At the Royal British Legion Group, we believe in being open and up front with people about how we use their personal data.
The Royal British Legion Group includes:
- Royal British Legion, the main charity
- Royal British Legion Trading Limited, running our Poppy Shop (retail outlets and website)
We are committed to upholding fundraising best practice and being as transparent as possibleCharles Byrne, Director General at RBL
We have developed our privacy promise: a quick and simple summary explaining how we use and look after your information.
- Our promise
- Who is The Royal British Legion?
- We will protect your data
- You are in charge
- We are respectful
- We are accountable
- We keep in touch
- How we collect personal data
- Third parties who collect your data
- What personal data do we collect?
- How we use this information?
- Our Supporter Care
- Your choices
- The lawful basis we use to process your data
- Legitimate interests
- Your rights
- Rights of access
- Transfer of information outside of the EEA
- Children's data
- How we protect personal information
- How long will we keep your personal data?
- Will we disclose the information we collect to outside parties?
- Use of mobile phone data
- Personal changes
- Data Protection Regulator
- Fundraising Preference Service
Who is the Royal British Legion?
We provide lifelong support for members of the Royal Navy, British Army, Royal Air Force, veterans and their families all year round. We also campaign to improve their lives, organise the Poppy Appeal and remember the fallen.
We will protect your data
We will never sell your data to third party organisations.
We will collect and use your personal information only if we have your permission, or we have justified business reasons for doing so, such as collecting enough information to manage memberships.
We will be clear at the point when we collect your information about how we will use it, and who we might share it with.
We will use your personal information within the appropriate lawful basis for which it was collected, and we will make sure we delete it securely once we longer need it.
You are in charge
We will contact you with your permission via methods of communication you have consented to, or where we have a legitimate interest to do so.
As a supporter, member or volunteer of The Royal British Legion Group, you can contact our Supporter Services, any time you wish, to change the way we contact you, including opting in to, or out of, future communications.
We are respectful
We will not put undue pressure on you to make a gift, and if you do not wish to donate we will respect your decision.
We are accountable
We keep in touch
We will always provide easy ways for you to contact us, and our Supporter Services are on hand to help answer any queries you may have about your data.
If you are unhappy with anything we've done in relation to your data, please contact Supporter Services and we will look in to what’s happened straight away.
We have protocols in place to ensure your data protection, but in the event of a mistake, we will follow strict procedures to keep you informed and put things right.
The Royal British Legion Group of charities takes the privacy of our beneficiaries, supporters, members and volunteers very seriously, and we are committed to protecting your privacy. This policy tells you how we collect your personal information, how we store it, how we use it and what your rights are in relation to your personal information.
The Royal British Legion Group includes:
- Royal British Legion, the main charity
- Royal British Legion Trading Limited, running our Poppy Shop (retail outlets and website)
If you have any queries about this policy please contact us by post at The Data Protection Officer, Royal British Legion, Haig House, 199 Borough High Street, London SE1 1AA or via email@example.com.
How we collect personal data
The Royal British Legion Group is the data controller of the personal information you provide to us, and we will determine and tell you about the purpose for which we are collecting your information and how we will use it. We collect your personal information in a number of ways:
- When you provide it to us directly via telephone, letter, email, text / messaging service or the Royal British Legion Group forms or via an organisation working for us (eg a fundraising agency)
- When you give other organisations consent to share it with us
- When we collect it as you use our website or social media pages and apps
- When you have consented to third parties sharing it with us; for example from our service providers or from a friend who wants to tell you about our websites or the assistance we may be able to provide or the fundraising activities we carry out
We will collect your personal information when you enquire about our activities, register with us, send an email, make a donation to us, ask a question about our services or otherwise provide us with personal information.
Third parties who collect your data
When browsing third party platforms [including social media], where the Royal British Legion maintains a presence, we will be joint-controllers of your data with the third party platform’s owner. The third party platform will process your data in line with their privacy and cookie policies. In such circumstances, you will be able to update your cookie preferences directly on the third party platform. You will not be able to update your preferences through The Royal British Legion.
For example, when you visit the Royal British Legion’s Facebook page, Facebook may drop a cookie on your computer subject to their privacy and cookie policies. You are able to control the settings of any non-essential cookies by logging into your Facebook account.
Currently, the Royal British Legion maintains a presence on and therefore is a joint-data controller with the following third party platforms:
- Facebook: Read their Data Policy
- Instagram: Read their Data Policy
What personal data do we collect?
The personal data we collect might include name, date of birth, email address, postal address, telephone number and bank, credit or debit card details if you are supporting us financially.
We may also collect special category data (previously referred to as ‘sensitive personal information’) such as information about your health if this is required for the purpose you have contacted the Royal British Legion Group. We will be very clear about the reasons we need this information and would only do so with your specific consent, for example if you are accessing any of our Welfare Services.
How we use this information?
We will use your personal information for one or more of the following purposes:
- Dealing with your enquiries and requests
- Providing information about products and services
- Administering membership records
- Administering volunteer records
- Contacting you to promote our products and services. If we do not have your contact details such as your telephone number, e-mail address, or postal address, we may source this information via third party companies
- Providing and personalising our services
- Administering orders and accounts relating to our suppliers or customers
- Conducting market research
- Conducting research in to issues affecting the Armed Forces community
- Profiling and segmentation so that we can offer supporters / members / volunteers products relevant to them
- For administrative purposes
Where relevant, we may also assess your personal information for the purposes of fraud and credit risk reduction.
The Royal British Legion Group may analyse the personal data we collect to create a profile of your interests and preferences so that we can contact you in the most appropriate way, and with the most relevant information, to provide a better experience for you.
To do this, we may use additional external sources of data to increase and enhance the information we hold about you, such as Experian Mosaic. This may include obtaining details of changes of address, age data and other contact details and consumption and demographic data. It may also include information from public registers and other publicly available sources such as Companies House, newspapers and magazines. We regularly monitor our suppliers to ensure they meet our required standards and that they comply with current Data Protection legislation.
If you do not wish your data to be used in any of the ways listed above, or have questions about this, then please firstname.lastname@example.org.
If you enter your contact details in one of our online registration forms, we may use this information to contact you even if you don't "send " or "submit "the form. We will only do this to see if we can help with any problems you might be experiencing with the form or with our websites.
We may need to share your information with our contracted service providers and agents for the purposes described above.
Our Supporter Care
If you contact our Supporter Care Team you may choose to provide details of a personal nature. If you telephone our Supporter Care Team, your call may be recorded and if it is it will be stored for six months and then securely deleted.
Only the Royal British Legion Group will receive your personal information, and it will only be used for the purposes of dealing with your enquiry, training, and quality monitoring or evaluating the services we provide. The Royal British Legion Group will not pass on your details to anyone else (unless they are acting on our behalf as an entity of the Royal British Legion Group or a supplier under agreement with the Royal British Legion Group) without your consent; except in exceptional circumstances such as to comply with the law. Examples of this might include people contacting the service reporting abuse, anyone reporting serious self-harm, anyone expressing the intention of harming someone else, or any matter regarding national security.
Your personal information and details of the enquiries received are stored on a secure database. If for any reason you wish to have your personal details amended or removed, please contact Supporter Services whose details are below.
You have a choice about whether you want to receive information about our progress, fundraising activities, membership or campaigns. We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted. You can change your marketing preferences (such as email, phone, text or post at any time), by contacting us using the details below.
- Post: Royal British Legion, Freepost Plus RTZT-ATBH-RGBZ, Bumpers Way, Bumpers Farm, Chippenham, SN14 6NG
- Telephone: 0345 845 1945
- Email: email@example.com
If you wish to change your preferences regarding participation in campaigns, please contact Supporter Care and your update will be passed to RBL's Public Affairs and Public Policy Team.
The lawful basis we use to process your data
We will process your personal data under one or more of the following lawful bases:
- You have given us clear consent
- You have entered into a contract with us
- We have a legal obligation to process the data
- The processing is necessary for your vital interests i.e. to protect your life
- We have a genuine and legitimate reason and we are not harming any of your rights and interests
Where we ask for your consent to process your personal information, we will use clear plain language so you can fully understand what you are consenting to. We will tell you what we will be doing with the information, and explain your right to withdraw consent and how you can do that. We will only use your personal information you have provided for the purpose we have gained your consent for. We may also ask you to confirm that you still consent where a considerable period of time has lapsed since you last had any contact with the Royal British Legion Group.
We may process your personal data where we have a genuine and legitimate reason to do so, and we are not harming any of your rights and interests. Our legitimate interests will be in providing lifelong support for the armed forces community, fundraising, organising events and campaigning.
This means that we may use your personal data for direct marketing, fraud prevention, network and information security, crime prevention/detection and analytics so that we can improve our services to give you the most appropriate information and ensure our fundraising campaigns are effective.
Our legitimate interests are as follows:
- Direct Marketing: We will send postal marketing and fundraising asks which further the aims and objectives of the Royal British Legion Group. We will also make sure our postal marketing is relevant for you, tailored to your interests.
- Ordering online: In order for us to process an order, payment has to be taken and contact information collected, such as name, delivery address and telephone number provided. The record of the transaction is made by Royal British Legion Trading Limited, running our Poppy Shop (website).
- Your best interest: Processing your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
- Personalisation: Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our supporters.
- Analytics: To process your personal information for the purposes of customer analysis, assessment, profiling and direct marketing, on a personalised or aggregated basis, to help us with our activities and to provide you with the most relevant information as long as this does not harm any of your rights and interests.
- Research: To determine the effectiveness of promotional campaigns and advertising, and to develop our products, services, systems and relationships with you.
- Due Diligence: We may need to conduct investigations on supporters, potential customers and business partners to determine if those companies and individuals have been involved or convicted of offences such as fraud, bribery and corruption.
We will process your personal data for our legitimate interests in a way we consider you would reasonably expect, to be proportionate and with minimal impact on your privacy. We will carry out assessments to ensure that we consider whether the processing is necessary and by balancing it out with your rights and freedoms.
You have a right to object to your personal data being processed under legitimate interests if you do not consider we have compelling legitimate grounds for the processing. Please see the section below for more information.
Under the General Data Protection Regulations (GDPR) you have the following rights:
- Transparency over how we use your personal information (right to be informed)
- Request a copy of the information we hold about you, which will be provided to you within one month (right of access)
- Update or amend the information we hold about you if it is wrong (right of rectification)
- Ask us to stop using your information (right to restrict processing)
- Ask us to remove your personal information from our records (right to be 'forgotten')
- Object to the processing of your information for marketing purposes (right to object)
- Obtain and reuse your personal data for your own purposes (right to data portability)
- Not be subject to a decision when it is based on automated processing (automated decision making and profiling)
If you would like to know more about your rights under the GDPR see the Information Commissioners Office website. If you would like to make a request for any of the above actions, please submit your request to us by post at The Data Protection Officer, Royal British Legion, Haig House, 199 Borough High Street, London SE1 1AA, or via firstname.lastname@example.org
Rights of accessing
You have the right to see what personal data we hold about you. We would ask that you submit your request for access to your personal data in writing. Please use our subject access request form to ensure you supply all the information we need to process your request. You can also use this form if you are requesting information on behalf of somebody else.
If you would like to make a request for any of the above actions, please submit your request to us by post at The Data Protection Officer, Royal British Legion, Haig House, 199 Borough High Street, London SE1 1AA, or via email@example.com.
Transfer of information outside of the EEA
Given that the Internet is a global environment, using it to collect and process personal data necessarily involves the transmission of data on an international basis. This means for instance that data you pass to us may be processed outside the European Economic Area (EEA) in certain specific situations. The data will always be held securely and we will take steps to ensure the organisation based outside of the EEA provides an adequate level of protection and we will put in place all necessary safeguards.
Whilst the Information Commissioners Officers guidance states that children can, over the age of 13, give their own consent to marketing, the Royal British Legion Group is concerned to protect the privacy of children aged under 16.
Where appropriate, we will seek consent from a parent or guardian before collecting personal information about a child aged under 16. Therefore, if you're aged 16 or under, you must get your parent/guardian's permission before you provide any personal information to us.
We do have activities and events for those under 16 so we may ask your age. Before taking part please ensure you speak to your parent or guardian.
Our events have specific rules about whether children can participate and we'll make sure advertising for those events is age appropriate.
Please note that we will not knowingly market to or accept orders for goods or services from persons aged under 16 years.
As a parent or guardian we encourage you to be aware of the activities in which your children are participating, both offline and online. If your children voluntarily disclose information, this may encourage unsolicited messages. We suggest that you discourage your child from providing any information without your consent.
For our raffle and gaming products, due to Gambling Commission regulations, we cannot allow people under the age of 16 to take part.
How to protect personal information
All of our online forms are protected by encryption. We also use a secure server when you make a donation or payment via our websites. We take appropriate measures to ensure that the personal data disclosed to us is kept secure, accurate, and up to date.
We ensure that there are appropriate technical controls in place to protect your personal details. For example, our online forms are always encrypted and our network is protected and routinely monitored.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
We use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.
Some of our suppliers run their operations outside the European Economic Area (EEA). Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
How long will we keep your personal data?
We will ensure that your personal data is kept only for so long as is necessary for the purpose for which it was collected, and is securely destroyed in accordance with our retention schedule. Where possible we will inform you of how long we will retain the personal data you are providing to us.
Where you no longer wish for RBL to contact you we may have to keep some basic data about you to ensure that we do not contact you in future.
Will we disclose the information we collect to outside parties?
We do not share or sell supporter or member details with other charities or other third parties.
We will only disclose data when obliged to disclose personal data by law, or the disclosure is 'necessary' for purposes of national security, taxation and criminal investigation, or we have your consent.
We may share your personal data with one or more of the following:
- Within the Royal British Legion Group, i.e. the Royal British Legion, the main charity and Royal British Legion Trading Limited, running our Poppy Shop (retail outlets and website)
- Other entities within the Royal British Legion family of charities, including PoppyScotland and the National Memorial Arboretum
- Suppliers we engage to process data on our behalf. In such cases information is only shared for the purpose of providing services on our behalf relating to communications, or agreements between yourself and the Royal British Legion Group. Such processing is conducted under relevant Data Processing Agreements
- If we run an event in partnership with other organisations
Use of mobile phone data
The Royal British Legion Group values your support. We would like to keep you up to date with information and fundraising appeals on our charitable work via your mobile phone and also by writing to you. If you have texted us, we will retain a copy of your mobile phone number, together with any other personal details you have given us, such as your name and address.
If you would prefer us not to contact you by mobile phone, or if you would prefer us not to contact you by mail you may call Supporter Services on 0345 845 1945 or via firstname.lastname@example.org .
If your personal details change, please help us to keep your information up to date by notifying the relevant department.
If you are a supporter, member or volunteer and wish to update us of your information please contact us at the following address: Supporter Services, Royal British Legion, 199 Borough High Street, London SE1 1AA.
Data Protection Regulator
Further information and advice about data protection law and compliance is available from the Information Commissioners Office. You can contact them using the details below.
- Address: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Phone: +44 (0) 01625 545 745
- Website: www.ico.org.uk
Fundraising Preference Service
The Royal British Legion Group is committed to empowering our supporters to manage how we communicate with you. The Fundraising Preference Service (FPS) enables you to take control of your charitable giving and conversations, and we want to help you use the service effectively. Visit the FPS website, and remember to use our charity number 219279 to avoid confusion with similar sounding charities.