Privacy notice

1. Introduction 

This privacy notice is directed at people living with arthritis, their families, carers, researchers, healthcare professionals, friends, parents, fundraisers, donors, supporters, volunteers, involved people, staff, trustees, website visitors, authorities and any interested parties that have their personal data processed by Arthritis UK (Arthritis UK), a charity registered in England and Wales (number 207711) and in Scotland (SC041156), and a company incorporated in England and Wales (number 490500). 

Personal data relates to a living person that can be identified either directly or indirectly from the data. Processing personal data refers to any action we take with someone’s personal data that includes but is not limited to, collecting, recording, storing, altering, retrieving, using, disclosing, restricting, erasing, or destroying personal data. 

At Arthritis UK we are committed to protecting your personal data and being transparent about what we do with it. We will use your personal data in accordance with data protection law and the Information Commissioner’s Office (ICO) best practice guidelines – this is our supervisory authority in the UK that regulates organisations across the UK using personal data.  

This Privacy Notice includes the following key information: 

  • Why we process your data under the law 
  • Your Rights 
  • How we keep your data safe 
  • A child’s personal data 
  • How we collect and use your personal data 
  • How long we keep your personal data  
  • Disclosure to third parties 
  • Our online shop 
  • Our website 
  • Our contact information 
  • Changes to our Privacy Notice 

2. Why we process your data under the law

Arthritis UK processes personal data in accordance with the law. The Data Protection Act 2018 requires Arthritis UK to rely on at least 1 lawful basis out of a total of 6 to ensure we have valid grounds for processing any personal data. 

Arthritis UK commonly uses at least 1 of the following 5 lawful bases to process personal data: legitimate interest, consent, legal requirement, performance of a contract and vital interest. 

2.1 Legitimate interest  

We take reasonable steps to ensure we are using this legal basis in the correct way by conducting 3 tests: a purpose test (assessing whether there is a legitimate interest), a necessity test (assessing whether the processing is needed) and a balancing test (assessing the kind of personal data). The main questions we ask before relying on this legal basis are as follows:  

  • What benefit will there be from processing the personal data? 
  • Will the processing help us achieve the purpose for collecting the personal data? 
  • What kind of personal data is it, e.g., sensitive, criminal, confidential or children’s data? 
  • Will the processing cause harm or risk to the freedom of the person?  
  • Is it reasonable for the person to expect the data to be used in this way? 

For some supporters, we will send fundraising material by post and telephone, because we want to provide campaigning, promotional, and/or fundraising material to supporters. We reach out to families, carers, researchers, healthcare professionals, friends, parents, fundraisers and volunteers to help raise funds, so that we are united in our ambition to ensure that one day, no one will have to live with the pain, fatigue and isolation caused by arthritis.  

We will never rely on legitimate interest to send communications where we are already relying on consent to do so.  

You can opt out at any time if you no longer want to receive communications from us, using the information provided in our postal communications or by registering with the fundraising preference service. Alternatively, you can opt out by contacting supporter care, either by calling 0300 7900444 or emailing supportercare@arthritis-uk.org

2.2 Consent

We provide people free choice to give us their personal data. When asking for consent we ensure we are clear and specific, and consent is easy to withdraw at any time. 

For example, Arthritis UK arranges health activity programmes for people with arthritis. We send a form to those interested in the programme, asking for consent to use their personal information so they can attend the programme. The form clearly states the purpose for consent, a box they will need to tick to confirm they agree to their personal data being used in the ways outlined, and the ability to opt out at any time, as well as a link to our privacy notice for further information. 

2.3 Legal requirement

In some situations, Arthritis UK must process personal data as it is essential to fulfil a legal obligation.  

For example, Arthritis UK may need to process personal data to comply with its legal obligation to HM Revenue and Customs (HMRC), as detailed on the HMRC website. 

2.4 Performance of a contract

Arthritis UK may need to process personal data because it is needed to enter a contract. We will only do this if there is a clear connection between the personal data and the contract. 

For example, if you order an item via our online shop, we collect your personal data to process your order and send the item to the correct address.

2.5 Vital interest

This is a legal basis that we may rely on in rare situations, to save someone’s life.  

For example, we may need to disclose personal data for emergencies and medical care. 

The 6th and final lawful basis is public interest, which is not a lawful basis that Arthritis UK relies on to use personal data.  

3. Your rights 

Below is a summary of all your rights under data protection law. We always consider and respect your rights when we process your personal data. 

  • Your right to be informed - we must provide you with information about how we process your data.
  • Your right of access – You can ask us for access to the personal information we hold about you. 
  • Your right to rectification – You can ask us to rectify your personal information if you believe it is no longer accurate.  
  • Your right to erasure – You can ask us to delete your personal data in some situations. 
  • Your right to restriction of processing – You can ask us to restrict the processing of your personal data in some situations. 
  • Your right to object to processing – You can object to us processing your personal information in some situations. 
  • Your right to data portability – You can ask us to transfer the personal information you provided to us, to another organisation, or to you in some situations. 

4. How we keep your data safe 

We use appropriate technical controls to protect your personal details. Below are key examples of how we keep your personal data safe at Arthritis UK.

  • Our online forms are always encrypted, and our networks are protected and routinely monitored. 
  • We conduct regular security audits and reporting, e.g., we do penetration tests on our networks and applications. 
  • We comply with Cyber Essentials Plus security accreditation and best practices set by the National Cyber Security Centre, for all systems and suppliers.  
  • We regularly engage in independent testing of our digital and data security for weaknesses; aligning with Cyber Essentials Plus requirements, to bolster our security measures and guarantee adherence to high cybersecurity standards. 
  • Our contracted suppliers manage card transactions securely in line with the Payment Card Industry Data Security Standard (PCI DSS). All credit and debit card details are securely destroyed once any payment or donation is processed. 
  • We ensure General Data Protection Regulation training is mandatory for all our staff. 
  • We sometimes use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to. 
  • Where personal data is no longer required (either because a request is sent for the personal data to be deleted or the personal data retention period has expired in accordance with our data retention policy), we will ensure it is disposed of in a secure manner. 
  • For changes to existing data collection or processing new data, which may result in a high risk to the rights and freedoms of the data subject, we undertake a Data Protection Impact Assessment (DPIA), to ensure changes to existing or new data collection is compliant with ICO guidelines. 

5. A child's data

Any personal data that Arthritis UK collects from or about a child will be managed in a way appropriate to the age of the child. Data protection law requires a child to be 13 years or older in the UK, to legally provide consent to their personal data being processed. Arthritis UK verifies a child’s age before processing their personal data and/or seeks parental/guardian consent on the child’s behalf if needed. 

We are required to share information with law enforcement authorities should they ask, to effectively safeguard children from harm and promote their wellbeing. As such, we may keep a child’s personal data until they are 18 years old. Under data protection law, we rely on the following legal bases to justify why we process and keep a young person’s and/or family’s personal data: 

  • Legal requirement: the law states that we are bound to report illegal activity.   
  • Legitimate interest: we must disclose the personal data of a child to law enforcement authorities in the event law enforcement authorities request the data, as our interest to prevent any further criminal act and cooperate with law enforcement outweighs any interests of the young person/family to keep their information hidden. 
  • Vital interest: we may need to share personal data to save a young person’s life. This is only applicable in very limited circumstances where a young person’s life is at risk. 

6. How we collect and use your personal data 

Being open and transparent about how and why we process personal data is central to our Arthritis UK values as a charity. Below is a high-level summary of all the business areas within Arthritis UK where personal data is collected; what personal data is collected; how it is collected; why; and the lawful bases we rely on to collect it. 

Where special category data is collected, we undertake a DPIA for new processing. 

6.1 When we process your donations, card payments or invoices, or deal with your enquiries and complaints

Area in Arthritis UK: Finance

Personal data collected:

  • Name
  • Email (Optional)
  • Telephone (Optional)
  • Financial Information(Bank and card details)
  • Home Address

How is the data collected?

  • Forms (Supplier/expense claim documentation)
  • Telephone

Why is the data collected?

  • Card information is needed to process donations. Note: card payments are processed and managed by our fulfilment house, Allied Publishing Services (APS)
  • Invoices are processed to pay third parties i.e., insurance companies, suppliers etc. 
  • Bank details are stored for individuals on the Finance System, to enable payment of out-of-pocket expenses.  

Lawful basis relied on:

  1. Consent
  2. Legal Requirement
  3. Performance of a contract

Area in Arthritis UK: Supporter Care

Personal data collected:

  • Name
  • Email
  • Home Address
  • Telephone
  • Bank account information for direct debit/ standing order supporters

How is the data collected?

  • Forms
  • Contracts with third parties (E.g. APS)
  • Telephone
  • Email
  • Post

Why is the data collected?

  • Personal data is shared with third parties to process data on our behalf e.g., APS. 
  • Data is collected from supporters for donations, to generate income to fund Arthritis UK's services, research and provide support for the benefit of people with arthritis. 
  • To answer supporters' questions, address complaints, provide information, process product orders (including reviews), cross promote products and process any requests received from supporters.

Lawful Basis relied on:

  1. Consent
  2. Legal Requirement
  3. Performance of a contract
  4. Legitimate interest (when for marketing, post and telephone only). 
  5. Vital interest

6.2 When we carry out duties required under law and/or regulation

Area in Arthritis UK: Governance Assurance and Legal  

Personal data collected:

  • Name
  • Email
  • Home address
  • Telephone
  • Date of birth
  • Passport number
  • Country of residence
  • Nationality

How is the data collected?

  • Forms
  • Legal documents/consent
  • Insurance policy

Why is the data collected?

  • To send information to Arthritis UK’s board of trustees and/or Senior Leadership Team
  • Statutory requirements (i.e., to meet the terms of our Anti-Bribery Policy, or Conflict of Interest Policy). 
  • Serious incident investigations.
  • Legal investigations.

Lawful basis relied on:

  1. Consent
  2. Legal requirement

Area in Arthritis UK: Legacy

Personal data collected:

  • Name
  • Email
  • Home address
  • Telephone

How is the data collected?

  • Letters
  • Email
  • Telephone

Why is the data collected?

  • Data is collected so the legacy can be administered. 
  • To appoint third-party specialists to take receipt of the legacy. 

Lawful basis relied upon:

  1. Consent
  2. Legitimate interest
  3. Performance of a contract

Area of Arthritis UK: Facilities

Personal data collected:

  • Name
  • Email
  • Telephone
  • Home address

How is the data collected?

  • Landlord and tenant contracts
  • Supplier contracts (I.e., cleaners)
  • Health and safety accident log

Why is the data collected?

  • To effectively manage building arrangements (landlord and tenant).
  • To destroy confidential waste documents securely.
  • To maintain the Health & Safety log as per the Health and Safety Executive guidelines. 

Lawful basis relied on:

  1. Consent
  2. Legal requirement
  3. Performance of a contract

Area of Arthritis UK: Awards and procurement

Personal data collected:

  • Name
  • Address
  • Email
  • Telephone
  • Sex
  • Gender
  • Age
  • Ethnicity
  • Disability
  • Sexual orientation
  • Religion 
  • Marital status

How is the data collected?

  • Forms
  • Supplier contracts

Why is the data collected?

  • Awards team collects personal data to ensure there is effective governance and reduced risk when spending the charity’s money. 
  • To enrol successful applicants in our Fellows Network.
  • To promote equity and diversity in our applicant group
  • Procurement team processes personal data to support in the tender and procurement process, contract management, due diligence and Arthritis UKlue for money assessments.   

Lawful basis relied on:

  1. Consent
  2. Legitimate interest
  3. Performance of a contract

6.3 When we process data in surveys and/or online forms. 

Area of Arthritis UK: Information and communications technology

Data collected:

  • Name
  • Email
  • Home address
  • Telephone

How is the data collected?

  • Forms

Why is the data collected?

  • Website gathered information needed for Arthritis UKrious reasons.
  • Personal data is needed for destruction of laptops when an employee leaves Arthritis UK.
  • Home address needed to send equipment to homes (shared with couriers) for flexible working. 

Lawful basis relied on:

  1. Consent
  2. Legitimate interest

Area of Arthritis UK: Improvement and impact

Data collected:

  • Age
  • Gender
  • Location (first half of the postcode)
  • Ethnicity
  • Health data

How is the data collected?

  • Survey data (external facing)
  • Survey data (internal facing)
  • Smart survey

Why the data is collected?

  • To assess the groups of individuals that Arthritis UK impacts and how Arthritis UK can improve its services based on the information collected. 

Lawful basis relied on:

  1. Consent

6.4 When we collect and share your stories, create website content and/or communications to enhance engagement with our charity.

Area of Arthritis UK: Creative and content

Data collected:

  • Name
  • Age
  • Email
  • Telephone
  • Health data
  • Photo
  • Video/audio

How is the data collected?

  • Photo and video consent forms
  • Stories usage consent (for print, web, social, media/PR purposes).

Why is the data collected?

  • Personal data in stories, photographs, and videos are used widely across the organisation and social channels so people with arthritis can share their experiences.

Lawful basis relied on:

  1. Consent

Area of Arthritis UK: Strategic communications

Data collected:

  • Name
  • Email

How is the data collected?

  • Forms

Why is the data collected?

  • To manage content on websites regarding email newsletter sign-up  
  • Strategic email communications are sent to enhance engagement with the charity and raise awareness of arthritis, through monthly e-newsletters.
  • To build a campaign landing page for teams. 

Lawful basis relied on:

  1. Consent

6.5 When we process data to build relationships with individuals, groups and decision makers, that help us generate income and influence decisions to support people with arthritis. 

Area of Arthritis UK: Strategic Partnerships

Data Collected:

  • Name
  • Email
  • Home address
  • Telephone
  • Financial information
  • Family details
  • Work details

How is the data collected?

  • Forms
  • Desk Research for due diligence 
  • Public data sources such as 192.com 
  • Payroll giving agencies 

Why is the data collected?

  • Data is collected to build relationships with high-net-worth individuals; mid Arthritis UKlue donors and payroll givers
  • Personalised journeys are developed, which increase loyalty through engagement, donations and relationship building. 
  • To develop giving programmes
  • To steward existing major donors
  • To qualify whether to accept or reject a donation 
  • For research. 

Lawful basis relied on:

  1. Consent
  2. Legitimate interest

Area of Arthritis UK: Mass engagement and fundraising

Data collected:

  • Name
  • Ethnicity
  • Title
  • Age
  • Email
  • Telephone
  • Postal address

How the data is collected?

  • Forms 
  • Surveys
  • Letters
  • Emails
  • Telephone

Why the data is collected?

  • Data is collected to build relationships with individuals
  • To ensure we create a personalised supporter journey to increase engagement and loyalty, which ultimately drives income and ensures charitable sustainability. 

Lawful basis relied on:

  1. Consent
  2. Legitimate interest

Area of Arthritis UK: Policy, Public Affairs and Campaigns 

Data Collected:

  • Name
  • Email 
  • Telephone
  • Postal address
  • Health data
  • Age

How the data is collected?

  • Forms
  • Survey
  • Email
  • Via third parties

Why the data is collected?

  • We collect data to build relationships with individuals.
  • To ensure we create a personalised supporter journey to increase engagement and loyalty, which helps drive action and policy/political change.
  • To influence decision makers across the UK.

Lawful basis relied on:

  1. Consent
  2. Legitimate interest 

6.6 When we process data related to services that we provide to support people with arthritis.

Area of Arthritis UK: UK delivery

Data collected:

  • Name
  • Postal address
  • Email
  • Telephone
  • Gender
  • Emergency contacts
  • Nationality
  • Criminal records (volunteers only)
  • Health data
  • Ethnic origin
  • Date of birth

How the data is collected?

  • MS forms
  • Surveys in person and transferred onto online MS form

Why the data is collected?

  • Dedicated staff and service volunteers require personal data to manage services and support activities for people with arthritis/beneficiaries across all 4 nations of the UK.
  • To understand the conditions of the people we support and the reach and diversity. 

Lawful basis relied on:

  1. Consent

Area of Arthritis UK: Young people and families

Data collected:

  • Name
  • Email
  • Postal address
  • Telephone
  • Gender
  • Emergency contacts
  • Nationality
  • Criminal record (Volunteers and staff only)
  • Medical data
  • Ethnic origin
  • Photo 
  • Video/audio
  • Sexual orientation
  • Religion

How the data is collected?

  • Service referral form
  • Service sign-up form 
  • 1-2-1 support
  • Meetings/other assessments 
  • Surveys 
  • Project work 
  • Event sign up forms 
  • Youth voice groups 

Why the data is collected?

  • Arthritis UK offers young-person-centred, holistic, accessible one-to-one support, empowering young people to live well with their arthritis and reach their potential – now and into their adult lives. 
  • Volunteer personal data is needed to recruit volunteers so they can get involved. 
  • To facilitate youth activities, provide peer support, workshops, residential weekends, and family events.
  • Allow effective volunteer management.  
  • To conduct volunteer engagement surveys. 
  • To ensure mandatory training is completed. 
  • To send out resources and event packs to postal addresses. 
  • To understand the needs and experiences of young people living with arthritis and their families.
  • To improve our services, advocate for young peoples’ needs better and undertake awareness-raising activities.
  • Personal data is passed onto external providers e.g., caterers for health and safety reasons.  
  • To safeguard young people when they participate in activities. 

Lawful basis relied on:

  1. Consent

Area of Arthritis UK: Health Development

Data collected:

  • Name
  • Email
  • Workplace postcode
  • Profession
  • Areas of interest
  • Accessibility requirements (for events purpose only)

How the data is collected?

  • Professional Network online form. 
  • Event registration forms
  • By conference organisers.

Why the data is collected?

  • To help healthcare and workplace professionals to care for and support people with arthritis. 
  • To share the most up-to-date evidence based best practice with our networks and use information and insight gathered from external stakeholders, to influence health and workplace environments and inform Health Development. 
  • To build a well-informed community that shares good practice, educates healthcare and workplace professionals; and inspires leaders to influence healthcare and workplace environments.               
  • Accessibility requirements are collected to ensure participants’ needs are met in the delivery of face-to-face events. 

Lawful basis relied on:

  1. Consent
  2. Legitimate interest

Area of Arthritis UK: Support services

Data collected:

  • Name
  • Email
  • Postal Address 
  • Telephone
  • Date of birth/year of birth
  • Gender
  • Health data

How the data is collected?

  • Telephone
  • Emails
  • Letters
  • Forms
  • Helpline CRM
  • Supplier contracts
  • Arthritis UKnilla platform
  • AArthritis UK chatbot
  • Tracker app

Why the data is collected?

  • Personal data is shared with third parties to process data on our behalf.
  • Data is collected from service users to respond and assist them with their enquiries, allowing us to offer a relationship management approach.
  • To conduct eArthritis UKluation surveys 
  • To record calls 
  • To book Helpline calls
  • To grant access to the Online Community
  • To create an account on the Tracker App

Lawful basis relied on:

  1. Consent
  2. Legal requirement
  3. Performance of a contract
  4. Legitimate interest
  5. Vital interest

6.7 When we process data related to all our people, including our staff, volunteers, and contractors. 

Area of Arthritis UK: Data and systems

Data collected:

  • Name 
  • Email
  • Title
  • Age

How the data is collected?

  • Website
  • Email

Why is the data collected?

  • Website and email data is used to improve our supporter experience and website performance.
  • Supporter data is used to report on performance and analysis, so that the supporter experience can be improved and tailored.
  • Data is collected from interactions with Arthritis UK to build supporter profiles and section supporters into groups, so that communication and experience can be tailored to assumed requirements. For example, to inform likelihood to donate or engage with Arthritis UK’s products.
  • Data is stored in back up and archive systems to preserve the integrity of Arthritis UK’s ICT systems in the event of an incident.

Lawful basis relied on:

  1. Legitimate interest
  2. Consent

Area of Arthritis UK: Volunteers

Data collected: 

  • Name
  • Email
  • Telephone
  • Gender- Preferred pronouns
  • Emergency contacts
  • Criminal record
  • Medical data 
  • Age

How the data is collected?

  • Application form
  • Passport/driving license
  • Interviews
  • Meetings/other assessments
  • References supplied by former employers  
  • Surveys 

Why the data is collected?

  • Volunteers play a crucial role in the delivery of Arthritis UK's strategic goals, and are involved in many areas of its work, including governance, involvement, research, campaigning, service delivery, support networks, fundraising and online communities. 
  • Volunteer personal data is needed to recruit volunteers so they can support us with our strategic goals and get involved. 
  • Criminal record checks are conducted to ensure individuals are permitted to undertake the role in question.
  • To allow for effective volunteer management. 
  • To conduct volunteer engagement surveys. 
  • To ensure mandatory training is completed by volunteers. 

Lawful basis relied on:

  1. Consent

Area of Arthritis UK: People involved in research / Research Partners 

Data collected:

  • Name
  • Address
  • Age
  • Gender
  • Ethnicity
  • Health data
  • Email
  • Telephone
  • Sex
  • Disability

How the data is collected?

  • Forms
  • Surveys

Why the data is collected?

  • People involved with research and our research partners play a crucial role in the delivery of Arthritis UK's strategic goals, and are involved in many areas of its work, including governance, involvement, research, campaigning, service delivery, support networks, fundraising and online communities.  
  • Personal data is needed to recruit people so they can support us with our strategic goals and get involved in our research. 
  • To maintain and promote equality and diversity in our Research Partners group.

Lawful basis relied on:

  1. Consent

Area of Arthritis UK: People and culture

Data Collected:

  • Name
  • Email
  • Home Address
  • Telephone
  • Financial Information E.G., court orders/ student loans
  • Date of birth
  • Gender
  • Emergency contacts
  • Nationality
  • Criminal record
  • Health data
  • Ethnic origin
  • Sexual orientation
  • Religion
  • Marital status
  • Bank details
  • National insurance number
  • Identification document
  • Right to work documents
  • Life cover beneficiary details  

How the data is collected?

  • Application form
  • CV
  • Copy of passport/driving license
  • Interview notes
  • Meetings/other assessments
  • References supplied by former employers  
  • Fit Note / Medical Cert
  • Occupational Health / GP / Consultant letter 
  • P46/P60 from previous employer 

Why the data is collected?

  • To manage the employment relationship.  
  • To enter into an employment contract and meet Arthritis UK’s obligations under the employment contract. For example, Arthritis UK needs to process data to pay a person in accordance with the employment contract and to administer benefits, pensions and insurance entitlements. 
  • Check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws, to enable employees to take periods of leave to which they are entitled, and to consult with employee representatives if redundancies are proposed or a business transfer is to take place.  
  • Criminal record checks to ensure that individuals are permitted to undertake the role in question.  
  • To maintain accurate and up-to-date employment records and contact details. 
  • Operate and keep a record of disciplinary and grieArthritis UKnce processes. 
  • To ensure acceptable conduct within the workplace. 
  • Ensure employees are complying with releArthritis UKnt policies and procedures. 
  • To keep a record of employee performance and related processes. 
  • To plan for career development, and for succession planning and workforce management purposes. 
  • Operate and keep a record of absence and absence management procedures. 
  • To allow effective workforce management and ensure that employees are receiving pay or other benefits to which they are entitled. 
  • To obtain occupational health advice and ensure that it complies with duties in relation to individuals with disabilities. 
  • Ensure that employees are receiving the pay or other benefits to which they are entitled.
  • To keep a record of other types of leave (including maternity, paternity, adoption, parental leave, shared parental leave, and parental bereavement leave). 
  • Allow effective workforce management. 
  • To ensure that the organisation complies with duties in relation to leave entitlement. 
  • Ensure effective general HR and business administration. 
  • Conduct employee engagement surveys. 
  • Provide references on request for current or former employees. 
  • Respond to and defend against legal claims and enforce its legal rights. 
  • Maintain and promote equality in the workplace. 
  • To make reasonable adjustments for medical conditions. 

Lawful basis relied on:

  1. Consent
  2. Legal requirement
  3. Vital interest (in case of an emergency) 
  4. Legitimate interest (Arthritis UK retains emergency contact info in case of an emergency)  
  5. Performance of a Contract i.e., employment contract. 

7. How long we keep your personal data

Our standard data retention policy is to keep your personal information for up to 12 years. Data protection law requires us to keep personal data for no longer than we need it so the exact length of time we keep personal data depends on the nature of it.

Our retention schedule for keeping personal data may depend on legal requirements and in other cases it may depend on what we deem necessary to keep in accordance with our best practice guidelines.

8. Disclosure to third parties

We will never sell your personal information. However, to ensure we provide you with the best service, we make use of external expertise where appropriate. This involves us sharing personal data with the following service providers:

  • Organisations who work on our behalf.
  • Organisations we partner with to improve the services we deliver.
  • Our processors who act solely on our instructions e.g., we use a processor to process donations on behalf of Arthritis UK.
  • Our fulfilment companies that fulfil an order you have placed with us.

We may also occasionally be required to share your personal data with law enforcement, public authorities, regulators and/or our professional advisers. We will only do this where we have a clear lawful basis for doing so.

There are some instances where we are obligated to disclose personal data, for example, under safeguarding law. We have a safeguarding policy about this and the safeguarding page on our website also has further details, here: https://www.arthritis-uk.org/about-us/our-policies/safeguarding-commitment/ 

9. Our website 

Arthritis UK’s website uses cookies (and similar technologies such as tags) to distinguish you from other users of our website, to provide you with a good experience when you are browsing, and to target our advertising so we can improve our site.

When you first visit our website, we will ask for consent to set any cookies (and to process any personal data collected by these cookies) and you will be able to set your preferences at this stage. Where cookies are strictly necessary, we consider that we have a legitimate interest in processing the personal data they collect, as having a working website is vital to our work.

You can withdraw your consent by clearing cookies from the cache in your device and rejecting them next time you visit our website.

For more information about our use of cookies and tags, please see our Cookie Policy on our website.

10. Our online shop 

When you order via our online shop and use a debit or credit card, the transaction will be processed securely in line with PCI DSS standards, by either us or our contracted suppliers. All credit and debit card details are securely destroyed once the payment or donation has been processed.

11. Our contact information

If you have any queries about your personal data, or you wish to exercise your rights under data protection law, please email our Data Protection Officer at: dpo@arthritis-uk.org.

If you have any general queries, our postal address and general contact information is on our website here: Contact us | Contact us by phone, email or post. (arthritis-uk.org)

If you have any queries about arthritis, or you just need someone to listen to you, you can chat to our advisors on our helpline number here: 0800 5200 520.

If you have a complaint to make, please visit the Complaints page on our website here: Making a complaint | Arthritis UK.

12. Changes to our privacy notice 

We will regularly review this privacy notice. Any significant changes will be clearly communicated on our website on a change log, or we may directly contact you about the changes if we already hold your data and if the changes affect you directly.