The European General Data Protection Regulation (GDPR) came into force on 25th May 2016 and will apply in all European Union Member States from 25th May 2018.
In the context of GDPR, an individual is known as a ‘data subject’.
Under GDPR, consent must be ‘freely given, specific, informed and an unambiguous indication of the subject’s wishes by which he or she, by a statement of clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
The Club should hold no more data beyond what is strictly required and only for as long as is needed.
An individual Lion’s rights as a Data Subject
At any point while we are in possession of or processing your personal data, you the data subject, have the following rights:
• Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have the right to correct data that we hold about you that is inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply you have a right to restrict the processing
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Receiving and sharing information within the Club. In the same manner that an individual keeps an address list for friends, members of a Club are deemed to be friends, and thus it is not necessary to require specific consent to communicate with one another (e.g. information regarding Club events and minutes) – it is deemed to be for purely personal use.
• Current members. As a result of GDPR introduction in May 2018, existing members of the Club will be required to sign a form to show:
consented to the use of personal data as indicated on the form.
Current members will also be required to sign that they have read from the website and understood this GDPR policy.
• New members. New members will, as in the past, be required to fill in and sign an Invitation/Application For Membership form. To comply with GDPR, this form will state that the new member’s personal data will be held in a secure manual and computer based filing system. It will also state that the individual has the right to withdraw their consent at any time.
• Raffle tickets etc. The purpose for which someone writes their contact details on a lottery/raffle ticket stub is abundantly clear, so formal consent is not required. Clubs should record their intention to do so as part of their requirement to keep records of data processing activities (covered by ‘legitimate interests’ as a legal basis). This should include a statement that once the prizes had been distributed successfully, that the stub would be destroyed after a 4 week maximum retention – this actual destruction should also be formally recorded.
• Annual events. When running an annual event where the Club wishes to store contact details to use the following year (e.g. Grand Show), a privacy statement will clearly identify the use of the data and how long it is kept. A stallholder’s application form should, at the end, include a statement relating to personal data and its use.
• Services to the Community. (E.g. pantomime/theatre visits) There are several services to the community which necessitate the holding of personal data. The use of the data and how long it is kept varies depending on the event or service. We will have clear privacy statements for each area which will define the use of the data and for how long it is kept.
• Publicity. Any photographs used on publicity material, social media or the website will only carry factual information e.g. ‘winner’, not personal data e.g. name, address etc.
Data Audit and ‘legacy data’
• As a result of the introduction of GDPR, a data audit was conducted in May 2018. This resulted in all non-essential ‘legacy data’ being destroyed by shredding. If the Club does not need to keep the data then there is no lawful reason to keep it. The only historical data relating to individuals that is retained is for a lawful reason.
In order for the Furniture Store to function, members of the public provide personal data in the form of (some or all of the following) name, address, email address, landline telephone number, mobile telephone number.
Members of the public currently give personal data via the telephone answering service or via the Kenilworth Lions’ website or in person.
In order to protect individuals’ rights, the Club will:
1. inform members of the public that their personal details:
2. will only be used for the purpose of contact and location for furniture collection or delivery,
3. will only be kept as a record for four weeks following recording,
4. will be destroyed at the end of the four week period either by permanent erasure (electronically) or by secure shredding. This will be carried out by the Store Captain on a weekly basis and will be recorded in the ‘Captain’s Log’ for that session.
Transmission of data (from Balvinder Singh Sokhi, Chairman of Council, Lions Clubs International 21.05.2018
‘On behalf of all the Clubs in Multiple District 105, your Council of Governors have agreed with the International Association of Lions Clubs a lawful basis of transferring personal data outside the European Economic Area in compliance with the Regulation – using Standard Contract Clauses. The Contract gives Clubs a lawful basis to enter and maintain membership data into the LCI MyLCI database and receive membership/officer information and service programs and activities.’