Elddis Owners Club Limited
1. Policy Statement
This is the Data Protection Policy of the Elddis Owners Club Limited (“The Club”).
The Club is committed to managing personal information carefully and lawfully in accordance with the General Data Protection Regulations (“GDPR”) and other related legislation which protects personal information.
During the course of our activities, the Club will collect, store and process personal data about our members and other individuals who come into contact with the Club. We recognise that the correct and lawful treatment of this personal information is critical to maintaining the confidence of those connected with the Club, whether that be members or otherwise.
Data users are obliged to comply with this policy when processing personal data on our behalf.
2. About this policy
The types of personal data that we may be required to handle include information about new members, current members, past members and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR and other regulations.
This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
This policy exists to ensure that the Club:-
• Complies with data protection law and follows good practice.
• Protects the rights of members.
• Is open about how it stores and processes members’ data.
• Protects itself from the risks of a data breach.
This policy has been approved by the Management Committee. It sets out rules on data protection and the legal conditions that must be satisfied when the club obtains, handles, processes, transfers and stores personal data.
This policy should be read in conjunction with the Club’s Privacy Notice.
3. Definitions of Data Protection Terms
Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
Data subjects means an identified or identifiable natural person.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’).
Data controllers are the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; they are responsible for establishing practices and policies in line with the GDPR. We are the data controller of all personal data used in our school for our own educational purposes.
Data users are those of our members whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the club.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise.
Special category of personal data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. This type of personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned (sensitive personal data).
4. Principles of the Data Protection Regulations
Anyone processing personal data must comply with the enforceable principles of good practice. These provide that personal data must be:-
Processed lawfully, fairly and in a transparent manner.
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Not kept longer than necessary for the purpose.
Secure - in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. Fair and lawful processing
Appropriate use of information provided by members will include:-
• Communicating with members about Club events, rallies and activities.
• Sending members issues of the Club events/rally book and newsletters.
• Communicating with members about their membership and/or renewal of their membership of the Club.
• Communicating with members about specific issues associated with their membership of the Club.
Members of the Club will only be asked to provide information that is relevant for membership purposes. This will include:-
• Postal address
• Email address
• Telephone number
• Make, model and year of caravan, campervan or motorhome
5.2 Rally forms for attending a Club rally event or activity.
5.3 Children’s Records.
The information collected will include:-
• Postal Address
• Date of Birth
• Adult member’s membership number
6. Processing for limited purposes
We will only collect and process personal data for specified, explicit and legitimate reasons. We will not further process that personal data unless the reason for doing so is compatible with the purpose or purposes for which it was originally collected.
7. Notifying Data subjects
If we collect personal data directly from data subjects, we will provide information which they are entitled to receive under the GDPR. This will, amongst other things, include the following:-
The purpose or purposes for which we intend to process personal data.
The legal basis on which we believe the processing to be lawful.
The types of third parties, if any, with which we will share or to which we will disclose personal data.
Their individual rights as set out under the GDPR.
8. Adequate, Relevant and limited processing
We will only collect personal data to the extent that it is necessary for the specific purpose notified to the data subject.
9. Accurate Data
The Club will ensure that personal data the club holds is accurate and kept up to date. The Club will check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
We will take all reasonable steps to ensure that personal information that is inaccurate is either erased or rectified without delay.
The club does not hold any sensitive personal data.
In supporting the club to maintain accurate records, members and other individuals whose personal information the club may process are responsible for:-
(a) Checking that any information that they provide to the club is accurate and up to date.
(b) Informing the Club of any changes to information that they have provided.
10. Timely processing
We will not keep personal data longer than is necessary for the purpose or purposes for which it was collected. We will take all reasonable steps to destroy and erase from our systems, all data which is no longer required.
11. Processing in line with data subjects’ rights
The club will process all personal data in line with data subjects’ rights under the GDPR and related laws, in particular their right to:-
Request access to any data held about them by a data controller.
Rectification of inaccurate information.
Erasure of personal data concerning the data subject.
Restrict the processing of the data subject’s personal data.
Object to the processing of the data subject’s personal data.
To receive personal data concerning the data subject in a commonly used format (known as data portability) and have this transferred to another controller without hindrance.
12. Data Security
The club will take appropriate security measures that ensure appropriate security of personal data, including protection against unlawful or unauthorised processing of personal data, and against the accidental loss of, destruction or damage to, personal data.
The Club will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if that processor provides a suitable guarantee that it will comply with the GDPR.
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:-
(a) Confidentiality means that only people who are authorised to use the data can access it.
(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
Security procedures include:-
(a) Only granting access to personal data of members to those on the Committee who need to communicate with members, and rally marshals who are arranging club rallies or events.
(b) Using password protection on electronic devices that contain or access personal information.
(c) Using password protection or secure cloud systems when sharing data between committee members.
(d) Secure lockable desks, cabinets, drawers and cupboards and devices. These should be kept locked if they hold confidential information of any kind (personal information is always considered confidential) or, if it is computerised, be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up; and if a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
(e) Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
13. Disclosure and sharing of personal information
The Club may share personal data the club holds about our members in accordance with the GDPR. Where we share personal information we will do this, in most cases, to comply with a legal obligation. Where this is not the case we will, in most other cases, obtain consent first.
Where we do disclose or share personal information, then we will inform you about this in accordance with this policy.
14. Dealing with subject access requests
Data subjects must make a formal request for information we hold about them. This must be made in writing to the general secretary of the club. A member who receives a written request should forward this to the general secretary immediately.
When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:-
(a) The club will check the caller’s identity to make sure that information is only given to a person who is entitled to it.
(b) The club will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked.
On receipt of a subject access request, the club will send a letter to the requester acknowledging receipt.
The club will respond to subject access requests as soon as possible, but in any event no later than 1 month from the receipt of the request subject to 14.5.
If the nature of the request is complex, or there are other legitimate reasons for doing so, the club may, if necessary, extend the period under 14.4 for up to 2 months. If the club requires an extension of time of over 1 month to deal with a subject access request, the club will inform the requester as soon as possible, but in any event no later than 1 month from the date that the request was made.
The Club will not charge a fee for responding to subject access requests unless the request, in the opinion of the club, is unfounded, excessive and/or repetitive.
15. Data breaches
All data breaches should be immediately reported to the General Secretary of the club.
All data breaches must be handled in accordance with the club’s internal breach reporting procedure.
16. Changes to this policy
The club reserves the right to change this policy at any time and notification of any changes will be communicated accordingly.