General Data Protection Regulations
From 25 May 2018 the UK's existing data protection laws will be replaced by the EU's General Data Protection Regulations. The new law aims to give EU citizens more control over how their personal data is used, especially online. All organisations that collect, store, share or use individuals' personal data will need to comply with the new regulations or face penalties, including hefty fines. This includes clubs. The key principles to bear in mind are:
- Data needs to be processed securely
- Data needs to be updated regularly and accurately
- Data must be limited to what the club needs
- Data must be used only for the purpose for which it is collected and
- Before using personal data, organisations must give people clear information about how it will be used in a privacy notice
Edinburgh Ski Touring Club Privacy Notice: May 2018
The ESTC is a ‘controller’ of the personal information that you provide to us and this privacy notice sets out how, why and for how long we will use your personal data, as well as who it is shared with.
It also explains your legal rights as a ‘data subject’ and how to exercise them.
What we need from you
When you register as a member of ESTC or renew your membership, we will ask you for some or all of the following personal information:
- Contact details - name, address, email address and phone number.
- Safety and emergency details such as your next of kin and their contact details.
- Participation details – membership of other clubs, existing Mountaineering Scotland membership number.
Why we need your personal information – contractual purposes
We need to collect members’ personal information so that we can manage your relationship with us. We may use our members’ personal information to:
- Provide you with core member services, including confirmation of membership, membership card and end of year renewal reminder.
- Set up an online membership account enabling you to manage your membership and communication preferences.
- Organise club activities and manage risk and safety if you attend a meet.
- Register your membership with Mountaineering Scotland to provide you with insurance cover, magazine subscription and other benefits they offer, including access to courses and competitions.
We also process our members’ personal information in pursuit of our legitimate interests to:
- Provide you with news and updates about the activity of the club including meets, training, general meetings or other events.
- Raise awareness of the club’s activities by capturing photos, videos, or live streaming at events. We may use this for promotion, education and development purposes.
- Respond to and investigate your questions, comments, support needs, complaints, concerns or allegations.
We may ask you if we can process your personal information for other purposes.
At present the only other purpose is to allow you to see the contact details of other members. This information is only available to members, who have to sign in to the members’ area of the membermojo website. When you join or renew you are asked if you want to share your details: if you don’t agree to your details being shared, you do not appear on the list other members can see.
If we ever propose to use your information for any other purposes we will provide an additional privacy notice explaining what and how.
Who we share your personal information with
When we register your membership with Mountaineering Scotland we pass on your personal information and they become a ‘controller’ of it. Mountaineering Scotland provides full details of how it uses your personal data in its own privacy notice (here) and will not use it for any other purpose.
We may be required to share personal information with statutory or regulatory authorities (eg the Health & Safety Executive) to comply with statutory obligations. We may also share personal information with professional and legal advisors for the purpose of obtaining advice.
Third party suppliers with access to members’ personal data
The ESTC uses membermojo to process membership and to provide email forwarding services. They may process personal data on our behalf as ‘processors’ and are subject to contractual conditions to only process that personal information under our instructions and to protect it. They retain certain other data such as server logs and emails for a limited period as explained on their privacy notice here
In the event that we share personal information with external parties, we only share what is required for the specific purposes and take reasonable steps to ensure the recipient only processes the disclosed information in accordance with those purposes.
- The Royal Bank of Scotland and Santander process payment transactions securely on our behalf.
- Instructors and event organisers may receive personal details of event participants.
How we protect your personal information
Your personal information can be accessed by members of the club committee and may be used only for the purposes set out above. It may also be read by a number of people in ‘off-committee’ support roles, for example to manage the club’s Google Group membership or to provide IT support to the committee.
Your personal information is stored on the membermojo server (to which access is protected) and a back-up copy may be taken from time to time and stored in a password-protected location on Google Docs. The information required by Mountaineering Scotland is transferred to them by inputting it directly into a password-protected database or emailed via a password-protected spreadsheet.
How long we keep your personal information
We only keep your personal information for as long as necessary to provide you with membership services. If you don’t renew your membership, your details will be archived after nine months and deleted after two years.
You have a right to:
- Change your communication preferences or restrict the processing of your personal data for specific purposes.
- Request that we correct your personal data if you believe it is inaccurate or incomplete.
- Request that we delete your personal information.
- Access the personal data that we hold about you through a “subject access request”.
If you are dissatisfied, you have a right to raise a complaint with the Information Commissioner’s Office at www.ico.org.uk