GDPR policy

Data Protection Act 2018

The Data Protection Act 2018 brought the EU’s General Data Protection Regulation into UK law (UK GDPR). It governs an individual’s data rights, including the way organisations handle personal data in order to help protect people’s data and privacy.

As a small, non-commercial, Unincorporated Voluntary Association, the Management Committee members consider that Edinburgh Building Retrofit and Improvement Collective (the Collective) is exempt from certain requirements of the Act under Schedule 2 (Exemptions etc from the Act), at Part 2, Para 7 (Functions designed to protect the public interest).

However, irrespective of any exemption, as best practice we abide by the following principles of the Act, set out in the guidance from the Information Commissioner’s Office (ICO). Namely: 

  • We will not keep personal data for longer than we need it.
  • We think carefully about – and are able to justify – how long we keep personal data. This will depend on our purposes for holding the data.
  • We review the data we hold annually.
  • We carefully consider any challenges to our retention of data. Individuals have a right to erasure if we no longer need the data.
  • We may keep personal data for longer if we are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.


  • We will make our consent request prominent, concise, separate from other terms and conditions, and easy to understand. 
  • We will confirm the information is to be collected by the Collective.
  • We will use the data for administration purposes only.
  • We will not sell or otherwise utilise the information with any organisation that is not a managing partner of the Collective.
  • You may withdraw your consent to us storing or using your personal data at any time.


  • We only hold contact details, in order to permit communications, where our request to do so has been specifically agreed. Such details may include name, address and email address.
  • We hold phone numbers of contacts who have specifically accepted our request to do so, in order than we can communicate with them using media like WhatsApp.
  • In relation to management of the Collective, we hold the information required by and relevant authorities or funders. Specifically in relation to GDPR, this includes the name and address details of the Management Committee of the Collective.
  • All data is securely held on password protected computer systems.


  • We obtain consent from persons whose data we hold at the point where they provide the data (the provision of data, as noted above, being explicitly for communications). 
  • We will periodically review – at least annually – the need to continue to hold the data.