In order to operate as an organisation we need some personal data about our members. The privacy notice below explains more about the information we hold, how we use it and what your rights are.
1. INTRODUCTION
On the 25th May 2018 new legislation on Data Protection entered into force – The General Data Protection Regulations 2018 (GDPR).
GDPR replaces previous legislation and contains lots of obligations which the Confrérie du Sabre d’Or (the Club), The Order of the Golden Sabre, and Golden Sabre Tours must fulfil, and lots of rights which you as Members have with regard to the Club. Many of the Rules are the same as under previous legislation, but there is plenty of new material.
GDPR is an EU Directive directly applicable in all Member states without the need for local legislation and with effect from 25th May 2018. However, the UK has decided that it wants the content of GDPR to apply after the UK leaves the EU, and has tabled a Bill in the House of Lords which will achieve this objective. At first sight the Bill looks the same as GDPR (with adjustments which the Club believes are mainly not relevant to the Club’s position), but things change and the Club will need to review its position once the Bill becomes law. GDPR, including its preamble, contains some 54,000 words, so the Club hopes you will be understanding if we attempt to reduce that to some succinct explanations, at the risk of leaving some questions in Members’ minds. All such questions and doubts can be emailed (or sent by post) to the Club, and will be answered in the form of FAQs (Frequently Asked Questions). GDPR already allows the Club (Controller) to introduce operational rules and policies compliant with the new Directive. If you spot an error please tell us by email.
GDPR profoundly changes the way the relationship between the Club and its Members works in relation to the information (data) which the Club collects from you, processes, and stores. No data are provided to or accessed by third parties such as event venues. Most of the law is mandatory, but where there are options, this notice will identify and explain the option the Club is using. Many of the terms are rather technical, but we need to use specific terms in order to say exactly what GDPR stipulates. The Club’s first task is to be a lawful processor of your data.
2. LAWFUL PROCESSING
Membership of the Club is a form of contract where Members pay a subscription, in return for which Members receive benefits and services provided by the Club. The Club asserts that it is a lawful processor by virtue of this relationship, and does not need to obtain specific consent to process data. The Club also considers it is exempt from any obligation to appoint a Data Protection Officer (DPO), but it does accept the obligation to carry out processing in ways which are lawful, fair, and transparent. The Club may be required to appoint a designated DPO by the UK legislation when it becomes law.
3. TYPES OF DATA COLLECTED AND STORED
The Club is committed to recording accurate personal data which primarily consists of the information on the Membership Application Form.
We do not have access to your banking data as that is an arrangement between you and GoCardless, although we do have the ability to set up requests for payment. GoCardless has its own privacy notice, which you can request from them.
The Club does not collect sensitive (special category) personal data such as genetic, biometric, or health data, nor information on race, ethnicity, religion, political persuasion, or sexual orientation.
The Club may use your data to enhance your experience of Club Membership by recording your personal preferences, interests, and geographical location.
The Club may verify the information supplied in the Membership Application Form, but does not seek additional information when considering an application.
If information is published (i.e. in the public domain) about a Member, e.g. personal, professional, or civic honour, or other award or achievement, the Club is likely to add such information to your Member record.
The Club does not claim it is hacker-proof. This aspect of processing is being reviewed at least annually as well as whenever there is a high-profile report of data breach. In the event of there being a data breach, the Club undertakes to inform you (as well as any relevant authority) within one month of the Club becoming aware of the breach. The Club does not believe that the data it holds give rise to any need to report a breach to the Information Commissioner within 72 hours, but it is conscious of the possible need to do so.
Paper records are also held securely.
4. TRANSFER AND SHARING OF DATA
The Secretary (or any assistant), who is a volunteer to the Club, is the principal processor of your data.
Book-keeping is done by another volunteer to the Club, and supervised by an independent qualified volunteer on whom required legal obligations have been imposed in relation to processing Members’ data.
The Club’s Officers may also wish to look at Member data from time to time.
The Club will not be able to release to a member personal data about another member, even a telephone number or email address.
When you attend functions or events organised by the Club, the venue will usually want a list of names, for reasons of security and practicality.
The Club does not knowingly transfer your data outside the UK, Republic of Ireland, or European Union.
5. RETENTION OF DATA
The Club intends to hold your data throughout the period of your Membership and applying the following post-Membership policies:
- In the case of resignation, for up to six months, and thereafter to retain indefinitely only your name, the date of joining, and the date of resignation
- In the case of exclusion, for eight years, in order that appropriate institutional memory exists of the circumstances
In the case of death, indefinitely, for archival purposes only, but the Club will consider requests for erasure from immediate family and/or executors.
6. YOUR RIGHTS
To complain: Ideally the Club would wish to try to deal with complaints itself before recourse to any external authority, and asks Members to submit complaints via email. Members may, however, submit a complaint at any time to the Office of the Information Commissioner.
To have correct data recorded by the Club: The Club will be happy to correct errors.
To require the Club to erase data which it holds about a Member: The Club will fully respect the new legislation, but reminds Members that the low level of information gathered by the Club is perceived by the Club as the minimum needed to provide Members with the benefits of Club Membership.
7. THE CLUB WEBSITE
This policy applies when members use the Club website. There is a link to the policy when you log on to the site.
8. FREQUENTLY ASKED QUESTIONS (FAQs)
FAQs will occur as Members put questions to the Club, and to respond to the evolution of the regulatory environment. Answers to FAQs form part of this Notice.
9. UPDATES
A notice will be sent to Members whenever this policy is updated. This policy will be reviewed not later than May 2019 and annually thereafter.
10. CONTACT
If you would like to contact us about this policy, please email gdpr@sabra.ge.
The support, management and operation of this website necessarily involves a number of third-party organisations, each of which may access and store the data entered by users of the site.
Such organisations are used purely in support of the UK website of the Confrérie du Sabre d’Or, and are shown below.
- Nominus (website hosting)
- Typeform (event booking and membership forms)
- GoCardless (Direct Debit payments)
We offer no assurances regarding the privacy, data protection, or GDPR compliance of any websites linked to from this website (such as websites belonging to Caveaux or partner organisations.