Club GDPR Policy

LEEK GOLF CLUB LTD - GDPR POLICY

This policy sets out the obligations Leek Golf Club (the Club) has in relation to data protection and the rights that identifiable stakeholders (data subjects) have in respect of their personal data.

All personal data will be processed in accordance with the following principles:

1. It will be processed fairly and in a transparent manner;

2. It will only be obtained for a specified, explicit and legitimate purpose;

3. It will be adequate, relevant and proportionate;

4. It will be accurate, up to date and retained for no longer than necessary;

5. It will be processed in accordance with the individual’s rights;

6. It will be kept secure;

7. It will not be transmitted abroad without sufficient protection;

8. Additional processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purpose.

Personal Data will not be processed unless:

• The data subject has expressly consented to the process,

or

• It is necessary for the performance of a contract with the individual,

or

• It is required under a legal obligation,

or

• To protect the interests of the individual,

or

• It is for the purpose of carrying out public functions including compliance with legal obligations

or

• It is necessary so as to pursue the club’s interests and those of third parties, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

Sensitive Personal Data will not be processed unless:

• The individual has consented,

or

• The information is required by law for employment purposes,

or

• Is for the protection of the individual or another person,

or

• Is legally required to be processed.

Individual Rights will be observed:

• To be informed;

• Access to data;

• Rectification of data;

• Erasure of data;

• Restrict processing;

• To object to data;

• Data portability;

• Not to be subject to automated decision making incl. “profiling”;

• Subject Access Requests;

• Consent – Individual’s consent will be obtained in accordance with the GDPR standard. Where an individual is under the age of 16 years consent will be obtained from a parent or guardian;

• Data breaches – A data subject will be notified of any data breach without undue delay.

Keeping Data Subjects Informed:

The Club will ensure that the following information is provided to every data subject when personal data is collected:

• Details of the Club including the identity of any appointed Data Protection Officer;

• The purposes for which data is being collected and will be processed and the legal basis justifying that collection and processing;

• Where applicable, the legitimate interests upon which the club is justifying its collection and processing of the personal data;

• Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;

• Where personal data is to be transferred to one or more third parties, details of those parties;

• Details of any transfer of personal data to a third person located outside the European Economic Area together with any safeguards;

• Details of the length of time the personal data will be held by the Club. Usually in the event of a member’s resignation personal data will be held to allow the club accounts relating to that member to be closed. In the event of an employee’s termination, seven years and in the case of a visitor two years from the visit unless the visitor consents to the data being retained.

• Details of the data subject’s rights;

• Details of the data subject’s right to withdraw their consent to the Club’s processing of their personal data at any time;

• Details of the data subject’s right to complain to the Information Commissioner’s Office;

• Where applicable details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and the consequences of failing to provide it;

• Details of any automated decision-making that will take place using personal data, including information on how decisions will be made, the significance of those decisions and any consequences;

• The information will be provided to the data subject at the time of collection or within one month if collected from a third person.

Data Subject Access:

• A data subject may make a subject access request (“SAR”) at any time requiring the Club to disclose the data held by the Club on that data subject. The Club will respond to such requests within one month of receipt.

• All subject access requests received must be referred to the Company Secretary and data subjects will be informed of the contact details to enable such contact.

• The Club will not charge for handling normal SARs but reserves the right to charge a reasonable fee for additional copies of information that has already been supplied to the data subject and for requests that are unfounded, excessive or repetitive.

Rectification of Personal Data:

• If a data subject notifies the Club that personal data held by the Club is inaccurate or incomplete, requesting that it be rectified, the personal data will be rectified and the data subject informed of the rectification within one month of being notified.

• If any affected personal data has been disclosed to third parties, those parties shall be informed of the rectification.

Erasure of Personal Data

Data subjects may request that the Club erases personal data held about them in the following circumstances:

• The data subject wishes to withdraw their consent to the Club holding and processing their personal data and it is no longer necessary for the Club to hold that personal data in respect of the purpose for which it was originally collected or processed;

• The data subject objects to the Club holding and processing their personal data and there is no overriding legitimate interest to allow the Club to continue doing so;

• The personal data has been processed unlawfully;

Unless the Club has reasonable grounds to refuse to erase personal data, all requests for erasures will be complied with and the data subject notified within one month of receipt of the request.

Where any erased personal data has been disclosed to third parties, those parties shall be informed of the erasure unless it is impossible or would require a disproportionate effort to do so.

Restriction of Personal Data Processing

Data subjects may request that the Club ceases processing the personal data it holds on them in which case the Club will remove the amount of personal data that is necessary to ensure that no processing of their data takes place.

Objections to Personal Data Processing

Data Subjects have the right to object to the Club processing their personal data on grounds of legitimate interest.

In such cases the Club will cease such processing unless it can be demonstrated that the Club’s legitimate grounds for such processing override the data subject’s interests, rights and freedoms, or the processing is necessary for the conduct of legal claims.

Where a data subject objects to the Club processing their personal data for direct marketing purposes, the Club will cease such processing.

Timely Processing

The Club shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without undue delay. (Also see above under the heading “Keeping the data subject informed”.)

Accuracy of Data and Keeping data up to date

The Club aims to ensure that all personal data collected and processed is kept accurate and up to date:

Data subjects will be reminded annually to inform the club of any changes to the personal data held in the club records and will be encouraged to check their personal details. Where any inaccurate or out of date data is found, all reasonable steps will be taken to amend or erase the data without undue delay.

Personal Data

The following personal data may be collected, held and processed by the Club:

Members – in order to participate in the activities of the Club:

• Full name, gender and date of birth;

• Date of joining;

• Contact details including home address, telephone number, mobile number and email address;

• Next of kin;

• Banking details including bank sort code and account number;

• Child protection Disclosure if relevant;

• Golf handicap and competition results.

Guests & Visitors – for insurance purposes and to inform of any matters in which they have an interest (e.g. a prize winner, competition scorecard etc.):

• Full name, gender and date of birth;

• Date of visit;

• Amount of green fee paid;

• Contact details including home address, telephone number, mobile number and email address;

• Competition score for handicap purpose.

Employees – for contracts of employment:

• Full name, gender and date of birth;

• Contact details including home address, telephone number, mobile number and email address;

• Next of kin;

• Banking details including bank sort code and account number;

• National Insurance number and HMRC tax codes;

• Level of personal contribution to pension scheme

Secure Processing

The Club will ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage:

• All emails containing personal data must be password protected;

• Any personal data disposed of must be securely deleted and hard copies shredded;

• Personal data must not be transferred over unsecured networks;

• Personal data in hard copy must only be transferred directly to the recipient;

• Personal data must not be shared informally;

• All copies of personal information must be stored securely in a locked receptacle;

• No personal data may be transferred to third persons without the authorisation of the Company Secretary;

• Personal data must not be left unattended or on view to unauthorised third persons;

• Personal data must not be stored on a portable device;

• Personal data stored electronically should be backed up and stored off-site and encrypted;

• Personal data stored electronically must be password protected and/or encrypted;

• Passwords should be changed regularly and should be such that they cannot be easily identified;

• Passwords must not be shared or written down;

• Employees and other parties working for or on behalf of the Club will be made aware of their and the Club’s responsibilities for data protection under this policy and will be provided with a copy;

• Persons working for or on behalf of the Club will be given access to personal information only to the extent that is necessary to properly carry out their assigned duties;

• All persons working for or on behalf of the Club handling personal data shall be appropriately trained and supervised. Their performance shall be monitored;

Accountability

The Club will not appoint a Data Protection Officer.

The Company Secretary will keep written internal records of all data collection, holding and processing which will incorporate the following information:

• The name and details of any applicable third party data controllers and processors;

• The purposes for which the Club processes data;

• Details of categories of personal data collected, held and processed by the Club;

• Details of any third parties that will receive data from the Club;

• Details of any transfer of data to non-EEA countries including safeguards;

• Details of how long personal data will be retained by the Club;

• Detailed descriptions of all technical and organisational measures taken by the Club to ensure the security of personal data.

Privacy Impact Assessments

The Club will complete a Privacy Impact Assessment as and when required which will be overseen by the Company Secretary and will address the following:

• The purposes for which personal data is being processed and the processing operations to be carried out on that data;

• Details of legitimate interests being pursued by the Club;

• An assessment of the necessity and proportionality of the data processing with respect to the purpose for which it is being processed;

• An assessment of the risks posed to individual data subjects;

• Details of the measures in place to minimise and handle risks including safeguards, data security, and other measures to ensure the protection of personal data, sufficient to demonstrate compliance with the Regulation.

Data Portability

The Club does not process personal data using automated means.

Automated Decision Making

The Club does not use personal data for the purpose of automated decision making.

Profiling

The Club does not use personal data for profiling purposes.

Transfer of Data to a Country Outside the EEA

The Club does not transfer personal data outside the European Economic Area.

Purpose of Data Processing:

• The Club collects and processes the personal data obtained from data subjects and sometimes from third persons;

• The Club only processes personal data in accordance with this policy or expressly permitted by law;

• Data subjects will be informed of the purpose for which the Club processes data at the time of collection or as soon as possible thereafter when collected from a third party;

• Adult Members – The Club processes the personal data recognising the Legitimate Interests of the membership and has completed a Legitimate Interests Assessment (see below);

• Junior Members (Under 16) – The Club will only process the data of a Junior with the consent of their parent or guardian;

• Visitors – The Club does not currently process the personal data of visitors for marketing purposes but will seek express consent prior to doing so should this policy change in the future. However, all golfing visitors are covered by the club’s personal liability insurance and to this extent visitors’ personal data will be processed to ensure insurance cover is maintained;

• Accidents – Any accidents to any person will be recorded and reported under the Club’s Health & Safety Policy. Medical information may be retained by the Club in the interests of all concerned;

• Employees – The Club processes personal data under contracts of employment.

• The Club will only collect and process personal data for and to the extent necessary for these purposes.

• Legitimate Interests Assessment – See Appendix A.

Data Breach Notification

All personal data breaches must be reported immediately to the Company Secretary.

If a breach is likely to result in a risk to the rights and freedoms of a data subject (financial loss, breach of confidentiality, reputational damage or other significant economic or social damage), the Company Secretary must ensure that the Information Commissioner’s Office is informed without delay and in any event within 72 hours of being made aware of it.

If a breach is likely to result in a high risk all affected data subjects must be informed of the breach directly and without undue delay.

A data breach notification shall include the following information:

• The categories and approximate number of data subjects affected;

• The categories and approximate number of personal data records involved;

• The name and contact details of the Company Secretary or other contact where information can be obtained;

• The likely consequence of the breach;

• Details of the measures taken or proposed to address the breach and any measures to mitigate any adverse effects.

Implementation

This policy shall be deemed effective from 25th May 2018. No part of this policy shall have retroactive effect and shall only apply to matters occurring on or after this date.

Ratified by Committee on

David T Brookhouse

Hon. Secretary

Review by April 2019

APPENDIX A – LEGITIMATE INTERESTS ASSESSMENT

Data for club members (excluding junior memberships) is held for the Legitimate Interests of managing the members’ club and satisfies the following criteria:

1. The Purpose Test

Why do you want to process the data and what are you seeking to achieve? – Efficient Management of the Club, to maintain the club’s status as a “Community Amateur Sports Club (CASC)” and to protect the data subjects’ interests (e.g. through medical data, identifying next of kin).

Who benefits from the processing and in what way? – The members benefit directly through access to improved club facilities at a lower cost than would be required without using technology.

Are there any wider public benefits to the processing? – The wider community benefits associated with CASC status.

What would be the impact of non-availability? – It is the Club’s view that there is no viable alternative.

Would your use of data be unethical or unlawful in any way? – No. The Club’s practices are standard throughout UK golf clubs.

2. The Necessity Test

Does this process actually help to further that interest? – Yes. It enables containment of subscriptions through reduced management costs.

Is it reasonable? – Yes. It is standard procedure amongst golf clubs.

Is there any less intrusive alternative? – Not as far as we can see.

3. The Balancing Test

What is the nature of your interest with the individual? – Leek Golf Club Ltd is a non-profit Company Ltd. by Guarantee which operates as a private members club. Directors are elected by members. Major decisions require members’ approval at a General Meeting.

Is any of the data particularly sensitive or private? – A small number of members support training and development of children’s golf and have clearance under child protection following Disclosure Application. Copies of these Applications are retained by the Club. Those involved are made fully aware of the process and have consented. No objection from those involved is anticipated.

A small number of members are in receipt of a subscriptions concession on the grounds of affordability. Applications for the concession are renewable annually and retained by the club whilst effective. Details are not processed or stored electronically. No objection from those involved is anticipated.

With regard to members who resign and leave the Club, data is only retained to allow the Club Accounts to be completed for the financial year of their last subscription and allow them to resume their membership in the future.

4. Children’s Data

Children’s data is not processed under the Legitimate Interests reason. Consent of a parent or guardian will be obtained to hold data in respect of any junior member.

5. Opt Out

It is the Club’s view that it would be impractical to offer any opt-out arrangements as it would result in multiple systems and alternative processes.

 

 
Copyright © Leek Golf Club Registered in England # 00357833, 2010-2018. All Rights Reserved.
