GENERAL DATA PROTECTION REGULATION (GDPR)
Data Protection Policy Statement
Introduction: purpose and principles
On 25 May 2018 the GDPR comes into effect throughout the EU. The biggest upheaval since the Data Protection Act 1998 (which it replaces), it gives people much more say over what any organisation that has collected personal data, from major companies to an association such as The Harrogate Club, can do with it.
Central to the Regulation are two principles. First, it will no longer be acceptable for The Club (“the data controller”) simply to assume members who voluntarily provided personal data (“data providers”) have automatically consented to accept communications from The Club, unless there is a specific “opt out” provision. Rather, data providers need to “opt in” to receive future communications. In other words, passive acceptance is no longer the default position; consent must be an active and affirmative action by the person on the database.
Not only that, but any data provider has the right to know the reason why their data has been collected and who has access to it. They can also demand access to the data stored on them and for that data to be rectified if incorrect; furthermore, for it to be removed either by withdrawing consent or under the statutory “right to be forgotten” (see below).
Therefore The Club has redesigned its membership forms to include an empty check box and a corresponding invitation to tick it in order to stay up to date with Club announcements, news and forthcoming events, and to allow The Club to identify ways in which members can support it.
The second principle is that the data controller must ensure personal data is processed lawfully, transparently, and for a specific purpose. “Lawfully” has a range of alternative meanings, of which one must apply. For example, it is lawful if the data provider has consented to their data being held; alternatively it can mean that it is in the controller’s legitimate interest to do so, to ensure data providers receive necessary information and/or to prevent fraud and misrepresentation.
Accordingly, this Statement outlines The Club’s Data Protection Policy under the GDPR: how it handles and uses the data collected and identifies the legal rights of data providers.
How does The Club collect information?
The Club obtains information about members when it is provided on joining The Club, on annual renewal, or when members contact The Club for any reason, or if a non-member guest attendee positively agrees to provide the information requested. The principal legal basis for collecting and processing personal data is the consent of the data provider; otherwise it is deemed to be in The Club’s legitimate interest to do so in furthering its aims and objectives.
The information is kept by Mail Chimp on its computer system; only Mail Chimp (“data processor”) processes the information and makes it available to The Club committee as and when required.
What type of information is collected?
The personal information collected includes name, address, telephone number and email address, and how to connect with members via social media. Bank details are not kept although subscriptions and other payments due to The Club can be paid by online bank transfer (alternatively by personal cheque or cash).
How is the information used?
The Club may use the information to:
Process subscriptions and any loans and donations made.
Send announcements, news and details of forthcoming events.
Request any help and assistance as circumstances arise.
Seek views or comments on The Club’s activities.
Who has access to the personal information provided?
Only The Club’s committee has access. No information will be sold or rented to third parties, nor shared with them.
What are the legal rights of those who have consented to The Club holding their personal information to access it and, if necessary, update or remove it?
Obviously, the accuracy of the information provided is important to The Club. If there is a change of email address, or if any of the other information held is inaccurate or out of date, it is the responsibility of the person concerned to contact the committee, whose contact details are given in The Club’s publications and/or on its website and/or Facebook page.
The Club is not only legally obliged to be transparent about the personal information held by it but also regards this as a moral obligation. All those on the database have the legal right to ask for a copy of the information The Club holds about them.
There is also the legal right to demand removal of the information by specific withdrawal of consent, by pressing the “unsubscribe” button on any Mail Chimp email. Alternatively, under the “right to be forgotten” provisions of the Regulation, a data provider’s information will be removed if the data is no longer necessary for the purpose for which it was collected, for example if the data provider has moved out of the area or can no longer, or decides no longer to, participate in The Club’s activities.
Security precautions in place to protect against the loss, misuse or alteration of personal information
When members, or others by way of voluntary consent, provide personal information, The Club will do its utmost to take all practicable steps to ensure it is treated securely. However, email addresses are transmitted normally over the Internet and this can never be guaranteed to be 100% secure. It must be understood that such information is transmitted at the risk of data providers.
Review of this policy
The Club undertakes to keep this Data Protection Policy under regular review. This Policy was last updated in April 2018.
President, The Harrogate Club