Data Protection Policy
Date created: 29 June 2018
The purpose of this Data Protection Policy (DPP) is to demonstrate that the Society, a small organisation (an enterprise employing fewer than 250 persons, for which the GDPR relaxes certain record-keeping obligations), is compliant with the ‘data protection principles’ set out in Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR).
This DPP is applicable to all data processing undertaken by the Society.
Definitions
Customer – A person, not a member of the Society, who has bought goods or services from the Society
GDPR – General Data Protection Regulation
DPP – Data Protection Policy
ICO – Information Commissioner’s Office (UK)
Member – A person who has joined the Society on payment of their annual subscription
Lawfulness, fairness and transparency
Information held by the Society
The Society will carry out an annual information audit during the first quarter of each year. The audit will incorporate a review of the management of member and customer personal data held by the Society and will identify any potential risks to the security of such personal data.
Lawful basis for processing member and customer personal data
The Society has elected to use ‘Consent of the data subject’ (Article 6(1)(a)) as the lawful basis for collecting and processing Society member and customer personal data. Consent must be freely given, specific and informed, and members and customers may withdraw it at any time by writing to the Society Membership Secretary.
Society members will be requested to give their ‘Consent’ to the storage and processing of their personal data at the time they submit their membership application to the Society. Society customers will be requested to give their ‘Consent’ when they purchase goods or services from the Society.
Consent to process children’s data for online services
Membership of the Society is restricted to persons 18 years of age or older and therefore ‘Consent to process children’s data for online services’ is not applicable to the Society.
Registration with the ICO
The Society is registered with the ICO.
Right to be informed including privacy information
The Society Privacy Notice will be displayed in the public area of the Society website and in the Society Quarterly Journal; it will also be sent by the Society Membership Secretary to those new Society members who elect to submit hard copy (paper) membership application forms to the Society. A copy of the Society Privacy Notice will also be included with all goods and services delivered by the Society.
Communicating the processing of children’s personal data
Membership of the Society is restricted to persons 18 years of age or older and therefore the requirements for ‘Communicating the processing of children’s personal data’ are not applicable to the Society.
Right of access
Society members and customers will have the right to:
- Obtain confirmation that their personal data is being processed
- Receive a copy of the personal data recorded about them by the Society
This ‘Right of access’ will be stated in the Society Privacy Notice. Society members and customers can request access to their personal data by writing (email is acceptable) to the Society Membership Secretary, who will respond within the one-month period set by Article 12(3).
Right of rectification and data quality
Society members and customers will be responsible for advising the Membership Secretary, in writing (email is acceptable), of any changes to their personal data that occur after their application to join is accepted by the Society or after their receipt of goods and services from the Society. The Membership Secretary will correct the Society records accordingly.
Right of erasure including retention and disposal
Society members will be responsible for instructing the Society Membership Secretary, in writing (email is acceptable), if they require their personal data to be erased from the Society records. The Society Membership Secretary shall then advise the member, in writing, when this erasure has been completed.
From this time the person requesting the erasure shall no longer be a member of the Society and will receive no further communications from the Society, including the Society Quarterly Journal; they will no longer have access to the members’ section of the Society website; membership fees will not be refunded.
Society customers can also write to the Society Sales Office Manager instructing that their personal data be erased from the Society files. The Society Sales Office shall confirm to the customer, in writing, when this erasure has been completed.
Unless requested by members or customers to erase their personal data from the Society’s electronic or hard copy (paper) files, the Society shall retain such personal data for seven years after the lapse of a Society membership or after the most recent date of a purchase of goods or services from the Society by a customer, after which it will be securely disposed of.
Right to restrict processing
Personal data retained by the Society will consist of the contact details and payment details used to manage annual subscriptions paid by Society members and payments from customers for goods and services received from the Society. Members and customers have the right to block or restrict the processing of their personal data by notifying the Society Membership Secretary in writing (email is acceptable).
Right of data portability
Because the Society processes member and customer personal data on the basis of consent and holds it in electronic files, the right to data portability (Article 20) applies to that data. Members and customers may request a copy of the personal data they have provided, in a commonly used, machine-readable format, by writing (email is acceptable) to the Society Membership Secretary.
Right to object
The personal data provided by members and customers to the Society will be for the purpose of becoming a member of, or to purchase goods or services from the Society.
Therefore, if members or customers object to the Society processing their personal data, the Society will refer them to the ‘Right of erasure including retention and disposal’ section of this document.
Rights related to automated decision making including profiling
The Society will not use member and customer personal data for automated decision making and profiling.
Accountability and governance
The Society monitors its compliance with this Data Protection Policy and carries out an annual audit of the effectiveness of its data handling and security controls. This includes data protection awareness training for all Society volunteers involved in the processing of Society members’ and customers’ personal data.
Data Processor Contract
There will be written Data Processor Contracts in place, meeting the requirements of Article 28, between the Society and all Society Data Processors.
The Society will carry out annual information management risk assessments and put in place measures required to mitigate risks to member and customer personal data.
Data Protection by Design
The Society will put in place the policies and procedures necessary to demonstrate that it meets its obligation to implement appropriate technical and organisational measures to protect personal data.
Data Protection Impact Assessments (DPIA)
The Society does not consider the personal data processing it undertakes likely to result in a high risk to the rights and freedoms of individuals, as defined in Article 35 of the GDPR, and therefore DPIAs are not required. This assessment will be revisited in the annual information audit.
Data Protection Officer
The Society will appoint a ‘Data Protection Lead’ as the focal point for all GDPR matters within the Society.
Data security, international transfers and breaches
The Society will issue a Security Policy demonstrating its commitment to maintaining the security of its member and customer personal data.
Personal data held by the Society will only be transferred outside the jurisdiction of the GDPR if the conditions for transfer set out in Chapter V of the GDPR are met.
The Society will issue a Data Breach Policy demonstrating its commitment to managing any breach of its personal data management systems, including notification of the ICO within 72 hours of becoming aware of a breach where required by Article 33, and the timely notification of affected Society members and customers where required by Article 34.