General Data Protection Regulation (GDPR)
and
CDXC Privacy Statements
Members will have heard of the General Data Protection Regulation (GDPR) which came into force across Europe on 25th May 2018. These regulations apply to CDXC and here we explain our responsibilities, describe how we discharge them in a compliant manner and inform you of your rights under the new legislation.
What is GDPR?
GDPR expands existing Data Protection Regulations and widens their scope. It requires that personal data on members (“data subjects”) must be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How does CDXC comply?
Under the legislation, CDXC becomes the ‘Data Controller’ for the personal data it holds on current members, past members and prospective members. That data is held in a database within the Wild Apricot system. Our policy for compliance with GDPR is as follows:
(i) CDXC has a legitimate reason to hold your personal data:
CDXC holds personal data to allow it to service members in regard to subscriptions, Digest circulation, event organisation and general communications. We retain ex-members’ and prospective members’ personal data to allow us to re-engage with them to entice them to re-join.
(ii) CDXC holds your personal data securely:
All of CDXC’s membership, ex-membership and never-membership data is held securely on the Wild Apricot platform. Wild Apricot is a third-party Data Processor, located outside the EU, but uses appropriate technical measures to keep CDXC’s data secure. The Wild Apricot privacy statement can be found at:
https://www.wildapricot.com/PrivacyPolicy
(iii) CDXC uses your personal data responsibly:
CDXC uses the personal data it holds solely for the purposes of administering the Club. With the sole exception of providing the Digest mailing list to our printers, CDXC does not disclose, share, sell or otherwise distribute personal data in its database. Members may, under password control, download a list of current members; that download contains only Salutation and Callsign, which are considered to be pieces of information that are in the public domain in the context of amateur radio.
(iv) CDXC allows those whose data we keep to know what we keep and why:
CDXC keeps the following personal data for entries on the database (note that not all entries have all of the following fields completed):
a) Full name and title, salutation (on air name)
b) Primary callsign
c) Other callsign(s)
d) Postal address
e) e-mail address
f) Telephone number(s)
g) Digest/eDigest preference
h) Information related to subscription renewals (but not any bank or PayPal information)
i) Date of last log-on to the system
j) Joining source
k) Attendance at events
l) General administrator’s notes.
m) For each marketing campaign we track persons we contacted and their response.
At present, some personal data we keep on members, with the exception of any notes added to a record by Administrators, has been obtained either directly from the member or from publicly available sources (e.g. callbooks, QRZ.com etc.). We retain this data as it is necessary for CDXC and in the interests of the individual member, but we remind members to check that their personal data is accurate.
(v) CDXC allows those whose personal data we keep to request some or all of it to be updated or deleted:
Members may access and update their own primary data by using their secure log in password on the CDXC web site. This is also how any inaccuracies or changes in your personal data can be updated at any time. Individual passwords are not visible to any other users (including Administrators).
Administrators, who would normally be Committee members or those who assist with system administration, can access all data on the system and help with any requests to edit or remove data if requested. Administrators who download any data from the Wild Apricot system are legally required to comply with all of the conditions of GDPR.
Only Administrators can delete certain data from the system. If any person would like their personal data removed from their database record they should contact sec@cdxc.org.uk with a request.
Whilst it is the right of any person to have their personal data deleted, removal of personal data that would result in CDXC being unable to service a membership, or which would create a significant ongoing load on any of our volunteers, may result in that person’s membership being suspended.
(vi) CDXC does not retain personal data for longer than is necessary for the reasons it was held in the first place:
Data held by CDXC will be retained for the following periods:
a) Members: All data to be retained for the period of their membership
b) Ex-Members: All data to be retained for seven years after cessation of membership
c) Never-Members: We obtain consent (e.g. at conventions or on our web site forms) to store personal data from prospective members, and retain it for at most five years.
(vii) CDXC has a nominated Data Protection Officer:
The Data Protection Officer for CDXC is the Honorary Secretary, who may be contacted at sec@cdxc.org.uk or at the address in the current CDXC Digest. The Data Protection Officer is responsible for informing the Information Commissioner’s Office within 72 hours if there is a suspected breach of security affecting personal data.
What do members, ex-members or never-members need to do?
If you are content for CDXC to hold the personal data we do on the basis of, and for the timescales, described above, then nothing.
Members may log in to the CDXC web site at any time to check their personal data is correct. If you would like any data we hold on you to be updated or deleted, please contact sec@cdxc.org.uk.
Approved by Committee April 2018