YYC GDPR Notice Issue 1.01
Yealm Yacht Club
GENERAL DATA PROTECTION REGULATIONS
GENERAL PRIVACY NOTICE
(Issue 1.01 12/11/2019 - updated to reflect transition to use of external membership services Processor)
(Issue 1 24/05/2018 - Initial release)
1.1. You as a Member
This document sets out to explain to members of the Yealm Yacht Club (YYC) why data about a member is held and how it is used. It is assumed that the reader of the document is a Club Member of the YYC and thus the "you" is used in the document to refer to a member of the YYC and "Club" means the Yealm Yacht Club.
1.2. Why the Need to Conform
On May 2018, the General Data Protection Regulations (GDPR) came into force building upon existing legislation such as the Data Protection Act 1998. GDPR places more onerous responsibilities on any organisation that holds personal data. As a Sports Private Members Club (as defined by the VAT Act 1994) the Yealm Yacht Club (YYC) is therefore subject to GDPR.
1.3. Personal Data
Personal data broadly means any piece of information that can allow an individual to be directly or indirectly identified (for example names, addresses, email addresses). This includes data which on its own may not precisely identify an individual, but which if combined with other information – even from another source – might allow that individual to be identified.
1.4. Sensitive Personal Data
GDPR also includes a category of ‘sensitive personal data’ which imposes even stricter regulation; this data would be any of the following:
However the YYC does not collect or hold such data.
1.5. GDPR Controller and Processor
The GDPR defines two levels of responsibility for its control and implementation, the Controller and the Processor.
The Processor is responsible for the processing of data to comply with GDPR, and may be an internal operation and/or an external organisation.
The Controller has responsibilities for the oversight of and ensuring that the Processors are meeting their obligations under GDPR.
For the purpose of the GDPR YYC is both a Controller and is currently a Processor. Other external organisations, as notified to the Club Membership, may also be used to hold and process your data for the purposes of club administration and management.
2. Aim of this Privacy Notice
The aim of this Privacy Notice is to explain why the YYC needs the personal data it holds and how it will acquire, store, use and, most importantly, secure that data in order to be compliant with GDPR.
3. The Legal Basis for Holding Personal Data of YYC Members
The basic premise of GDPR is that there has to be a legal basis for an organisation to hold and process personal data. GDPR recognises 6 bases. The lawful basis that applies to YYC Members is Contract. This means that the processing of data is necessary because of a contract an organisation has with an individual.
In the case of the YYC, the contract is the provision of defined membership services in return for members paying a membership fee or by virtue of membership being awarded as an Honorary Member. In these circumstances, the sole purpose of holding and storing personal data is so that the YYC can provide these membership services.
3.1. Compliance with GDPR
To comply with GDPR personal data of a member held by the YYC must be:
3.2. Your rights regarding your personal data
GDPR establishes the following rights for you:
3.3. Need to Acquire Personal Data
As a Sports Private Members Club, the YYC requires personal data for some or all of the following purposes:
To contact you to facilitate the provision of membership services. This may be by post, email, telephone or social media. The following list is not exhaustive but includes:
This may be done either electronically, by post or hand delivered.
4. Personal Data
4.1. What Personal Data is Required?
The principle is that we only need the minimum personal data to efficiently and effectively run a Membership Sports Organisation. In practice this means:
In addition for those who pay their subscription by Direct Debit:
4.2. How is the data acquired?
The principal and preferred method of acquiring your personal data is by completion of an online application or renewal form to join or continue membership of the Club. However other methods of application such as by email or by completion of a paper copy of our application form may be accepted.
4.3. Storing Personal Data
Your personal data is currently stored by transferring your details into a Relational Database located within the Club's premises. Access to this data is on a need to know basis by relevant officers and staff of the Club. The Club is transitioning to the provision of membership administration processing and storage by an external service provider, as denoted in the Appendix to this notice and themselves regulated under UK law including the GPDR.
4.4. Data Validation
Every year your renewal notice includes the description of the data held by the Club (excluding Bank details). We rely on you to inform us of any changes to your data then or at any time a change to the information is relevant.
4.5. Personal Data Retention Period
The Club will keep your personal data for as long as you are a member of the YYC. Once your membership ceases only the data necessary to comply with HMRC regulations will be retained for the required six tax years which may be up to seven calendar years. Your personal data will then be securely deleted or destroyed.
4.6. Securing Personal Data
Protecting your personal data is of paramount importance to us. The data may currently only be accessed through the Club's computerised system that accesses the database. This access is on a need to know basis by the relevant Club Officers, Committee Members or staff in order to fulfil their Club related functions. As noted above we are currently transition our administration system to an external Processor where your data will only be visible to authorised Club Officers, Committee Members or Staff as above, plus authorised staff of the external Processor as noted in their Data Protection Statement linked from the Appendix below.
As the data is essential for the purposes of running the Club a copy is maintained by an external Processor. This data is encrypted then transmitted and stored in two locations in the UK by a UK company regulated by UK laws including the GDPR.
4.7. Do we share your personal data?
The Club will not under any circumstances share your personal data with any other body or organisation unless you have given your explicit permission for us to do so.
Mailings ether by post or electronically are sent to members who are known to be no longer members of the Club.
4.8. Action is taken if there is a breach of data
Should the YYC suspect or confirm that there has been a breach of personal data, the matter will be investigated as soon as possible. The individual(s) concerned will be informed of the details of the breach. If the breach falls into a category of severity that requires the Information Commissioner’s Office to be informed, this will be done as soon as is practicable. YYC rules and procedures will then be reviewed and amended as necessary to prevent a reoccurrence.
GDPR places a considerable legal responsibility on the YYC in order to ensure that any personal data it holds on you is secure and only used for purposes which you have been made aware of as a member of the YYC. Because we are a membership organisation, the legal basis for holding your personal data is termed Contract ie. the YYC is contracted to provide some or all of the membership services outlined in this Privacy Notice because you have voluntarily become a member of the YYC. This Notice also describes: what personal data we require; why we need it; how we store it; and how we secure it. Any further clarification can be obtained by contacting a member of the Management Committee.
All emails sent by the system contain a tracking pixel. This is used to track whether each email has been opened by the recipient, and when. This information can be viewed by those users of the system with permission to view email delivery reports. We do not display any information regarding the location of the recipient. Note that the tracking pixel is only activated if the recipient chooses to download images into their email client.