Privacy Policy

Effective date: 19/06/2025

1. Introduction 

The Pulmonary Vascular Research Institute (PVRI) is a global charity dedicated to advancing research, education, and patient care in pulmonary vascular disease (PVD). We are committed to protecting your privacy and handling your personal data responsibly and in compliance with all applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as regulated by the Information Commissioner's Office (ICO). 

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you interact with us, whether as a member, donor, staff member, volunteer, researcher, attendee at our events, website visitor or in any other capacity. 

2. Who we are 

The PVRI is a registered charity in England and Wales, Charity Number: 1127115 and a Company Limited by Guarantee no. 05780068. VAT registration no. 488 0247 66. Registered office: 5 Tanner Street, London SE1 3LE 

For the purposes of data protection law, the PVRI is the Data Controller of your personal data. This means we are responsible for deciding how and why your personal data is processed. 

3. The personal data we collect 

We may collect and process various types of personal data about you, depending on your interaction with us. This may include: 

  • Identity data: Name(s), your image in form of a photo or video
  • Contact data: Postal address, email address, telephone numbers
  • Professional data: Job title, institution, professional qualifications, research interests, publications
  • Membership data: Membership status, payment methods and history for membership fees
  • Donation data: Donation amounts, payment methods, gift aid declarations (where applicable)
  • Event data: Involvement in conferences, webinars, workshops, workstream and taskforce meetings, registration details
  • Research data: In specific research projects, we may collect data such as health information (special category data), and other sensitive information. This will always be done under strict ethical and legal safeguards, with explicit consent or other appropriate lawful bases, and clear information provided at the point of collection.
  • Marketing and communications data: Your preferences in communication receiving marketing from us and our third parties
  • Technical data: Internet Protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
  • Usage data: Information about how you use our website, products, and services. 

Special category data: Protecting sensitive information 

Due to the nature of PVRI's activities, we process "special category data." This is personal data that is inherently more sensitive and requires a higher level of protection under the UK GDPR. It includes: 

  • Health data: Information about your physical or mental health, including data about the provision and receipt of health care services.
  • Data concerning a person's sex life or sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership. 

We will only process such sensitive data where we have identified a lawful basis under UK GDPR. 

Where required, we will conduct Data Protection Impact Assessments (DPIAs) for high-risk processing of special category data. 

4. How we collect your personal data 

We collect personal data from and about you through various methods, including: 

Direct interactions: You may provide us with your identity, contact, and professional data by filling in forms, creating an account on our website, becoming a member, making a donation, registering for an event, applying for a job, a volunteer role or a grant, or corresponding with us by post, phone, email, or otherwise. 

Automated technologies or interactions: As you interact with our website, we may automatically collect technical data about your equipment, browse actions, and patterns. We collect this personal data by using cookies and other similar technologies. Please see our Cookie Policy for more details. 

Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources, such as: 

  • analytics providers (e.g.Google Analytics)
  • publicly available sources (e.g.professional directories, research databases)
  • partners involved in joint research projects or events. 

5. How we use your personal data and our lawful bases 

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances and for the following purposes:

Purpose of processing Type of data Lawful basis for processing (UK GDPR) Our approach
Membership management: To process your membership application, manage your membership, send membership communications, and provide member benefits  Identity, contact, professional, membership, financial, engagement in our messages and events Performance of a contract with you  We process your data to fulfill our contractual obligations as your membership provider. This includes managing your account, delivering membership benefits, and sending essential communications related to your membership. We ensure data is processed securely.  
Donation processing & fundraising: To process your donations, administer Gift Aid, thank you for your support, and inform you about our work and future fundraising opportunities. dentity, contact, financial, donation Legitimate Interests (to support our charitable objectives and engage with supporters) or Consent (for direct marketing) We process your donation data to administer your contribution and fulfil any associated obligations like Gift Aid. We rely on legitimate interests to acknowledge your support and provide updates on our charitable work. For any direct marketing communications about future fundraising, we will obtain your consent and provide easy ways to opt-out.
Event management: To register you for events, manage your attendance, send event-related communications, and to facilitate networking.  Identity, contact, professional, financial, Performance of a Contract with you (for paid events) or Legitimate Interests (for free events and networking) For paid events, we process your data to fulfil our contractual agreement to register and manage your attendance. For free events and networking, we rely on our legitimate interests to organise and run events that further our objectives and benefit participants. We will obtain your consent for future communication and provide easy ways to opt-out. 
Research activities: To conduct and facilitate pulmonary vascular disease research, including patient surveys. Identity, contact, professional, research (including Special Category Data) Public Task (for research in the public interest) or Legitimate Interests (for certain research activities) or Explicit Consent (especially for processing sensitive health data) 

We obtain your clear, specific, and informed consent for processing your special category data for defined research purposes. This consent is freely given, informed, and unambiguous, and you have the right to withdraw it at any time. When relying on the bases of public interest, we ensure: 

  • the processing is necessary and cannot reasonably be achieved by other means (e.g. using anonymised data)  

  • it is subject to appropriate safeguards as required by UK GDPR (such as data minimisation, pseudonymisation where possible, robust security measures, and adherence to recognised ethical standards)

  • it is not likely to cause substantial damage or distress to individuals

  • it is not used to support decisions about individuals.
Communications & engagement: To send you newsletters, updates, and information about our work, events, and initiatives.   Identity, contact, professional, communication Consent (for marketing communications) or Legitimate Interests (for non-marketing, service-related communications, e.g, membership renewals)

For marketing communications, we will obtain your explicit consent and provide clear opt-out options. For non-marketing, service-related communications (e.g. membership renewals or essential service updates), we rely on our legitimate interests to keep you informed about relevant aspects of your engagement with us.
Website administration & improvement: To administer and protect our business and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data). Technical, Usage  Legitimate Interests (for running our business, provision of administration and IT services, network security, and to prevent fraud). We process technical and usage data based on our legitimate interests to ensure our website is secure, functional, and continuously improved. This includes monitoring for issues, analysing performance, and maintaining system integrity to provide you with a reliable online experience and protect our operations from fraud. 
Compliance with legal obligations: To comply with our legal or regulatory obligations (e.g. reporting to regulatory bodies, financial audits). All relevant data Legal Obligation. We process your data when it is necessary to comply with a legal or regulatory obligations. This includes fulfilling statutory reporting requirements, undergoing financial audits, and responding to lawful requests from regulatory bodies.
HR and employment: (e.g. staff, volunteers, job applicants). Identity, contact, professional, financial, including special category data 

Performance of a contract   

Legal obligation 

Consent 

This includes processing data for payroll, administering benefits, managing performance, and fulfilling the terms of employment or volunteer contracts. For job applicants, it can apply to steps prior to entering into a contract (e.g., processing application forms, conducting interviews). 

 

Many HR activities are required by law. This includes processing data to comply with statutory obligations such as tax, National Insurance, health and safety regulations, safeguarding duties, and right-to-work checks  

 

In specific limited circumstances, we may ask for your explicit consent to process certain special category data for HR purposes (e.g. for voluntary diversity monitoring). If consent is relied upon, it will be clearly explained, and you will have the right to withdraw it at any time.  

 

6. Data Sharing 

We may share your personal data with: 

  • Our staff and volunteers: Who require access to perform their duties.
  • Third-party service providers: Who perform services on our behalf (e.g.IT support, website hosting, payment processing, event management platforms, mailing services, survey tools). These providers are contractually obliged to protect your data and only use it for the purposes we specify.
  • Research partners: In the context of collaborative research, your data may be shared with research institutions, universities, and pharmaceutical companies. We will ensure appropriate data sharing agreements are in place, often pseudonymising or anonymising data where possible, and always adhering to ethical guidelines and relevant data protection laws.
  • Regulatory authorities: When legally required to do so.
  • Professional advisors: Such as lawyers, auditors, and insurers.
  • Event sponsors: We may occasionally share your personal data (such as your name, institution, job title etc) with our event sponsors for business purposes, including networking, describing the scale and reach of the PVRI community, lead generation for sponsors, and providing attendees with relevant information about sponsor products and services. We will always inform you about this sharing at the point of registration or data collection, and you will have the option to opt-out where appropriate. 

7. International data transfers 

As a global organisation, the PVRI operates internationally. This means your personal data may be transferred to and stored in countries outside the UK and the European Economic Area (EEA), where data protection laws may not be as stringent as in the UK/EEA. 

Whenever we transfer your personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the ICO (or the European Commission for EU GDPR purposes).
  • Where we use certain third-party service providers, we will endeavour to use specific contracts approved by the ICO (or European Commission) which give personal data the same protection it has in the UK/EEA.
  • Where we use providers based in the US, we may transfer data to them if they are part of a recognised data privacy framework, such as the EU-US Data Privacy Framework, that provides equivalent safeguards. 

8. Data security 

We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. This includes: 

  • Access controls: Limiting access to personal data to those who have a legitimate need to know.
  • Encryption: Using encryption for sensitive data where appropriate.
  • Pseudonymisation/anonymisation: Where possible, processing personal data in a way that it can no longer be attributed to a specific data subject without the use of additional information.
  • Regular security audits: Conducting regular assessments of our systems and processes.
  • Staff training: Ensuring our staff and volunteers are trained in data protection and security. 

We have in place a data breach notification procedure to deal with any suspected personal data breach. Despite our best efforts we are unable to guarantee the absolute security of data provided to us and we will notify you and any applicable regulator of a breach as is necessary. 

9. Data retention 

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

10. Your legal rights 

Under UK GDPR, you have the following rights regarding your personal data: 

  • Right to be informed: To be informed about how your personal data is being used (which is what this privacy policy aims to do).
  • Right of access: To request access to your personal data (commonly known as a "data subject access request").
  • Right to rectification: To request that inaccurate or incomplete personal data we hold about you is corrected.
  • Right to erasure (right to be forgotten): To request the deletion or removal of your personal data where there is no compelling reason for its continued processing. Please note that there may be circumstances where we are legally entitled to retain it.
  • Right to restrict processing: To ask us to suspend the processing of your personal data in certain circumstances (e.g. if you want us to establish its accuracy or the reason for processing it).
  • Right to data portability: To request the transfer of your personal data to you or to a third party in a structured format.
  • Right to object: To object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Rights in relation to automated decision-making and profiling: To object to automated decision-making and profiling that produces legal effects concerning you or similarly significantly affects you. 

To exercise any of these rights, please contact us using the details below. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. 

11. Changes to this privacy policy 

We keep our Privacy Policy under regular review. Any changes we may make to our Privacy Policy in the future will be posted on this site and, where appropriate, notified to you by email. We encourage you to review this policy periodically to stay informed about how we are protecting your information. 

12. Contact us 

If you have any questions about this Privacy Policy or our data protection practices, or if you wish to exercise any of your rights, please contact us: 

  • Data Protection Officer: Karen Osborn, Chief Executive
  • Postal address: The PVRI’s registered address is 5 Tanner Street, London SE1 3LE, United Kingdom +44 (0) 7934 126930. 

13. Complaints 

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. ICO Website: www.ico.org.uk ICO Helpline: 0303 123 1113

Other policies and statements
Accessibility Statement
Code of Conduct
Complaints Policy
Privacy Policy
Cookies Policy
Terms & Conditions
Social Media Policy
PVRI team

Got a question? Want to have a chat? Our small but friendly PVRI Staff team are here to help.

Get in touch