GENERAL DATA PROTECTION REGULATION (GDPR)
The GDPR was passed by the EU in April 2017, with compliance required by 25th May 2018. This regulation has implications for how we as a trade association may use, collect and store any personal data, including details related to membership.
For the purposes of the General Data Protection Regulation (GDPR) and UK data protection laws, the ‘Controller’ is The Nut & Dried Fruit Trade Association, c/o 18 Lichfield Road, Woodford Green, Essex IG8 9ST. The Data Protection Officer will be the current Secretary of the Association and they can be contacted by email at firstname.lastname@example.org or by letter to the above address.
1. About this policy
We will always comply with the GDPR when dealing with your personal data. Further details on the GDPR can be found on the website of the Information Commissioner (www.ico.gov.uk).
The GDPR relates to any data held by the association, whether online or paper documents.
2. Information we collect (or may collect in the future), for what purpose and the legal basis
As a trade association, we need to collect certain information with regard to membership applications and this information is deemed to be collected under a ‘contract basis’ when membership is applied for. Some information is necessary for the administration of the association and to ensure that we have the correct contact details on file to keep applicants up to date on their membership application.
Type of information and how it is collected
Member’s name, company, job title, address, telephone number(s) and e-mail address.
Provided by Member / Applicant or person applying on their behalf.
Managing the Member’s membership of the association and renewals; ensuring the Member is in the correct membership category; enabling the Secretary to make contact with regard to their membership; taking payment of membership fees or other services/events purchased.
Sending out membership communications in relation to essential aspects of membership of the association, including but not limited to membership renewals, annual general meetings.
Sending communications about volunteering for committees/working parties, events and other activities.
Contract basis – performing the association’s ‘contract’ with the Member.
Also performed under legitimate interests to promote and encourage participation in association activities and for the purposes of operating the association.
Legitimate interest to undertake statistical analysis about types of member organisations.
Sending out information via newsletters and/or texts regarding services, activities or offers that we think may be of interest to our Members.
This will be on a ‘consent’ basis, with Members opting in to receive such information. Members will be able to remove consent at a later date by opting out.
Manage and record the administration of membership payments due and received, whether online, via bank transfers or by cheque.
Member’s bank details are only requested should a transfer from the association to the Member be required.
Performing the association’s contract with the Member.
Note: the association does not currently hold bank account, debit or credit card details of its Members, except where necessary to transfer funds to a Member’s bank account.
Event sign up. Name and contact details are collected, along with any relevant financial transactions (includes but is not limited to: networking or educational events).
To assist in the management of events.
Financial transactions are recorded but no bank details are stored.
Performing the legitimate interests of the association.
Video footage or photography of events run by the association.
Video footage or photos of activities / events held by the association may be used on the association’s social media accounts, website, leaflets and posters.
This will be performed on a consent basis, with participants asked if their images may be used at each event – whether verbally or by written consent. Consent may be withheld or withdrawn. Names of participants may be included but not contact details.
Contact details of the current Board of Directors.
Required for Companies House.
This information is held on a legitimate interest basis.
3. How we protect your personal data
We will not transfer your personal data outside the UK/EU without your consent.
Members with access to the data will be asked to sign a confidentiality contract with regard to the safekeeping of any personal data.
We have implemented generally accepted standards of technology and operational security in order to protect personal data from loss, misuse, or unauthorised alteration or destruction.
Please note that when transmitting data to us over the internet, there is a risk that this may not be 100% secure, depending on your internet connection or personal computer software.
Any payments taken from you online will be taken through a recognised online secure payment system.
In the event of any breach of your personal data which might expose you to serious risk, we will notify you as soon as possible after we become aware of it.
You may update your personal data online at any time, or by writing to the Secretary at email@example.com
4. Who has access to the information you provide to us or that we hold on you?
We will never sell your personal data. We will not share your personal data with any third parties except where required to do so by law or as set out in the table above or paragraph 4.2 below.
We may pass your personal data to third parties who are service providers, agents or subcontractors to us for the purposes of completing tasks and providing services to you on our behalf (eg to send you newsletters). However, we disclose only the personal data that is necessary for the third party to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own purposes. Current service providers are BizWiseIT; Survey Monkey; Dropbox; Quickbooks and OneDrive; Secretary.
We will respect your wishes in respect of what type of communications you want to receive from us and how you want to receive them. There are some communications however that we need to send you, regardless of your marketing preferences, in order for us to fulfil our contractual (Membership) obligations to you/your company.
Where we process your personal information under legitimate interests, you have the right to opt-out. Please update your mailing preferences on the association’s website or e-mail firstname.lastname@example.org if you wish to opt out of receiving such communications.
All current Members of the association have access to see the contact details of other Members for the purposes of making contact. As part of the Membership ‘contract’ all Members agree not to misuse this data or provide it to third parties.
Administrators of the membership & website have access to all data and are bound by contract to keep the data secure, not to misuse the data nor provide it to third parties. Current Administrators are: Secretary & Company Director Louise McKerchar.
5. How long do we keep your information for?
We will hold your personal data on our systems for as long as you are a Member of the association and for as long afterwards as is necessary to comply with our legal obligations.
We will review your data annually to establish whether we are still entitled to process it. If we decide that we are not entitled to do so, we will stop processing your personal data, except that we will retain your personal data in an archived form in order to be able to comply with future legal obligations (eg compliance with tax requirements and exemptions, and the establishment or defence of any legal claims).
We will securely destroy all financial information once we have used it and no longer need to keep it.
6. Your Rights
Under certain circumstances, by law you have the right to:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. For the purposes of data subject access requests, information deemed to be held by the association will be information held on: the Member’s profile (held on the website); any on-line renewal or membership spreadsheets processed by the Secretary; and e-mails sent and received through the association’s e-mail account, currently email@example.com
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. You can also withdraw your consent, where this is the basis for our processing your data (without affecting the lawfulness of our previous processing based on consent).
Request the transfer of your personal data to another party.
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply.
If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner. You can find out more about your rights under applicable data protection laws from the Information Commissioner’s Office website: www.ico.org.uk.
As approved by the Board of Directors, NDFTA