Important information on how Changing Faces may use your data

Privacy Statement

This Privacy Statement summarises, and forms part of, our Data Protection and Privacy Policy which immediately follows it.

Changing Faces is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website or communicating with us by phone, email or in person, then you can be assured that it will only be used in accordance with this Privacy Statement.

For the purposes of this Privacy Statement and our full Data Protection and Privacy Policy:

  • ‘Processing data’ means obtaining, recording or holding information, or carrying out an action such as organising, disclosing or destroying personal data.
  • ‘Direct marketing’ means the communication of any advertising or marketing material which is directed to particular individuals.
  • ‘Administration’ means the processing of data which excludes any element of direct marketing. For example, sending a thank-you letter to acknowledge a donation.

We collect information about:

  • Visitors to our website and owned social-media channels (eg Changing Faces Facebook page, Twitter and Instagram)
  • Our supporters (including our past and present donors, event participants, individuals giving non-financial assistance), prospective supporters and beneficiaries and members of the public who make contact with us, including those who share their personal stories with us
  • Complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry.

We collect:

  • Personal data. For example, names, dates of birth, email addresses and postal addresses.
  •  Non-personal data. An example is the web pages accessed on a computer: we collect this information so that we can show users the information they have recently read, and improve their user experience.
  • Sensitive or special category data – If you contact us in order to seek support from our services, we may collect certain information defined in law as sensitive or special category data. For example, information about your physical or mental health or condition.

We collect information that we need to, or that we believe would be useful to provide our services, products and information. These purposes comprise:

  • Fundraising for Changing Faces
  • Fulfilling Changing Faces legal obligations
  • Administration
  • Marketing
  • Supplying information, advice and support services

Where we ask you to provide us with any information by which you can be identified, you can be assured that it will only be used in accordance with this privacy statement, and in line with data protection legislation, including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2018.

We seek your consent if consent is necessary. To assess whether consent is necessary we carry out a balancing exercise between your rights and expectations, and our legitimate interests to carry out the data processing activity, consistent with the law.

We will never sell your data to any individual or organisation.

We will only pass on your information:

  • If we are legally required to do so, or
  • To a third party which is acting on our behalf to fulfil a service that we provide

We keep the information we hold about you accurate and up-to-date so far as we are able.

We follow the Code of Fundraising Practice for the UK, issued by the Fundraising Regulator, to ensure that we treat all donors, including vulnerable donors, fairly.

If you ask us to remove your personal information from our records, we will make efforts to ensure we have identified the correct record on our system, and we will review the data to ensure that we are not required to hold it for legal reasons. If, once these actions have been taken, we determine that we have no legal obligation to keep your data, we will retain your key details – i.e. your name, home address and email address – on a suppression list to make sure that we do not contact you again, and we will destroy all other information we hold about you (if we were to remove your details completely we would have no record of your wishes, and therefore someone from Changing Faces might inadvertently contact you again.) The only exception to this will be if we are required to keep a record of your gifts for Gift Aid and financial audit purposes, in which case we will anonymise your record and retain the relevant data in a locked note which can only be accessed by a relevant employee.

We use a secure server to host all areas of our website which collect personal information.

We use cookies to help us track the success of our online advertising and to monitor the use of our website.

This statement is effective from May 2018. Any changes we make to our privacy statement and Data Protection and Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail.

Changing Faces Data Protection and Privacy Policy


This data protection and privacy policy sets out how Changing Faces uses and protects any information that you give Changing Faces when you use this website, our social media pages on Facebook, Twitter, LinkedIn or Instagram, or communicate with us in the course of our normal activities.

1. Who we are and what we do

Changing Faces is the UK’s leading charity for everyone who has a medical condition, mark or scar that makes them look different.

We provide advice and support through our expert psycho-social and skin camouflage services in local communities across the UK. We help build people’s confidence to live their life on their terms. And we challenge prejudice, respect differences and speak to a world that needs to change.

Changing Faces is registered as a charity in England and Wales (registered charity number 1011222), and in Scotland (registered charity number SCO39725) and is the data controller for data protection purposes.

2. Data protection regulations

In carrying out our day-to-day activities we process and store personal information relating to our supporters and we adhere to the requirements of the Data Protection Act 2-2018 (DPA) and the General Data Protection Regulation (GDPR).

We take our responsibilities under data protection legislation seriously and we ensure the personal information we obtain is held, used, transferred and otherwise processed in accordance with those regulations and all other applicable data protection laws and regulations including, but not limited to, the Privacy and Electronic Communication Regulations.

3. What personal information do we collect?

Personal information is information that can be used to identify you. It may include your:

  • Name
  • Date of birth
  • Email address
  • Postal address
  • Bank account details
  • Job title and employer
  • Mobile and landline telephone numbers
  • Gender
  • Marital status
  • Experiences of visible difference, if you share these with us, and
  • The reason you give us for supporting Changing Faces.

It may also include:

  • Details of any opt-in and opt-out preferences you have communicated to us
  • Whether or not you are a UK tax-payer (so that we know whether or not we can claim Gift Aid)
  • Details of any gifts you have given to Changing Faces
  • Details of any Changing Faces events you have participated in
  • Notes relating to our relationship with you. Examples of this could be:
    • Correspondence between you and Changing Faces
    • Connections between you and other individuals or organisations known to Changing Faces, and
    • Data gathered through prospect research (see Paragraph 14).

These lists are not comprehensive, but they are intended to give an indication of the sort of information we collect.

We collect this personal information about you when you ask about our activities, register with us (for example, signing up to receive information), make a donation to us, register for an event, engage with our social media or message boards, order products and services (such as publications and email newsletters), otherwise give us personal information, or become known to us as someone who might consider connecting with Changing Faces in some way.

4. Sensitive/special category data

If you contact us in order to seek support from our services, we may collect the following additional information, defined in law as sensitive data or special category data. Sensitive or special category data is a type of personal data, but potentially, if made available, could leave the individual it relates to vulnerable to discrimination or harassment. GDPR protects personal information as a whole but adds extra focus to sensitive information because of possible impact to a person’s livelihood, quality of life, and ability to participate in daily activities.

Special category data, as defined by the GDPR, comprises:

  • Physical or mental health or condition
  • genetics and biometrics
  • Sexual life or sexual orientation
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • The commission or alleged commission by the data subject of any offence, or any proceedings for any offence that are ongoing.
  • We will only collect any such data with your explicit consent.

5. Non personal data

If you do nothing other than read pages or download information from our website, we may gather information about this use, such as which pages are most visited and which events or activities are of most interest. This information can be used to help us improve our website and services and ensure we provide you with the best service. The information we use for this purpose is aggregated or anonymised, i.e. it will not identify you as an individual visitor to our website.

In recording this information, we apply all the usual data protection principles outlined in this policy, so people sharing this information can feel confident that this information will not be used or stored inappropriately, and they retain the right to access this information or to request its removal at any time.

If you use your credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that we manage this securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Click on PCI DSS to find out more about card payment security.

We do not store your financial information for longer than we need to.

6. How do we use the information we process?

These are examples of how we may collect and use your personal information:

To provide services, products or information you have requested. For example:

  • The processing of any donation(s) we may receive from you
  • To ask you to help us raise money, donate money to our charity or provide non-financial assistance (but always in accordance with your marketing preferences)
  • The provision of information about our work or our activities, that you have asked to receive
  • To send you items you have requested by telephone or via our website
  • To analyse and improve the services we offer
  • To provide tailored or general advice and support to you on your condition and treatment

For administration purposes. For example:

  • We may contact you about a donation you have made or an event you have expressed an interest in or registered for
  • We may send you information about a race or other event you are a participant in
  • For internal record-keeping, such as the management of feedback or complaints
  • To record website traffic or to personalise the way our information is presented to you.

For legal purposes. For example:

  • Where the processing is required or authorised by law
  • For the purposes of credit risk reduction or fraud prevention (regrettably some people target charities for illegal purposes such as money laundering, and we are therefore required to monitor financial activity and report suspected fraud to the appropriate authorities).

For fundraising purposes. For example, if you are a fundraiser:

  • We advise you on setting up a fundraising page
  • We offer you fundraising materials to help you with your fundraising
  • We advise you on the best ways to fundraise
  • We make you aware of your obligations, where Changing Faces has purchased your fundraising place.

For marketing purposes. For example:

  • We may supplement or add to the information we hold about you with information that is available through, or we receive from, other sources, eg public registers, or third-party information services. This allows us to send you the most relevant information and promote those fundraising opportunities that we believe you are most likely to be interested in.
  • We may contact you by mail, email, phone, text or social messaging; in some cases, this will require getting your consent.
  • If you share a personal story with us via our website or social media channels we may invite you to consent to future communications from us and to sharing your story more widely. Sometimes Changing Faces is invited by journalists to contribute to news stories relating to our cause, and in this situation we may invite you to participate or to allow us to use your story for these purposes.
  • We may use the information for prospect research purposes. Prospect research means gathering and reviewing freely given, publicly available data (from sources such as news articles, Charity Commission, Companies House) to identify individuals and organisations who may have the capacity and inclination to give a donation to Changing Faces. Gathering such data helps us to approach potential donors in the right way, and avoid excessive and inappropriate approaches.

For some data processing activities, including marketing and fundraising, we require your consent to contact you. We may also contact you if we believe there is a legitimate interest in doing so. A legitimate interest is when we believe it is to your benefit to receive a piece of information, it has minimal privacy impact and does not compromise your rights or freedoms. However, if you have specifically told us you do not wish to receive any communications from us we will not process your data on a legitimate interest basis.

There are some occasions when we do not require your consent to process your data, such as for legal purposes or for many administrative purposes, but in some cases we do need your consent to use your data for data processing, including direct-marketing purposes.

If you have asked us not to use your information for marketing purposes we will retain your name, home address and email address on a suppression list to ensure we do not continue to contact you.

The use of your information for the purposes set out above is lawful because one or more of the following applies:

  • Where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
  • It is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to prior to entering into a contract.
  • It is necessary to comply with our legal obligations.
  • Where the purpose of our processing is for the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, would presume that there is no prejudice to you in our fulfilling your request.
  • Other possible options include processing necessary to protect the vital interests of the individual concerned or other individuals and processing necessary for a task carried out in the public interest or in the exercise of official authority vested in the charity.

8. Your marketing preferences

We will use the following statement to invite you to express your preference for how you would like us to retain contact with you:

Are you happy for Changing Faces to contact you with regards to news and information about the charity?

  • By email: Yes / No
  • By post: Yes / No
  • By telephone: Yes/ No
  • By SMS: Yes/ No

Are you happy for Changing Faces to contact you about fundraising?

  • By email: Yes / No
  • By post: Yes / No
  • By telephone: Yes/ No
  • By SMS: Yes/ No

In this way we give you the opportunity to opt in to further communications with us, and to express your preferred method of communication. If you have opted in to further communications we will automatically invite you to update this option every two years; or at any appropriate earlier time that is required.

9. The accuracy of your information

Our aim is for all information that we hold about you to be accurate and, where necessary, kept up-to-date. If any of the information we hold about you is inaccurate and either you advise us of this or we become aware in another way of its inaccuracy, we will ensure it is updated as soon as possible.

10. Information-sharing and disclosure

We will not sell your information to any third party.

We may share your information with our data processors. Our data processors are organisations carrying out services for Changing Faces such as sending out mass emails or materials, subject to your communication preferences and our internal policies and procedures. We have contracts in place with all third parties to ensure they are obligated to treat our customers’ personal data in compliance with the General Data Protection Regulation 2018.

We may also disclose your personal information to third parties if we are required to do so by a legal obligation (for example to the Police or a Government body); or to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.

We may share data relating to specific health conditions or lifestyle issues, but we will only ever do this in an anonymised, aggregated manner.

Other than this, we will not share your information with other organisations without your consent.

Many of our supporters who participate in events to raise funds for Changing Faces set up a personal page on a specialist fundraising platforms (JustGiving or Virgin Money Giving) designed to help individuals and charities raise money and maximise the use of Gift Aid. Personal data provided by Changing Faces supporters for this purpose to JustGiving and Virgin Money Giving is passed to us. We store this information in our database and use it to communicate with our supporters about their fundraising activities.

11. Children

We ensure that when processing children’s data we comply fully with the existing protection and safeguarding legislation. Children are able to exercise their own data rights as soon as they have capacity and understanding, which is ordinarily assumed around the age of 12. Any younger person aged under 16 who would like to engage with us, and whose personal data we need for that purpose, must also have a parent / guardian’s permission to do so before giving us those details.

12. Vulnerable people

We recognise the importance of protecting our vulnerable supporters and we follow the Code of Fundraising Practice in the UK issued by the Fundraising Regulator. We believe this helps to support our staff who come into contact with supporters to provide high quality supporter care, ensuring anyone donating to the Charity is in a position to make a free and informed decision. If an individual appears vulnerable we will offer them a cooling-off period, or more time before taking a donation. If we believe the individual lacks the mental capacity to make a decision we do not take a donation.

13. Storing your information

For financial and technical reasons we may, on occasion, need to use the services of a supplier outside the European Economic Area (EEA). Data may need to be transferred and stored outside the EEA, including in the USA where it will be held in full compliance with General Data Protection Regulation (GDPR) 2018, ensuring security of information equal to that required by the UK and throughout the EEA. We do this by ensuring that any third parties processing your data outside the EEA either benefits from an adequacy determination for GDPR purposes and/or, where appropriate, we have entered into a Data Processing Agreement which contains model EU clauses.

Your record will be deleted if we have had no contact or interaction with you over a period of seven years, and you have opted out of communications. This retention period has been determined with consideration for our legal obligations and tax and accounting rules, and we reserve the right to change it to reflect subsequent changes in those rules and obligations.

14. Our website and social media

By using our website, social media pages, entering a competition or providing your information you consent to our collection and use of the information you provide in the ways set out in this policy.

For all areas of our website which collect personal and financial information, we use a secure server. We take great care to ensure that our websites operate at the highest security levels and that our suppliers are committed to best practice in digital security. All personal information and financial data is encrypted in transmission.

However, the security of data transmission via the internet can never be 100% guaranteed, and data transmission is at your own risk.

15. Cookies

Our website uses cookies to help it work well and to track information about how people are using them.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

Third party cookies

Some of the services on our websites, such as videos from Youtube and sharing functions from Facebook, Twitter or LinkedIn, may also place cookies on your computer. We do not take responsibility for third party cookies.

Can I refuse cookies?

Yes, you can use your browser settings to disable cookies. Different browsers offer different levels of control – for example you may be able to accept certain cookies and reject others, such as third party cookies.

If you refuse cookies please be aware our websites may not work smoothly for you and there will be certain parts that won’t function correctly.

You can delete the cookies stored on your computer at any time.

More information

For further information about cookies, you can visit

For a full list of the cookies we use and what they do, please email

16. Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

17. Updating our policy

This policy was last updated 10th September 2018. Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.

18. Responsibilities

All employees and volunteers who process data are responsible for complying fully with this Data Protection and Privacy Policy. We ensure that appropriate and up-to-date training and knowledge is shared across the organisation in order that we fully comply with our responsibilities to keeping your data safe and secure.

Self-employed contractors and volunteers are notified of their responsibilities when they begin delivering services to or volunteering with Changing Faces.

19. Your rights

You have the right to request:

  • details of the processing activities that we carry out with your personal information through making a Subject Access Request;
  • rectification of information that is inaccurate or out of date;
  • erasure of your information (known as the “right to be forgotten”);
  • restriction of the way in which we are dealing with and using your information; and
  • request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
  • rights in relation to automated decision making and profiling including profiling for marketing purposes.

If you would like a copy of some or all of your personal information, please make a request to our Data Protection Lead using the details provided below. We will provide this information to you without charge, unless requests are manifestly unfounded, repetitive or excessive, in which case we are entitled to charge a reasonable administration fee.

If you believe we are not respecting your rights, you are entitled to make a complaint to the Information Commissioner’s Office. Further details about how to complain can be found here.

20. Queries

If you have any questions or queries about this Privacy and Data Protection Statement, or if you would like to request a copy of the information we hold about you, please contact the Data Protection Lead at the address and contact details below:

Data Protection Lead
The Squire Centre
33-37 University Street
London WC1E 6JN

0345 450 0275