YYC GDPR Notice Issue 1.01

Yealm Yacht Club

GENERAL DATA PROTECTION REGULATIONS

GENERAL PRIVACY NOTICE

(Issue 1.01 12/11/2019 - updated to reflect transition to use of external membership services Processor)
(Issue 1 24/05/2018 - Initial release)

1. Background

1.1. You as a Member

This document sets out to explain to members of the Yealm Yacht Club (YYC) why data about a member is held and how it is used. It is assumed that the reader of the document is a Club Member of the YYC and thus the "you" is used in the document to refer to a member of the YYC and "Club" means the Yealm Yacht Club.

1.2. Why the Need to Conform

On May 2018, the General Data Protection Regulations (GDPR) came into force building upon existing legislation such as the Data Protection Act 1998. GDPR places more onerous responsibilities on any organisation that holds personal data. As a Sports Private Members Club (as defined by the VAT Act 1994) the Yealm Yacht Club (YYC) is therefore subject to GDPR.

1.3. Personal Data

Personal data broadly means any piece of information that can allow an individual to be directly or indirectly identified (for example names, addresses, email addresses). This includes data which on its own may not precisely identify an individual, but which if combined with other information – even from another source – might allow that individual to be identified.

1.4. Sensitive Personal Data

GDPR also includes a category of ‘sensitive personal data’ which imposes even stricter regulation; this data would be any of the following:

• racial or ethnic origin;
• political opinions;
• religion or philosophical beliefs;
• trade union membership;
• health;
• sex life or orientation.

However the YYC does not collect or hold such data.

1.5. GDPR Controller and Processor

The GDPR defines two levels of responsibility for its control and implementation, the Controller and the Processor.

The Processor is responsible for the processing of data to comply with GDPR, and may be an internal operation and/or an external organisation.

The Controller has responsibilities for the oversight of and ensuring that the Processors are meeting their obligations under GDPR.

For the purpose of the GDPR YYC is both a Controller and is currently a Processor. Other external organisations, as notified to the Club Membership, may also be used to hold and process your data for the purposes of club administration and management.

2. Aim of this Privacy Notice

The aim of this Privacy Notice is to explain why the YYC needs the personal data it holds and how it will acquire, store, use and, most importantly, secure that data in order to be compliant with GDPR.

3. The Legal Basis for Holding Personal Data of YYC Members

The basic premise of GDPR is that there has to be a legal basis for an organisation to hold and process personal data. GDPR recognises 6 bases. The lawful basis that applies to YYC Members is Contract. This means that the processing of data is necessary because of a contract an organisation has with an individual.

In the case of the YYC, the contract is the provision of defined membership services in return for members paying a membership fee or by virtue of membership being awarded as an Honorary Member. In these circumstances, the sole purpose of holding and storing personal data is so that the YYC can provide these membership services.

3.1. Compliance with GDPR

To comply with GDPR personal data of a member held by the YYC must be:

• Used lawfully, fairly and in a transparent way;
• Collected only for valid purposes that have clearly been explained to you;
• Not used in any way that is incompatible with those purposes;
• Relevant to and limited to the purposes we have told you about;
• Accurate and kept up to date;
• Kept only as long as is necessary for the purposes we have told you about and to comply with any other legal requirement such as HMRC regulations;
• Kept and destroyed the data securely. This includes ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.
  

3.2. Your rights regarding your personal data

GDPR establishes the following rights for you:

• Right to be informed. You have the right to be informed why we need your personal data and how we will use and protect it. This is the principal purpose of this Privacy Notice.
• Right to access. You have the right to request the personal data we hold on you. We are required to provide that information at the latest within one month.
• Right to rectification. If the data we hold on you is incorrect, out of date or incomplete, you can request a rectification. We must respond to such a request within one month.
• Right to erasure. If you believe that we should no longer be holding your personal data or we are unlawfully using it, you can request that we erase the data we do hold, the so called ‘right to be forgotten’. We have to complete the erasure within one month.
• Right to restrict processing. You have the right to restrict how we use your data and we must act within one month. A simple example would be if you no longer wanted us to communicate with you by email.
• Right to data portability. Although this is highly unlikely in the circumstances of the YYC, you have the right to request that we electronically move, copy or transfer your personal data to another organisation.
• Right to object. You have the right to object if we use your data for any purpose other than that to which you have consented.

3.3. Need to Acquire Personal Data

As a Sports Private Members Club, the YYC requires personal data for some or all of the following purposes:

• To maintain a record of its current members;
• To process relevant financial information relating to membership e.g. payment of the membership fee by Direct Debit;
• To confirm your identity to provide some or all of these services;
• To enable the fulfilment of the sporting activities of the Club;

To contact you to facilitate the provision of membership services. This may be by post, email, telephone or social media. The following list is not exhaustive but includes:

• To notify you of any changes to our services, events, Committee Members, Officers or staff.
• To confirm your membership status when membership renewal is due.
• To advertise any events that are allied to our sporting objectives.
• To provide articles that might be of interest to you.
• To provide the YYC Newsletter and information about Club activities;
• To distribute the papers relevant to an Annual or Special General Meeting.

This may be done either electronically, by post or hand delivered.

• To promote the interests of the YYC.
• To seek your views, opinions and comments.

4. Personal Data

4.1. What Personal Data is Required?

The principle is that we only need the minimum personal data to efficiently and effectively run a Membership Sports Organisation. In practice this means:

• Names
• Addresses
• Email addresses (for those who wish to be contacted by email)
• Telephone number(s)
• Date of Birth to establish eligibility for certain categories of membership e.g. Cadet, Student or Senior.
• Boat or Yacht details where applicable.
• Certificates of competence relevant to the activities of the Club.

In addition for those who pay their subscription by Direct Debit:

• Name of bank
• Bank sort code
• Account No
• Account Name

4.2. How is the data acquired?

The principal and preferred method of acquiring your personal data is by completion of an online application or renewal form to join or continue membership of the Club. However other methods of application such as by email or by completion of a paper copy of our application form may be accepted.

4.3. Storing Personal Data

Your personal data is currently stored by transferring your details into a Relational Database located within the Club's premises. Access to this data is on a need to know basis by relevant officers and staff of the Club. The Club is transitioning to the provision of membership administration processing and storage by an external service provider, as denoted in the Appendix to this notice and themselves regulated under UK law including the GPDR.

4.4. Data Validation

Every year your renewal notice includes the description of the data held by the Club (excluding Bank details). We rely on you to inform us of any changes to your data then or at any time a change to the information is relevant.

4.5. Personal Data Retention Period

The Club will keep your personal data for as long as you are a member of the YYC. Once your membership ceases only the data necessary to comply with HMRC regulations will be retained for the required six tax years which may be up to seven calendar years. Your personal data will then be securely deleted or destroyed.

4.6. Securing Personal Data

Protecting your personal data is of paramount importance to us. The data may currently only be accessed through the Club's computerised system that accesses the database. This access is on a need to know basis by the relevant Club Officers, Committee Members or staff in order to fulfil their Club related functions. As noted above we are currently transition our administration system to an external Processor where your data will only be visible to authorised Club Officers, Committee Members or Staff as above, plus authorised staff of the external Processor as noted in their Data Protection Statement linked from the Appendix below. 

As the data is essential for the purposes of running the Club a copy is maintained by an external Processor. This data is encrypted then transmitted and stored in two locations in the UK by a UK company regulated by UK laws including the GDPR.

4.7. Do we share your personal data?

No.

The Club will not under any circumstances share your personal data with any other body or organisation unless you have given your explicit permission for us to do so.

Mailings ether by post or electronically are sent to members who are known to be no longer members of the Club.

4.8. Action is taken if there is a breach of data

Should the YYC suspect or confirm that there has been a breach of personal data, the matter will be investigated as soon as possible. The individual(s) concerned will be informed of the details of the breach. If the breach falls into a category of severity that requires the Information Commissioner’s Office to be informed, this will be done as soon as is practicable. YYC rules and procedures will then be reviewed and amended as necessary to prevent a reoccurrence.

5. Summary

GDPR places a considerable legal responsibility on the YYC in order to ensure that any personal data it holds on you is secure and only used for purposes which you have been made aware of as a member of the YYC. Because we are a membership organisation, the legal basis for holding your personal data is termed Contract ie. the YYC is contracted to provide some or all of the membership services outlined in this Privacy Notice because you have voluntarily become a member of the YYC. This Notice also describes: what personal data we require; why we need it; how we store it; and how we secure it. Any further clarification can be obtained by contacting a member of the Management Committee.

6. Appendix