Data Protection – Last Updated 6.08.20

Reel Social needs to gather and use certain information about individuals in order to operate.

These can include suppliers, volunteers, audiences and potential audiences, business contacts and other people the group has a relationship with or regularly needs to contact.

This policy describes how this data must be collected, handled and stored to comply with the General Data Protection Regulation (GDPR).

This data protection policy ensures that Reel Social:

  • Protects the rights of its members and supporters
  • Complies with data protection law and follows good practice
  • Is open about how it stores and processes individuals’ data
  • Protects itself from a data breach

Data Protection Law

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals in the European Union and describes how organisations must collect, handle and store personal information.  These rules apply whether data is stored electronically, on paper and on other material.  To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

Reel Social recognises and understands that the consequences of failure to comply with the requirements of GDPR may result in:

  • Criminal and civil action
  • Fines and damages
  • Personal accountability and liability
  • Loss of confidence in the integrity of Reel Social’s systems and procedures
  • Irreparable damage to Reel Social’s reputation

Reel Social may also consider taking action where members do not comply with GDPR.

Roles and Responsibilities 

This policy applies to anyone involved in the activities of Reel Social.

This policy applies to all personal and sensitive data processed on computers, stored in paper files and on other material.  This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Any other personal information relating to individuals

Reel Social is the Data Controller and will determine what data is collected and how it is used.  The Data Protection Officer for Reel Social is the Website Manager.  She, together with the Management Committee, is responsible for the secure, fair and transparent collection and use of data by Reel Social.  Any questions relating to the collection or use of data should be directed to the Data Protection Officer.

Everyone who has access to data as part of Reel Social has a responsibility to ensure that they adhere to this policy.

Data Protection Principles

a) We fairly and lawfully process personal data in a transparent way.

Reel Social will only collect data where lawful and where it is necessary for the legitimate purposes of the group.

  • A member’s name, contact details and date of birth will be collected when they first join the group and will be used to contact the member regarding group membership, administration and activities.  Other data may subsequently be collected in relation to their membership, including their payment history for subscriptions.

Lawful basis for processing this data: Contract (the collection and use of data is fair and reasonable in relation to Reel Social completing tasks expected as part of the individual’s membership).

  • An individual’s name and contact details will be collected when they make a booking for an event.  This will be used to contact them about their booking and to allow entry to the event.

Lawful basis for processing this data: Contract (the collection of data is fair and reasonable in relation to Reel Social completing tasks expected as part of the booking).

  • An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for Reel Social to communicate with them about and promote group activities.

Lawful basis for processing this data: Consent (see ‘How we get consent’).

b) We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes.

When collecting data, Reel Social will always provide a clear and specific privacy statement explaining to the subject why the data is required and what it will be used for.

c) We ensure any data collected is relevant and not excessive.

Reel Social will not collect and store more data than the minimum information required for its intended purpose.

Reel Social needs to collect telephone numbers and email addresses from members in order to be able to contact them about group administration and activities.

d) We ensure data is accurate and up-to-date.

Reel Social will ask members to check and update their data on an annual basis.  Any individual will be able to update their data at any point by contacting the Website Manager.

e) We ensure data is not kept longer than necessary.

Reel Social will keep records for no longer than is necessary in order to meet the intended use for which it was gathered (unless there is a legal requirement to keep records for a longer period).

The storage and intended use of data will be reviewed in line with Reel Social’s Data Protection and Retention Policy.  When the intended use is no longer applicable (e.g. contact details for a member who has left the group) the data will be deleted within a reasonable period unless the member has consented to her contact details being retained for the purpose of informing her of future activities and events.

f) We keep personal data secure.

  • Reel Social will ensure that data it holds is kept secure
  • Electronically held data will be held within a password-protected and secure environment.  Passwords for electronic data files will be re-set each time an individual with data access leaves their role/position
  • Physically-held data (e.g. membership forms) will be stored securely
  • Access to data will only be given to relevant committee members where it is clearly necessary for the running of the group.  The Data Protection Officer will decide in what situations this is applicable.

Individuals’ Rights

Where Reel Social collects, holds and uses an individual’s personal data, that individual has the following rights over that data. Reel Social will ensure its data processes comply with those rights and will make all reasonable efforts to fulfil requests from an individual in relation to those rights.

Individuals’ rights

Right to be informed:  whenever Reel Social collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used.

Right of access:   individuals can request to see the data Reel Social holds on them and confirmation of how it is being used.  Requests should be made in writing to the Data Protection Officer and will be complied with within one month.  Where requests are complex or numerous this may be extended to two months.

Right of rectification:   individuals can request that their data be updated where it is inaccurate or incomplete. Reel Social will request that members check and update their data with the Membership Secretary on an annual basis.  Any requests for data to be updated will be processed within one month.

Right to object:  individuals can object to their data being used for a particular purpose. Reel Social will always provide a way for an individual to withdraw consent in all marketing communications.  Where Reel Social receives a request to stop using data, Reel Social will comply unless it has a lawful reason to use the data for legitimate interests or contractual obligations.

Right to erasure:  individuals can request for all data held on them to be deleted.  The Reel Social Data Retention Policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose for which it was originally collected.  If a request for deletion is made, Reel Social will comply with the request unless there is a lawful reason to keep and use the data for legitimate interests or there is a legal requirement to keep the data.

Right to restrict processing:  individuals can request that their personal data be ‘restricted’ – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, Reel Social will restrict their data while it is verified).

Member to Member Contact

Reel Social only shares members’ data with other members with the subject’s prior consent.  However, Reel Social encourages communication between members.

To facilitate this, members can access the personal contact data of other members via the Members’ pages of the Club’s website.  Personal data on these pages must not be shared with anyone outside the Club.  Anyone doing this will be in breach of GDPR.

How we get consent

Reel Social may collect data from consenting supporters for marketing purposes (e.g. to promote Club activities and events).

Any time data is collected for this purpose, Reel Social will provide:

  • A method for users to show their positive and active consent to receive these communications (e.g. a ‘tick box’)
  • A clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like Reel Social to send you email updates with details of Club activities and events’).

Data collected will only ever be used in the way described and consented to (e.g. Reel Social will not give out email data to third parties).

Every communication will contain a method through which the recipient can withdraw their consent (e.g. an ‘unsubscribe’ link in an email).  Opt-out requests such as this will be processed in 14 days.

 

*   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *

Data Retention Policy

Introduction

This policy sets out how Reel Social will approach data retention and establishes processes to ensure Reel Social does not hold data for longer than is necessary.  It forms part of Reel Social’s Data Protection Policy.

Roles and Responsibilities

Reel Social is the Data Controller and will determine what data is collected and how it is used.  The Data Protection Officer for Reel Social is the Website Manager.  She, together with the Management Committee, is responsible for the secure, fair and transparent collection of data by Reel Social.  Any questions relating to the collection or use of data should be directed to the Data Protection Officer.

Regular Data Review

A regular review of all data will take place to establish if Reel Social still has good reason to keep and use the data held at the time of the review.  As a general rule a data review will be held every 2 years.

Data to be reviewed

  • Data on digital documents (e.g. spreadsheets, databases) stored on personal devices held by committee members
  • Data stored on third-party online services (e.g. Dropbox, Facebook groups)
  • Physical data stored at the homes of committee members

Who the review will be conducted by

The review will be conducted by the Data Protection Officer with other committee members to be decided upon at the time of the review.

How data will be deleted

  • Physical data will be destroyed safely and securely, including shredding.
  • All reasonable and practical efforts will be made to remove data stored digitally.
    • Priority will be given to any instances where data is stored in active lists (e.g. where it could be used) and to sensitive data.
    • Where deleting the data would mean deleting other data that Reel Social has a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used.

Statutory requirements

Data stored by Reel Social may be retained based on statutory requirements for storing data other than data protection regulations.  This might include but is not limited to:

  • Details of payments made and received (e.g. in bank statements and accounting records)
  • Committee meeting minutes
  • Contracts and agreements with suppliers

Other Data Retention Procedures

Member data

  • When a member leaves Reel Social and all administrative tasks relating to their membership have been completed, any potentially sensitive data held on them will be deleted – this might include bank details.
  • Unless consent has been given, data will be removed from all email mailing lists
  • All other data will be stored safely and securely and reviewed as part of the next two-year review.

Mailing list data

  • If an individual opts out of a mailing list their data will be removed as soon as is practically possible.
  • All other data will be stored safely and securely and reviewed as part of the next two-year review.