due diligence on you to ensure that we are fundraising within the law. For more information on the circumstances this may apply, and the type of information required please visit the Charity Commission’s website. In certain cases, we may process personal data to comply with legal obligations, such as those under anti-money-laundering or counter-terrorism legislation. We use an AI tool called Xapien to assist with searching and summarising open-source data. It is used purely to inform the respective DEC teams.
Supporter research as part of product development.	Legitimate interests. We use the information we collect and create to develop new ideas relating to fundraising. For example, inviting supporters to participate in surveys.
Recruitment	Contract for personal data collected for the purposes of interviewing you and, where you are successful, issuing an employment contract. Legal obligation for personal data collected for equality, diversity and inclusion or health and safety purposes. Legitimate interest for screening potential recruits through The Misconduct Disclosure Scheme, which is a 3rd party service that screens people against lists of those who have had disciplinary processes completed against them, or who are subject to ongoing investigation, but who may not have committed crimes or been investigated by the police.
Administration of the charity	Legitimate interests of the DEC and our Member Charities*. This purpose includes: · operational activities (e.g., management and planning), · financial management (e.g., processing invoices we might receive), · donor relationship management (e.g., maintaining communication and marketing preferences and a database of our current and potential supporters), and · compliance activities (e.g., maintain suppression files). · Recording and transcription of meetings - We may record and / or transcribe work-related meetings and calls we organise (for example using Microsoft Teams or Zoom) to support accurate record-keeping, internal governance, accessibility, and efficient administration of our work. Recordings and transcripts may include personal data such as names, voices, images, and meeting contributions. Participants are informed when meetings are recorded/transcribed, access is restricted, and recordings are retained only for as long as necessary. These activities are necessary for us to meet our legal responsibilities and to respond to complaints, queries etc. We also use information we collect from people who make enquiries about our appeals (e.g. abandoned baskets) to add to our database of potential donors and to help us to run an efficient organisation and increase the funds we raise for our appeals.

* Please note that the DEC does not disclose any personal data about those who support our campaigns to our Member Charities. You can find out more about our Member Charities here.

DATA RETENTION

The DEC removes personal data from our systems in line with our data retention schedules. The length of time each category of data will be retained will vary depending on our relationship with you, how long we need to process it, the reason it is collected and in line with any statutory or legal requirements. When deciding how long to keep your information, we consider:

The purpose(s) for which it was collected,
Any legal or best practice requirements for data retention that might apply,
Whether the use is limited to a specific timeframe (e.g., a time-limited project),
The amount of personal data, and it’s nature and sensitivity,
The potential risk of harm from unauthorised access to or disclosure of the personal data, and
Our understanding of the expectations of our supporters.

Overall, the DEC will hold your personal data unless:

you ask us to remove it or stop processing it for specific purposes (see Your Rights below);
we believe that you are no longer interested in our organisation and our appeals; and/or
we no longer need it for the purposes it was collected.

We always consider your best interests when we apply retention rules to our systems and are always happy to remove information about individuals on request. If you have any questions regarding how long we retain personal data please Contact Us | Disasters Emergency Committee.

DONATING ON BEHALF OF SOMEONE ELSE

If you provide us with any personal information other than your own, you are responsible for ensuring they know that you have done this and for providing them with access to this privacy policy. To comply with our obligations under data protection law, we may contact any such individual and inform them when, where and how we obtained their personal data including citing you as the source.

INFORMATION SECURITY

We will take all steps reasonably necessary including implementing policies, procedures and security controls to ensure that personal data is kept safe and protected from unauthorised and unlawful access and is used in accordance with this privacy notice. Examples of the security controls that we deploy include:

regular penetration testing,
multi-factor authentication.

Unfortunately, the transmission of information via the internet is not completely secure and although we will do our best to protect personal data transmitted to us via the internet, we cannot guarantee the security of any information transmitted to the DEC website from any device. Any transmission is therefore made at the user’s own risk.

SHARING PERSONAL DATA

We will share personal data that we hold with the following categories of organisations/people as necessary to undertake our processing activities. This list is not exhaustive and may change from time to time. If we add a different category of recipients, we disclose personal data to, we will update this privacy policy.

Payment platform providers

The DEC is a small team of less than 50 people, who launch UK-wide appeals processing donations from hundreds and potentially thousands of different people a year. To achieve this, we work with expert third parties to allow you to make donations as efficiently, effectively and securely as possible. This means the donations we receive may pass through a third-party platform to get to us. Each organisation we appoint is carefully reviewed and maintains the same security and standards towards data protection as we do. Examples of the third parties we engage in this category are set out below:

Names of Organisation	Purpose
Stripe, Ryft, and Braintree (PayPal, Barclaycard SmartPay)	Online Donation Processing
Woods Valldata	Postal Donation Processing
Spoke and Cashflows	Phone Donation Processing
Angel	Call Centre Phone Donation Processing
Fonix	SMS (TXT) Donation Processing

We may also receive donations from Meta (Facebook) and JustGiving if you choose either of these platforms to create a challenge or other event to raise money for us.

Official organisations and our advisors

We share personal data from time to time with:

government agencies and official authorities such as HMRC (e.g. for Gift Aid processing); and
our professional advisors (e.g. to enforce or apply our terms of use and other agreements; protect the rights, property, or safety of the DEC, our customers, or others including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; if we are under a duty to disclose or share personal data to comply with any legal obligation; or fulfil any service that you request from us (e.g. enquiry via our website ).

Other types of organisation

We employ specialist companies to host our website, databases, fulfil direct mailings, and provide facilities for our email marketing and social media presence. We also engage suppliers to support us with event management. These organisations are data processors and governed by legal obligations in a compliant data processing agreement. Examples of the third parties we engage in this category are:

Names / Categories of Organisation	Purpose
Homemade Digital	Donation management system
Dotdigital	Customer engagement platform
Paragon/DCX	Direct Mail Printers
Salesforce	Central database and marketing
Zendesk	Customer service enquiries
Open Creates	Targeting via Direct Mail
Organisations who run focus groups	Sometimes we run small 10 people focus groups to help streamline our appeals, if you have opt-in to communication, we may contact you to see if you would like to attend
Zoom	Online webinars
Organisations that run / organise events together with the DEC	Promote the work of the DEC and its member charities, to raise awareness and fundraise.

We may also work with trusted third parties in other capacities. For example, when delivering a fundraising or awareness event, we may work with a sponsor or partner that acts as a separate or joint data controller. In these scenarios, we ensure we have a data sharing agreement in place to protect your information and appropriate privacy information will be provided to you at the relevant time (e.g., when you’re signing up to an event that has been sponsored or jointly hosted by a corporate partner).

international transfers of personal data

We do not routinely transfer personal data to a country outside of the European Economic Area. If we do need to transfer personal data internationally, we will only do so in compliance with the GDPR. Examples of the transfer mechanisms we might use to safely transfer your data include:

the receiving country has an adequacy regulation in place that demonstrates its data protection laws are equivalent to those in the UK. This applies for the personal data we transfer to the EEA; or
the third party and the DEC sign an international data transfer agreement (using the ICO’s template), commonly referred to as “standard data protection clauses”.

If you would like to know more about any international transfers and the safeguards in place, please Contact Us | Disasters Emergency Committee.

Your rights

You have certain rights set out in the data protection law as set out below. If you would like to find out more about or exercise any of your rights, please Contact Us | Disasters Emergency Committee.

Right of access.	You have the right to access the information we hold about or concerning you, and to obtain a copy of that information.
Right of rectification or erasure	If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it. You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data. Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will take all reasonable steps to inform those with whom we have shared your data about your request for erasure.
Right to restriction of processing	You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we don’t need to hold your data anymore but you need to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.
Right to data Portability	You have a right to receive any personal data that you have provided to us to transfer it onto another data controller where the processing is based on consent and is carried out by automated means. This is called a data portability request.
Right to Object	You have the right to object to: Our processing of your information where we rely on legitimate interests, including activities such as donor due diligence, profiling, or AI-assisted analysis. Our use of your data for direct marketing purposes. If you raise an objection, we will stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds to continue (for example, legal, regulatory, or fraud-prevention purposes). In some cases, we may retain minimal information to record and respect your objection (for example, to ensure you are not contacted again).
Right to Withdraw Consent	You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent. You can do so by contacting our supporter care team and they will immediately mark our records accordingly, and this will then take effect as soon as possible. Please be aware that some activities may already have left our system at time of consent withdrawal so we kindly ask that you ignore any correspondence you may receive in the days immediately following your request. You can also register with the Telephone Preference Service, to opt-out from receiving unsolicited marketing and sales calls to your landline or mobile phone
Right of Complaint	If you are not happy with the way that we have processed your personal data we would welcome the opportunity to discuss the matter with you and resolve it if possible. However, if we have not been able to help you or addressed your complaint to your satisfaction, you have a right to lodge a complaint with the UK’s Information Commissioner’s Office. The ICO can be contacted at https://ico.org.uk/make-a-complaint/, by calling them on 0303 123 1113 or writing to them at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Rights related to automated decision-making and AI	We do not make solely automated decisions that have a legal or similarly significant effect on you. If we ever do so in the future, we will tell you and explain your rights, including your right to request human review and to challenge the outcome.

COOKIES

For more information on which cookies the DEC website uses see our cookie policy here.

PRIVACY POLICY HISTORY

This privacy policy was last updated in March 2026 (v30).

Version Control

V.30 - The Policy includes the following updates:

Simplified our opening sections for ease of reading.
Added a bullet in Section 3 on what (very limited) sensitive data we may collect.
Added Section 4 on AI usage.
In Section 5, updated our lawful basis for using personal data for the processing of donations, and on keeping you informed of updates on what our member charities are doing with the funds raised. In addition, we added information in our Marketing sections related to our running of events (also in section 9.3), and our use of Cookies.
We also added detail in Section 5 on how we may use some data for the purposes of research, profiling and due diligence.
Updated the Recruitment process to note our use of the Misconduct Disclosure Scheme.
Updated the Administration of the charity process to note our use of recording and transcription of some work-related meetings.
Updated Section 6 regarding our approach to record retention.
Updated ‘Your Rights’ section to clarify your ‘Right to Object’ and added information on your ‘Rights related to automated decision-making and AI’.
We also updated a few typos and small clarifications throughout.
Added a sentence to section 3.2 that references where our Trustees may engage their own personal networks in support of the DEC.