Hampshire Genealogical Society

Data Protection Policy

Date created: 6 July 2022

Purpose

The purpose of this Data Protection Policy (DPP) is to demonstrate that the Society, a ‘small company’ as defined by the UK GDPR, are compliant with the ‘data protection principles’ set out in UK GENERAL DATA PROTECTION REGULATION (UK GDPR), tailored by the DATA PROTECTION ACT 2018.

Scope

This DPP is applicable to all data processing undertaken by the Society.

Definitions

Customer – A person, not a member of the Society, who has bought goods or services from the Society

Society – Hampshire Genealogical Society

DPP – Data Protection Policy

ICO – Information Commissioner’s Office (UK)

Member – A person who has joined the Society on payment of their annual subscription

Lawfulness, fairness and transparency

Information held by the Society

The Society will carry out an information audit every five years. The audit will incorporate a review of the management of member and customer personal data held by the Society and will identify any potential risks to the security of such personal data.

Lawful basis for processing member and customer personal data

The Society have elected to use ‘Consent of the data subject’ as the basis for collecting Society member and customer personal data.

Consent

Society members will be requested to give their ‘Consent’ for the storage of their personal data at the time they submit their membership application to the Society. Society customers will be requested to give their ‘Consent’ when they purchase goods and services from the Society.

Consent to process children’s data for online services

Membership of the Society will be restricted to persons 18 yrs. of age or older and therefore ‘Consent to process children’s data for online services’ will not be applicable to the Society.

Registration with the ICO

The Society is registered with the ICO.

Individual rights

Right to be informed including privacy information

The Society Privacy Notice will be displayed on the Society website public area and in the Society Quarterly Journal; it will also be transmitted by the Society Membership Secretary to those new Society members who elect to submit hard copy (paper) membership application forms to the Society. A copy of the Society Privacy Notice will also be included with all goods and services delivered by the Society.

Communicating the processing of children’s personal data

Membership of the Society is restricted to persons 18 yrs. of age or older and therefore the requirements for ‘Communicating the processing of children’s personal data’ will not be applicable to the Society.

Right of access

Society members and customers will have the right to:

  • Confirm that their personal data is being processed
  • Receive a copy of their personal data recorded by the Society

This ‘Right of access’ will be stated in the Society Privacy Notice.  Society members and customers can request access to their personal data by writing (email is acceptable) to the Society Membership Secretary.

Right of rectification and data quality

Society members and customers will be responsible for advising the Membership Secretary, in writing (email is acceptable) of any changes to their personal data that may occur after their application to join is accepted by the Society or after their receipt of goods and services from the Society.

Right of erasure including retention and disposal

Society members will be responsible for instructing the Society Membership Secretary, in writing (email is acceptable) if they require their personal data to be erased from the Society records. The Society Membership Secretary shall then advise the member, in writing, when this erasure has been completed.

From this time the person requesting the erasure shall no longer be a member of the Society and will receive no further communications from the Society including the Society Quarterly Journal; they will no longer have access to the Society website members section; membership fees will not be refunded.

Society customers can also write to the Society Sales Office Manager instructing that their personal data be erased from the Society files. The Society sales office shall confirm to the customer, in writing, when this erasure is completed.

Unless requested by members or customers to erase their personal data from the Society electronic or hard copy paper files, the Society shall retain such personal data for seven years after lapse of a Society membership or the most recent date of a purchase of goods or services from the Society by a customer.

Right to restrict processing

Personal data retained by the Society will consist of the contact details and payment processes used to manage annual subscriptions paid by Society members and payments from customers for goods and services received from the Society. Members and customers have the right to block or restrict the processing of their personal data by notifying the Society Membership Secretary in writing (email is acceptable).

Right of data portability

The portability of data, as defined by the UK GDPR, is not applicable to the Society.

Right to object

The personal data provided by members and customers to the Society will be for the purpose of becoming a member of, or to purchase goods or services from the Society.

Therefore if members or customers object to the Society processing their personal data then the Society will refer them to their ‘Right of erasure including retention and disposal’ as stated elsewhere in this document.

Rights related to automated decision making including profiling

The Society will not use member and customer personal data for automated decision making and profiling.

Accountability and governance

Accountability

The Society monitors its compliance with this Data Protection Policy and carries out an audit, every five years, of the effectiveness of its data handling and security controls. This includes data protection awareness training for all Society volunteers involved in the processing of Society members’ and customers’ personal data.

Data Processor Contract

There will be ‘Data Processor Contracts’ in place between the Society and all Society Data Processors.

Information risks

The Society will carry out information management risk assessments every five years and put in place measures required to mitigate risks to member and customer personal data.

Data Protection by Design

The Society will put in place the policies and procedures necessary to demonstrate their obligation to implement the appropriate technical and organisational personal data protection measures.

Data Protection Impact Assessments (DPIA)

The Society consider the personal data processing they undertake to be low risk as defined by the UK GDPR and therefore DPIAs are not required.

Data Protection Lead

The Society will appoint a ‘Data Protection Lead’ as the focal point for all UK GDPR issues within the Society.

Management Responsibility

The Society Executive Officers will demonstrate their support for the implementation of the UK GDPR by reviewing all Society data protection documentation such as this Data Protection Policy, Privacy Policy, data protection procedures and data protection Guidance Notes for Group Organisers etc. They will also review any systemic improvement proposals resulting from audits or risk assessments of the Society and their data processors.

Data security, international transfers and breaches

Security Policy

The Society will issue a Security Policy demonstrating their commitment to maintaining the security of their member and customer personal data.

International transfers

Personal data held by the Society will only be transferred outside of the jurisdiction of the UK GDPR if conditions of transfer set out in Chapter V of the UK GDPR are met.

Breach notification

The Society will issue a Data Breach Policy demonstrating their commitment to managing any breach of their personal data management systems including the timely notification of the affected Society members and customers.
