On 25th May 2018 new legislation on Data Protection came into force (The General Data Protection Regulation, “GDPR”). GDPR replaces previous legislation and contains significant obligations which the Company must fulfil and numerous rights which Members, Registered Event Account Holders and their Associated Contacts (“You”) have vis-à-vis the Company. Many of the Rules are the same as under previous legislation but there are a number of new elements. GDPR is an EU Directive directly applicable in all Member States without the need for local legislation. However, the UK has decided that it requires the content of GDPR to apply after the UK leaves the EU and has tabled a Bill in the House of Lords which will achieve this objective.
If You have any queries do please contact us at firstname.lastname@example.org
What is Lawful Processing?
What data does the Company acquire and keep about members and other associated contacts?
Where does the Company obtain the data from and how is the data stored?
Does the Company transfer such data elsewhere?
How long does the Company retain such data?
GDPR changes the relationship between the Company and You in relation to the information (data) which the Company collects from You and then processes and stores. Some data is necessarily provided to or accessed by a third party, such as an event venue, caterer or the Company bookkeeper. Many of the requirements of GDPR are mandatory, but where there are options we will identify and explain the option the Company is using. Many of the terms are technical, but You need to be aware of the terms in order to understand what GDPR stipulates. The Company’s first task is to be a lawful processor of Your data.
Membership of the Company is a form of contract where Members pay a fine and quarterage in return for which Members receive benefits and services provided by the Company; being a Registered Event Account Holder is a similar form of contract. The Company asserts that it is a lawful processor by virtue of these relationships and therefore does not need to obtain specific consent to process data. The Company also considers that it is exempt from any obligation to appoint a Data Protection Officer (“DPO”) under GDPR, but it does accept its obligation to carry out processing in ways which are lawful, fair and transparent. The Company acknowledges that it may be required to appoint a designated DPO by the forthcoming UK legislation.
Types of Data Collected and Stored
The Company is committed to recording accurate personal data which primarily consists of the information on the Membership Application Form and the banking information on the Direct Debit Mandate. Date of birth is recorded because subscription rates may vary with the Member’s age. The Company does not collect sensitive personal data (special category data) such as genetic, biometric or health data nor information on race, ethnicity, religion, political persuasion, or sexual orientation. The Company may however use your data to enhance your experience of Company Membership and events by recording your personal preferences, interests, dietary and access requirements and geographical location. Similarly, the Company may use the information you provide summarising your professional skills to assist in the resourcing of ProBono support to Not-for-Profit organisations as part of our philanthropic activities.
The Company may verify the information supplied in the Membership Application Form but does not seek additional information when considering an application. If information is published (i.e. in the public domain) about a Member, e.g. personal, professional or civic honour, award, achievement, etc., the Company is likely to add such information to your Membership record.
The Company’s database is held on wix.com servers and complies with the GDPR requirements; it allows Members to access and update their personal and professional data. Members are able to correct errors; Members need to request deletion of their data should they wish to remove their details from our servers. In the event of there being a data breach, the Company undertakes to inform you (as well as any relevant authority) not later than one month after the Company becomes aware of the breach. The Company does not believe that the data it holds gives rise to any need to report a breach to the Information Commissioner within 72 hours but it is conscious of the possible need to do so. Any paper records are also held securely.
The Company’s database is held on wix.com servers and similarly requires that we store data, typically name, primary email contact and telephone number. In the event of there being a data breach, the Company undertakes to inform you (as well as any relevant authority) not later than one month after the Company becomes aware of the breach. The Company does not believe that the data it holds gives rise to any need to report a breach to the Information Commissioner within 72 hours but it is conscious of the possible need to do so.
Transfer and Sharing of Data
The Clerk (which includes any assistant), who is an employee of the Company, is the principal processor of Your data. Book-keeping is undertaken by an independent sub-contractor on whom required legal obligations have been imposed in relation to processing Member data. The Company’s IT hosting and support providers may also need to access Your data from time to time but always under Company supervision.
The Company’s Officers and Committees may also wish to look at Member data from time to time, for example in relation to the deletion of contact details due to non-engagement after a period of time has elapsed.
The Company does not knowingly transfer Your data outside the EU and requires all its suppliers not to make such transfers. The ultimate location of computer servers may make this apparently simple commitment difficult to enforce.
Retention of Data
The Company intends to hold your data for 7 years.
In the case of a Member’s resignation, all data will be held unless requested otherwise, when we reserve the right to keep your name, membership dates and the date of resignation.
In the case of a Member’s exclusion, all data will be held for eight years, in order that appropriate institutional memory exists. At the end of this period your name, membership dates and date of exclusion will be retained.
In the case of death, we will keep your data indefinitely for archival purposes only. The Company will consider requests for erasure received from immediate family and/or executors, in which case your name, membership dates and date of death will be retained.
To Complain: Ideally the Company would wish to try and deal with complaints itself before recourse to any external authority and asks You to submit complaints to us via email at email@example.com but we are open to You submitting a complaint at any time to the Office of the Information Commissioner.
To have correct data recorded by the Company: The Company will be happy to correct errors; Members and Registered Account Holders are reminded that You are able to amend and correct any errors Yourself.
To require the Company to erase data which it holds about You: The Company will fully respect the new legislation but reminds You that the low-level information gathered is perceived to be the minimum needed to provide You with the benefits of Membership.
This policy applies when You use the Company website. There is a link to the policy on the site.
Review and Updates
This policy will be reviewed in May 2020 and annually thereafter, unless changes in the law require an interim review. Whenever this policy is updated or amended, You will be advised.
Dated: May 2019