Our privacy statement

Epilepsy Action is pleased to provide the following information:

Who are we?

Epilepsy Action is a community of people committed to a better life for everyone affected by epilepsy. In this policy, whenever you see the words ‘we’, ‘us’ or ‘our’, it refers to Epilepsy Action (a working name for British Epilepsy Association) and BEA Trading Limited.

BEA Trading Limited sells a range of goods and enters into corporate partnership arrangements. All of its profits are passed to Epilepsy Action.

The company is wholly owned and controlled by British Epilepsy Association. British Epilepsy Association is a charity registered in England and Wales (No. 234343) and an incorporated company registered in England (No. 797997).

Your acceptance of this policy

By using our websites, social media pages, entering a competition or providing your information you consent to our collection and use of the information you provide in the way(s) set out in this policy. If you do not agree to this policy please do not use our sites, social media pages or services.

Changes to this Privacy Statement

We regularly review our Privacy Statement. Any updates will be posted on our website and will apply from when they are updated on the website. Supporters that we are in contact with will be informed if there are major changes.

This privacy policy was last updated on 10 May 2019.

What is personal data?

‘Personal data’ means any information that identifies a living person. This can include name, address, phone number, email address and driving licence.

It also covers our use of any personal information you provide to us. This may be by phone, text message (SMS), email, social media, letter and other correspondence, and in person. It can include IP addresses and other technical identifying information.

What is Special Categories of Personal Data?

‘Special Categories of Personal Data’ means information about someone that may include their physical or mental health or condition. For example, this might include their epilepsy status, their age or ethnicity.

People we collect information on

We need to collect and use your personal data if you contact us for any reason, including if you are a:

  • Member of Epilepsy Action
  • Member of our online community
  • Supporter
  • A person who uses our advice and information services
  • Visitor to any of our websites
  • A person who contacts with us through social media platforms
  • A person who buys goods from our trading company, BEA Trading Ltd
  • Volunteer or prospective volunteer
  • Donor or someone fundraising for us
  • Employee or prospective employee of Epilepsy Action
  • Supplier or prospective supplier to Epilepsy Action
  • Journalist, member of the media or someone who publishes or broadcasts to the public
  • MP, other parliamentarian or representative including councillors
  • Person within the epilepsy community who works with us. This can include health and social care professionals, researchers, commissioners and government officials and other similar departments
  • Person from an organisation that wishes to work with us or ask us for support or information (including, but not limited to, charities, schools, companies)

Why we hold your data

We hold your details to:

  • Communicate with you as a supporter and service user
  • Respond to your enquiry or request for information
  • Provide you with the service or membership you have requested
  • Process sales or donations and verify financial transactions
  • Manage orders, deliver items you have ordered and communicate with you about your order
  • Provide a personalised service to you when you visit our websites. This includes the use of cookies if you agree to their use. This could include customising the content and/or layout of our pages for individual users
  • Keep a record of any contact we have with you
  • Prevent or detect fraud
  • Enable third parties, working for us, to carry out technical or logistical functions for us
  • To carry out research on the demographics, background and interest of our supporters and users of our services. This is to get a better understanding of them and improve our services
  • Tell you about the things you have told us you are interested in – if you have given us permission to
  • Send by post information about our work we think it is in our legitimate interest to do so.
  • Help you with any problems you may be experiencing with a form or our website. We may also do this if you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form

How we collect data

We may collect and store information about you whenever you interact with us. For example, when you make a donation, register for an event or submit an enquiry. Other examples include if you register for our services, apply for a job or volunteering opportunity, or otherwise give us any other personal information.

We may also receive information about you from third parties for a specific purpose. However, this will only happen if you have given them permission to share your information.

Complying with GDPR and the 2018 Data Protection Act

GDPR requires Epilepsy Action to process personal data fairly and lawfully. We will offer you choices about the way you are contacted. We will also be clear about how we will use your information. We will make sure that the reason for collecting information is lawful.

Epilepsy Action has informed the Information Commissioner’s Office (ICO) why we collect and process data.

We only hold data about you that is sufficient for our purpose, nothing more.

We work to make sure the data we hold is accurate and up to date. Accuracy is checked when data is recorded, for example through Royal Mail postcode files.

We only hold personal data as long as necessary. However, we may need to keep personal data about you even if you have requested no further contact or erasure. This is so that we can make sure we don’t contact you about an activity. For example, it means we won’t include you when we send promotional communications to people in a particular geographic area.

We have systems in place to safeguard your personal data. Access to written and electronic personal data is restricted and has a level of security depending on the sensitivity of the data. No sensitive or special categories of data linked to a person’s name or address is taken off-site from our offices unless it is either password protected or encrypted.

Marketing communication preferences

If you have given us permission to contact you about epilepsy news and information, our work or ways to support us, we will make sure that you can opt out of receiving marketing communications. At the first reasonable opportunity, you will be offered the chance to opt out of hearing from Epilepsy Action and its trading company. You will be able to say ‘no’ to contact by mail, telephone, text or email.

If at a later date you complete another form, giving different contact preferences, we will use those you have given most recently.

Every time we contact you in the future we will give you the chance to update your communication preferences.

Legitimate interest

Epilepsy Action may use legitimate interest as the basis to send individuals information about our work or marketing material by post where they haven’t previously opted out of contact by post. Prior to using legitimate interest we will carry out a legitimate interest’s assessment. In every mailing we send using legitimate interest you will be given an opportunity to opt out of further contact.

Epilepsy action may also use legitimate interest to process data of the following and similar parties:

  1. Processing employee data
  2. Processing employment applications
  3. Processing volunteer applications and engagement (including volunteer fundraisers)
  4. Epilepsy Action Advisers
  5. Authors and writers for our publications
  6. Processing standard business contacts (including storing contact details) including
    1. Journalists etc
    2. Suppliers or potential suppliers
    3. Public officials, MPs etc
    4. Health and social care professionals
    5. Other charities
  7. Approaching companies about cooperation or fundraising where we can demonstrate this is reasonable for example they have a Corporate Responsibility statement or other statement indicating support for our type of work.
  8. Approaching trusts and foundation where we can demonstrate this is reasonable for example they state they support our type of charity.
  9. Responding to enquiries
  10. Processing requests to or seek advice or engagement with us including
    1. Cooperate on projects
  11. Researching partners and potential partners (including trusts and funds and companies and their employees, directors or trustees) via information in the public domain.
  12. Visitors to our websites
  13. Those who engage with us through social media
  14. Postal marketing to any contacts for whom consent has not been obtained and they have not opted out of postal marketing and where engagement to date suggests it does not cause harm or override an individual’s privacy rights, for example current donors, Epilepsy Professional circulation, Doodle Day doodlers who have supplied contact details, previous raffle participants.
  15. The publication or broadcast of photographs, videos etc in live or near live events and for one month after such events
  16. Circulation of Epilepsy Professional magazine to clinics and clinicians

Email marketing

Emails and text messages are also covered by the Privacy and Electronic Communications Regulations. Every time your email address or mobile telephone number is recorded, you will be offered email/text updates. You will have to tick a box to agree to your details being used for marketing emails/texts.

Also, any marketing emails/texts sent by Epilepsy Action will include the opportunity to unsubscribe from future emails/texts.

Social media

We may use your details to contact you with updates and information relating to your fundraising. This depends on your own privacy settings for social media and messaging sites such as Facebook, WhatsApp and Twitter. We will only do this for events you have expressed an interest in, or registered for. We may also use your details to promote other activities or events on social media platforms. To control these adverts you should amend your social media platform settings.

Building profiles of supporters and targeting communications

We may use profiling and screening techniques to ensure communications are relevant and well timed. We may also use them to provide an improved experience for our supporters. Profiling also allows us to target our resources effectively. We do this because it allows us to understand the background of the people who support us. This helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. It also helps us to raise more funds, sooner and more cost-effectively, than we otherwise would.

When building a profile we may analyse geographic, demographic and other information relating to you. This is so we can understand your interests and preferences better in order to contact you with the most relevant communications. In doing this, we may use additional information from third-party sources when it is available. This information is gathered using publicly available data about you, for example addresses, listed directorships or typical earnings in a given area.

Sharing your data with other organisations

We use third parties to handle some of our services on our behalf, as allowed under GDPR. These organisations are only allowed to use your personal information for the specific purpose they have been contracted for. For example, this could be to send a letter to you or process your direct debit.

We always transfer your personal data securely – through a secure FTP (File Transfer Protocol) website, or as a password-protected file.

Unlike some organisations, we will never swap or sell your data to another organisation for them to use for marketing purposes. All suppliers handling any personal data are subject to a data processing agreement, which is legally binding and controls what they are able to do with the data.

Data storage

We only transfer data outside the European Economic Area when in compliance with the conditions for transfer set out in Chapter V of the GDPR.

Special categories of personal data

If you contact our helpline we may record the following.

  • Your interests in epilepsy and what affects you in your daily life. This helps us to monitor the demand for our services. It also helps us to plan the future content of our information booklets, fact sheets and web pages.
  • Your age, epilepsy status and ethnicity. This helps us to identify trends in the range of people using our services and to plan improved access to them.

If you join Epilepsy Action as a member or use some of our services such as training courses, branches or others, we may record the following.

  • Your age, epilepsy status and ethnicity. This helps us to identify trends in the range of people using our services and plan to improve access to them.

If you support our work as a media volunteer, we may record the following information – but we will never share it without your explicit consent.

  • Information about your epilepsy and the way it impacts on your day-to-day life.
  • Information like your age and your personal experiences, to help us to match your story with media enquiries or our campaigns.

Some of this is classified as “Special Categories of Personal Data” (and is subject to additional data protection). We will ask for your explicit consent to record and process Special Categories of Personal Data.

We have legally-backed reasons for collecting Special Categories of Personal Data. It helps us to achieve one or more of our charitable aims, for example the provision of accurate advice and support to people diagnosed with epilepsy. None of this data will be used in a way that could harm you as an individual.

Emergency contact details

If you attend an Epilepsy Action event and provide us with emergency contact details you must confirm that the person whose details you provide has given permission for you to give us the information.

We will delete the emergency contact details as soon as is practical after the event has ended.

Use of media and consent

a. Media consent applies to:

  • Photographs
  • Video footage
  • Still images taken from video
  • Sound recordings
  • Quotes and case studies submitted (spoken or written, including web form submissions)
b. It applies whether or not Epilepsy Action took the material, commissioned it or it was submitted by a third party
c. If you give consent to the use of media Epilepsy Action may use it as follows:
  • on the Epilepsy Action website or other websites
  • on social media and video-hosting platforms (for example Twitter, Facebook, Instagram and YouTube)
  • in Epilepsy Action information materials, such as leaflets, presentations, posters or fundraising material
  • for broadcast and radio interviews
  • for written press articles
d. Expiry of consent
  • Material will only be used, printed or published in new publications for as long as consent has been given
  • Consent can be withdrawn at any time in which case they will not be used in new publications
  • Media consent will normally be for five years but may be renewed by you
  • After expiry of consent photographs, videos or audio recordings etc will be:
  1. Deleted from photographic libraries or other storage and not reused in publications etc
  2. Withdrawn from web use and other similar environments
  3. Epilepsy Action is unable to guarantee that we can withdraw from use images, videos or quotes that have been published prior to withdrawal of consent. We will not use images, videos or quotes in future publications but they may continue to appear in publications already in circulation
  • Epilepsy Action will take all reasonable steps to make sure that content used for our websites, publications and materials is not used by third parties without our permission. However, we cannot guarantee that third parties will always request our consent
  • At some Epilepsy Action events, other photographers not employed or associated with Epilepsy Action may take and distribute photographs etc. These may be journalists, other event attendees or casual passers-by. The use of these images etc is beyond Epilepsy Action's control.

People who call our helpline

When you call the Epilepsy Action Helpline, we offer a translation service for customers if English is not your first language. This is provided by a third-party company. The company that provides this service does not keep any information from the calls or record them.

Job applicants, current and former Epilepsy Action employees

When people apply to work at Epilepsy Action, we use the information they supply to process their application and to monitor recruitment statistics. When we want to disclose information to a third party, we will not do so without telling the person in advance unless the disclosure is required by law. For example, we may need to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Service.

Personal information about unsuccessful candidates will be held for 6 months after the recruitment exercise has finished. It will then be securely destroyed or deleted. We keep de-personalised statistical information about applicants to help inform our recruitment activities. However, no individuals can be identified from that data.

Once a person has taken up employment with Epilepsy Action, we will compile a file about their employment. The information in this file will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Epilepsy Action has ended, we will keep the file as required by our Retention Schedule and Retaining Personal Data Policies then securely destroy or delete it.

Your data on our website

If you use any of the email facilities or forms on any of our sites, we will capture your email address, your name and, where relevant, your postal address. This means we can respond to your request, enquiry or order. We will ask if you want to opt in to being contacted in the future by telephone, email or text. You will be given the opportunity to opt out of receiving mail.

If you use any of the secure forms on our sites, your credit card information is only used to complete that transaction. All such forms are secure and cannot be accessed by anyone other than the members of staff involved in completing the transaction.

Information is automatically provided on your browsing behaviour through the use of cookies on our sites. This information does not enable us to identify you personally. However, it does allow us to track usage of our sites so that we can improve them.

We use standard third-party web analytics services (such as Google Analytics) to collect anonymous information about your computer, including your IP address, operating system and browser type. This includes for example the number of users viewing pages on the site, but it does not identify you individually. This means we can monitor and report on the effectiveness of the site to help us improve it. If visitors want to post a comment on our sites, we require visitors to enter a name and email address.

We may temporarily retain any data that you provide on the website if you place an order through our shop, even if you do not complete your order. Such contact details and data may be used to contact you to enquire if you require any assistance with your order but for no other purpose.


We use a third-party provider, Technology Trust, to deliver our e-newsletters. We gather statistics around email opening and clicks using industry standard technologies. This includes clear gifs to help us monitor and improve our e-newsletter.

Website hosting

We use third-party services to host our websites. These sites are hosted at:

  • Amazon Data Services Ireland Ltd, operated on our behalf by Ixis IT Ltd
  • Rackspace Ltd, operated on our behalf by Muchloved Charitable Trust
  • Krystal Hosting Ltd
  • Shopify Inc.
  • NFSN Inc (no personal data is stored on this server)

Spam prevention using a third-party system

We use web services (such as Mollom) to analyse the quality of content posted to our websites by users. This includes comments, forms, blogs and forum posts. They screen people’s contributions before they are posted and prevent spam.

The contents of the form (including your personal data) and other information (such as IP address, operating system and browser type) are passed to these third-party systems. This enables them to decide whether the content is posted by spammers or similar. They will only use your information for this purpose.

People who contact us through social media

We use third-party providers Hootsuite and Tweetdeck to manage our social media interactions.

If you send us a private or direct message through social media, the message will be stored in line with our Retaining Personal Data and Data Retention Schedule. It will not be shared with any other organisations.

Children’s data

If a child under 16 joins Epilepsy Action or takes part in an event, we will keep their information to service their membership or the event. If a child uses the helpline or uses any other email facility to contact us, their information will only be used to deal with their enquiry.

We recognise the need to protect the privacy and safety of children under 16. We generally use photographs of models wherever possible and only use images of real children and their names where this is necessary in context.

Parental permission will have been obtained to use the image, and, in the case of children 13 and over, we also ask for the child’s permission.

Please see our supplementary children’s privacy policy.

Changing your communication preferences

You can change your communication preferences at any time. You can choose whether we contact you by mail, telephone, email or text message. You can also choose whether or not you receive information on certain activities of Epilepsy Action, such as appeals, campaigns and raffles. Just contact us – by phone on 0113 210 8800, in writing or by email to dpo@epilepsy.org.uk or visit epilepsy.org.uk/contact

Your rights as a data subject

At any point whilst Epilepsy Action is in possession of, or processing your personal data, all data subjects have the following rights:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.

In the event that Epilepsy Action refuses your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge.

At your request Epilepsy Action can confirm what information it holds about you and how it is processed.

You can request the following information:

  • Identity and the contact details of the person or organisation (Epilepsy Action) that has determined how and why to process your data.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of Epilepsy Action and information about these interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • How long the data will be stored.
  • Details of your rights to correct, erasure, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority (ICO).
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

Data subject access requests

Epilepsy Action will assist you if you want to see the information we hold about you. A request should be made in writing, by letter or by email, to dpo@epilepsy.org.uk.

To support your request, Epilepsy Action also requires ID and will accept the following forms when information on your personal data is requested: a copy of your driving licence, passport, birth certificate and a utility bill not older than three months.

A minimum of one piece of photographic ID listed above and a supporting document is required. If Epilepsy Action is dissatisfied with the quality, further information may be sought before personal data can be released. The 30 days’ time limit will apply on receipt of valid identification.

In most cases, we will process your data subject access request within 30 days. We may need to extend this period for particularly complex requests.

Your first request will be completed for free but if you make further requests a service charge will be levied if it is made within six months of the last request.

The remit of this policy

This Privacy Statement does not cover information gathered on other websites outside our control.

How to contact us

Requests for information about our privacy statement can be emailed to the supporter care team at: dpo@epilepsy.org.uk or by writing to:

Data Protection Officer
Epilepsy Action
New Anstey House
Gate Way Drive, Yeadon


In the event that you wish to make a complaint about how your personal data is being processed by Epilepsy Action you have the right to complain to us. If you do not get a response within 30 days you can complain to the ICO.

For a more detailed list of what information we collect and how it is used you can visit the Information Commissioner’s Office (ICO) website and view our registry entry.

ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Telephone +44 (0) 303 123 1113 or email: https://ico.org.uk/global/contact-us/email/

Our ICO registration number is Z4605447.

Subscribe to the e-action newsletter

Stay up to date with the latest news on coronavirus, epilepsy news and events, and how you can get involved.

Epilepsy Action will never swap, share or sell your details. For more information, read our privacy policy.
By clicking subscribe you agree to our privacy policy.