This "Privacy Policy" was last updated on 25 January 2024.
This Privacy Policy applies to personal data we process in order to assess grant applications, make grants, administer grants and retain outputs of research generated by grants.
This Privacy Policy is provided by Galen and Hilary Weston Foundation ("we", "us" or "our") with registered office at Squire Patton Boggs (UK) LLP (Ref: Csu) Rutland House, 148 Edmund Street, Birmingham, England, B3 2JR, and registered in England and Wales (Company no.09899315). We are a "controller" for the purposes of the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act and other applicable data protection laws (together the "Data Protection Laws").
We take your privacy very seriously. We ask that you read this Privacy Policy carefully as it contains important information about our processing and your rights.
How to contact us
If you have any questions about this Privacy Policy, how we handle your personal data, or want to exercise any of your rights, please contact:
- Name of data protection contact: Amy Buskirk
- Address: 20 St. Clair Avenue East, Suite 1900, Toronto, ON M4T 2S7 Canada
- Telephone number: +1 437-239-2338
- Email: amy.buskirk@hgwf.org
Changes to the Privacy Policy
We may change this Privacy Policy from time to time. You should check this Privacy Policy occasionally to ensure you are aware of the most recent version that will apply each time you access this website.
What personal data do we collect and why?
We only collect personal data about you that you provide to us. The table below sets out the data we collect, what we use it for and why we are allowed to use it (called the 'lawful ground for processing').
| Personal data | Purpose for processing | Lawful ground for processing |
|---|---|---|
| Name, contact details, job title, organisation of person submitting an application or detailed proposal (on behalf of an organisation) | We need to use these details in order to process and manage your grant application. | Performance of contract |
| Where you are successful and awarded a grant, we need to use your details in order to administer, manage and (if necessary) enforce the grant funding agreement. | Performance of contract | |
| Where you are successful, we will publish your details and an abstract of the research generated. | Legitimate interests | |
| Details of individuals who are the subject of research carried out following award of a grant. This could include special category data of the research subjects. | In order to evidence that a grant has been spent on the research as agreed, we will have a copy of the research. This means we will process data of people which appears in the research that has been undertaken. | Performance of contract research purposes |
We will collect information about your usage of our website through cookies. Please see our Cookie Policy. (This information is statistical and aggregated and is not processed for the purpose of understanding your particular usage of the website.) We collect this information so that we can monitor and manage our website to improve its content, layout and performance.
How is processing your personal data lawful?
The table above sets out why we process your data and the lawful grounds for processing your data. Those grounds are:
- performance of contract: this is the grant funding contract which awards successful applicants a grant for research, or steps we need to take before entering into that contract;
- legitimate interest: this is where, on balance it is necessary for your legitimate interests; and
- research purposes (for special category data): we will have a copy of the research produced as a result of the grant. We retain this simply as evidence that the grant was spent for the purposes for which it was awarded, i.e. research. Data in research is pseudonymised to the maximum extent possible to protect the privacy of the research subjects.
Who will have access to your personal data?
We need to share your personal data with external experts with the relevant expertise who assist us with reviews of grant applications and detailed proposals. We also share personal data with our affiliated companies who provide services to us.
Like any organisation, we use external providers that process your personal data as part of the services they offer to us such as: payment services, web hosting providers, security, interaction analytics and storage.
We take steps to ensure that our service providers process your data in accordance with the Data Protection Laws, only use it in accordance with our contract with them and keep it secure. If you would like more information about our processors, please contact us using the details set out above.
Service providers include the Weston Family Foundation and Wittington Investments Limited (Toronto, Ontario, Canada).
Transfers of your information out of the UK
Some of our suppliers and group companies are based outside of the UK and EEA, so when we share your personal data with them, your data is transferred out of the UK and EEA.
Any transfer of your data will be carried out in accordance with the Data Protection Law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms. If you would like more information about the countries and transfer mechanisms involved, please contact us using the details set out above.
How we keep your data secure
We strive to implement appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We aim to ensure that the level of security is appropriate for the risks presented.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
When will we delete your data?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
The table below provides details about how long we will process your data.
| Data we process | How long this will be held for |
|---|---|
| Unsuccessful applicants | Until you are deemed unsuccessful, at which point your data is deleted. |
| Successful applicants | For contractual enforcement purposes, we keep your data for 6 years following termination of the grant funding agreement. |
| Research | We may keep research papers indefinitely for use only for further research purposes. |
Your rights
As a data subject, you have the following legal rights:
- the right of access to personal data relating to you;
- the right to correct any mistakes in your information;
- the right to prevent your personal data being processed in some circumstances;
- the right to object to processing of your data where processed on the grounds of legitimate interests; and
- the right to erasure in some circumstances.
If you would like to exercise your rights, please contact us at the details set out above.
We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.
Please note that exceptions apply to some of these rights which we will apply in accordance with the law.
Complaints to the regulator
If you do not think that we have processed your data in accordance with this Privacy Policy, you should let us know as soon as possible. You also have the right to complain to the Information Commissioner's Office. Information about how to do this is available on their website at www.ico.org.uk.