Privacy notice: Your personal data and how we use it

  1. About us: The Maidstone and Tunbridge Wells NHS Charitable Fund is the dedicated charity for the Maidstone and Tunbridge Wells NHS Trust. Donations support the patient and staff experience across Trust services. We are registered with the Charity Commission and funds are used to support Trust objectives which include the provision of a wide range of equipment and facilities for patients and staff. More details of the charity are available on the Charity Commission’s website

2. Your personal data

“Personal data” is data that relates to you as an individual who can be identified. The ways in which we use your personal data are governed by law. The principal law that applies is the European Union’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 (DPA). When we use your information, the law calls this “processing”. The personal data we process may include:

  • Name, date of birth, email address, postal address, telephone number and credit/debit card detail; cheque numbers. We only collect your debit/credit card details if you provide them to us to make a donation. The card details are redacted once the donation is processed. We only collect bank account details if you set up a direct debit payment for regular donations to us. These details are held securely.
  • Details of any specific ways you have instructed us to expend your donation e.g. to support a particular service
  • Email correspondence
  • Whether you are a UK tax payer so that we can claim Gift Aid (we don't collect information about your tax payments, only whether you are a UK tax payer)
  • Activities by the charity that you may be interested in
  • Personal data may be provided by you online, in paper or electronic form, over the phone or face to face. Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behaviour of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:
  1. Your data may also be made available to our website provider
  2. The data that may be available to them include any of the data we collect as described in this policy.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the European Economic Area (EEA).
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy notice.Our main method for collecting data is when you give us your information when you make a donation. Additionally, your information may be shared with us by independent organisations, for example fundraising sites like Just Giving and Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support and with your consent. You should check their privacy notices when you provide your information to understand how they will process your data. 

3.    The legal basis for processing your personal data and your associated rights

The charity relies on the “legitimate interest” legal basis to process your personal data. The legitimate interests we have identified are as follows:

  • Updating our supporters on how Charity money has been spent;
  • Informing our supporters of our latest Charity appeals;
  • Updating our supporters on Charity and relevant Hospital news;
  • Sending promotional communications which are relevant to their previous support and possible future giving;
  • Complying with our legal and regulatory obligations;
  • Handling supporter queries.


As we rely on the “legitimate interest” legal basis, the following rights under the GDPR apply:

  • The right to be informed. This means that we must provide you with information about why we process your personal data, how long we hold that data, and who we share that data with. The Information Commissioner’s Office (ICO) calls this “privacy information”, and the Trust meets its obligations under this right through this Privacy Notice, which has been developed to comply with the ICO’s expectations.


  • The right of access. You have the right to access the personal data that we hold about you. This is commonly referred to as “subject access”, and asking to see your personal data is called a “Subject Access Request” (SAR). A Subject Access Request can be made by contacting [email protected] and completing a Subject Access Form.


  • The right to rectification. You have the right to have inaccurate personal data rectified, or completed if it is incomplete. The DPA states that personal data is “inaccurate” if it is incorrect or misleading as to any matter of fact. The GDPR obliges us to respond to such requests within 1 month. However, we can refuse a request for rectification if the request is manifestly unfounded or excessive (including taking into account whether the request is repetitive). There may also be some other exemptions under the GDPR or DPA that we judge should apply, but these exemptions will only be applied on a case by case basis. If you wish to request that your personal data be rectified, you should contact our Data Protection Officer (see their contact details below), and specify what data you believe should be rectified and why.


  • The right to restrict processing. Restricting data processing means that we can store your personal data but not use it. You have the right to request that we restrict or suppress your personal data if:
  • You believe your personal data is inaccurate and you wish to verify the accuracy of that data;
  • You believe your personal data has been unlawfully processed (i.e. that we have breached the first principle of the GDPR;
  • We no longer need your personal data but you need us to keep it in order to establish, exercise or defend a legal claim; or
  • You have objected to us processing you data under Article 21(1) of the GDPR (the right to object – see below), and we are considering whether our legitimate grounds override your legitimate grounds


The GDPR obliges us to respond to requests to restrict processing within 1 month. If you wish to request that your personal data be restricted, you should contact the Trust’s Fundraising Manager, Laura Kennedy, via, [email protected], and specify what data you believe should be restricted and why (making reference to one of the 4 reasons listed above).


  • The right to object. You have the right to ask us to stop processing your personal data. However, you must give specific reasons why you are objecting to us processing your data, and these reasons should be based upon your particular situation. You should also note that this is not an absolute right, and we can continue processing if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. If you wish to object to us processing your personal data, you should contact the Trust’s Fundraising Manager, Laura Kennedy, via, [email protected], and specify what data processing you are objecting to and why. However, if we are satisfied that we do not need to stop processing your personal data, we will let you know, and explain our decision. In such circumstances, you have the right to make a complaint to the ICO (see below for their contact details) and/or seek to enforce your right through a judicial remedy (i.e. through the law courts).


  • Rights in relation to automated decision making and profiling. Automated individual decision-making is when a decision is made solely by automated means without any human involvement. Profiling is the automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process. The GDPR has additional rules to protect individuals if they are subject to automated decision making and profiling. However, we do not process your personal data in this way, so those rules, and the associated rights, do not apply.


  • The right to erasure. You have the right to have your personal data erased if
  • the personal data is no longer necessary for the purpose which we originally collected or processed it for;
  • you object to the processing of your personal data, and there is no overriding legitimate interest to continue this processing;
  • we have processed your personal data unlawfully or
  • we have to do it to comply with a legal obligation


To request the erasure of your personal data, you should contact the Trust’s Fundraising Manager, Laura Kennedy, via, [email protected].


  • Why and how do we use your personal data and keep it safe?We do not and never will sell or swap your personal data.


    1. We will use your personal data to provide you with the services, updates or information you have requested, for administration purposes and to further our charitable objects, including for fundraising activities.
  • Marketing communicationsOur supporters will only ever receive marketing communications e.g. newsletters if they ‘opt in’ to receive such materials. 

    • Data retention - How long do we keep your data?Charity supporter personal data is held securely on the database for as long as is deemed reasonable and necessary in accordance to the original purpose it was gathered for.

      • Children's dataIf you are aged 16 or under, please get your parent/guardian’s permission before giving us your personal details.

        • The accuracy of your data and keeping it up to dateWe ask that you please let us know when you move house or change your contact details, then we can keep our records up to date. If mail (postal or electronic) addressed to you is returned to us as 'moved away' (or something similar) then we may use publicly available sources, such as the Post Office's National Change of Address database, to double-check and update your details.While we endeavour to ensure that the information we hold about you is accurate and, where possible, kept up to date, we shall assume that in the absence of evidence to the contrary, the information you provide us with is accurate. Should there be any inaccuracies in the information of which you inform us, or of which we become aware, it shall be promptly rectified by us. 

          • Digital data

          1. Website If you do nothing other than read pages or download information while using this website, we will capture and store information about your visit. However, we will not be able to identify you from this; it relates to (i) the Internet domain and IP address from which you access the website (ii) the type of browser and operating system you use (iii) the date and time of your visit, (iv) the pages you visit, and (v) the address of the website from which you linked to us (if applicable). 
          2. We collect this anonymous information to make each visit more rewarding, and to provide us with information to help improve our service.
          3.  How we use 'cookies' Like most websites, we use 'cookies' to help make our site, and the way we use it, better. Cookies mean that a website will remember you. They're small text files that sites transfer to your computer (or phone or tablet). They make interacting with a website faster and easier. We also collect this information so we can see what type of device and operating system you're using to access our website. This helps us optimise our website for the most frequently used devices. The use of cookies can be stopped by amending your internet browser settings. Each browser has its own process for disabling cookies. To disable cookies for your browser please visit: which has instructions for most browser types. If you have any questions or technical issues, please contact your browser provider directly. Securing your passwords Our website contains links to other websites belonging to third parties, for which we have no responsibility.  We do not control the privacy practices of these other sites. You should therefore make sure when you leave our site that you have read that site’s privacy policy.Emails terms of use 
          4. Emails aren't always secure so please bear this in mind when you get in touch. The information in emails is confidential, so if you've received one by mistake, please delete it without copying, using, or telling anyone about its contents.
          5. Other websites
          6. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping the password confidential. You agree not to share that password with anyone else.
          • About this privacy noticeWe may modify, add or remove sections of this privacy notice from time to time. You may like to check this page from time to time. 

            • Our Data Protection Officer (DPO)The Data Protection Officer (DPO) for the charitable fund is the Trust Secretary of Maidstone and Tunbridge Wells NHS Trust. They can be contacted via email ([email protected]) or telephone (01622 228 698).