Effective Date: 09/09/2018
This notice sets out certain information which we are required to provide to you about your personal data.
As we make changes to our website, we may need to update this policy. If we make any important changes that affect your rights and interests, we will make sure we bring this to your attention and explain what this means for you.
If you have any questions in relation to this policy or wish to exercise any of your rights under data protection law (as set out below), you should email
1. Who are we?
We are Tibetan Monastery Services Limited (trading as Gompa – Tibetan Monastery Services), a company registered in England and Wales. Our company registration number is 01756218 and our registered office is at Cooper House, Lower Charlton Estate, Shepton Mallet, Somerset BA4 5QE. We are a trading company wholly owned by the Orient Foundation for Arts and Culture, a charity registered in England and Wales with charity number 287817. We are registered as a controller with the UK Information Commissioner’s Office under number ZA453844.
2. What personal data do we collect?
2.1 The personal data we collect includes:
- a) Identity and contact data.
- b) Financial and transaction data.
- c) Technical data – mainly by automated means including your internet address, data for logging in, browser type and version, time zone setting and location, browser plug-in types and versions, data on the operating system and platform, and other technology on the devices you use to access this website.
- d) Profile data - including your username and password, payments or requests for services made by you, language preferences and information inputted by you.
- e) Usage data - including information about how you use our website, products and services.
- f) Announcement and communications data - including your preferences in receiving announcements and news updates from us and our third party providers and your communication preferences.
2.2 We do not ask you to provide us with any special categories of personal data which are regarded as particularly sensitive. As a not-for-profit partnership of charitable organisations, we will only process your personal data in the course of our legitimate activities and for the purposes you have provided the data to us.
3. How do we collect your personal data?The data we obtain about you will have been received from you, via automated means or interactions, and from third parties, like partner nunneries and monasteries and other service providers, financial and transaction services providers, and delivery service providers.
4. How do we use your personal data?
The purposes for which we use personal data include:
- a) registering you as a registered member-supporter or visitor.
- b) supplying or arranging services for you, including from a third party such as partner nunneries and monasteries.
- c) managing your relationship with us and third parties who supply services to you.
- d) enabling you to complete a survey.
- e) improving our website, services, or customer relationships.
- f) sending event announcements or other news about Gompa’s services which may be of interest to you.
- g) carrying out any other purpose made known at the time.
5. What is our legal basis for using your personal data?
5.1 The bases we use for processing personal data will include
- a) serving our legitimate interests (see 5.2 below).
- b) performing any contract or service request for you or exploring a potential service request or contract.
- c) complying with legal obligations, which normally means disclosing data where we have to do so by law.
5.2 Our legitimate interests include conducting and managing our services, including sending event announcements and news about Gompa’s services to you (subject to any right to unsubscribe), to enable us to supply you with services. We consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. You can obtain further information by contacting us.
6. Who do we share your personal data with?
6.1 We will share your personal data, only as needed, with Gompa’s partnership of charitable organisations, including The Orient Foundation (India), The Orient Foundation (Nepal) and with partner nunneries and monasteries in order to fulfil your service requests. You may, however, choose to remain anonymous or use a pseudonym instead.
6.2 If you wish to make a donation to Gompa, this may be made to our parent company and registered charity Orient Foundation for Arts and Culture. However we do not otherwise share your personal data with our parent company.
6.3 Your personal data will be shared with our technical service providers such as our hosting provider, payment gateway provider, email announcements service provider and other IT service providers as necessary to provide our website and our services.
6.4 We may also have to share your personal data with HM Revenue & Customs, the tax authority in the UK, who require reporting of our processing activities in certain circumstances and as otherwise may be required by law.
7. Where are your personal data stored?
7.1 Our website and the personal data collected through it are hosted on servers that are based in the United Kingdom.
7.2 We use Axcess Merchant Services as our payment gateway provider, which is based in the United Kingdom. We use SIX Payment Services as our payments acquirer, which is based in Switzerland. Switzerland is recognised by the European Commission as providing an adequate level of protection for personal data.
7.3 We use Constant Contact for facilitating email announcements to Gompa account holders and Microsoft for its Office 365 and OneDrive services. These companies are based in the USA and have self-certified under the EU-US Privacy Shield Framework. In addition, we have entered into contracts with these companies which contain standard clauses approved by the European Commission.
7.4 The Orient Foundation (India) and The Orient Foundation (Nepal) are not based within the European Economic Area (EEA), but rather countries which are not recognised by the European Commission as providing an adequate level of protection for the rights of individuals in respect of their personal data. We have entered into contracts with these organisations in a form that has been approved by the European Commission as providing an adequate level of protection for personal data. However as explained above, we will only transfer your personal data to these organisations in order to perform the contract we are about to enter into or have entered into with you in respect of our services.
8. How do we keep your personal data secure?
8.1 We have put in place appropriate security measures (for example, access to our website and areas requiring you to login are secured using ‘https’ technology and access to payment card details is encrypted) to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We also limit access to your personal data to those within our organisation that have a need to access it. They will only process your personal data on our instructions and they are required to keep your personal data confidential.
8.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner’s Office or any other relevant regulator where we are legally required to do so.
9. For how long do we keep personal data?
9.1 We keep personal data for as long as reasonably necessary to fulfil the purposes for which we collected it, and to satisfy any legal, regulatory, tax, accounting or reporting requirements. If there is complaint or dispute or it appears there may be, we may extend that period if there is or is likely to be a complaint or dispute.
9.2 We consider the amount, nature and sensitivity of the data, the risk of harm from unauthorised use or disclosure, the purposes, the alternatives, and any legal, regulatory, tax, accounting or other considerations when deciding how long to keep data.
9.3 We retain data relevant to your use of the services for the duration of your registration as part of the service to enhance our service and your experience.
9.4 If you have paid for any of our services, we will retain details of your orders for a period of six years from the date of your orders for tax purposes.
10.2 Given the essential nature of the cookies used by our website, if you block or restrict them then you may not be able to use certain features of our website.
11. What are your legal rights?
11.1 You have a number of rights in relation to the personal data we hold about you:
- a) Access: You have the right to request access to and be provided with a copy of the personal data held about you together with certain information about the processing of such personal data to check that are holding it lawfully
- b) Correction: You have the right to ask us to correct any inaccurate or incomplete personal data held about you
- c) Deletion: You have the right to ask us to delete or remove any personal data held about you where there is no good reason for us to continue holding it or where you have exercised your right to object
- d) Restriction: You have the right to ask us to restrict how we hold your personal data, for example, to confirm its accuracy or our reasons for holding it
- e) Objection: You have the right to object to our holding of any personal data about you which is based on our legitimate interests or those of a third party based on your particular circumstances. You also have the right to object to our holding your personal data for the purpose of sending you service related announcements via email
- f) Portability: You have the right to receive or request that we transfer a copy of the personal data we hold about you in an electronic format where the basis of our holding such information is your consent or the performance of a contract and the information is processed by automated means
- g) Complaints: You have the right to complain to the Information Commissioner’s Office (ICO) or any other EU supervisory authority in relation to how we collect and use your personal data
11.2 You will not have to pay any fee to exercise any of the above rights though we may charge a reasonable fee or refuse to comply with your request if any request is clearly unfounded or excessive. Where this is the case, we will let you know.
To protect the confidentiality of your personal data we may ask you to verify your identity before fulfilling any request in relation to your personal data.