The Data Protection Act 1998 (DPA) and General Data Protection Regulations (GDPR) govern the processing of personal data.
Personal data is information about living individuals that enables them to be identified – e.g. names, addresses, telephone numbers and email addresses.
Lawful Basis for processing Personal Data
The lawful basis for the Charity processing your personal data is based on one of more of the following Articles of the General Data Protection Regulations (GDPR):
- 6(1)(b) –-Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- 6(1)(c) – Processing is necessary for compliance with a legal obligation e.g VAT
- 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- 9(2)(b) – Processing is necessary for carrying out obligations under employment, social, security or social protection law, or a collective agreement
Limitations On The Processing of Personal Data
The Charity will use personal data to comply with the law and for the purposes of managing the hall, its bookings and finances, running and marketing events at the hall, staff employment and its fundraising activities.
The Charity will not process your personal data under the lawful basis 6(1)(a) – Consent of the Data Subject and which would therefore require your freely given, specific agreement to the processing of your personal data.
The Charity will only obtain your personal data from you.
The Charity will not:
- process children’s personal data
- process personal data that contains any item of Sensitive Data (see below)
- process personal data that requires the Explicit Consent of the owner of that personal data. Explicit Consent – is a freely given, specific agreement by the owner of personal data to the processing of his/her personal
- pass personal data to any other person or organisation, unless the law requires the Charity to do so
- pass any personal data to another country, unless the law requires the Charity to do so
- perform automated decision making, including profiling
Sensitive Data is the following personal data:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union membership
- physical or mental health or condition
- sexual orientation
- criminal record
- proceedings for any offence committed or alleged to have been committed
Retention of Personal Data
Personal data may be retained for up to 7 years for accounts and legal purposes and for longer where required by the Charity’s insurers.
The Rights of Owners of Personal Data
You have the following rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling
You can request to exercise any of these rights by contacting the Charity’s Data Protection Officer:
0774 786 0592
email: firstname.lastname@example.org. Please provide a contact phone number in your email.
The Data Protection Officer
Washington Village Memorial Hall
The Right to Be Informed
The Charity will supply information about the processing of personal data in the form of a Privacy Notice.
The Right of Access
You have the right to make a Subject Access Request to obtain confirmation from the Charity that your personal data is or is not being used, where it is being used and for what purpose, and if it is being used what elements of personal data are being processed.
If you want to see a copy of your personal data that we hold please contact us on 07747 860 592 or email: email@example.com. Please provide a contact phone number in your email.
The Right to Rectification
You have the right to request rectification of your personal data. The Charity will rectify any personal data which is inaccurate or incomplete when:
- the Charity identifies an inaccuracy
- you request rectification of your personal data
The Right to Erasure
You have the right to request erasure of your personal data. The Charity shall erase personal data when:
- the Charity determines that:
- the personal data is no longer necessary for the purposes for which it was originally processed
- the personal data has to be erased to comply with a legal obligation
- you request your personal data to be erased and there is no legitimate reason to hold the personal data
The Right to Restrict Processing
You have the right to request restricted processing of your personal data. The Charity shall restrict the processing of your personal data to storage only:
- where you contest the accuracy of your personal data until the Charity has verified the accuracy of your personal data and, if necessary, corrected it
- where you have objected to the processing of your personal data (where it was necessary for the performance of a public interest task or purpose of legitimate interests), until the Charity has considered whether it’s legitimate grounds override yours
- when processing is unlawful and you oppose erasure and request restriction instead
- if the Charity no longer need the personal data but you require the data to establish, exercise or defend a legal claim
The Right to Object
You have the right to object to the processing of your personal data. The Charity will stop processing your personal data where you have submitted an objection to the processing of your personal data, and:
- the Charity is satisfied that the objection is on “grounds relating to your particular situation”, and
- the Charity considers that it does not have compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or
- the processing is not for the establishment, exercise or defence of legal claims
Rights in Relation to Automated Decision Making and Profiling
The Charity shall not use automated decision making and profiling in its processing of personal data.