Data Protection and Third Party Fundraising Platforms

This note has been prepared in the context of Facebook Donate. Facebook Donate enables supporters to donate to a charity via the Facebook platform. It provides a facility for a supporter to add a Gift Aid declaration to their donation. Facebook does not claim the Gift Aid but passes the relevant information to the charity for it to make the claim.

The note applies to any arrangement of this type, where another party collects donations and provides data to a charity e.g. Just Giving, and so the entity acting like Facebook is referred to in this note as a ‘third party platform’.

Third party platform compliance

When a charity receives donations through a third party platform and wishes to use the personal data of those donors for any purpose, the following must be put in place to ensure that the processing is compliant with GDPR rules.

The third party is responsible for the processing of the donation and ensuring that the associated data is processed legally and fairly. They should have clear “fair processing information” which sets out what they will do with the data and if they will pass it onto any other parties, including the charity. The charity should conduct some due diligence to ensure that the third party has a legal basis for sharing the data with them, as any subsequent processing by the charity may be unlawful if not.

Providing additional fair processing information

Under GDPR, data subjects (i.e. the individual whose data is being collected and used) have a right to be informed about the use of their data. Where the charity obtains personal data from a source other than the data subject, they must provide privacy information within a reasonable period of obtaining it and no later than one month.

This information must include:

  • The name and contact details of your organisation
  • The contact details of your data protection officer
  • The purposes of the processing
  • The lawful basis for the processing
  • The legitimate interests for the processing
  • The categories of personal data obtained
  • The recipients or categories of recipients of the personal data (e.g. HMRC)
  • The details of transfers of the personal data to any third countries or international organisations
  • The retention periods for the personal data
  • The rights available to individuals in respect of the processing
  • The right to withdraw consent
  • The right to lodge a complaint with a supervisory authority
  • The source of the personal data
  • The details of the existence of automated decision-making, including profiling

It is likely that much of this will be covered by the charities existing privacy policy, and a letter confirming the charities details, where the data was obtained from and providing access to the privacy policy may be sufficient.

This is required unless the individual already has the information. Therefore, if the platform is configurable enough that it has provided your information and a link to your privacy policy, an additional confirmation may not be required.

Gift Aid processing

If the third party platform has asked the donor if they would like to Gift Aid their donation, and the wording that the supporter has agreed to is deemed to be compliant, there is no requirement for the charity to confirm that wording with the donor. However, it does provide additional evidence that the donor was aware of the requirements for Gift Aiding their gift, and if you are sending “fair processing information” as referred to in this note, it may make sense to include this as well.

Marketing opt ins

Some third party platforms offer the option of collecting marketing permissions. You must review the wording they use and make a judgement about what a supporter might expect to receive having said yes. For example, some just cover ‘news from the charity’ which wouldn’t cover further asks for support. The consent requested should be accurately recorded in your supporter database and reflected in the type of communications sent.

You may find it helpful to clarify/confirm the kind of marketing you will send, and in line with the Fundraising Code of Practice, you must confirm how consent can be withdrawn in your initial letter and any further fundraising comms you send.

NB: This note has been prepared to help make charities aware of the key obligations under GDPR legislation which arise in this type of arrangement. It does not constitute legal advice and all organisations should consider this guidance in the light of their own circumstances and ensure that seek appropriate advice. Additional updates may be made in due course, in response to feedback from charities.

Please consult the website of the Information Commissioner for further guidance:

Zoe Rowland is Head of Data Governance at Cancer Research UK


CTG update: It is possible to add Gift Aid to eligible donations via Facebook Donate. However, there has been some uncertainty as to whether HMRC would accept Gift Aid claims on donations received via Facebook due to concerns about the audit trail. CTG has been working to facilitate a meeting between Facebook and HMRC to resolve this issue, which is due to take place shortly. Read more here.

Join the discussion

Your email address will not be published.