• 01324 610950
    admin@csrec.org.uk
    10-4 Mon–Fri
    • Menu
    close
    green digital characters from The Matrix

    Privacy Policy

    1. About us

    Central Scotland Regional Equality Council, (“CSREC”, “we”, ”our”, “us”) respects your privacy (“you”) and we recognise the need for appropriate protections and management of your Personal Data (defined below). 

    When we, and our service providers, collect and use your Personal Data, CSREC or the relevant partner you otherwise engage with is the Data Controller for the purposes of Data Protection Legislation (defined below).

    2. Purpose of this Privacy Notice

    We have prepared this Privacy Notice to assist you in understanding what Personal Data we collect about you and how that information is used by us and by third parties as part of the relationship we have with you. 

    It is important that you read and retain this Privacy Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing Personal Data about you, so that you are aware of how and why we are using such information and what your rights are under the Data Protection Legislation. This Privacy Notice supplements the other notices available on our websites and other platforms and is not intended to override them.

    Please see section 5 for an explanation of the capitalised terms used in this Privacy Notice. 

    Our platform is not intended for children and we do not knowingly collect data relating to children without permission from parents or guardians.

    3. Contact us

    If you have any questions regarding this Privacy Notice you can contact us as follows: 

    Post: Central Scotland Regional Equality Council, 146 Drip Road, Raploch, Stirling FK8 1RW

    Email: admin@csrec.org.uk

    Telephone: 01324 610950

    4. Changes to this Privacy Notice

    We may update this Privacy Notice at any time by amending this page. You are expected to visit this page from time to time to note any changes we make, as they affect you. This Privacy Notice was last updated on 25/06/2025

    5. Glossary

    When we refer to Data Protection Legislation we mean the UK GDPR and the Data Protection Act 2018.

    Personal Data or Personal Information is any information identifying you as a specific individual. It can identify you directly from that information alone or indirectly in combination with other information we hold or can reasonably access. As well as identifying you as a specific individual, to be Personal Data, the data must also relate to you. Truly anonymous information is not Personal Data.

    Processing is almost anything that can be done with Personal Data, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.

    Special Category Personal Data means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

    Criminal Convictions Data means Personal Data relating to the alleged commission of offences by you; or proceedings for an offence committed or alleged to have been committed by you or the disposal of such proceedings, including sentencing.

    Data Controller is someone who decides why Personal Data is to be collected and how it will be used and treated. 

    ICO means the UK Information Commission’s Office, the UK supervisory authority for data protection issues

    UK Addendum isthe Information Commissioner’s standard data protection clauses to the EU Commission Standard Contractual Clauses for the transfer of Personal Data from the UK to controllers established in third countries (processor-to-controller transfer) issued under section 199A(1) of the Data Protection Act 2018

    Standard Contractual Clauses is the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to controllers established in third countries (processor-to-controller transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK.

    UK GDPR is as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

    To Process your Personal Data we need to be able to rely on one of the following Legal Basis: 

    1. Consent: you have given your consent for us to process your Personal Data for that purpose. 
    2. Contract: the use of your Personal Data is necessary for the performance of a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
    3. Legal Obligation: the use of your Personal Data is necessary for us to comply with law.
    4. Vital Interests: the use of your Personal Data is necessary to protect your vital interests e.g. your life. 
    5. Public Task: we need to process Personal Data (a) in the exercise of official authority (e.g. public functions and powers that are set out in law) or (b) to perform a specific task in the public interest that is set out in law.
    6. Legitimate Interests: the use of your Personal Data is necessary for legitimate interests pursued by us or a third party. Before we rely on this legal basis we will balance your interests against the legitimate interests pursued by us. In particular, if you would not reasonably expect your Personal Data to be used in a certain way, or it would cause unwarranted harm, your interests are likely to override the legitimate interests. However, your interests do not always have to align with the legitimate interests. 

    To process your Special Category Personal Data and / or Criminal Convictions Data, as well as having a Legal Basis, we need to be able to apply an Additional Condition (which is almost like a second type of Legal Basis): 

    1. Consent: you have given your explicit consent for us to Process your Personal Data for that purpose.
    2. Vital Interests: the use of your Personal Data is necessary to protect your vital interests e.g. your life. 
    3. Manifestly Public: relates to Personal Data which are manifestly made public by you.
    4. Legal Claims: necessary for the establishment, exercise or defence of legal claims.
    5. Substantial Public Interest: necessary for reasons of substantial public interest, on the basis of law.

    6. What Personal Data do we process about you?

    We may collect, use, store and transfer different types of Personal Data about you during your relationship with us. We have grouped together these types of Personal Data as follows:

    • Contact Data includes personal or business contact details, such as address, email address, telephone number, billing address, social media account names, and contact preferences.  
    • Transaction Data includes details of the services you provide, details of the services we provide to you and all other information in connection with the provision of services. 
    • Identity Data includes first name, last name or similar identifier and geographical location. This may disclose Special Category Personal Data.
    • Marketing Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
    • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website, apps or other platforms.
    • Recruitment Data includes Personal Data used to consider your application for your role with us, including for example, information provided in your CV/application form, information from your references, and notes taken during your interview. This also includes any information provided when enquiring or applying for an opportunity we post on our website and other platforms and your log-in details for saving applications on our website and platforms. 
    • Other data includes any other information provided by yourself to us.
    • We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated data may be derived from your Personal Data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website or platform feature. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this notice.

     7. Collecting your Personal Data. 

    Direct interactions. You may give us your Personal Data directly by letter, email, telephone, filling in our forms (such as completing the ‘Contact Us’ section on our platform or speaking with us in person for example throughout a case appointment).

    Indirect interactions. We may also receive Personal Data about you indirectly. For example: 

    • From your use of our website, apps or platforms; 
    • Your named referees;
    • The Disclosure and Barring Service in respect of criminal convictions data;
    • From publicly available sources such as your personal social media accounts
    • From third parties who have your consent to share your Personal Data with us.

     8. How do we use your Personal Data and why? 

    Generally, we will use your Personal Data for the purposes of managing our relationship with you. We have set out in the table below further detail of all the ways we plan to use your Personal Data, and which of the Legal Basis and, if applicable, Additional Condition we rely on to do so. We have also identified what our Legitimate Interests are where appropriate.

    PROCESSING PURPOSESTYPE OF DATA LEGAL BASIS 
    Services - To execute a contract we enter into or propose to enter into with you.  - To deliver our service to you.  - To process or respond to your enquiry.  - To comply with any contractual, legal or regulatory obligations.   Personal Data  Special category personal data Contact Data Financial Data Other DataContract  Legal Obligation  Consent   
    Marketing and Communication  To provide you with information relating to products or services delivered by us.   To monitor the use of our platform to better understand its use and inform our services. To respond to any submissions via our contact form (csrec.org.uk) To promote our business, product and/or service through advertising, marketing and promotional activities.   Personal Data  Contact Data Marketing Data  Technical Data  Other dataOur lawful basis differs depending on whether you are an individual consumer contact or a business contact  If you are an individual consumer contact:  For e-mail and texts we will ask for your prior consent to send this form of marketing materials, unless we are relying on the “soft opt-in” exemption. This exemption applies when you already receive services/goods from us and we send you information on similar goods/ services. This is because it is necessary for our legitimate interests (to develop our products/ services and grow our service offering).  For telephone and postal marketing it is necessary for our legitimate interests (to develop our products/services and grow our business).  If you are a business contact, for all methods of contact it is necessary for our legitimate interests (to develop our products/services and grow our business) We are carrying out the necessary steps in relation to a contract to provide our services. 
    Goods and Services (supplied by you) - To respond to your enquiry - To comply with any contractual, legal or regulatory obligations. Identity Data Contact Data Financial Data Other Data  IT and Digital Data   Contract  Legal Obligation  Consent  Legitimate Interests   
    Recruitment  - To respond to your enquiry about career and volunteering opportunities. - To hold your name on our system for any future opportunities and communications specific to recruitment. - To review and process any application or information you may submit for one of our opportunities. Identity Data Contact Data Other Data Recruitment Data   Contract   Consent     
    Cookies  To collect internet traffic data and data regarding your browser type and computer. To look at how our platform is used. To monitor use of our platform so that we may better understand its use and inform our services.See cookie policy for further information. We do not usually collect Personal Data via our cookies.  We are carrying out processing on the basis of your consent which you to provide to us to process your data, unless the cookies are strictly necessary.  

    Marketing 

    You can ask us to stop sending you marketing messages at any time by following any opt-out links on any marketing message sent to you or by contacting us at any time. 

    Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us for other purposes. 

    Business records 

    Your Personal Data may be included in business records e.g. voicemails, e-mails, correspondence, documents, and other work product and communications created, stored or transmitted using our networks, applications, devices, computers or communications equipment. We have this information as it is necessary for our business and therefore in our Legitimate Interests (and where we have a Contract in place with you, it is necessary for your Contract). 

    We require to use any or all types of your Personal Data for litigation purpose depending on the specific nature of the litigation. We rely on the Legal Basis of our Legitimate Interests for this purpose, and as necessary for the establishment, exercise or defence of Legal Claims.

    Change of Purpose

    We will only use your Personal Information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the Legal Basis which allows us to do so.

    Please note that we may process your Personal Information without your knowledge or Consent, in compliance with the above rules, where this is required or permitted by law or regulation.

    9. Keeping your Personal Data accurate

    It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

    10. Retention periods

    We will in many circumstances retain the Personal Data that we collect. Where we do, the length of time we shall retain it for shall be determined by a number of factors, including the type of data, the purpose for which we use that data including our legal and regulatory obligations which we must comply with when we collect and process Personal Data. We will also take into account the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Personal Data.

    We will not retain personal data for longer than is necessary. 

    In some circumstances you can ask us to delete your data: please see section 13 below. We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

    In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you. 

    11. Sharing of Personal Data

    We share your Personal Data with others in certain circumstances as detailed below.

    The data that we collect from you will usually be stored inside the UK. However, we may transfer data outside the UK.

    • Legal and regulatory. We will provide your Personal Data to third parties where there is a legal obligation to do so, for example to regulators (such as the Health and Safety Executive), government departments, law enforcement authorities (such as Police Scotland, tax authorities and any relevant dispute resolution body or the courts).
    • Change of structure, We may also provide your Personal Data to third parties in connection with any sale, merger, acquisition, disposal, reorganisation or similar change in our business or assets.
    • Authorised third party. We will provide information about you to any person who is authorised to act on your behalf.
    • Professional service providers. We may provide your Personal Data to our professional service providers such as accountants, professional advisors, insurance providers and lawyers. 
    • Service providers. We contract with third party service providers and suppliers to deliver certain services some of whom may store personal data in cloud based data centres. Our service providers change from time to time and we will inform you if this is the case by updating this Privacy Notice. We currently use the following service providers:
    Name or category of Service ProviderRole of Services Provider Location of Service Provider 
    Website Developer / HostDeveloper and hosting partner for CSREC website.UK
    MailchimpEmail software supplierUSA
    MicrosoftOffice administration softwareUSA
    SalesforceCase management softwareUSA
    GoogleProvision of services that enable functionality and recording of site usage.USA

    12. Automated decision-making

    Automated decision-making takes place when an electronic system uses Personal Data to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

    13. Your rights

    You have certain rights under the Data Protection Legislation which apply in certain circumstances:

    • Access: Request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully Processing it.
    • Rectification: Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
    • Erasure: Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to Process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to Processing (see below), where we may have Processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. 
    • Object: Object to Processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to Processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are Processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to Process your information which override your rights and freedoms.
    • Restriction: Request restriction of Processing of your Personal Data. This enables you to ask us to suspend the Processing of your Personal Data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
    • Portability: Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided Consent for us to use or where we used the information to perform a Contract with you.
    • Withdraw Consent at any time where we are relying on Consent to Process your Personal Data. However, this will not affect the lawfulness of any Processing carried out before you withdraw your Consent. If you withdraw your Consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your Consent.

    You can exercise you rights by contacting us using the details outlined above.  

    You will not usually have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

    We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    We may not always be able to comply with your request to exercise your rights for specific legal reasons which will be notified to you, if applicable, at the time of your request.

    Further details about your rights can be found on the ICO’s website at https://ico.org.uk/

    14. Cookies

    In common with many other website operators, we use standard technology called “cookies” on our platform. Please see our cookie notice explaining the cookies we use on our platform.

    15. Other websites or platforms 

    This platform may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. This Privacy Notice only relates to csrec.org.uk. If you link to a third-party website from our platform, you should read the terms and conditions and privacy notice on those third-party websites before continuing. We are not responsible for any use of your information that is made by other websites and/or organisations.

    16. Complaints

    You have the right to make a complaint at any time to the ICO (www.ico.org.uk). 

    We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. 

    Accessibility by WAH
    linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram