GDPR POLICY
​
1. INTRODUCTION
1.1. Everyone has rights regarding the way in which their personal data is handled. During the course of our activities Polmonthill Snowsports Centre will collect, store and process personal data about our members, customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations in the interests of our sport.
1.2. Polmonthill Snowsports Centre is committed to a policy of protecting the rights and privacy of individuals in accordance with the Data Protection Laws. The new General Data Protection Regulation (GDPR) regulatory environment demands higher transparency and accountability in the way Polmonthill Snowsports Centre manages and uses personal data. It also accords new and stronger rights for individuals to understand and control that use.
The Polmonthill Snowsports Centre database is securely managed through WIX.com
2. ABOUT THIS POLICY
2.1. This policy and any other documents referred to in it sets out the basis on which Polmonthill Snowsports Centre will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.2. This policy does not form part of any employee's contract of employment and may be amended at any time.
2.3. This policy sets out rules on data protection and the legal conditions that must be satisfied when Polmonthill Snowsports Centre obtains, handles, processes, transfers and stores personal data.
2.4. The Committee member fulfilling the role of Data Protection Officer (DPO) and is responsible for overseeing our GDPR is the Centre Secretary. If you have any questions about this Policy or what we do with your personal information, they are the main point of contact.
3. ABOUT THE DATA PROTECTION LAWS
3.1. The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) applies to any personal data processed by Polmonthill Snowsports Centre.
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018. It sits alongside the GDPR and tailors how the GDPR applies in the UK, for example by providing exemptions.
3.2. The GDPR is the General Data Protection Regulation (EU) 2016/679. It sets out the key principles, rights and obligations for most processing of personal data but it does not apply to processing for law enforcement purposes, or to areas outside EU law such as national security or defence.
The GDPR came into effect on 25 May 2018. As a European Regulation, it has direct effect in UK law and automatically applies in the UK until we leave the EU (or until the end of any agreed transition period, if we leave with a deal). After this date, it will form part of UK law under the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.
3.3. The Data Protection Laws all require that personal data is processed in accordance with the Data Protection Principles (on which see below) and gives individuals rights to access, correct and
control how we use their personal data. Full information regarding these rights is provided in the Privacy Notices. https://www.gov.uk/data-protection
4. Polmonthill Snowsports Centre COMPLIANCE (if applicable)
4.1. Polmonthill Snowsports Centre is committed to compliance with the applicable Data Protection Laws. This commitment includes taking a proactive approach to ensuring compliance with the GDPR and Polmonthill Snowsports Centre will comply with its obligations under the GDPR by following the Data Protection Principles below.
5. DATA PROTECTION PRINCIPLES
5.1. The Data Protection Laws place a responsibility on every data controller to process any personal data in accordance with the following six principles:
5.1.1. processed lawfully, fairly and in a transparent manner in relation to individuals.
5.1.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
5.1.3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
5.1.4. accurate and, where necessary, kept up to date; taking every reasonable step to ensure that inaccurate personal data having regard to the purposes for which it is processed is erased or rectified without delay.
5.1.5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
5.1.6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
5.2. The Data Protection Laws also state that data controllers must ensure that no personal data is transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6. DATA PROTECTION RIGHTS
6.1. Under data protection laws individuals have certain rights in relation to their own personal data. In summary these are:
The rights to access their personal data, usually referred to as a subject access request:
6.1.2. The right to have their personal data rectified.
6.1.3. The right to have their personal data erased, usually referred to as the right to be forgotten.
6.1.4. The right to restrict processing of their personal data.
6.1.5. The right to object to receiving direct marketing materials.
6.1.6. The right to portability of their personal data.
6.1.7. The right to object to processing of their personal data; and
6.1.8. The right to not be subject to a decision made solely by automated data processing.
6.2. Not all of these rights are absolute rights, some are qualified and some only apply in specific circumstances.
6.3. Anyone wishing to exercise any of these rights should apply in writing to the DPO. Any committee member of Polmonthill Snowsports Centre receiving any such request shall forward it to the DPO.
6.4. When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:
6.4.1. We will check the caller's identity to make sure that information is only given to a person who is entitled to it.
6.4.2. We will suggest that the caller put their request in writing if we are not sure about the caller’s identity and/or where their identity cannot be checked.
6.5. Our members and volunteers will refer a request to the DPO for assistance in difficult situations. Polmonthill Snowsports Centre will not tolerate any harassment or intimidation of its volunteers who are carrying out their duties in accordance with this policy.
7. SECURITY
7.1. Polmonthill Snowsports Centre has an obligation to put in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of data.
8. CONTACT US
8.1. The Secretary is responsible for ensuring compliance with the Data Protection Laws and with this policy. email: Polmonthill.snowsports.centre@gmail.com
Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.
9. FAIR PROCESS NOTICE (FPN) Child Well-being and Protection Matters.
The Data Protection Act 2018 requires that you are informed about how your personal information will be used.
For the purposes of child well-being/child protection matters, centres may share information about you with Snowsport Scotland and or SIBS (Safeguarding in British Snowsports), where it has been alerted to circumstances that might affect your status as a member of the PVG scheme for regulated work with children and/or protected adults or your suitability to carry out the regulated work role for which you have applied/been appointed or already doing. In the event such sharing is deemed necessary, it will normally only be carried out between the registered Safeguarding Officers in the Centre and Governing Body. This sharing process extends to all members of Snowsport Scotland where there are child protection concerns outwith “regulated work” positions.
10. REVIEW
10.1. We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.
10.2. The Policy will be reviewed at least every three years or in response to changes in legislation.