General Data Protection Regulations and your rights to Privacy
Data Protection Policy
Introduction and scope
South Devon Choir needs to gather, store and use certain forms of information about individuals in order to operate.
Individuals includes members, freelancers, contractors, suppliers, volunteers, audiences and potential audiences, business contacts and other people with whom the Choir has a relationship or regularly needs to contact.
This policy explains how this data should be collected, stored and used in order to meet the Choir’s data protection standards and to comply with the law.
This policy ensures that South Devon Choir:
- protects the rights of members and other individuals
- complies with data protection law and follows good practice
- protects the Choir from the risks of a data breach.
Responsibilities and application
All those handling or having access to data on behalf of South Devon Choir are responsible for ensuring that they adhere to this policy, including:
- Committee members
- Committee support volunteers (limited access)
- freelancers and contractors (limited access)
- third-party suppliers (no direct access).
It applies to all data that South Devon Choir holds relating to individuals, including:
- email addresses
- postal addresses
- phone numbers
- photographs and video
- any other personal information held (eg financial).
Not all these forms of data will apply to everyone.
The data will only be used in the legitimate interests of the Choir, including contacting members and supporters regarding activities and concerts; processing subscriptions, Gift Aid and ticket sales; placing orders with suppliers or freelancers; and may be used or recorded electronically or on paper.
The Interim Data Controller for South Devon Choir is Lisa Prager. The Data Controller, together with the Committee, is responsible for why and how data is collected, and how it is stored and used. Any questions relating to the collection or use of data should be directed to the Data Controller.
We fairly and lawfully process personal data
South Devon Choir only collects data where lawful and where it is necessary for the legitimate purposes of the Choir.
- A member’s name, address, phone numbers and email address are collected when they first join the Choir, and will be used to contact the member regarding Choir membership administration and activities. Other data may also later be collected in relation to their membership, including subscription status and practice attendance.
- The name and contact details of volunteers, Committee members, freelancers and contractors are collected when they take up a position, and will be used to contact them regarding Choir administration related to their role.
Suppliers and contractors contact and financial details may need to be collected in order to do business with them and make payment for services and materials provided.
Further information, including criminal records information, may also be collected in specific circumstances where lawful and necessary (eg if a DBS check is required).
- An individual’s name and contact details are collected when they make a booking for an event. This will be used to contact them about their booking and to allow them entry to the event.
- An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for South Devon Choir to communicate with them about Choir activities and/or for direct marketing (see ‘Direct Marketing’ below).
We only collect and use personal data for specified and lawful purposes
When collecting data, South Devon Choir always explains why the data is required and what it will be used for. We never use data for any purpose other than that stated or that can reasonably be considered to be related to it. For example, we never sell or disclose personal data to a third party. However, we may use third-party services to store or process the data (such as Microsoft Office365, WordPress, Facebook, Twitter, YouTube, TicketSource, and Mail Chimp), but only if we are sure that they are reputable and secure, and that your data will be kept safe.
We ensure any data collected is relevant and not excessive
South Devon Choir does not collect or store more data than the minimum required for its intended purpose. For example, we need to collect members’ telephone numbers in order to contact them for Choir administration purposes, but data on their marital status or sexuality is not collected, since it is unnecessary and excessive to Choir administration.
We ensure data is accurate and up-to-date
South Devon Choir will ask members, volunteers and employees to check and update their data every two years. In addition, any individual may ask to update their data at any time by contacting the Data Controller.
We ensure data is not kept longer than necessary
South Devon Choir keeps data on individuals for no longer than 12 months after our involvement with the individual has stopped, unless there is a legal requirement to keep such records (eg records relating to Gift Aid, which must be held for 22 months after the relevant tax year), or unless they consent to remaining on our database (eg freelance soloists etc).
We process data in accordance with individuals’ rights
The following requests can be made in writing to the Data Controller:
- Members, volunteers and supporters can request to see any data stored about them. Any such request will be actioned within 28 days of the request being made.
- Members and supporters can request that any inaccurate data held on them is updated. Any such request will be actioned within 14 days of the request being made.
- Members and supporters can request to stop receiving any marketing communications. Online requests using the ‘unsubscribe’ function will be immediately effective; postal and other requests will be actioned within 14 days of the request being received.
- Members and supporters can object to any storage or use of their data that might cause them substantial distress or damage, or any automated decisions made based on their data. Any such objection will be considered by the Committee at its next scheduled meeting, and a decision communicated within 14 days of the meeting.
We keep personal data secure
South Devon Choir ensures that data is kept secure.
- Electronically-held data is held within a password-protected and secure environment, and only Committee members are provided with passwords. Committee members may not forward the passwords to other people without the formal approval of the Data Controller.
- Access rights to electronic data (via password) will be denied to a Committee member upon leaving the Committee. New Committee members will be issued with a new password and access rights.
- Physically-held data (eg membership enrolment forms, two-yearly data confirmation forms) is stored in a locked cupboard, filing cabinet etc.
- Access to the data held will only be given to others where it is clearly essential for the running of the Choir. The Data Controller will decide in what situations this is applicable and keeps a master list of who has access to what data and in what form.
Transfer to countries outside the EEA
South Devon Choir does not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual (eg USA).
We do not share members’ data with other members
As a membership organisation, South Devon Choir encourages communication between members. To facilitate this, members can request a Committee member for assistance in getting in touch with another member, but will not be provided directly with the information.
We only use photographs/videos of individuals with their agreement
We tell performers if activities are to be recorded in any medium for publicity purposes. The Choir and its sponsors may wish to use motion or still pictures, and live, taped, or filmed television or audio of Choir concerts and social events, and related matters. This would be without payment, and could be used on websites, Facebook, Twitter and other social media, as the Committee decides. If an individual is recognisable in this material, they may ask for their image not to used; otherwise, the Choir retains the right in perpetuity to make, use and show such media as deemed necessary.
South Devon Choir collects data from consenting members and supporters for marketing purposes. Such purposes include contacting them to promote concerts, updating them about Choir news, fundraising and other Choir activities.
When data is collected for this purpose, we provide:
- a clear and specific explanation of what the data will be used for, and
- a method for users to show their active consent to receive these communications.
Data collected is only ever used in the way described and consented to. We do not use it to market third-party products, unless this has been explicitly consented to.
Every marketing communication contains a method through which a recipient can withdraw their consent (eg an ‘unsubscribe’ link in an email). Opt-out requests such as this will be processed within 14 days.
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
The website (www.southdevonchoir.org) has a pop-up box that activates each time a new user visits the website. This allows the user to click to consent (or not) to continuing with cookies enabled, or to ignore the message and continue browsing (giving implied consent). It also includes a link to our Cookies Policy which outlines which specific cookies are used and how they can be disabled in the most common browsers.
This policy document and related documentation will be reviewed and updated every two years.
Document Revision Record