At Resilient Scotland we are committed to protecting any personal information you share with us, or that we receive from other organisations, and keeping it safe.
Please read the following notice to understand how your personal information will be treated.
We are subject to the legal jurisdiction of Scotland and any data protection legislation that applies in that jurisdiction.
For the purpose of the Data Protection Act 1998 (DPA) and the General Data Protection Regulation 2016 (GDPR), the Data Controller is Resilient Scotland.
Who are we?
Resilient Scotland is an independent charity registered in Scotland with the Office of the Scottish Charity Regulator (SC042994) and a company limited by guarantee (SC411661). Resilient Scotland Limited is the corporate trustee of the JESSICA (Scotland) Trust (SC043048).
Why do we need your information?
Resilient Scotland was established to provide social investment enabling social enterprises, community organisations and charities to contribute to the sustainable regeneration of areas and communities affected by long-term economic decline. Our investments allow organisations to become more enterprising and self-sufficient, and to have an impact on local regeneration.
In order to do this effectively we work with a range of individuals, groups, and businesses. We use the knowledge we have about people (personal data) only for the purpose of furthering the work of Resilient Scotland now and in the future.
We understand our responsibilities as stewards of this data and will protect your privacy. This notice describes how we do this.
Whose information do we collect?
We hold data on those who have received financial or other support from Resilient Scotland, those who might do, and those who apply to Resilient Scotland for funds, whether on behalf of an organisation or personally.
This Privacy Notice applies to:
Our customers where you are an individual acting in your own capacity who is:
• Making an enquiry about our products and services
• Applying for or entering into a finance package from us
• Giving a guarantee or other security.
Our customers where you are a key individual (staff member, owner, director, trustee, partner or authorised signatory) of a company or other incorporated organisation which is:
• Applying for or entering into a finance package from us
• Giving a guarantee or other security.
Our stakeholders and business contacts where your organisation supply us with goods or services, provide professional services, or have any other business or stakeholder relationship with us.
Our Board, Panel members and other volunteers
How do we collect information from you?
The majority of the information we hold about you has been provided directly to us by you. Examples include when you enquire about our products and services, apply for investment, provide us with your business card, enter into a contract with us or attend events organised by us.
We may also receive information about you from someone else, for example as a referral from another person or organisation.
In some cases we may collect data from publicly available sources such as Companies House or the Electoral Register.
What type of information is collected and why?
The data we collect depends on the nature of our relationship with you. At any time you can ask us to see what information we hold about you, ask us to correct or update information, or ask us to delete the information we hold.
We will process your personal data for the purpose of providing our services to your organisation, including entering into contracts with your organisation and thereafter carrying out our obligations under the contract(s). Such processing will include assessing the application for investment against our criteria. Where we have agreed to provide an investment, such processing will also include:
- operating your account
- administering and managing our products and services (including monitoring, auditing, and evaluating those products and services)
- managing the relationship with you
- managing our credit risk
- dealing with payments and arrears, and dealing with or investigating any complaints or enquiries
- contacting you from time to time by telephone, e-mail or post or otherwise for the purpose of administering your organisation’s account, including informing you of any arrears
- obtaining goods or services, including on a voluntary basis, from you
- working in partnership with you.
We will from time to time use this information to communicate with our supporters. When we do so, we will be processing your data in line with one of the legal bases permitted by current data protection legislation. In most cases this will be because we have a legitimate business interest in contacting you as an investee, but it may also be because you have given us specific consent to do so. You can withdraw consent at any time by following the unsubscribe link in our emails, or by contacting us.
What is a cookie?
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
What information is captured by cookies?
Here at Resilient Scotland we want to reassure you that your privacy is respected and safe in our hands. We only ever collect information from you that helps us to help you get the most out of your visit to our site.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Resilient Scotland – We sometimes use ‘pop up’ messages (like the one that tells you about the cookies on this site) to make sure our visitors are aware of important information. If you choose to acknowledge the message, the pop up will no longer appear when you visit the site. These kinds of messages include a cookie that ‘remembers’ you have already acknowledged the message when you visit.
Google Analytics – Google sets these cookies on our Website. These cookies are used to collect information about how visitors use our site. Google stores the information collected on servers in the United States. Google may transfer this information to third parties where required to do so by law, or where third parties process the information on Google’s behalf. Google state that they will not associate your IP address with any other data held by them.
How long do you keep my data for?
We will keep data for as long as is needed to complete the task for which it was collected, or is necessary for legal reasons. Relationships between investees and Resilient Scotland are often long term, and so we expect to keep your data for as long as the relationship exists, or until we no longer need it.
Is my personal data securely stored?
We store personal data primarily in electronic form with paper records being scanned wherever possible. Electronic records are all held in secure servers with strong password protection. Paper records are held securely in our office or, in the case of archived information held for legal compliance, in a secure area of our office buildings.
The primary electronic systems we use to process your personal information include:
- Our customer relationship management system (currently Salesforce) and related systems such as dotmailer
- Our financial system
- Emails, documents, and spreadsheets held on local devices or cloud-based servers.
Non-sensitive details, such as your email address, when transmitted normally over the internet, can’t be guaranteed to be 100% secure. Whilst we take all possible means to protect your personal information, we cannot guarantee the security of any information you transmit electronically to us, and you do so at your own risk.
Where we have given you a password to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share this password with others.
Who has access to my data?
Staff, Board and Panel Members at Resilient Scotland will be granted access to your personal information only where it is necessary for them to carry out their duties as employees, Trustees or Panel members.
All staff are given training in data protection and are required to comply with our internal data protection policy.
Will my personal data be shared with third parties?
We will only ever share your personal information with third parties where it helps us to carry out our business functions and charitable activities or where we have a legal obligation to do so. We will never sell or trade your information with third parties.
Foundation Scotland processes personal data on behalf of Resilient Scotland Ltd in order to provide relevant services, such processing to include:
- Delivery of all key activities required in relation to governance
- Provision of administrative services for the board and all sub-panels established by the board
- Provision of services, including assessment of applications and management of investments
- Provision of communications functions.
Foundation Scotland processes the following types of personal data on behalf of Resilient Scotland Ltd when required to do so in order to provide services:
- Personal data of directors. Information held on each director includes name, personal address, telephone number, email address, date of birth, NI number and copies of required identification
- Personal data of other volunteers (external sub-panel members). Information held is name, personal address, telephone number and email address
- Personal data of key people in applicant organisations (includes staff members and directors/trustees of organisations). Information held is name, personal address, telephone number and email address.
The categories of data subject to whom the personal data relates
Foundation Scotland processes personal data for the following categories of data subjects on behalf of Resilient Scotland Ltd when required to do so in order to provide services:
- Volunteers (directors and sub-panel members);
- Applicants for investment (key staff and directors/trustees of applicant organisations); and
- Subscribers to the Trust newsletter (first name, last name and email address required)
Other third parties we may share your data with include:
- Our software suppliers, for example in processing communications sent to you
- Our bankers (for payments)
- We will share information on applicants with Investment Panel members. We will ensure that personal information isn’t shared as far as possible. We will also publish data on investments to organisations (amounts/name of organisation/purpose)
- We may pass data to other organisations, known as Data Processors, to provide specific services to us. A contract is always in place with a Data Processor, and they are not allowed to do anything with your data other than that which we have requested
- We may share basic information on the attenders at an event
- Service providers acting as processors who provide marketing and communications services (such as Dotmailer)
- Any relevant research organisations including those undertaking social impact surveys on our behalf.
The law requires us to tell you the basis on which we process your data.
Some activities may require your consent. If the law requires your consent to process data in a certain way then we will obtain it before carrying out that activity.
Other activities are carried out to fulfil a contract or agreement. Examples include holding investments which are subject to an Agreement or organising an event. Each requires us to know who you are and to process your information in order to do the thing you have asked us to do. If a contract is in place then we will process your data based on that contract.
If personal data is required to be collected and processed in order to comply with the law, then consent is not required. This is the case for some data related to taxation.
In all other cases the law allows us to process your data if it is in our legitimate interest to do so, but only so long as we need to and your “interests or your fundamental rights and freedoms are not overridden”. Practically speaking this means we carry out an exercise to check that we will not cause you harm by processing your data, that the processing is not overly intrusive and that we will only do so in a way which is described in this privacy notice.
The law requires us to tell you that you have a variety of rights about the way we process your data. These are as follows:
- Where our use of your data requires consent, you may withdraw this consent at any time
- Where we rely on our legitimate interest to process data, you may ask us to stop doing so
- You may request a copy of the data we hold about you (known as a ‘data subject access request’).
You may change or stop the way in which we communicate with you or process data about you, and if it is not required for the purpose you provided it, then we will do so. We will always endeavour to comply with such a request.
If you are not satisfied with the way we have processed your data then you can complain to the Office of the Information Commissioner: https://ico.org.uk/
Rachel Peacock, Resilient Scotland, 15 Calton Road, Edinburgh EH8 8DL
T: 0131 524 0345