1. WHAT is personal data? Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
2. WHO are We? The Officers and Trustees of Hampshire Narrow Gauge Railway Trust (HNGRT) collectively are the data controller (referred to as “We”, “Our” or “Us” in this Policy). This means We decide how your personal data is processed and for what purposes.
3. HOW do We process your personal data? We comply with Our obligations under GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We do not use any form of automated decision making when processing personal data.
4. WHY do We process your personal data? We use your personal data for the following purposes: - To enable Us to provide a voluntary service for the benefit of Members of HNGRT as specified in Our constitution;
- To administer membership records;
- To manage volunteers and to run events and activities with due regard to Health and Safety
- To maintain the Trust’s accounts and records;
- To inform you of news, events and activities which We believe are in line with the aims of the Trust.
5. WHAT is the legal basis for processing your personal data? We process personal data because we have a contractual obligation to or because it is in the legitimate interests of the Trust except in connection with keeping you informed about news, events and activities where We process your data with your consent.
6. SHARING your personal data. Your personal data will be treated as strictly confidential. We will not individually share your personal data with any third parties without your consent EXCEPT:
- With the emergency services in case of an emergency;
- With Our insurers and advisers in the event of a claim against Us;
- With Our auditors/examiners in connection with the Trust’s accounts;
- With any other organisation or entity, if We are required by law to do so.
7. HOW long do We keep your personal data? This will depend on the reason the personal data is being held.
- Personal data contained on your application form will be kept for no more than 2 calendar years after the year in which you cease to be a Member of the Association.
- Any personal data contained in Our accounting records will be retained for 7 calendar years.
- Personal data in Minutes of meetings will be retained indefinitely – this would normally be your name used to record who was present at the mting and who gave apologies. If you spoke at a meeting or raised a topic for inclusion, this will also be recorded.
- Personal data used to record attendance at meetings, events and activities organised by Us (usually your name) will be held for not more than 2 calendar years except where We are required to hold it for longer by our insurers. Depending on the content, a photograph may be considered personal data. People who attend Our events and activities sometimes take photos of the events and give Us copies for use on our website and in newsletters – those images will be retained indefinitely.
8. YOUR rights. Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
- The right to request a copy of your personal data which We hold about you;
- The right to request that We correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for Us to retain such data;
- The right to withdraw your consent to the processing at any time;
- The right to request that We provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable);
- The right to lodge a complaint with the Information Commissioners Office.
10. HOW to make a complaint. To exercise all relevant rights, queries or complaints please in the first instance contact the Secretary at firstname.lastname@example.org. If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office.
You may download a copy of this document