The Brilliant Club is a charity registered with The Charity Commission in England and Wales under registration number 1147771, and with the Office of the Scottish Charity Regulator (OSCR) in Scotland under SC048774. The Brilliant Club is a company limited by guarantee in England and Wales under registration number 7986971. The registered office address is 17th Floor, Millbank Tower, 21-24 Millbank, SW1P 4QP.
The Brilliant Club must process personal data (including special categories of data / sensitive personal data) so that it can provide its services and deliver its programmes of work – in doing so, the charity acts as a data controller.
You may give your personal details to The Brilliant Club directly, such as on an application or registration form or via our website, or we may collect them from another source such as directly from a school, another partner organisation or an online fundraising platform.
Our virtual learning environment (VLE) is hosted by Titus Learning using Amazon Web Services. You can read about how we maintain your privacy on this platform here.
The Brilliant Club must have a legal basis for processing your personal data. For the purposes of administering all aspects of The Brilliant Club’s work, and for monitoring, evaluating, and researching the effectiveness of its programmes, the charity will only use your personal data in accordance with this privacy statement. At all times we will comply with current data protection laws.
If you have any queries about our Privacy Statement, please contact the charity’s Data Protection Officer, Siobhan Haire, at email@example.com.
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in recent history, replacing the 1995 EU Data Protection Directive (European Directive 95/46/EC). It aims to support the rights individuals have over data about themselves that is collected and stored. It also aims to detect, identify and mitigate data breaches or leaks for all companies in the EU, as well as enforcing the reporting of these issues. Any business that deals with EU nationals must comply with the legislation.
The Brilliant Club also uses third-party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments. In the context of this statement, ‘data subject’ refers to the person or entity submitting data and can include employees, pupils, tutors, programme participants, and other individuals or organisations that The Brilliant Club works with.
The Brilliant Club collects information in the following ways:
We may also collect sensitive personal data if you make the information public or if you tell us about your experiences on one of our programmes. In any such instances, we will always make it clear to you when we collect this information what sensitive personal data we are collecting and why, and where applicable, seek your consent for us to do this.
We must have a legal basis to process your personal data and sensitive personal data. The legal bases we rely upon to offer our programmes and services to you are:
In some instances, we will rely on obtaining your consent for use of your personal information. This legal basis is most commonly used to send marketing information to you (for example, where we seek to obtain your consent to receive emails about our events) or where we would like to share your personal information with a partner (a ‘third party’) for their own purposes (for example, a university that is tracking the impact of one of our programmes where we didn’t tell you about this when you joined the programme). We will not use consent as our legal basis where you have no choice about giving us your information.
This is where The Brilliant Club has a legitimate reason to process your data, provided it is reasonable and does not go against what you would reasonably expect from us. Where the charity has relied on a legitimate interest to process your personal data, our legitimate interests are as follows:
The Brilliant Club is required by law to treat certain categories of personal information with even more care. These are called sensitive or special categories of personal information and different lawful bases apply to processing them. The Brilliant Club collects sensitive personal information relating to the ethnicity and disability of its programme participants. It does so in order to manage and administer its equal opportunities reporting, and to ensure that, where applicable, applicants and participants are afforded any reasonable adjustments they may require.
The Brilliant Club has certain legal and contractual requirements to collect personal data (e.g. to comply with immigration and tax legislation, safeguarding requirements, processing charitable donations). Our partner organisations may also require this personal data, and/or we may need your data to enter into a contract with you. If you do not give us the personal data we need to collect, we may not be able to continue to provide our services to you or be able to effectively administer our core programmes of work.
We are passionate about providing a high-quality and engaging experience to all of our supporters and to raising vital funds to support our work. In order to ensure our communications are relevant and tailored to your interests, we may supplement what we know about you with information about you from publicly-available sources.
In accordance with our legal and regulatory obligations and our internal policies and procedures, we may also supplement what we know about you with publicly available information to carry out due diligence on potential or actual donors. If you opt out of analysis of your data for due diligence purposes, we may not be able to accept donations from you.
If you choose to donate to us via a third party, such as Virgin Money Giving, your data will be processed by that third party as data processor for us, and will then be shared with us.
If you use your credit or debit card to donate to us, buy something or pay for a registration online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS), whether we do this through a third party or by ourselves. Find out more information about PCI DSS here.
We do not store your credit or debit card details at all once your transaction has been completed. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your card details.
The Brilliant Club may transfer the information you provide to us to countries outside the European Economic Area (‘EEA’) for the purposes of administering, monitoring, evaluating, and researching the effectiveness of its programmes. We will take steps to ensure adequate protections are in place to ensure the security of your information and where applicable, seek your express consent to do so. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.
The Brilliant Club will retain your personal data only for as long as is necessary for the purpose we collect it and never longer than seven years. Different laws may also require us to keep different data for different periods of time. For example, we must keep payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation.
Where The Brilliant Club has obtained your consent to process your personal/sensitive personal data, we will do so in line with our retention policy. Upon expiry of that period the charity will seek further consent from you. Where consent is not granted, The Brilliant Club will cease to process your personal data/sensitive personal data and/or anonymise it in full.
You as the data subject have the following data protection rights:
Where you have consented to The Brilliant Club processing your personal / special categories of data you have the right to withdraw that consent at any time by contacting the charity’s Data Protection Officer, Siobhan Haire, via email to firstname.lastname@example.org. Please note that if you withdraw your consent to further processing that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.
There may be circumstances where The Brilliant Club will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.
If you believe that any of your data that the charity processes is incorrect or incomplete, please contact us using the details above and we will take reasonable steps to check its accuracy and correct it where necessary. You can also contact us using the above details if you want us to restrict the type or amount of data we process for you, access your personal data or exercise any of the other rights listed above.
If you wish to complain about this privacy notice or any of the procedures set out within it please contact the charity’s Data Protection Officer, Siobhan Haire, at email@example.com.
You also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.
The charity takes the security of your data seriously and takes every precaution to protect our users’ information. The Brilliant Club has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Measures applied include:
Where the charity engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data as outlined within the GDPR.
It is The Brilliant Club’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours.
We will update this privacy statement from time to time. We will post any changes on the statement with revision dates. If we make any material changes, we will notify you.