7. Our lawful basis for processing your data

The General Data Protection Regulation (GDPR) states that organisations must have a lawful basis in order to process personal data. Details of the six legal bases for the processing of data are outlined below.

7.1 Specific consent

Where you have provided your consent for us to process your data. This is where we will have asked explicitly if we can use your information for specified purposes, for example, so we can send you marketing information via SMS and email.

For our services we generally ask for consent to process your details as we require health information. Due to the nature of our services, we may not always be able to obtain consent directly from the patient due to their condition or age. In this instance we may instead obtain consent from an authorised third-party representative of the patient (e.g. parent, guardian, power of attorney, next-of-kin).

You have the right to withdraw consent for any purpose at any time. Please see the ‘Contact Us’ section later in this policy.

7.2 Legal obligation

Where we must comply with a legal or regulatory obligation such as reporting to the Charity Commission, Fundraising Regulator, Information Commissioner or Gambling Commission, or to process gift aid.

7.3 Contract

Where the processing of such information is necessary for a contract we have with you, for example, the processing of your financial information to enable you to make a donation to Leeds Hospitals Charity, the gathering of health information in order to register you for an event, or the gathering of personal information so we can communicate with our Fund Advisors.

7.4 Legitimate interests

Where we process your data when it is in our interests (or the interests of a third party) to do so, provided such interests are not overridden by your interests or fundamental rights and freedoms. These can include commercial interests, individual interests or broader societal benefits.

Leeds Hospitals Charity undertakes a legitimate interests assessment (LIA) to demonstrate compliance, which can be broken down into three parts:

- Purpose test: Are we pursuing a legitimate interest?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Do the individual’s interests override the legitimate interests?

In order to meet our charitable objects, we need to undertake processing activities to enable us to deliver against our mission, ensure we are meeting our governance requirements, and to support operational administration. These activities may include the following.

- Recording your communication preferences and consent, including keeping limited data to ensure we don’t contact you if you have asked us not to.
- Using data we have collected to analyse and profile our supporter base, provided this does not override your rights and freedoms, in which case we will ask for your consent.
- Using data we have collected to analyse and profile those who use our services to enable us to manage and evaluate the service and recognise and implement improvements.
- Administering your donations by sending your bank details to our bank or yours to set up a direct debit.
- Keeping records of our supporters and what support they have provided to Leeds Hospitals Charity.
- Keeping records of our beneficiaries and what support they have received from Leeds Hospitals Charity.
- Keeping records up to date and accurate through the use of third-party registers, such as National Change of Address from the Royal Mail, the National Deceased Register, and the Bereavement Register.
- Sharing your data with third-party organisations when you have signed up to their event (such as the Leeds 10K).
- Use of personal information for monitoring the use of our website.
- Collecting data during the recruitment process such as information provided in CVs and notes taken during interviews.
- Contacting you by post or phone (through live calling only; we do not use automated messages).
Unless you have advised us otherwise, we may contact you with marketing requests such as:

- Ways you can support Leeds Hospitals Charity
- Invitations to events
- Sending you details of products available to buy from Leeds Hospitals Charity

- Investigating and responding to any feedback you provide.

Research & Profiling

We rely on legitimate interests to enable us to undertake research and profiling activities which provide an improved experience for our supporters.

When building our supporter profile, we may analyse geographic and demographic information, online behaviour, and purchase history, to better understand your interests so we can ensure our communications are relevant to you. For example, by identifying your location, we can then share information about relevant events or volunteering opportunities in your local area.

We may also profile supporters in terms of financial and practical support. For example, we may keep track of the amount, frequency and value of each person’s support to Leeds Hospitals Charity to help us ensure communications are relevant and timely.

Where our research and profiling would override your rights and freedoms if we were to continue, we will ask for your consent.

7.5 Vital interests

Where the processing is necessary to protect someone’s life. This basis is unlikely to be used by Leeds Hospitals Charity as it generally only applies where processing personal data is necessary to protect someone’s life such as in the case of emergency medical treatment.

7.6 Public task

Where the processing of data is necessary in order to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law. Although it is not required to have a specific statutory power to process personal data, it is necessary to have a clear basis in law which must be documented. This basis is unlikely to be used by Leeds Hospitals Charity.