Cardiff-Stuttgart Association (CSA)


GDPR (General Data Protection Policy) Version 2.0 May 2018


1 It was the decision of the CSA committee, after seeking advice from the Information Commissioner’s Office (ICO) and having carried out the self-assessment exercise on the ICO website1, that the CSA need not register with under the GDPR. The CSA would nevertheless need to establish a data protection policy.


Contents


General principles

Individual Consent

What we Use the Data For

Limited Data

What Data We Hold

Why we hold Data

Where do we hold Personal Data?

Accuracy

Data Security and Deletion

Other


General principles


1 CSA requires the consent of the individual to store personal data.


2 The GDPR requires that the CSA process personal data in a manner that is transparent to individuals, i.e. that they know what use we make of their personal data.


3 The information the CSA holds must be limited to that which is necessary.


4 CSA must take reasonable steps to ensure the data is accurate, and correct it when necessary.


5 CSA must ensure the safety of this data, and delete it when no longer required.


6 It follows that we need to know what data we hold, why we hold it, where we hold it, how we keep it secure, and have a policy on deletion.


7 We must also be able to tell individuals, on request, what data we hold on them; and to delete this data, on request, if we no longer need it.


Individual Consent


1 We hold personal data on:

members who supply names and contact data;

attendees at meetings who supply their name and contact details;

others who make enquiries by email and provide their details;

speakers who also supply some contact details;

others whom we may need to contact about room hire, to arrange facilities for meetings, or to publicise our meetings.


2 We will amend the website to make it clear that anyone contacting us gives consent for us to store the personal data supplied for use in managing their query. We should also make clear that if someone supplies us with personal data on anybody else – for example alternative contacts for the enquiry, or someone else who might be interested in our events - the person supplying the information must have permission to do so.


What we Use the Data For


1 We use the data to communicate with the individual regarding the running of the Association. We may also use the contact details to inform them of any events relating to the German language or culture we feel may be of interest.

We do not contact them for any other reason and we do not share their data with third parties unless we are legally obliged to do so, e.g. at the request of the police. A third party includes other people whose contact details the CSA holds. However, anyone wishing the CSA to contact people on his/her behalf, e.g. to publicise a concert, will have given the CSA implied permission to pass on his/her contact details.


Limited Data


1 We hold only what we need to manage our communications or to deal with an enquiry.


What Data We Hold


1 We hold the data supplied by members, guests at our meetings, or anyone else who contacts us. This will typically include name and email address and may also include other contact details such as postal address and telephone number (landline and mobile).


Why we hold Data


1 We need the personal data to let us communicate with individuals who wish to be informed of the Association’s activities, or whom we need to communicate with to arrange or publicise our activities.


Where do we hold Personal Data?


1 The principal store of personal data is on the computer and email account of the Secretary.


2 Electronic copies may also be held on the computer and email account of the Treasurer.


3 Whole or partial copies of this data may be made available to other committee members to assist in the smooth running of the Association.


Accuracy


1 We will attempt to correct any errors we spot. This will typically involve querying any items that look wrong, for example a telephone number or email address in the wrong format.


Data Security and Deletion


1 Personal data is held by the Secretary on a personal computer with limited access and a password, and on an email account protected by a password. The Secretary also hold some contact details in a paper filing system at a private residence.


2 The Treasurer may also hold personal data on a personal computer with limited access and a password, and on an email account protected by a password, or in a paper filing system at a private residence.


3 Other committee members may also hold personal data on a personal computer with limited access, and on an email account protected by a password, or in a paper filing system at a private residence.


4 Committee members may also hold personal data on Word, Excel, or other electronic files.


5 Personal data will be retained as long as the consent is on-going. The Secretary, Treasurer and other committee members who hold personal data will review the data at least annually and delete information that is no longer relevant or where permission has expired.


6 The Chair of the Association will seek an annual assurance from every committee member that any personal data held has been reviewed and deleted according to this policy.


Other


1 We are not required to have a Data Protection Officer (DPO) but it makes sense to appoint one to be the first point of contact for supervisory authorities and for individuals whose data is processed.

The Chair will be the DPO unless the committee or the AGM appoint someone else.


2 Subject Access Requests, or requests to amend or delete data, should be made to the Data Protection Officer. A response will be made within a month.


3 We should ask all committee members on a regular basis to state what personal data they hold (if any) and why they hold it. Annually unless the Association decides otherwise.


4 Data breaches should be reported to the DPO.

(In our circumstances the only likely breaches I can think of are either a break-in where a thief makes off with a computer holding the data, or a successful cyber-attack on Google. But if this happens we should flag it to the DPO and the committee as a potential breach.)


5 Those who wish to report any misuse of their data to the Information Commissioner’s Office may do so at the ICO Wales, 2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH. Telephone 029 2067 8400. wales@ico.org.



End of Document



1 https://ico.org.uk/for-organisations/register/self-assessment/