Introduction
Cerebrospinal Fluid Leak Association (CSF Leak Association) is a registered charity (Charity Number: SC046319) in the UK, working to improve understanding and treatment of cerebrospinal fluid (CSF) leaks and associated conditions, such as intracranial hypotension.
We are registered as a data controller with the Information Commissioner’s Office (registration number: ZB804603).
When we process your personal data, we are considered to be the data controller for your personal data. This means that we determine why and how we use it and are responsible for protecting it. When we process your personal data, we must comply with the rules set out in the Data Protection Legislation (the Data Protection Act 2018, the UK General Data Protection Regulation – UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 - PECR).
We understand how important your personal data is and we will only process it when we have a lawful reason to do so, when it is necessary and in accordance with the Data Protection Legislation. This Privacy Policy explains how and why we use the information we collect about you; how your personal information will be processed, stored and used; and information about your information rights and how to access them.
What is personal data?
Personal data means any identified or identifiable information that relates to or is about you. This could be your name, contact details, a username, or an IP address. This can be information that can directly identify you or information that can indirectly identify you, such as when it is combined with other information.
Some personal data is considered to be sensitive; this is called ‘special categories of personal data’ and includes information relating to your health or sexual orientation, for example. We must comply with additional requirements when processing this type of data and ensure that we process it securely.
What personal data do we collect?
The personal data that we collect and process about you will vary depending on the relationship that we have with you or how you are interacting with us. Schedule 1 outlines what personal data we process about you according to our identified purposes for processing it.
How do we obtain your personal data?
In most cases, we will collect your personal data directly from you, for example when you visit our website, fill out a form, or provide personal data by email or through our social media channels.
Which lawful grounds do we have to process your personal data?
When we process personal data, we must have a lawful basis (lawful grounds) to do so. There are six lawful grounds under which we can process personal data, and the basis we rely on will depend on the reasons why we need to process it and your relationship with us.
The lawful grounds that we use for processing your personal data are outlined in Schedule 1 to this Privacy Policy.
Why do we process your personal data?
The reasons why we process your personal data will vary depending on why we are interacting with you or the services that we are offering. The purposes for processing your personal data are outlined in Schedule 1 to this Privacy Policy.
There may be some circumstances where we need to process your personal data for reasons not set out in this Privacy Policy. For example, when we are required to by law (such as when it is necessary to comply with a legal obligation or a Court Order) or need to share information for the purposes of the prevention or detection of crime. When this is the case, we will only do so when it is necessary and when it is lawful under the Data Protection Legislation.
Special Category Data
We process special category data (sensitive personal data) in specific circumstances, including:
Health Information:
- When you provide medical information as part of your membership
- When you share your CSF leak experience through member stories
Legal Basis for Processing Special Category Data:
We rely on the following conditions under Article 9 of the UK GDPR:
- Explicit consent (for member stories and research participation)
- Substantial public interest
- Research and statistical purposes
How long do we keep your personal data?
We will only keep your personal data for as long as is necessary for the purposes that we have outlined, or for as long as is necessary by law. After this time, we will either anonymise it so that it can no longer identify you or securely destroy or delete it.
Please contact us if you would like to know more about how long we process your personal data for.
Consent
Where we are processing your personal data with your consent, or with your explicit consent for special categories of personal data, you have the right to withdraw that consent at any time. When you withdraw your consent, it will not affect the lawfulness of the processing before you withdrew the consent.
We will take measures to stop processing your personal data as soon as we can. However, there may be a short delay while we put these in place. For example, you may still receive communications from us until we have amended our records. We will aim to stop processing your personal data within one month of you withdrawing your consent.
You can withdraw your consent at any time by contacting us with the contact information in this policy.
Are you required to provide us with information?
You are not required under law or contract to provide us with, or share with us, any personal data. However, if we were unable to process your personal data, we would be unable to provide you with a service or facilitate you volunteering with us.
Who do we share your personal data with?
We will never sell your personal data to any other organisation or use it in ways that are beyond your reasonable expectations, or in ways we haven’t told you about.
We may use data processors who provide services to us such as IT infrastructure, data storage or for processing payments. When we use a data processor, we will have a contract in place with them, or their terms and conditions will outline that they can only process your personal data in accordance with our instructions and that they provide sufficient guarantees that they secure your personal data to a high standard and they comply with the requirements set out in the data protection legislation.
Some data processors we use are:
Organisation | Services |
Microsoft | IT Services |
Monday CRM | Customer Relationship Management Services |
Postmark | Email delivery services |
Mailchimp | Email delivery services |
Stripe | Administration of payments |
WebDNA | Website Services |
Spreadshop | Online Store |
There may be other circumstances where we need to share your personal data with other organisations, such as law enforcement, when we have a legal obligation to do so, such as a court order. If we need to do this, we will only do so when it is necessary, lawful and in accordance with the data protection legislation.
If we believe that there is an immediate risk to your life or safety, we may share information with relevant authorities for safeguarding purposes or to protect your vital interests. We will always consider whether we can obtain your consent to do this, though we may need to rely on other lawful grounds such as vital interests for sharing this information if we cannot obtain that consent or you are incapable of providing consent.
Automated decision making and profiling
The CSF Leak Association does not make any automated decisions about you using your personal data that would have legal or similarly significant effects on you.
Do we process your personal data in other countries?
Generally we process your personal data in the United Kingdom (UK) or European Economic Area (EEA).
We may use data processors who provide us with email, payment services or other IT infrastructure that store your personal data outside of the UK or European Economic Area. When this is the case, they will be contractually obliged to protect your personal data to the high standards of the UK data protection legislation.
When your personal data is processed outside of the UK or EEA, we rely on the following mechanisms to ensure that there are appropriate safeguards in place to protect it and to ensure that you have enforceable information rights:
- The transfer is based on an adequacy regulation – This is where the UK has decided that the data protection laws in a country provide for equivalent protections (this is the case with the EEA, and under the UK extension to the EU-US Data Privacy Framework); or
- The transfer is based on ‘standard contractual clauses’ - This is where there are contractual obligations in place to provide for appropriate safeguards and enforceable rights. This will generally be achieved by implementing the Information Commissioner’s Office International Data Transfer Agreements (IDTAs) or International Data Transfer Addendums.
Social Media and Third-Party Platforms
We maintain presence on social media platforms including:
- X
- BlueSky
When you interact with us on social media:
- These platforms may collect your data independently
- Their privacy policies will apply to your interactions
- We may receive aggregated analytics about our social media presence
- We may use social media messaging for communications if you contact us through these platforms
We encourage you to review the privacy policies of any social media platforms you use to interact with us.
How we protect your personal data
When we process your personal data, we must comply with the data protection principles under the UK GDPR. This includes the responsibility to implement appropriate organisational and technical measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your personal data.
We do this by implementing security measures such as our data protection policy and processes; training for mentors; information security and cyber security measures such as firewalls; controlling access to our systems such as password protection and encryption; and only sharing your personal data by secure means.
We also have policies and procedures in place to deal with personal data breaches to ensure that we can effectively deal with any risks posed and can comply with our notification obligations under the UK GDPR.
Your information rights
The Data Protection Legislation gives you rights over your personal data and we will always help you to exercise these; the information rights are:
Right of access | This gives you the right to a copy of the personal data that we are processing about you. |
Right to rectification | This gives you the right to have inaccurate personal data about you corrected or incomplete personal data completed. |
Right to erasure (right to be forgotten) | This gives you the right to have the personal data about you deleted or erased in some circumstances. |
Right to restriction of processing | This gives you the right to ask us to stop processing your personal data in certain ways in some circumstances. |
Right to data portability | This gives you the right to have your personal data transferred to another data controller in an easily accessible format. |
Right to object to processing | This gives you the right to object to, or tell us to stop processing your personal data when we are using legitimate interest to process it, in some circumstances. If we are processing your personal data under legitimate interest for direct marketing purposes, this right is absolute. |
Not all of these rights are absolute; they do not apply in every circumstance and they may be restricted under certain conditions, for example if we have a legal obligation to continue processing your personal data or when an exemption applies under the Data Protection Act 2018. If we need to restrict these rights, we will always consider this on a case-by-case basis, only when it is necessary and lawful to do so, and in accordance with the Data Protection Legislation.
Exercising your information rights
You can exercise your information rights at any time by letting us know or by contacting us at dataprotection@csfleak.uk.
When you exercise your information rights, we usually have one month to comply with the request unless it is considered to be complex. If we consider your rights request to be ‘complex’, we may extend this timeframe to a total of three months. We will let you know if this is the case within one month of receiving your request.
We may ask you for proof of identity when considering an information rights request, to ensure that we protect your personal data from unlawful disclosure or from unauthorised alteration or processing.
Ordinarily, we will not charge you a fee for exercising your information rights unless we consider the request to be manifestly (or clearly) unfounded or excessive. This includes situations where repeat requests are made within a short timeframe, or where the request is clearly intended to cause disruption. In this case, you may be charged an administrative fee. Alternatively, we may refuse to comply with your request. We will always inform you if this is the case.
Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) regulates and enforces data protection compliance in the UK. Their website has useful guidance on data protection matters; you can find it here: www.ico.org.uk
You have the right to lodge a complaint with the ICO at any time if you are unhappy with how we have processed your personal data or if you think we have not followed the rules. You can contact the ICO here - https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/
Changes to this privacy policy
We will regularly review this privacy policy and publish any new versions on our website. You should regularly check our privacy information to ensure that you have the most up to date version.
Version: 1.0
Last review: 31-JAN-2025
Next review date: 31-JAN-2027
Schedule 1: Purposes of processing, personal data and lawful grounds
When you visit our website
Why we process your personal data | |
What personal data we process | Automatically Collected Data; Cookie-Related Data; User-Provided Data |
Our lawful basis for processing your personal data | Essential Processing; Optional Processing |
How long we keep your personal data for | Automatically Collected Data; Cookie Data; User-Provided Data |
When you volunteer for us
Why we process your personal data | |
What personal data we process | Core Volunteer Information; Role-Specific Information (where applicable) |
Our lawful basis for processing your personal data | |
How long we keep your personal data for | Active Volunteer Records (retained while actively volunteering); Shorter Retention Periods |
When you donate to us
Why we process your personal data | |
What personal data we process | Core Donation Information; Payment Processing |
Our lawful basis for processing your personal data | |
How long we keep your personal data for | Financial Records; Contact Information; Third-Party Processors |
When you become a member
Why we process your personal data | |
What personal data we process | Core Membership Information; Health and Support Information |
Our lawful basis for processing your personal data | Primary bases; For health data |
How long we keep your personal data for | For the duration of your membership plus six years |
When you become a trustee
Why we process your personal data | |
What personal data we process | Core Governance Information; Administrative Information |
Our lawful basis for processing your personal data | |
How long we keep your personal data for | Core Governance Information (retained permanently); Administrative Information (retained for 6 years after end of service); Administrative Information (retained 1 month after checking) |
When you tell us about your experiences or stories
Why we process your personal data | |
What personal data we process | Core Information; Story Content |
Our lawful basis for processing your personal data | Primary basis |
How long we keep your personal data for | Story Content; Administrative Records; Archive Copies |
When you are a member of our Medical Advisory Committee (MAC)
Why we process your personal data | |
What personal data we process | Professional Information; Contact Information; Administrative Information |
Our lawful basis for processing your personal data | Primary basis |
How long we keep your personal data for | Active MAC Member Records; Historical Records (retained permanently); Administrative Records (retained for 6 years after service ends) |
When you purchase from our online store
Why we process your personal data | |
What personal data we process | Order Information; Payment Information |
Our lawful basis for processing your personal data | |
How long we keep your personal data for | Order Records; Payment Records |