Page last updated
20th June 2018

Data Privacy Policy

1. WHAT is personal data? Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).

2. WHO are We? The Officers and Trustees of Hampshire Narrow Gauge Railway Trust (HNGRT) collectively are the data controller (referred to as “We”, “Our” or “Us” in this Policy). This means We decide how your personal data is processed and for what purposes.

3. HOW do We process your personal data? We comply with Our obligations under GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We do not use any form of automated decision making when processing personal data.

4. WHY do We process your personal data? We use your personal data for the following purposes: - To enable Us to provide a voluntary service for the benefit of Members of HNGRT as specified in Our constitution;

  • To administer membership records;
  • To manage volunteers and to run events and activities with due regard to Health and Safety
  • To maintain the Trust’s accounts and records;
  • To inform you of news, events and activities which We believe are in line with the aims of the Trust.
You are under no obligation to provide Us with your personal data but without it you will be unable to participate in the activities of the Trust or to join it.

5. WHAT is the legal basis for processing your personal data? We process personal data because we have a contractual obligation to or because it is in the legitimate interests of the Trust except in connection with keeping you informed about news, events and activities where We process your data with your consent.

6. SHARING your personal data. Your personal data will be treated as strictly confidential. We will not individually share your personal data with any third parties without your consent EXCEPT:

  • With the emergency services in case of an emergency;
  • With Our insurers and advisers in the event of a claim against Us;
  • With Our auditors/examiners in connection with the Trust’s accounts;
  • With any other organisation or entity, if We are required by law to do so.

We use proprietary programs (Windows, Google etc) to manage most of Our bulk emails and, technically, this means We are sharing some of your personal data with them. You may read their Privacy Policys on their websites. Technically, this may mean that your personal data is being transferred outside of the European Economic Area (“EEA”) as the servers used by Microsoft and Google may be housed outside of the EEA or USA; both participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework.

(If you join Our Facebook group, any personal data used will be governed by Facebook’s Privacy Policy as notified to you directly by Facebook.)

7. HOW long do We keep your personal data? This will depend on the reason the personal data is being held.

  • Personal data contained on your application form will be kept for no more than 2 calendar years after the year in which you cease to be a Member of the Association.
  • Any personal data contained in Our accounting records will be retained for 7 calendar years.
  • Personal data in Minutes of meetings will be retained indefinitely – this would normally be your name used to record who was present at the mting and who gave apologies. If you spoke at a meeting or raised a topic for inclusion, this will also be recorded.
  • Personal data used to record attendance at meetings, events and activities organised by Us (usually your name) will be held for not more than 2 calendar years except where We are required to hold it for longer by our insurers. Depending on the content, a photograph may be considered personal data. People who attend Our events and activities sometimes take photos of the events and give Us copies for use on our website and in newsletters – those images will be retained indefinitely.

8. YOUR rights. Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -

  • The right to request a copy of your personal data which We hold about you;
  • The right to request that We correct any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for Us to retain such data;
  • The right to withdraw your consent to the processing at any time;
  • The right to request that We provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable);
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable);
  • The right to lodge a complaint with the Information Commissioners Office.

9. FURTHER processing. If We wish to use your personal data for a new purpose, not covered by this Data Privacy Policy, then We will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, We will seek your prior consent to the new processing.

10. HOW to make a complaint. To exercise all relevant rights, queries or complaints please in the first instance contact the Secretary at If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office.

11. UPDATES to Our Data Privacy Policy. This Data Privacy Policy was last updated on 28 April 2018. Any changes We make to Our Data Privacy Policy will be shown on the copy displayed on the Trust website (

You may download a copy of this document