Join now by direct debit available soon

Data Protection Policy

1. INTERPRETATION& DEFINITIONS:

Automated Decision-Making (ADM):  when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing:  any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.

Company:  West Wight Sports & Community Centre Trust Limited of Moa Place, Freshwater, Isle Of Wight, PO40 9XH, with company number 01266607. The Company is also a registered charity with number 273334.

Consent:  agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

Controller:  the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. We are the Controller of all Personal Data relating to our Personnel and Personal Data used in our business for our own commercial purposes.

Criminal Convictions Data:  means personal data relating to criminal convictions and offences and includes personal data relating to criminal allegations and proceedings.

Data Subject:  a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Impact Assessment (DPIA):  tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.

Data Protection Officer (DPO):  the person required to be appointed in specific circumstances under the UK GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO.

EEA:  the 28 countries in the EU, and Iceland, Liechtenstein and Norway.

Explicit Consent:  consent which requires a very clear and specific statement (that is, not just action).

UK General Data Protection Regulation (GDPR):  the General Data Protection Regulation ((EU) 2016/679) as defined in the Data Protection Act 2018. Personal Data is subject to the legal safeguards specified in the UK GDPR.

Personnel:  all employees, workers, contractors, agency workers, consultants, directors, members and others.

Personal Data:  any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal Data Breach:  any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy by Design:  implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR.

Privacy Guidelines:  our privacy and UK GDPR related guidelines provided to assist in interpreting and implementing this Privacy Standard and Related Policies.

Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies:  separate notices setting out information that may be provided to Data Subjects when we collect information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.

Processing or Process:  any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Pseudonymisation or Pseudonymised:  replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Related Policies:  our policies, operating procedures or processes related to this Privacy Standard and designed to protect Personal Data.

Special Categories of Personal Data:  information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

2. INTRODUCTION

 2.1 This Privacy Standard sets out how West Wight Sports & Community Centre Trust Limited (“we”, “our”, “us”, “WWSCC”) handle the Personal Data of our customers, suppliers, employees, workers and other third parties.

2.2 This Privacy Standard applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.

2.3 This Privacy Standard applies to all Employees, Workers and Self-Employed contractors (“you”, “your”). You must read, understand and comply with this Privacy Standard when Processing Personal Data on our behalf and attend training on its requirements. This Privacy Standard sets out what we expect from you for WWSCC to comply with applicable law. Your compliance with this Privacy Standard is mandatory. Related Policies and Privacy Guidelines are available to help you interpret and act in accordance with this Privacy Standard. You must also comply with all such Related Policies and Privacy Guidelines. Any breach of this Privacy Standard may result in disciplinary action.

2.4 Where you have a specific responsibility in connection with Processing such as capturing Consent, reporting a Personal Data Breach, conducting a DPIA as referenced in this Privacy Standard or otherwise then you must comply with the Related Policies and Privacy Guidelines.

 2.5 This Privacy Standard (together with Related Policies and Privacy Guidelines) is an internal document and cannot be shared with third parties, customers, members or regulators without prior authorisation from the DPO.

3. SCOPE

3.1 We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. We are exposed to potential fines of up to EUR20 million or 4% of annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the UK GDPR.

3.2 All Trustees, Directors, managers and supervisors are responsible for ensuring all WWSCC employees, workers and contractors comply with this Privacy Standard and need to implement appropriate practices, processes, controls and training to ensure that compliance.

3.3 The DPO is responsible for overseeing this Privacy Standard and, as applicable, developing Related Policies and Privacy Guidelines. That post is held by Clare Griffin, Centre Manager whose email is: clare.griffin@westwight.org.uk .

3.4 Please contact the DPO with any questions about the operation of this Privacy Standard or the UK GDPR or if you have any concerns that this Privacy Standard is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:

a. if you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by WWSCC); 

b. if you need to rely on Consent and/or need to capture Explicit Consent; 

c. if you need to draft Privacy Notices; 

d. if you are unsure about the retention period for the Personal Data being Processed;

e. if you are unsure about what security or other measures you need to implement to protect Personal Data;

f. if there has been a Personal Data Breach;

g. if you are unsure on what basis to transfer Personal Data outside the EEA; 

h. if you need any assistance dealing with any rights invoked by a Data Subject; 

i. whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA or plan to use Personal Data for purposes other than what it was collected for; 

j. if you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making; 

k. if you need help complying with applicable law when carrying out direct marketing activities; or 

l. if you need help with any contracts or other areas in relation to sharing Personal Data with third parties