(Where the words 'BOSCC', 'us', 'we', ‘Camera Club’ or ‘Club’ are used it will mean the club known as the 'Burnham-on-Sea Camera Club')
The EU General Data Protection Regulation 2016 (GDPR) came into effect on 25th May 2018. At the same time, the UK Data Protection Act 2018 (DPA 2018) came into effect. The UK Act adds exemptions and additions to the EU Regulation.
These Regulations change the way that businesses, charities and other organisations process an individual’s personal data. They allow an individual to exercise more control over how an organisation collects, stores and uses that individual’s personal data.
Personal Data collected and lawful basis
Personal data is any information that can be used to identify a person, for example, a name, an email, a phone number, an address, a photo, a signature and many other items of information.
Under the new Regulations, an organisation must have a lawful basis (legal reason) for everything that it does with personal data. The lawful basis that we use to process personal data is ‘Consent’. This means that an individual must give his consent for us to collect, store and use their personal data. It also means that an individual has the right to revoke their consent at any time and to request that their personal data be deleted.
The Camera Club collects personal data when individuals fill in membership forms or are photographed during the club’s activities. It also collects personal data from judges and speakers when they are contracted to provide their services to the club.
The personal data that we may collect is -
Name (or pseudonym)
Contact data, which is one or more of – an email address, a phone number or postal address
A photo that may be taken during any of the club’s activities.
We are also required by the new Regulations to collect and keep any personal data that may be given when a ‘Data Access Request’ is made (that is, any request to view data, change data, revoke consents or delete data). The lawful basis for this is ‘Legal Obligation’.
How the Burnham-on-Sea Camera Club uses the personal data
The Camera Club, with permission, uses the personal contact data for communicating with members about club activities such as forthcoming events, distribution of programmes & minutes, reminders of subs and fees, competition results and all aspects of their membership.
It will also, with permission, use a member’s name to identify them in club communications, competitions, events and documents either in written form or in digital form (in emails or on the club’s websites, www.boscc.org.uk, Facebook or Flickr).
It may also, with permission, take a member’s photo during club activities and use it in club activity material or promotional articles which are sent to various news outlets to be published.
It will also, by virtue of the lawful basis of Contract, contact judges and speakers to book their services and to communicate with them about any aspects of their contract with us.
How the Club stores and protects personal data
The Camera Club keeps personal data online in the BAY Centre’s business form of Google drive (known as G Suite). Google encrypt all data on their drives and are one of the most secure cloud providers. Backups are held on a separate server. The backups are encrypted and password protected.
Only two people have access to the personal data. They are the Secretary and the Treasurer.
The paper membership forms are kept by the Secretary in a locked location.
Who does the Camera Club share data with?
The Camera Club store personal data in the BAY Centre’s online storage. This storage is a business form of Google Drive.
The BAY Centre have opted-in to a Google Data Processing Amendment (DPA) that became effective on the 25th May 2018. This DPA makes the agreement between the BAY Centre and Google comply with the new EU General Data Protection Regulations.
Occasionally, the Camera Club will take photos of club activities that may contain member’s images. The photos may be used for club activities or included in articles prepared by the club and sent to various news outlets to be published.
The UK Data Protection Act 2018 allows for exemptions to the EU Regulation, one such exemption is the ‘special purposes’ exemption, which protects processing for the purposes of journalism. The exemption means that ‘journalists’ (and it seems, non-journalists) who process personal data with a view to publishing are exempt from needing a ‘lawful basis’ for that processing (this exemption does not remove their obligation to meet all the other requirements of the EU Regulation). For a full list of media outlets please see www.bayc.uk/media .
How long does the Club keep personal data?
The Camera Club will delete a member’s personal data (both online and in the paper membership forms) 3 months after they cease to be a member.
Any data requests to view, change the data, revoke consents or delete personal data will be held for 7 years.
An individual’s rights under the new Data Protection law
Under the Regulations, with the lawful basis of Consent, you have the right to revoke those consents at any time. You can do this by contacting the secretary at firstname.lastname@example.org or asking any of the committee members to pass your request to the secretary.
You also have the right to request to view your personal data being held by the Camera Club. You can do this by contacting the secretary at email@example.com or asking any of the committee members to pass your request to the secretary.
You also have the right to request that any personal data held by the Camera Club be corrected or changed. You can do this by contacting the secretary at firstname.lastname@example.org or asking any of the committee members to pass your request to the secretary.
You also have the right to ask for your personal data to be deleted. You can do this by contacting the secretary at email@example.com or asking any of the committee members to pass your request to the secretary.
You also have the right to request a copy of your data be provided by the Camera club in an easily transportable form. You can do this by contacting the secretary at firstname.lastname@example.org or asking any of the committee members to pass your request to the secretary.
(Under the new Regulations, the Camera Club must keep records of all data requests that are made. The legal basis for this is ‘Legal Obligation’.)
The Camera Club will report any data breaches of the personal data to the relevant authorities within 72 hours of becoming aware of a data breach.
The data will be reported to the ICO (Information Commissioner’s Office) which is the UK's independent body set up to uphold personal information rights.
How to report a concern to the ICO
In the first instance, if you have a concern about the way that we are handling your data, please contact the secretary at email@example.com.
If we don't sort out your concern satisfactorily, you can report your concern to the ICO.
The ICO (Information Commissioner’s Office) is the UK's independent body set up to uphold personal information rights.
The ICO webpage for reporting a concern can be found at https://ico.org.uk/concerns/
Data Controller and Processor
For the new EU Data Protection Regulation, the Burnham-on-Sea Camera Club is both a data controller and a data processor of the personal data.
Their address is -
Burnham-on-Sea Camera Club
The BAY Centre
Document initially published. The policy is one of a series of policy documents that replace all previous policy documents that existed in a variety of different formats, some electronic, some paper and some verbal.
Added ‘competition results and all aspects of their membership.’ to the personal contact data usage paragraph.
Added ‘competitions, events and documents either in written form or in digital form (in emails or on the club’s websites, www.boscc.org.uk, Facebook or Flickr).’ to the member’s name usage paragraph.