Privacy Policy

Thames21 Privacy Policy

WE ARE COMMITTED TO PROTECTING YOUR PRIVACY

Thames21 is committed to protecting your privacy by storing your data securely and always using it responsibly in accordance with:

  • The Data (Use and Access) Act 2025
  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Charity Commission Guidance
  • ICO Guidance
  • Fundraising Regulator Code of Conduct

This policy explains how and why we use your personal data, to ensure you remain informed and in control of your information.

 

ABOUT US

Thames21 is an environmental charity that works across London and the Thames Basin to deliver high-impact nature-based solutions to the climate and biodiversity crisis by restoring rivers, whilst also connecting communities to their local green-blue spaces and inspiring long-term stewardship of them.

 

HOW WE USE OUR SUPPORTERS’ INFORMATION

We are committed to protecting and respecting your privacy when using and storing your personal information.  We may use your personal information for different purposes:

  • Sending you information about Thames21 activities you can be involved in, where we have consent or are otherwise allowed to. You may opt-out/unsubscribe at any time.
  • Processing donations that you make, thanking you and informing you of the impact your donation has made.
  • Events management and fundraising – You may give us your information indirectly when you sign up to events such volunteering at a “Litter Pick” or create a fundraising page on sites like Plinth or Just Giving. These independent third parties will pass your data to us where you have indicated that you wish to support us and have given your consent, or it is a necessary part of completing a contract with you.
  • Claiming Gift Aid on donations.
  • Taking event and course bookings.
  • Processing job applications.
  • Processing grant or programme applications.
  • Asking participants in our activities and programmes for feedback to help us with market research and improving our operations.
  • Responding to your enquiries, compliments and complaints.
  • To show you content that is relevant and appropriate to your interests.
  • To record correspondence in our database.
  • To ensure we do not send unwanted information to supporters or members of the public who have informed us they do not wish to be contacted

 

HOW WE USE TRUSTEE, STAFF & EVENT SUPPORT CONTRACTORS PERSONAL INFORMATION

We collect and store personal information from employees, event support contractors, trustees and job applicants.  We may use your personal information for different purposes:

  • Recruitment and onboarding
  • Employment administration (HR, payroll, pensions)
  • Health & safety and safeguarding
  • IT and security monitoring
  • Statutory reporting and audit

 

SOCIAL MEDIA

We may also use your email address to match to your account on Facebook or other social media sites to show you Thames21 content while using these services. We only do this where you have opted in to marketing emails and we keep your data secure by encrypting it. No data we hold about you is retained by the third party.

In addition, we may also use your email address to link to Facebook or other social media sites to identify other users of these sites whom we believe would be interested in Thames21, and we may then show them Thames21 content. No data we hold about you is retained by the third party.

There are two ways to prevent this use of your data, you can either update your preferences at Thames21 by opting out of the relevant channel of communication or you can do this via the social media site:

Facebook: https://www.facebook.com/help/568137493302217
LinkedIn: https://www.linkedin.com/help/linkedin/answer/62931

Updating your preferences with Thames21 will not guarantee that you never see Thames21 content on social media, since the social media site may select you based on other criteria and without your data having been provided by Thames21.

 

CHILDREN

If you are under 16, please make sure you have your parent or guardian’s permission before you provide us with any personal information. Children under 16 must not provide us with personal information without this permission.

 

INFORMATION WE MAY COLLECT FROM YOU

When you register online or make a donation we may collect information relevant to the type of transaction you are entering with details such as your name, email address, postal address, telephone or mobile number, bank account details to process donations and whether you are a tax payer so that we can thank you and claim Gift Aid.

When you book or attend certain events we may ask for information about your health. We do this to ensure that we supply appropriate facilities and support, and to ensure that our staff are prepared to respond to incidents appropriately. Clear notices will be given when this information is collected. All sensitive personal data is stored on a secure database, to which only a limited number of relevant staff have access. It is deleted when no longer relevant.

In the case of an incident where it is in the person’s vital interests for us to share sensitive data, for example with a hospital, we may share sensitive information.

 

PHOTOGRAPHY & VIDEOS

We may take photos or videos at our events which we may use to promote our cause.  If you do not wish to be to be photographed, please ensure that you let the event organiser know.  We will always ask for parental consent to take images of children.

 

LEGAL BASIS FOR DATA PROCESSING

To comply with UK data protection rules, we must have a legal justification for collecting and using your personal data.

The legal basis that we rely on will depend upon the circumstances in which we collect and use your data. In almost all cases, our processing will fall into one of the following categories:

Where you have provided your consent to allow us to use your data in a certain way:

  • Such as sending you Thames21 e-newsletters, you may opt-out at any time.
  • When you fundraise for us via fundraising sites like Just Giving we will process some of your personal information so that we can record the money you raise. These independent third parties will pass your data to us. We will respect whether you opt-in or out of communications from us.
  • Responding to your enquiries, compliments and complaints.

Where the processing of your personal information is necessary to carry out the performance of a contract with you.

  • Taking event and course bookings.
  • Managing competition entries.
  • Employee administration.
  • Processing job applications.
  • Processing grant applications.

Where the processing of your personal information is necessary for us to comply with a legal obligation:

  • Claiming Gift Aid on donations.
  • Our legal duty to maintain accurate information, keep financial records for auditing purposes.
  • Our legal duty to maintain participant information for insurance purposes.
  • Our legal duty of care to our participants on Thames21 facilitated courses, experiences etc.

Where it is in our legitimate interests to contact you to raise funds and achieve our objective to save our natural world. Our legitimate interests may include:

  • Sending you information about Thames21, because of activities you have been involved in, or asking you for feedback on the activities you have been involved in. You may opt-out at any time.
  • Thanking you and inform you of the impact your donation has made.
  • To record correspondence in our database, and to keep relevant information for people who have informed us they do not wish to be contacted, so that we ensure we do not send unwanted information.

 

SENSITIVE PERSONAL DATA

We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation) about supporters and members. However, there are some situations where this will occur (e.g. if you volunteer at an event with us and tell us about a pre-existing medical condition, or if required to do so by law). If this does occur, we’ll take extra care to ensure your privacy rights are protected.

 

ANONYMISED DATA

We may aggregate and anonymise personal data so that it can no longer be linked to any particular person. This information can be used for a variety of purposes, such as recruiting new supporters, or to identify trends or patterns within our existing supporter base.  This information helps inform our actions and improve our campaigns, products/services and materials and when making funding applications.

 

BUILDING PROFILES OF SUPPORTERS

We develop a better understanding of a small number of supporters by researching them using publicly available sources, so that we gain a better understanding of how we may offer them the best ways they might want to support Thames21.  We may research their potential to be a significant donor to Thames21 and collect additional details relating to their employment and any philanthropic activity. We may also estimate their gift capacity, based on their visible assets, history of charitable giving and how connected they are to Thames21.

 

STORING YOUR DATA

Thames21’s operations are based in the UK and we store our data within the European Union. Some organisations which provide services to us may transfer personal data outside of the EEA, but we’ll only allow them to do if your data is adequately protected.

For example, some of our systems use Microsoft products. As a US company, it may be that using their products result in personal data being transferred to or accessible from the US. However, we’ll allow this as we are certain personal data will still be adequately protected (as Microsoft is certified under the USA’s Privacy Shield scheme).

 

PROTECTING YOUR DATA

We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access or disclosure of your personal information.

Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Our staff receive data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling personal data.

 

SHARING PERSONAL INFORMATION

We will never sell your personal information.

We may need to share limited information with trusted third parties who help us to aggregate and analyse scientific data, prepare and send you communications or process donations and other responses.

We have a legal duty to ensure that we hold up-to-date information about our supporters (e.g. if you move to a new house, we have a duty to remove your old address). From time to time, we will ask a trusted third party to ‘clean’ the data that we have for our supporters. This means that our trusted supplier will use records that are in the public domain such as the Postcode Address File and registers of people deceased to remove out of date information.

We have a legal duty of care to our participants on Thames21 facilitated courses, experiences etc. In an emergency we may disclose personal information and health information to protect your vital interests.

 

COOKIES

Our website uses local storage (such as cookies) to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to shop online). Further information can be found in our Cookies Policy at www.thames21.org.uk/cookiespolicy.

 

LINKS TO OTHER SITES

Our website contains hyperlinks to many other websites. We are not responsible for the content or functionality of any of those external websites (but please let us know if a link is not working by using the ‘Contact us’ link at the top of the page).

If an external website requests personal information from you (e.g. in connection with an order for goods or services), the information you provide will not be covered by the Thames21’s Privacy Policy. We suggest you read the privacy policy of any website before providing any personal information.

When purchasing goods or services from any of the businesses that our site links to, you will be entering into a contract with them (agreeing to their terms and conditions) and not with Thames21.

 

CLOSED CIRCUIT TELEVISION (CCTV)

We, or our landlords, operate CCTV at our offices to maintain the security of the premises, protect the safety of staff and visitors, and prevent or detect crime. CCTV is used only in clearly marked areas.

Live footage from our Bow Office is monitored on selected mobile handsets.  All recordings are stored securely, with access strictly limited to authorised personnel. Recordings are retained only for as long as necessary to fulfil these purposes, unless a longer retention period is required for an investigation or to meet a legal obligation.

 

YOUR RIGHTS

Subject access request

To submit a Subject Access Request please contact us by emailing dataprotection@thames21.org.uk or write to Thames21 at The City of London, Guildhall, PO Box 270, LONDON EC2P 2EJ.   Please provide your full name, address and the projects that you have been involved in with us as well as a brief description of what information you are requesting. We will process your request within 30 days.

Thames21 will respond to Subject Access Requests (SARs) in accordance with applicable data‑protection legislation, while ensuring that only the minimum necessary personal data is disclosed.

In processing any SAR, Thames21 will take reasonable steps to verify the requester’s identity, clarify the scope of the request where appropriate, and apply all lawful exemptions relating to confidentiality, third‑party privacy, legal privilege, safeguarding, and commercially sensitive information. Data will only be released where its disclosure is legally required, proportionate, and does not adversely impact the rights and freedoms of others. The organisation will maintain robust internal procedures to ensure efficient handling of requests while minimising operational disruption and organisational risk. This is provided free of charge. However, we may charge a reasonable fee if the request is manifestly unfounded or excessive.

For more information about your rights to request a SAR, please read the guidance issued by the Information Commissioner’s Office ( www.ico.org.uk ).

 

HOW TO MAKE A COMPLAINT

If you have any concerns or wish to make a complaint about how we collect, use, or protect your personal information, we encourage you to contact us so we can address the issue promptly and fairly. You can raise a complaint by emailing us at dataprotection@thames21.org.uk or write to Thames21 at The City of London, Guildhall, PO Box 270, LONDON EC2P 2EJ. Please provide as much detail as possible so we can investigate your concerns effectively. We will acknowledge your complaint, review the matter, and respond within a reasonable timeframe. If you are not satisfied with our response, you also have the right to escalate your complaint to the UK Information Commissioner’s Office (ICO).

 

FURTHER INFORMATION

Please contact us if you would like further information or have any questions about this Privacy Policy dataprotection@thames21.org.uk

If you have a concern about Thames21’s data protection practises please contact us dataprotection@thames21.org.uk or the  Information Commissioner’s Office on 0303 123 1113 or www.ico.org.uk/make-a-complaint/

 

NOTIFICATION OF CHANGES

This privacy notice may change from time to time. For example, we may update this notice to reflect any relevant changes to legislation and regulation.

Please visit this website section periodically to keep up to date with the changes in our notice.

Updated April 2026