
GDPR

Overview of the General Data Protection Regulation

The Charity will ensure that all personal data that it holds will be:

- processed lawfully, fairly and in a transparent manner;

- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

- adequate, relevant and limited to what is necessary;

- accurate and kept up to date;

- kept in a form which permits identification of data subjects for no longer than is necessary;

- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.


GDPR Policy

1.  Introduction


Under the General Data Protection Regulation (GDPR) the Newmilns Regeneration Association (hereinafter referred to as “the Association”) is required to comply with the GDPR and undertakes to do so.

2.  Definitions


The definitions of terms used in this policy are the same as the definitions of those terms detailed in the GDPR regulations.

Data Subject
A data subject is an identifiable individual person about whom the Association holds personal data.

Contact Information
For the purposes of this Policy, “Contact Information” may include, but is not limited to, a person’s:
- full name (including any preferences about how they like to be called);
- full postal address;
- telephone and/or mobile number(s);
- e-mail address(es);
- social media IDs/usernames (eg: Facebook, Twitter, WhatsApp).

3.  Principles of the GDPR


The Association will ensure that all personal data that it holds will be:

processed lawfully, fairly and in a transparent manner in relation to individuals;

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

4.  Lawful Processing


The Association will obtain, hold and process all personal data in accordance with the GDPR for the following lawful purposes.

In all cases the information collected, held and processed will include Contact Information (as defined in 2 above).


4.1        By Consent


People who are interested in, and wish to be kept informed of, the activities of the Association.

Subject to the person’s consent, this may include information selected and forwarded by the Association on activities relevant to those of the Association by other organisations.
Note: this will not involve providing the person’s personal data to another organisation.

The information collected may additionally contain details of any particular areas of interest about which the person wishes to be kept informed.

The information provided will be held and processed solely for the purpose of providing the information requested by the person.

4.2        By Contract


People who sell goods and/or services to, and/or purchase goods and/or services from the Association. This may also include the Association’s Lottery, where participants or recipients of grants may be asked for details to be paid out.

The information collected will additionally contain details of:

The goods/services being sold to, or purchased from the Association;

Bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to, or purchased from the Association;

For the Association’s Lottery we will require the individual to provide their Date of Birth in order to confirm compliance with Age restrictions.

The information provided will be held and processed solely for the purpose of managing the contract between the Association and the person for the supply or purchase of goods/services.

4.3        By Legal Obligation


People where there is a legal obligation on the Association to collect, process and share information with a third party – eg: the legal obligations to collect, process and share with HM Revenue & Customs payroll information on employees of the Association.

The information provided will be held, processed and shared with others solely for the purpose of meeting the Association’s legal obligations.

Employees (Human Resources)
For the purpose of managing an employee’s contract and terms of employment the information collected will additionally contain details, as required, of:

The person’s references;

The person’s emergency contacts detail;

The person’s CV;

The person’s history of employment;

Such other information as may be required within the limitations of employment.

Taxation (HM Revenue & Customs)
For the purpose of managing an employee’s PAYE and other taxation affairs the information collected will additionally contain details, as required by HM Revenue & Customs, of:

The person’s National Insurance Number;

The person’s taxation codes;

The person’s salary/wages, benefits, taxation deductions & payments;

Such other information as may be required by HM Revenue & Customs.

Pensions
For the purpose of managing an employee’s statutory pension rights the information collected will additionally contain details, as required by the Association’s pension scheme (National Employees Savings Trust, NEST), of:

The person’s National Insurance Number;

The person’s salary/wages, benefits, taxation & payments;

Such other information as may be required by the NEST scheme.

4.4        By Vital Interest


The Association undertakes no activities which require the collection, holding and/or processing of personal information for reasons of vital interest.

4.5        By Public Task


The Association undertakes no public tasks which require the collection, holding and/or processing of personal information.

4.6        Legitimate Interest


Volunteers
Contact information of current or potential volunteers may be held in line with paragraph 2.

Closed Circuit TV (CCTV) Recording
While not currently running video CCTV, the Association reserves the right to introduce video CCTV in the future. This would allow the Association to collect video CCTV images of people entering and moving around its premises in order to safeguard its collection from theft and vandalism, as may be required by its insurers.

Any information collected would only be processed and, where appropriate, shared with other authorities (eg: the Police) where it is necessary to investigate a potential crime.

5.  Individual Rights


Note:  The following clauses are taken primarily from the guidance provided by the Office of the Information Commissioner,
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

5.1        The right to be informed


When collecting personal information the Association will provide to the data subject free of charge, a Privacy Policy written in clear and plain language which is concise, transparent, intelligible and easily accessible containing the following information:

- Identity and contact details of the controller
Note: where the organisation has a controller’s representative and/or a data protection officer, their contact details should also be included

- Purpose of the processing and the lawful basis for the processing

- The legitimate interests of the controller or third party, where applicable

- Categories of personal data
Not applicable if the data are obtained directly from the data subject

- Any recipient or categories of recipients of the personal data

- Retention period or criteria used to determine the retention period

- The existence of each of data subject’s rights

- The right to withdraw consent at any time, where relevant

- The right to lodge a complaint with a supervisory authority

- The source the personal data originates from and whether it came from publicly accessible sources
Not applicable if the data are obtained directly from the data subject

- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
Not applicable if the data are NOT obtained directly from the data subject

In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of the Association having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

5.2        The right of access


The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in the Association’s relevant Privacy Policy.

5.3        The right to rectification


The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.

5.4        The right to erase  (The right to be forgotten)


Except where the data are held for purposes of legal obligation or public task (4.3 or 4.5) the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her.
Note:  This provision is also known as “The right to be forgotten”.

5.5        The right to restrict processing


Where there is a dispute between the data subject and the Controller about the accuracy, validity or legality of data held by the Association, the data subject shall have the right to require the controller to cease processing the data for a reasonable period of time to allow the dispute to be resolved.

5.6        The right to data portability


Where data are held for purposes of consent or contract (4.1 or 4.2) the data subject shall have the right to require the controller to provide him/her with a copy in a structured, commonly used and machine-readable format of the data which he/she has provided to the controller, and have the right to transmit those data to another controller without hindrance.

5.7        The right to object


a)  The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based on Public Task or Legitimate Interest (4.5 or 4.6), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

b)  Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

c)  Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

d)  At the latest at the time of the first communication with the data subject, the rights referred to in paragraphs a) and b) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

6.  Data Controller and Data Protection Office

6.1        Data Controller


A Data Controller will be appointed by the Board of Trustees.

In the absence of the Data Controller (eg: on holiday or on sick leave) the Chair of the Trustees will act as the Data Controller.

The Data Controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation.

Those measures shall be reviewed and updated where necessary.

6.2        Data Protection Officer


The scale and scope of the data collected and processed by the Association does not justify the appointment of a Data Protection Officer.

7.  Privacy Policy


The Association will have a Privacy Policy which it will make available to everyone on whom it holds and processes personal data, in accordance with 5.1. The Association will also have an enhanced Privacy Policy for Employees that will include Payroll and Taxation references.

In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of the Association having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.


Privacy Policy
Employees – Payroll & Taxation

It is important to us that you understand and are happy with how we use your information.
Please take time to read this policy in full.

7.1        Identity and contact details of the controller.


The Association’s Data Controller is Graham Vincent.

He can be contacted at:         

Newmilns Regeneration Association, 4 Brown Street, Newmilns KA16 9AB
e-mail:  grahamvincent@lovenewmilns.org

7.2        Data Subjects


This Privacy Policy applies to employees of the Association and all other persons from whom the Association is legally required to collect, process and share personal data for the purposes of compliance with UK taxation legislation.

7.3        Purpose of the processing and the lawful basis for the processing


The purpose of processing is to manage your PAYE, NIC, pension and other statutory taxation relevant to your employment with the Association.

The lawful basis for the processing is “Legal Obligation”.

7.4        The right to withdraw consent at any time


You do not have the right to withdraw consent to the use of your personal data as the lawful basis for holding and processing the data is “Legal Obligation”.

7.5        The right to require the erasure of your data (right to be forgotten)


You do not have the right to require the erasure of your personal data as the lawful basis for holding and processing the data is “Legal Obligation”.

7.6        The legitimate interests of the controller or third party, where applicable


None applicable for lawful basis processing.

7.7        Any recipient or categories of recipients of the personal data


Relevant PAYE & NIC data calculated by the Data Controller on the basis of your salary and benefits are forwarded securely to HM Revenue & Customs via the HMRC PAYE Government Gateway site.

Relevant pension contributions calculated by the Data Controller on the basis of your salary are forwarded securely to the National Employee Savings Trust through its encrypted website.

From time-to-time we may need to share the information we collect with the Association’s professional advisors (eg: lawyers, accountants) when they need it to provide advice.   We will seek your permission before sharing your personal information in this way.

The Police, local authorities, Her Majesty’s Revenue and Customs (HMRC), the Courts and any other central or local government bodies where they request it and we may lawfully disclose it, for example for the prevention and detection of crime.

We also may share the information we collect where we are legally obliged to do so, eg: to comply with a court order.

Other people who make a reasonable subject access request to us, provided that we are allowed to do so by law.

7.8        Retention period or criteria used to determine the retention period


Your personal data are retained for the prevailing statutory period (currently 6 years) as prescribed by HMRC and NEST.

7.9        Details of transfers to third country and safeguards


The Association does not transfer any personal data to third countries.

7.10    The existence of each of data subject’s rights


Other than the right to withdraw consent (see 7.4) and the right to erase (see 7.5) you have all the data subject rights, as prescribed by the General Data Protection Regulation, namely the rights:

a)  to be informed about your personal data held by the Data Controller on behalf of the Association, the purpose(s) for which they are held; the manner in which they are processed; the recipients (if any) of the data;

b)  to be given access to your personal data;

c)  to rectification – the correction of any error in the data and/or the completion of any incomplete data;

d)  to restrict processing – while you have legitimate justifiable concerns about the accuracy, validity or legality of data held by the Association or the way in which the data are being processed. Data processing may be resumed once either the cause(s) of the concern has (have) been rectified or your concerns are demonstrated to be unjustified.

e)  to object to processing – while you have reasonable grounds relating to their impact on your particular circumstances and where the legal basis of the processing is Public Task or Legitimate Interest. However, the processing of your data can be resumed if the Data Controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims;

7.11    The source the personal data originates from and whether it came from publicly accessible sources


Only your personal tax code data originates directly from HM Revenue & Customs and is not available from publicly accessible sources.

7.12        Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data


The provision of your personal data for this is a statutory requirement under UK taxation and pensions legislation.

Failure to provide the data, or the provision of data which are inaccurate or late, exposes both you and the Association to significant penalties or legal action.

7.13    The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences


The Association does not use any automated decision-making software in the processing of your personal data.

7.14    The right to lodge a complaint with a supervisory authority


You have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for the UK if you are dissatisfied with the way that the Association is collecting, holding, processing and using your personal data and you feel that your reasonable attempts to raise the issues and get them addressed have failed.

7.15    What additional information do we collect and when?


In addition to the statutory information that we collect, hold and process for the purpose of managing your taxation and pension affairs we also collect and hold:

- All information you choose to submit to us when you communicate to us by post, e-mail, messaging, or other form of image-based (eg: photographs), sound-based (eg: sound files) or text-based communication, whether physical (eg: ink & paper) or electronic.

- Copies of any notes that we take, whether physical (eg: ink & paper) or electronic, during verbal communications between us (eg: telephone; Skype®; Hangouts®).

- Information on what we communicate to you by post, e-mail, messaging, or other form of image-based or text-based communication whether physical (eg: ink & paper) or electronic, including information in all ancillary materials (eg: attachments, images, brochures). 

7.16    Is your information secure?


We take the security of your information very seriously.

We comply with the relevant prevailing legislation which requires us to have in place appropriate security measures at all times, including where we share your information with others. 



Privacy Policy
General

It is important to us that you understand and are happy with how we use your information.
Please take time to read this policy in full.

7.17    Identity and contact details of the controller


The Association’s Data Controller is Graham Vincent.

He can be contacted at:         

Newmilns Regeneration Association, 4 Brown Street, Newmilns KA16 9AB
e-mail:  grahamvincent@lovenewmilns.org

7.18    Data Subjects


This Privacy Policy applies to all individuals from whom the Association has collected and holds personal information.

7.19    The Right to be Informed


The Association will provide to the data subject free of charge, a Privacy Policy containing the following information:

- Purpose of the processing and the lawful basis for the processing

- The legitimate interests of the controller or third party, where applicable

- Categories of personal data
Not applicable if the data are obtained directly from the data subject

- Any recipient or categories of recipients of the personal data

- Retention period or criteria used to determine the retention period

- The existence of each of data subject’s rights

- The right to withdraw consent at any time, where relevant

- The right to lodge a complaint with a supervisory authority

- The source the personal data originates from and whether it came from publicly accessible sources
Not applicable if the data are obtained directly from the data subject

- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
Not applicable if the data are NOT obtained directly from the data subject

In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of the Association having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

7.20    The right to withdraw consent at any time


You do not have the right to withdraw consent to the use of your personal data if the lawful basis for holding and processing the data is “Legal Obligation”.

7.21    The right to require the erasure of your data (right to be forgotten)


You do not have the right to require the erasure of your personal data if the lawful basis for holding and processing the data is “Legal Obligation”.

7.22    The legitimate interests of the controller or third party, where applicable


Detail the basis for holding the data. None applicable for lawful basis processing.

7.23    Retention period or criteria used to determine the retention period


The Association will specify the retention period for the data.

7.24    The existence of each of data subject’s rights


Other than the right to withdraw consent and the right to erase, you have all the data subject rights, as prescribed by the General Data Protection Regulation, namely the rights:

a)  to be informed about your personal data held by the Data Controller on behalf of the Association, the purpose(s) for which they are held; the manner in which they are processed; the recipients (if any) of the data;

b)  to be given access to your personal data;

c)  to rectification – the correction of any error in the data and/or the completion of any incomplete data;

d)  to restrict processing – while you have legitimate justifiable concerns about the accuracy, validity or legality of data held by the Association or the way in which the data are being processed. Data processing may be resumed once either the cause(s) of the concern has (have) been rectified or your concerns are demonstrated to be unjustified.

e)  to object to processing – while you have reasonable grounds relating to their impact on your particular circumstances and where the legal basis of the processing is Public Task or Legitimate Interest. However, the processing of your data can be resumed if the Data Controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims;

7.25    The right to lodge a complaint with a supervisory authority


You have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for the UK if you are dissatisfied with the way that the Association is collecting, holding, processing and using your personal data and you feel that your reasonable attempts to raise the issues and get them addressed have failed.

7.26    What additional information do we collect and when?


In addition to the statutory information that we collect, hold and process for the purpose of managing your taxation and pension affairs we also collect and hold:

- All information you choose to submit to us when you communicate to us by post, e-mail, messaging, or other form of image-based (eg: photographs), sound-based (eg: sound files) or text-based communication, whether physical (eg: ink & paper) or electronic.

- Copies of any notes that we take, whether physical (eg: ink & paper) or electronic, during verbal communications between us (eg: telephone; Skype®; Hangouts®).

- Information on what we communicate to you by post, e-mail, messaging, or other form of image-based or text-based communication whether physical (eg: ink & paper) or electronic, including information in all ancillary materials (eg: attachments, images, brochures).

7.27    Is your information secure?


We take the security of your information very seriously.

We comply with the relevant prevailing legislation which requires us to have in place appropriate security measures at all times, including where we share your information with others.