Privacy Notice: BADCCC under GDPR
With effect from 25th May 2018 the General Data Protection Regulation (GDPR) applies to processing Members’ personal records that support the smooth running of Barkham and District Classic Car Club (the Club).
The GDPR requires personal data to be processed in a manner that ensures its security, AND only used for the purposes for which it was collected. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. This privacy notice sets out how the Club intends to do this, and under which lawful basis the Club is relying upon to operate transparently under GDPR.
I have considered the full range of options under GDPR that allows for the processing of personal data and believe that ‘Legitimate Interests’ is the most appropriate basis to proceed (Art 6.1 of GDPR).
This is simply because the only personal information to be held by the Club will be names and email addresses, linked to vehicle make / model, and this will be the only information that will be processed. All other personal data has been deleted.
There are a number of elements supporting the Club’s legitimate interests basis:
• The legitimate interest in voluntarily joining the Club with a common interest to attend classic car events;
• All personal data will be voluntarily supplied to the Club by the person who owns the data, and no 3rd party data will be used;
• Processing email addresses and vehicle details is necessary for the smooth running of Club activities; and
• The processing of this information is balanced against the individual’s interests, rights and freedoms, of which there is no conflict.
• There is no other less intrusive way of making this happen.
• Members will reasonably expect such a database to be maintained and the information processed, and
• Maintaining this database and processing the information is unlikely to cause unjustified harm.
There is a ‘right to erasure’, or right to be forgotten. The broad principle underpinning this right is to enable a Club Member to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Members will be signposted to this privacy notice, which will be held on the Club website.
The GDPR provides the following rights for individuals (Members):
1 The right to be informed
2 The right of access
3 The right to rectification
4 The right to erasure
5 The right to restrict processing
6 The right to data portability
7 The right to object
8 Rights in relation to automated decision making and profiling.
The Club is relying on the Legitimate Interests clause as the legal basis for processing information within the Club. This is the most flexible lawful basis for proceeding, and is most appropriate where Clubs use people’s data in ways that they would reasonably expect, and which have a minimal privacy impact. That is the case with the Club. I will only be using email addresses for Club business. Other than vehicle make / models I do not retain any other information.
I accept, and have taken, extra personal responsibility for considering and protecting Members’ rights and interests accordingly. No personal information is shared with 3rd parties, in fact not even with other Members!
Members may think that ‘Consent’ is required to maintain and process the information; however, ‘Consent’ is only one of the 6 legal bases for processing. It is more suitable when a company wishes to use data for marketing, for 3rd parties, or for running a business. In fact it is a pretty bad legal basis for processing for a membership based Club such as BADCCC, as the ICO says that if you make ‘Consent’ a precondition of service it is unlikely to be the most appropriate lawful basis for processing.
The ICO states that the GDPR sets a high standard for ‘consent’. But often you won’t need consent as there are 5 other ways to comply legally.
Clearly, some Members have offered their consent for me to retain their information, but I don’t need it if I am relying on the legitimate interests clause. All personal information has been voluntarily provided to the Club so that individuals can become Members of the Club and it is reasonable to expect the information will be used to inform Members of current and future activity.
I will need ‘consent’ though, should I decide to share the information with others, which I have no intention of doing. This will change the whole legal basis for processing information.
Further information on Legitimate Interests can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
What happens to your data?
Email addresses and vehicle make / model information are maintained solely within BT Internet Mail services, within three categories: 1) Members; 2) Awaiting Membership; 3) Car Clubs.
I ONLY RETAIN EMAIL ADDRESSES FOR CLUB MEMBERS / PARTNERS IN THE BADCCC EMAIL ACCOUNT, TOGETHER WITH MAKE OF VEHICLE AND REGISTRATION NUMBER IN CASE A SHOW PASS IS REQUIRED. I DO NOT RETAIN ANY OTHER INFORMATION ABOUT MEMBERS. IF YOU HAVE EVER PROVIDED THAT INFORMATION TO ME IT HAS BEEN DELETED FROM CLUB RECORDS.
Your data is only processed to send you information about upcoming Club events, key activities, or external events that the Club is attending.
Responding to subject access requests
Subject access requests (requests for copies of personal data from individuals) will need to be responded to within one calendar month rather than the current 40 calendar day period. It is also no longer possible to charge £10 for dealing with the request. IF YOU SEND ME A REQUEST I SHALL REPLY WITHIN THE TIMESCALE, BUT WILL ONLY HAVE THE ABOVE INFORMATION, IF YOU ARE A MEMBER, OR APPLYING TO BECOME A MEMBER.
There will be direct obligations on data processors as well as on data controllers. This may mean that if I use any third parties to process data, for example hosting the BADCCC website, then I must have a written contract in place, and these are likely to be negotiated and drafted in favour of the data processors. I WILL NOT BE USING 3RD PARTIES TO PROCESS PERSONAL DATA. THE WEBSITE ONLY CONTAINS DETAILS OF EVENTS AND PHOTOGRAPHS.
Consent will be much harder to achieve. If I were to rely on consent from individuals to use their personal data in certain ways, for example to send marketing emails, then there are additional requirements to comply with. NOTWITHSTANDING THIS REQUIREMENT, WITH IMMEDIATE EFFECT I WILL NOT BE SENDING YOUR EMAIL DETAILS TO ANY OTHER 3RD PARTY FULL STOP! ESPECIALLY WITHOUT YOUR PRIOR APPROVAL. THE ONLY MARKETING EMAILS YOU RECEIVE FROM BADCCC WILL BE RELEVANT TO YOUR MEMBERSHIP OR UPCOMING EVENTS. YOU WILL UNDERSTAND IF I DO NOT SHARE YOUR EMAIL ADDRESS WITH OTHER PARTIES AS I DO NOT WISH TO CONTRAVENE THESE REGULATIONS. IF YOU ARE ORGANISING A CLASSIC CAR EVENT YOURSELF, THEN YOU WILL NEED TO GIVE ME PERMISSION TO ADD YOUR NAME AND EMAIL DETAILS TO THE EVENTS PAGE ON THE WEBSITE. PREVIOUS CALENDAR EVENTS ARE AUTOMATICALLY ARCHIVED BY THE WEBMASTER.
Retention policies need to be clear. I can’t keep data for longer than is necessary for the purpose for which it was collected. I also need to inform people how long I will keep their personal data and I can’t keep it indefinitely. YOUR EMAIL ADDRESS AND VEHICLE DETAILS WILL ONLY BE RETAINED BY MYSELF FOR THE DURATION THAT YOU REMAIN AN ACTIVE PAID UP MEMBER, OR AWAITING YOUR DECISION TO JOIN THE CLUB. IF MEMBERSHIP SUBSCRIPTIONS ARE NOT RENEWED, ALL RECORDS WILL BE DELETED WITHIN 3 MONTHS OR IMMEDIATELY UPON RECEIVING AN EMAIL THAT YOU NO LONGER WISH TO REMAIN A MEMBER.
Privacy by design
If I were to plan on putting in place a new system or electronic portal, then I need to consider whether the service provider I choose has adequate security to protect personal data.
THE CLUB DOES NOT HAVE SUCH AN AUTOMATED FACILITY NOR ARE THERE CURRENTLY ANY PLANS TO DO SO. I AM CONTENT THAT BT INTERNET HAS ADEQUATE SECURITY TO PROTECT PERSONAL DATA HELD ON THE EMAIL LIST.
I will only have 72 hours from being aware of a breach to report it to the ICO. Under the Data Protection Act there are no obligations to report breaches. I AM HAPPY TO REPORT ANY BREACHES AS REQUIRED, BUT I DO NOT ANTICIPATE THERE BEING ANY.
Some of the common things clubs are advised upon
One of the principles of the Data Protection Act 1998 (and the GDPR) is that I can only process data for the purpose for which it is collected. This means that if I collect the name and contact details of an individual so that they can become a member of the club, I can’t simply use that information to allow affiliates to contact them for marketing purposes. I also need to tell people when they join the club if I am going to transfer their data, for example to an umbrella organisation. AS I SAY EARLIER, THE ONLY REASON I WILL USE THE DATA IS FOR CLUB PURPOSES AND I WILL NOT SHARE IT WITHOUT PRIOR WRITTEN APPROVAL.
Subject access requests:
I SHALL MAINTAIN A LOG OF ANY SUBJECT ACCESS REQUESTS, AND THE TIMESCALE IN WHICH I RESPOND. ANY REQUESTS WILL BE DONE VIA EMAIL SO THAT AN ELECTRONIC RECORD IS MAINTAINED FOR EVIDENCE TO THE ICO.
Privacy or data capture statements
When individuals provide me with their details, they will always know why I have them and what I will do with their information.
I need to make sure that personal data is held securely, i.e. that electronic documents are encrypted and password protected and that they are backed up on a regular basis. Our webmaster is also aware of these regulations. DETAILS ARE MAINTAINED SOLELY ON THE CLUB EMAIL DATABASE, ACCESSED SOLELY BY MYSELF, (DOUBLE) PASSWORD PROTECTED AND SECURELY HELD. OTHER INFORMATION MAY BE HELD ON THE CLUB FACEBOOK PAGE, IF YOU HAVE ‘LIKED’ OUR PAGE. NO OTHER PERSONAL DETAILS WILL BE ENTERED ON THE FACEBOOK PAGE EITHER.
IF YOU WISH PART OR ALL OF YOUR CLUB RECORD DELETED, PLEASE LET ME KNOW.
FINALLY, IF YOU KNOW MORE ABOUT THE GDPR THAN I HAVE INCLUDED IN THIS PRIVACY NOTICE, PLEASE BE SO KIND AS TO LET ME KNOW SO THAT I CAN KEEP WITHIN THE LAW.
Barkham and District Classic Car Club.
1st February 2018
The website security is provided by our hosting supplier (“Krystal”) and the products (e.g. “Wordpress”) used to build the website.
The content of the website is entirely at the disposal of the members and while every effort has been taken to remove unnecessary visual information (i.e. registration numbers) from images provided by the members, some may still exist.
Note that the website carries none of the personal information referred to in the Privacy Notice above, unless authorised by the member or members concerned (e.g. as a contact for an event).
If you see anything that you would like edited or removed from the website please contact us via any of the contact forms on the website.
The Webmaster. May 2018