Single poppy in a wheat field

Privacy Notice

The Royal British Legion Group takes your privacy seriously. We'll always keep your personal information safe and secure and will never sell your details.

This privacy notice tells you how we collect your personal data, what data we collect, and why we use it. It also tells you about your data protection rights and how you can contact us.

1. About us

The Royal British Legion is at the heart of a national network that supports our Armed Forces community. We're here through thick and thin, ensuring their unique contribution is never forgotten. We've been here since 1921 and we'll be here as long as they need us.

The Royal British Legion Group includes:

  • Royal British Legion, a registered charity (number: 219279).
  • Royal British Legion Trading Limited, a registered company (number: 04783730), which runs our Poppy Shop retail outlets and website.

2. How we collect personal data

We collect your personal information when:

  • You provide it to us directly, by phone, email, live chat, text, or other messaging service, by post, or in person.
  • You provide it to an organisation working directly on our behalf. For example, by providing your information to our contact centres or a fundraising agency.
  • You permit a third party to share your information with us. For example, if you consent to another organisation making a welfare referral to us on your behalf.
  • We collect it as you use our websites, or third-party digital platforms, such as websites, social media platforms, and apps

3. What personal data we collect

The information we collect about you depends on your relationship with us.

3.1. Personal data

In most cases, we collect basic personal information when you contact us. This normally includes your name and contact details (such as your address, email address, and telephone number), as well as other information, such as your date of birth. We collect this information so we know who you are and can contact you. We ask for information such as your date of birth to help us verify who you are, when you get back in touch.

When we need to, we also process your financial information, such as your credit or debit card details, bank account details, and whether you are a UK income taxpayer (for Gift Aid purposes). We may also collect information about your income, expenditure, savings, or debts, where that is relevant to our relationship.

As examples, we may collect financial information when you:

  • Make a donation.
  • Purchase something from our Poppy Shop.
  • Complete a Gift Aid declaration.
  • Request financial assistance from us.
  • Are being supported by our Benefits, Debt, and Money Advice service.
  • Pay a membership fee.
  • Claim permitted expenses as a volunteer.

3.2. Special category data

In certain circumstances, we may need to process special categories of personal data, which include information about your health, racial or ethnic origin, religious or philosophical beliefs, trade union membership, sex life and sexual orientation, or genetic and biometric information.

As examples, we may process special category data when you:

  • Are being supported by our Independent Living Advice or Admiral Nurse services, or other welfare support that requires us to process special category data.
  • Engage with our recovery services, such as when you apply for or are enrolled on a course at our Battle Back Centre.
  • Register your interest, apply, or take part in events, such as by joining Team UK at the Invictus Games.
  • Are a resident at one of our care homes, or are otherwise being supported by them.
  • Take part in research or a campaign where processing your sensitive information is necessary.
  • Apply to attend an event and have access or dietary requirements.
  • Are a beneficiary, member, supporter, or volunteer and we require the information related to monitoring equality, diversity, and inclusion (where this cannot be collected anonymously).

3.3. Criminal offence data

In limited circumstances we may process information related to criminal convictions, offences, and related security measures. Where we need to process this information, we usually do so with your consent.

As examples, we may process criminal offence data if you:

  • Have been involved with the criminal justice system and seek assistance from us, and processing criminal offence data is necessary in relation to your request.
  • Want to volunteer in a role that requires a suitable criminal records check, such as a DBS check, or where we require you to complete a volunteer vetting self-declaration.
  • Take part in research or a campaign and it is necessary to process criminal offence data.

Other circumstances where we may process criminal offence data include:

  • Fraud detection and prevention.
  • Ensuring network and information security.
  • Indicating possible criminal acts or threats to public security.
  • Where information related to criminal activity, allegations, investigations, or proceedings is uncovered while carrying out audits, investigations, or other legitimate organisational functions.

3.4. Children's data

When we collect children’s data, we ensure the information we provide about how we use it is written in clear and age-appropriate language.

When offering online services (known as “information society services”) directly to a child, and when our use of personal data relies on consent, we require that only a child aged 13 or over can provide their own consent. For children under this age, we request consent from someone who holds parental responsibility for the child (a parent or guardian).

For other consent-based uses of children’s data, we generally consider that a child aged 16 or over can consent to their data being used. However, where the data may be particularly sensitive, such as when a person under 18 approaches us for welfare support, we consider the individual’s capacity to consent on a case-by-case basis.

We do not knowingly provide fundraising marketing to anyone aged under 18. Also, we do not allow people under the age of 18 to take part in our lotteries, raffle, or gaming products.

As examples, we may process children’s data when:

  • A person we are supporting has children and knowing about the individual’s family circumstances is relevant to the ways we are supporting them.
  • A child applies to or joins our organisation as a youth member.
  • A child participates in research, such as research focused on the children of service families.

4. Why we use personal data

We use personal information to help us meet our charitable aims and objectives, legal and regulatory obligations, and other legitimate interests.

4.1. Our purposes

Our purposes are to:

  • Provide support to members of the Armed Forces Community, which includes those who are currently serving and ex-service personnel, as well as their dependents and carers.
  • Conduct research into and campaign on issues that affect the Armed Forces community.
  • Support the membership and the activities of members of our organisation.
  • Organise and deliver remembrance and commemorative events and activities.
  • Carry out activities to raise funds, including the Poppy Appeal.

To meet our aims and objectives, we also have purposes related to ensuring we meet our obligations under applicable law, including our obligations to relevant regulators.

4.2. Our uses of personal data

In relation to our purposes, and depending on our relationship with you, we may use your personal information to:

  • Deal with general queries and requests, and provide information about our activities, products, and services.
  • Create and maintain appropriate records of our relationships with our beneficiaries, members, supporters, and volunteers, which may include providing administrative and service communications, and conducting relevant checks as may be required.
  • Administer orders and accounts relating to our suppliers or customers.
  • Conduct marketing and fundraising activities, including administering fundraising events, sending marketing and fundraising communications, and conducting profiling and segmentation, which allows us to offer supporters, members, and volunteers information that is most relevant to them, and to minimise us sending information that is not relevant.
  • Create case studies and other material related to our purposes and to use that material to promote our aims and objectives.
  • Conduct market research and research into issues affecting the Armed Forces community, and campaigning on issues affecting the Armed Forces community.
  • Register, investigate, and resolve concerns and complaints.
  • Exercise good governance, ensuring legal and regulatory obligations are met.
  • Undertake actions to prevent and identify fraud and reduce credit risk.
  • Protect our reputation.

5. When we share personal data

To meet our charitable purposes most effectively, we engage other organisations to provide services to us, or to you on our behalf. Where it is relevant to your relationship with us, we may also share your personal information with other third parties.

5.1. Data processors

Data processors are individuals or organisations that perform functions on our behalf. Before engaging a data processor, we conduct due diligence checks to ensure they appropriately protect the personal data they will use. The terms of our arrangements with our data processors are set out in suitable contracts with specific clauses to ensure high data protection standards are maintained. Our data processors are limited to only using the personal data we share with them for the purposes that we decide and instruct them to perform.

The categories of services provided by organisations that process personal data on our behalf are:

  • Companies that provide contact centre services, who may receive calls, emails, live chats, letters, and other correspondence on our behalf. These processors may respond directly to you to provide relevant information and will add your personal information to our systems, for our record, or for us to take further action.
  • Providers of IT systems and infrastructure that permit us to manage our organisational information efficiently and securely. These include companies that provide general and specialist system and software solutions, as well as companies that provide specialist services to help ensure our systems and infrastructure are kept secure.
  • Payment collection and processing organisations, including providers of contactless card payment equipment, cheque processing, web-based secure payment gateway providers, payment processing intermediaries, and banking and other financial service providers.
  • Website and online service providers, including companies that host our websites, provide online security, conduct online monitoring, analytics, and profiling functions, and deliver cookies functionality and cookies management tools.
  • Companies that provide specialist communications tools and correspondence related services, which include digital tools to conduct large-scale email communication activities, companies that conduct outgoing post fulfilment activities and incoming mail sorting and processing services, and companies that provide marketing services on digital platforms.
  • Providers of audit and accountancy functions, legal advice, and other functions that assist us to exercise good governance and legal and regulatory compliance.

5.2. Third parties we may share your personal information with

Where it is relevant to our relationship or is necessary for us to meet our legal obligations or legitimate interests, we may share your personal information with third parties.

As examples, we may share your personal data when:

  • You have signed up to attend one of our events that is being hosted by a third party.
  • You have requested welfare support and other organisations are either better placed to provide elements of that support or can contribute to the support we provide.
  • We are supporting someone whose eligibility for our support relies on your connection to the Armed Forces. In this case, we may approach relevant organisations, such the Ministry of Defence, for them to confirm your connection to the Armed Forces to us.

5.3. Disclosures of personal data

From time to time, we may be asked to disclose personal data we hold.

As examples, we may receive a request from:

  • A police force.
  • A coroner.
  • A regulator, such as the Care Quality Commission or Nursing and Midwifery Council.

6. Marketing and fundraising communications

Keeping in touch with our supporters, members, and volunteers is vital to our charitable work.

6.1. About our marketing and fundraising communications

Where you have consented, we may send you marketing and fundraising emails, texts, or other electronic mail messages. We may also send marketing and fundraising communications by post or call you, unless you have opted out of receiving these types of contact.

To ensure our fundraising is conducted efficiently, and to make sure we contact you with the most relevant information in the most appropriate way, we analyse the personal data we collect to create profiles of individuals’ interests and preferences. We may increase and enhance the information we hold about you by obtaining further information from external sources, such as Experian Mosaic. This may include obtaining details of changes of address, and other contact details, age, as well as consumption and demographic data. It may also include information from public registers and other publicly available sources, such as Companies House, newspapers, and magazines.

Where we intend to market to you by phone, and you have not opted out of hearing from us in this way, we will screen your details against the Telephone Preference Service exclusion list, to ensure we do not contact you if you have registered that you do not want to be contacted.

6.2. How to change your communication preferences

You have a choice about whether you receive marketing and fundraising information from us. Our communications contain details of how to change your preferences. As examples, our marketing emails contain a link that lets you easily unsubscribe from email marketing. Our postal marketing includes details of how to contact us to change your preferences.

As a supporter, you can change your marketing preferences online, by visiting and entering your name, post code, and unique supporter number.

Alternatively, you can change your marketing preferences by contacting our Supporter Care team, at: [email protected].

Email is our preferred way of communicating. It is quicker, more convenient, cheaper, and has less impact on the environment. If you would prefer to contact us by phone, please call: 0345 845 1945.

If you need to write to us, you can contact us at:

Supporter Care

The Royal British Legion

199 Borough High Street,



If you wish to change your preferences regarding participation in campaigns, please contact the Supporter Care team and your update will be passed to our Campaigns, Policy, and Research team.

6.3. The Fundraising Preference Service

We are committed to empowering you to manage how we communicate with you. The Fundraising Preference Service (FPS) lets you take control of your charitable giving and conversations, and we want to help you use the service effectively. Visit the FPS website, and remember to use our charity number 219279, to avoid confusion with similar sounding charities.

6.4. Administrative and service messages

Unsubscribing from marketing and fundraising communications does not affect us sending you administrative or service messages, which provide you with important information as part of your relationship with us.

As examples, administrative or service messages can include:

  • A letter to notify you that your membership is due to expire.
  • An email update about an order you have placed with us.
  • A telephone call to provide information about a fundraising event you are participating in.

In limited circumstances, such as when you enter your details into an online event registration form, we may use this information to contact you even when you have not submitted the form. We only do this to check if we can help, such as to resolve any problems you may have experienced, or to avoid you thinking your registration is submitted when it has not been.

7. Digital and social media platforms

To interact with our audiences online we have our own digital presence, such as our websites. We also maintain a presence on a range of third party digital and social media platforms.

7.1. Our websites and digital platforms

We may use our websites to collect personal data directly from you, such as through secure online forms.

We also gather general information about the use of our websites, such as which webpages users visit most often, and which services, activities, or events are of most interest. We may also track which pages users visit when they click on links in the Royal British Legion Group emails. We may use this information to personalise the way our websites are presented when users visit them, to make improvements to our websites, and to ensure we provide the best service for users. Wherever possible, we use aggregated or anonymous information which does not identify individual visitors to our websites. In addition, we may use this information to build profiles of people who may be interested in our services. Please see our Cookie Policy for further information.

7.2. Third parties that may collect your personal data

Our websites may include links to third-party websites, plug-ins, and applications. Clicking those links or activating those plug-ins or applications may allow third parties to collect your information.

When you interact with third parties online, such as by visiting their website or digital or social media platform where we maintain a presence, both the Royal British Legion and the third party may process your personal information. In this regard, we may be a joint controller of your data, alongside the third-party platform.

Examples of this are if you:

  • Set up a fundraising page using a third-party digital fundraising platform.
  • Use a third-party portal to apply to participate in a fundraising activity or to attend a commemorative event.
  • Seek welfare assistance via a third-party application or referral portal, such as to apply for an individual financial grant.
  • Interact with us or content we have posted on a social media platform.

When you interact with a third-party platform, the third party will process your data in line with their privacy and cookies policies. You can update your privacy and cookie preferences directly with the third party. We are not able to update your preferences for how third parties use your information.

7.3.Our presence on third party digital and social media platforms

We use third party digital and social media platforms to share a range of content, including videos, images, graphics, stories, information, and web links, that our followers can interact with by liking, commenting, and sharing. We interact on those platforms by responding to post comments and mentions and receiving and responding to private messages.

We analyse data from activity on digital and social media platforms and create reports to understand how our content has performed, in terms of reach and engagement; how it has been received, in terms of comment and private message volume and sentiment; as well as analysing our overall channel performance, in terms of audience size, reach, and engagement.

In addition to our presence on digital and social media platforms, we use third party social media tools to schedule and publish content, reply to comments and messages, compile reports, and monitor insights.

7.4.Our marketing on digital and social media platforms

To provide relevant messaging to our supporters, or reach potential new supporters, we conduct marketing on social media and other digital platforms.

For our current supporters, we may provide limited data to social media platforms, such as an email address or phone number, to enable them to identify your social media profile. That information is shared through a secure interface, which hashes or scrambles the data, making it unreadable to anyone but the intended recipient.

Depending on our marketing campaign, you are then either excluded from the campaign, if it is not relevant to you, or included, if we think it is something you will be interested in seeing.

The information we provide to digital and social media platforms may also be used by them to identify and market to people with similar interests and characteristics to our current supporters, who we think may be interested in finding out about our work.

You can object to your personal data being used for direct marketing on digital and social media platforms by contacting our Supporter Care team, at [email protected].

Email is our preferred way of communicating. It is quicker, more convenient, cheaper, and has less impact on the environment. If you would prefer to contact us by phone, please call: 0345 845 1945.

If you need to write to us, you can contact us at:

Supporter Care

The Royal British Legion

199 Borough High Street,



8. The lawful basis used to process personal data

We process your personal data under one or more of the following lawful bases:

  • Consent: You have given clear consent for us to use your personal data for a specific purpose.
  • Contract: We need to use your information for a contract we have with you, or because you have asked us to do something before entering into a contract with us.
  • Legal obligation: Using your information is necessary for us to comply with the law.
  • Vital interests: Using your personal data is necessary to protect someone’s life.
  • Legitimate interests: Using your personal information is necessary for our legitimate interests or the legitimate interests of a third party, and your own interests or any impact the processing may have on you do not override those legitimate interests.

8.1. Consent

Some of the ways we may use your personal information require your consent. We rely on your consent when we are obliged to, and when the information we process about you is sensitive and we can offer you genuine choice and control over our use of your information.

As examples, we obtain your consent when:

  • We send you direct marketing by email, text, or other forms of electronic mail message.
  • You request welfare support and providing you with assistance requires us to process special category data, such as health data.
  • You apply to volunteer in a role that requires a suitable criminal records check, such as a DBS check.

When you have consented to us using your information, you can withdraw that consent at any time.

Our consent requests use plain language, so you can fully understand what you are consenting to. We will tell you what we will do with the information and explain how you can withdraw your consent. We will only use the personal information you have provided for the purpose we have obtained your consent for, but we may also need to use it for other purposes that are not incompatible with those purposes (such as to meet our legal obligations). Where a significant time has passed since we obtained your consent, we may contact you to ask if your consent is still valid.

8.2. Legitimate interests

We may process your personal data when we or a third party have a legitimate interest in doing so. This may include where those interests are wholly aligned with your own interests. We only process your personal data for legitimate interests when there is a defined purpose, the processing is necessary for that purpose, and we are satisfied that, on balance, your own interests and the privacy impact of the processing do not override the interest in using the data.

Our legitimate interests are as follows:

  • General queries and other contact: When we are contacted, such as when a supporter calls our Supporter Care team, or a member of the public or beneficiary get in touch with our contact centre, we and the individual have a legitimate interest in us processing information to enable us to resolve the matter we have been contacted about. Where this involves us collecting special categories of data, we request the individual’s consent.
  • Direct Marketing: We will send postal marketing and fundraising asks which further the aims and objectives of the Royal British Legion Group. We may also make contact by live phone call for these purposes. To help limit any negative impact, we conduct profiling, analysis, and segmentation, to help ensure our marketing is relevant to your interests.
  • Administering ‘do not contact’ and exclusion lists: Where you have opted out of receiving contact from us, have registered your preferences with a third-party statutory exclusion list, or have made a self-exclusion from certain types of contact, we will keep appropriate details (such as your name and contact details) to permit us to exclude you from relevant contact.
  • Donations, legacies, gifts, and grants: We will process data that is necessary for us to receive and record the donation, legacy, gift, or grant.
  • Ordering online: Where providing goods is not covered by a contract, we will share your name and delivery address with a reputable third-party delivery company, so the goods can be delivered to you. Whether the provision of goods is covered by a contract or not, we may also provide the third party with additional contact information, such as your email address or telephone number, so they can provide you with delivery updates.
  • Gift Aid: Where you have informed us that a donation is eligible for Gift Aid, by completing a Gift Aid declaration, we will use your personal data to claim Gift Aid.
  • Preventing fraud: We may process your information to protect you and us against fraud, such as when transacting on our website, and to ensure our websites and systems are secure.
  • Personalisation: Where the processing enables us to enhance, modify, personalise, or otherwise improve our services/communications for the benefit of our supporters.
  • Analytics: To process your personal information for the purposes of supporter analysis, assessment, and profiling, on a personalised or aggregated basis, to help us with our activities and to provide you with the most relevant information.
  • Research: To determine the effectiveness of promotional campaigns and advertising, and to develop our products, services, systems, and relationships.
  • Verifying eligibility and suitability: In relation to those who apply for membership or a voluntary position, as well as verifying that those who request our support are eligible to receive it from us. This can include requesting and obtaining references, such is in relation to volunteering roles, as well as establishing a person’s connection to the Armed Forces and their financial eligibility, in relation to the support we provide to our beneficiaries.
  • Major donor research: To identify if someone may be able and inclined to support us as a major donor we may conduct research into that individual, making use of publicly available information and other information available to us. We avoid processing sensitive data for this purpose. Where this activity results in us approaching those individuals to establish a relationship, we will tell them about our research. In other cases, records are not created.
  • Due Diligence: We may need to conduct due diligence checks to determine if companies and individuals we may engage with have been involved in or convicted of offences such as fraud, bribery, or corruption, or if us engaging with those individuals or organisations otherwise stands against our charitable purposes or presents reputational risk.

You have a right to object to your personal data being processed under legitimate interests if you do not consider we have compelling legitimate grounds for the processing. Please see the section below for more information.

9. Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

9.1. Your right of access

You have the right to request a copy of your personal information. This is commonly known as a Subject Access Request. The right covers access to your own personal data, subject to applicable exemptions, but does not cover information that relates to other people, or information that is not personal data. This means that, if you make a request, you may not always receive all the information that we process about you. You can read more about this right here.

Please be aware that The Royal British Legion Group is not subject to Freedom of Information legislation. To ensure our resources are directed toward our charitable aims and objectives, we do not accept freedom of information requests.

9.2.Your right to object to processing

You have the right to object to us processing your personal data. For our purposes of sending you direct marketing, this is an absolute right. To opt out of receiving direct marketing from us, you can contact our Supporter Services team using the contact details contained in the “Marketing and fundraising communications” section of this notice, above.

In some other circumstances, such as where we are required to process your information to meet a legal obligation, your right to object may not apply. You can read more about this right here.

9.3. Your right to erasure

You have the right to ask us to erase your personal information, in certain circumstances. However, where we need to keep information about you to meet our legal obligations, or for other legitimate purposes, your right of erasure may not apply. You can read more about this right here.

9.4.Your right to rectification

You have the right to ask us to rectify information you think is inaccurate, or to complete information you think is incomplete. You can read more about this right here.

If your personal details change, please help us to keep your information up to date by notifying the relevant department.

9.5. Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

9.6. Further information about your data protection rights

You are not required to pay a charge for exercising your data protection rights. However, before we can accept a request from you, we may need to conduct checks to establish that you are entitled to make the request. We may also need to clarify your request with you.

We respond to rights requests without undue delay and in normal circumstances within one month. Where requests are complex, we may take up to a further two months to respond, in line with applicable law. We will tell you if this is the case.

9.7. How to make a data protection rights request

If you would like to make a request related to your data protection rights, you can contact us by email at: [email protected].

Email is our preferred way of communicating. It is quicker, more convenient, cheaper, and has less impact on the environment. If you need to write to us, you can contact us at:

The Data Protection Officer

The Royal British Legion

199 Borough High Street



9.8. The right to complain

If you are unhappy with how we have handled your personal information, we want to hear from you. Contact us about your data protection concerns by emailing: [email protected].

Email is our preferred way of communicating. It is quicker, more convenient, cheaper, and has less impact on the environment. If you need to write to us, you can contact us at:

The Data Protection Officer

The Royal British Legion

199 Borough High Street



You also have the right to complain to a data protection supervisory authority. In the UK, this is The Information Commissioner's Office (ICO). The ICO states that you should give us the chance to make things right, before contacting them about a complaint.

If you have contacted us about your concern but you remain dissatisfied, you can contact the ICO using the following details: By using the: Information Commissioner's Office complaints tool,

Or, by writing to the Information Commissioner’s Office, at:

Information Commissioner's Office

Wycliffe House

Water Lane




Please note: the regulator asks that you send them a copy of any letters and emails about your complaint, between you and us, as well as any other information that supports your complaint.


10. International transfers

We sometimes need to transfer personal data outside of the United Kingdom. As examples, we transfer data outside the UK when we interact with a member or supporter who lives abroad, or when we provide welfare support to a beneficiary who lives overseas. Organisations that process personal data on our behalf may also be based outside the UK, as may third parties with whom we engage.

It is our preference that our data processors store and process personal data within the United Kingdom, and we request this whenever we can. Where this is not practical, we prefer that the data is processed within the European Economic Area, or other countries or territories identified in UK data protection law as providing adequate protection of personal data.

Where a processor stores and processes personal data outside of the UK, in a country or territory that is not considered to provide adequate protection under UK adequacy regulations, we incorporate appropriate safeguards into our legally binding agreements with those processors. Those safeguards impose contractual obligations on us and the processor, ensuring the personal data is protected and individuals’ rights are upheld.

Where a data processor uses a sub-processor outside the UK, it is the processor’s responsibility to ensure that appropriate safeguards are applied to the data transfer. As part of the due diligence we undertake before engaging a data processor, we gain assurance regarding the arrangements they have in place with their sub-processors.

Where we may need to transfer personal data to a recipient or third party outside of the UK, we consider these transfers on a case-by-case basis. Where required, we conduct a transfer risk assessment, and only transfer the data if we are satisfied it can be appropriately protected and individuals’ rights and freedoms would not be harmed.

11. How we protect personal data

We are committed to making sure the personal data we hold is always appropriately protected. We do this by implementing and maintaining a range of technical and organisational measures.

We make sure our systems are appropriately configured to prevent unauthorised access or disclosure, and we apply relevant technical controls to keep our systems secure. These include applying security updates, software patches, bug fixes, malware and virus scans, and vulnerability testing. We routinely review who has access to our systems, to ensure the information we hold is only accessible to those we authorise, and who need to use it.

We apply appropriate security at points where data is collected and shared, such as by ensuring our online data capture forms are encrypted, and online payments and donations are made via secure payment gateways. We apply data transfer security measures, such as industry-standard email encryption, to help keep data secure. Where the data we share is sensitive, we may apply additional security.

Our policies and procedures reflect our commitment to keeping data secure, and they are reviewed as necessary. Our staff, volunteers, and contractors who may access your personal data are provided with appropriate data protection training when they first join us, and this is regularly refreshed to ensure they maintain a good awareness and understanding of their data protection responsibilities.

12. How long we keep personal data

We only keep hold of personal data for as long as we need to, related to the purposes for which it was collected, or for other purposes that are compatible with those purposes (such as to meet our legal obligations). We record how long we need to keep personal data in our data retention schedule. When we no longer need personal data, it is securely deleted or destroyed. Where practical, we inform you how long we will retain your data, at the time you provide it to us.

For example, where our uses of personal data involve financial data being stored (including data related to tax), we normally keep those records for 7 years, from the time of a relevant transaction or decision. This is so we can demonstrate compliance with financial record keeping requirements, tax and charity law, and other applicable rules and regulations. This timeframe applies to records related to purchases, donations, gifts, legacies, and grants that we receive, as well as records related to lotteries, raffles, and gaming products, and where data is processed to claim Gift Aid. This period also applies to records created when financial assistance, benefits and debt or other advice, or grants are provided.

13. Changes to our privacy notice

We keep this privacy notice under review. Where we need to make changes to our privacy information, we will update this privacy notice. If those changes are significant, we may contact individuals who are potentially affected by the changes, to bring our updated privacy information to their attention.

If you have any queries about this privacy notice, please contact us at: [email protected].

Email is our preferred way of communicating. It is quicker, more convenient, cheaper, and has less impact on the environment. If you need to write to us, you can contact us at:

The Data Protection Officer
The Royal British Legion
199 Borough High Street

This privacy notice was last updated on 17 November 2023. Previous versions of our published privacy notice can be found at the following link: Our privacy policy and promise

14. Recruitment

The Royal British Legion (TRBL) takes your privacy seriously. We'll always keep your personal information safe and secure and will never sell your details.

This privacy notice tells you how we collect and use your personal data, related to our recruitment processes.

The information you provide to us, and that we may obtain from other sources, such as in employment references, will be used for progressing your application and assessing your suitability for the role you have applied for. It will also be used in a confidential manner to help us monitor our recruitment processes. Where necessary, we will use your personal information to meet our legal obligations, and for our legitimate purposes, such as in relation to managing complaints about the recruitment process.

We ask you for your personal details, including name and contact details. We will also ask about your previous employment, experience, education, and details of referees, as well as information relevant to the role. Our recruitment team and hiring managers will have access to this information. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

You will also be asked to provide equality and diversity information. You don't have to provide this information but doing so helps us monitor and improve our equality and diversity measures. The information you give, or choose not to give, is not accessible by hiring managers and will not affect your application.

If you use our online application system, your details will be collected by our data processor. We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside the European Economic Area. We and/or our data processors will hold the information you provide securely in electronic and/or physical format.

If your application is successful, and you take up employment with us, the information you have supplied will be used to administer your contract of employment with us, in accordance with our data protection policies and Employee Privacy Notice.

If you are unsuccessful, your information will be kept on file for 24 months and then is anonymised.

If you are invited for interview, and/or we make a conditional offer of employment, we'll ask you for more information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer.

We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity, and reliability.

You must therefore provide:

  • Proof of your identity and right to work in the UK. You will be asked to produce the original documents. Copies of these will be held on your employee file.
  • Proof of your qualifications. If these are needed for your role, you will be asked to evidence these. Copies of these will be held on your employee file.
  • You may be asked for a criminal records declaration to declare any unspent convictions.
  • If the role you are applying for has been assessed as requiring a criminal records check, we will share your name, email address, and details of the role with our third-party supplier, to facilitate a check being conducted with the relevant disclosure service (e.g., Disclosure and Barring Service, Disclosure Scotland, Access NI, etc.).
  • We'll contact your referees, using the details you provide in your application, to obtain references. Copies will be held on your employee file.
  • We'll also ask you to complete a questionnaire about your health, to establish your fitness to work. We may ask you to complete an independent health assessment. Your name and email address will be used to register you for this.
  • We’ll request your bank account details to process salary and other payments.
  • We will ask for emergency contact and next of kin details, so we know who to contact in case you have an emergency at work.

The information you provide at any stage of the application process will be subject to verification, and we may need to contact people and/or organisations (e.g., referees, previous employers, educational establishments, professional bodies, etc.) to confirm that information.

Not quite what you're looking for?

Our team are on hand to provide you with the support you need.
Get in touch
Back to top