Reviewed and updated May 2018. To be reviewed annually. Next review scheduled: May 2019.
INTRODUCTION AND DEFINITIONS
The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016 and came into force on 25 May 2018. It applies to all organisations based in the EU that control or process any personal data. The general aims of the GDPR are to:
support privacy as a fundamental human right;
require organisations that handle personal data to be accountable for managing that data appropriately; and
give individuals rights over how their personal data is processed or otherwise used.
More details can be found on the GDPR website: www.eugdpr.org.
Transition Town Hastings (TTH) holds a very limited amount of personal details of a number of individuals (“Members”) for the purpose of transmitting to them its digital newsletter and sometimes sending other update emails (later referred to jointly as “digital communication”). The present document represents TTH’s Data protection and confidentiality policy, and outlines the measures taken by TTH in order to comply with the requirements of the GDPR.
DEFINITION OF PERSONAL DATA
GDPR defines personal data as “any information relating to an identified or identifiable natural person”. This mostly includes information such as name, address, email address, financial information, contact information, identification numbers, etc., but it also includes information related to one’s digital life, such as an IP address, geolocation, browsing history, cookies, or other digital information that can identify a person. It also covers sensitive information about a person, including their physical, mental, social, economic or cultural identities.
WHAT RIGHTS DOES THE GDPR PROVIDE TO INDIVIDUALS?
There are several rights an individual may exercise under the GDPR including the following (please note that these rights are not absolute, and limitations/exceptions may apply in some cases):
Right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This includes: the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with.
Right of access: Individuals can ask for a copy of the personal data retained about them and an explanation of how it is being used, at any time.
Right to rectification: Individuals have the right to correct, revise or remove any of the personal data retained about them at any time.
Right to be forgotten: Individuals can ask to delete their personal data.
Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, the individual may request limited use of their personal data.
Right of portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format.
Right to object: Where an individual decides that they no longer wish their personal data to be included in analytics, or no longer wish to receive direct marketing emails or other personalised (targeted) marketing content, the individual may at any time opt out of the use of their data for these purposes.
The right not to be subject to automated decision making including profiling: This refers to making a decision solely by automated means without any human involvement, and automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process.
POLICY STATEMENT AND IMPLEMENTATION
TTH is committed to abiding by the requirements of the GDPR, and specifically to ensuring that any personal data stored and utilised by our volunteers is handled appropriately and securely and is not shared without consent.
TTH is currently committed to only holding very limited personal details of third parties, namely name, surname and email address. These are held within a digital mailing system that is password protected, and only a limited number of TTH members have access to it, namely (collectively, the “Core Team”):
TTH commits to not sharing with any third party any personal details held.
If and when the information held, the modality of storage or the modality of access to the data changes in the future, TTH is committed to reviewing and if necessary modifying its data protection policy.
Data protection is a statutory requirement. This means that all staff must make sure they read and understand this policy.
The liabilities under the GDPR rest with our Core Team, which also has the responsibility to ensure that our data protection processes are robust. To this end we will ensure that training briefings and awareness form part of the induction process for any new member of the Core Team, and that the issue is regularly reviewed and discussed. This will ensure that we have a good organisational knowledge of what data protection is and why it’s important.
TTH keeps an online database (on Mailchimp) with limited contact details for the purpose of emailing its regular newsletter and managing event organisation (through Eventbrite). It also occasionally compiles Excel spreadsheets with details (name and skills or area of interest) on volunteers for specific projects. TTH is the controller of this data, and does not outsource the processing of this data to any third party.
This data is kept secure, using the appropriate passwords, and is only accessed by the Core Team as appropriate under the guiding principle of this policy.
Currently, only the following have access to the online database:
Chair (and co-Chair)
Secretary (and co-Secretary)
The acting Data Protection Officer is the Co-Secretary. The Data Protection Officer can be contacted by email at email@example.com.
Data is currently held to allow for the dissemination of information and we aim to refresh consent at appropriate intervals and review if anything changes, unless any of the persons included in the database requests to “unsubscribe” from the newsletter. In this case, the personal details of the person in question are securely deleted.
Consent to hold data must be freely given, specific, informed and unambiguous. Individuals must give ‘opt in’ consent for their data to be stored. This is done in practice by subscribing to the TTH newsletter via the online form on our website, or by providing name and email address on appropriate paper forms, mainly at TTH public events.
There is a simple way for people to withdraw their consent for their data to be stored, by “unsubscribing” to the newsletter. This can be done automatically by following the link provided in the newsletter itself, or by contacting TTH via email.
Any changes to the data protection policy, or any other matters related to data privacy are recorded in the minutes of the meeting(s) at which these matters are discussed. This fulfills the “Accountability Principle” of the GDPR.
SUBJECT ACCESS REQUESTS
Members have the right to request to see the information we hold about them and to request that their data be deleted. It lies with the Data Protection Officer to process their request. The Data Protection Officer has a month to respond to the request. If a request is refused, the individual must be told within a month why it was refused, and that they have the right to complain to a supervisory authority and to seek a judicial remedy. Any information provided as part of a Subject Access Request will be made available in a single readable form.
TTH considers that the GDPR requirement for data portability does not apply to the limited personal information it holds on its members. However, we will respond in a timely manner to any enquiry related to data portability we receive, or advise the data subject about any issues which may cause a delay.