Effective 25th May 2018
Last update 30th March 2020
Reason for last update: Switch of website hosting provider following Surrey County Council's decision to withdraw funding for community website hosting support.
Thorpe Ward Residents’ Association (referred to as we, us our) are committed to treating your information securely, with respect and in line with data protection law. We serve our membership (referred to as you, your) in accordance with our Constitution which can be found on our website (thorpewardresidents.org.uk) which may be updated from time-to-time in accordance with the rules of our Constitution. In the document below, we clearly set out all the information regarding how we use your data and your rights. If you have any questions, please see the contact section at the bottom of this document.
- Through this policy and our website forms, we are committed to being transparent about how your information will be processed and ensuring the secure use of your data.
- You will also be informed about any changes to this document.
- When collecting your personal data, we will always make clear to you which data is necessary in connection with our service.
Your personal data shall be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject. We will tell you clearly how your data will be processed.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes (purpose limitation). We will always ensure we are processing your data appropriately.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). We won't collect more personal data than we need to carry out the task.
- Accurate and, where necessary, kept up to date. We will take reasonable steps to ensure inaccurate data is rectified or deleted without delay.
- Kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed. We may store your personal data for longer periods but we will ensure we have a legal purpose for this. Or statistical purposes subject to implementation of appropriate technical and organisational measures required by the Regulation in order to safeguard your rights.
- Processed in a way that ensures appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
- The controller shall be responsible for, and be able to demonstrate, compliance with the principles (accountability).
Why do we process your data?
We need to process some personal data to deliver our services to you. Without some minimal data processing, we are unable to perform certain actions which relate to the service that you expect from us.
- Consent: We will only process your data if you have explicitly signed up for our service or explicitly ticked a box on one of our webforms. By completing this form you consent to receive information from us.
- Supply you information: In certain circumstances, we need your personal data to comply with our ability to keep you informed about community-related matters or information about us that may interest you and to which you have consent in accordance with the above. For example, we may need to deliver our community publication, send you communications via email or make phone contact with you about specific matters in the locality of your area, plus provide communication on your such matters as our governance and your subscription.
- Legal compliance: If the law requires us to, we may need to process your data in order to comply with legal proceedings. This could for example take place in the case of fraud or criminal activity. We may in those cases pass on your details to the law enforcement authorities.
The legal bases we rely on?
We process your data in accordance with the data protection regulation. This sets out the legal ways in which we may collect and process your personal data. To process your data we must have a lawful basis to do so. The law allows for six ways to process your personal data. We will process your personal data where:
- You have given consent to the processing of your personal data for one or more specific purposes;
- It is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
- It is necessary for compliance with a legal obligation to which we are subject;
- It is necessary in order to protect your vital interests;
- It is necessary for the performance of a task carried out in the public interest or as we may be required to act in accordance with our Constitution;
- It is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
How will we process your data?
From the 25th May 2018, we may require your consent to enable us to continue to provide you with our services. Depending on what services you have signed up for, the manner in which your data will be processed may be different. Below we have listed the ways in which we will process your data to deliver our service:
- If you have subscribed to us, we will keep you informed via email and newsletters of your annual membership renewal and send you reminders to re-subscribe.
- Provide you electronic newsletters as a means of communicating to you about us and community-related information which we believe will be of interest. This may include, but not be limited to information we receive from third-parties which we will pass on where we believe you have an interest. This may include links to other third-party websites.
- Provide you details of our meetings and events being held, including our monthly Committee meetings, AGM and other meetings and events that we believe you may be interested to receive.
- To phone or contact one or more of members relating to a specific issue, such as, but not limited to town planning, volunteering support, to obtain further information about a reported activity.
- To follow-up on a contact you make in person (including attending Committee meetings), phone, letter, email or via our website.
- Only where necessary, to contact you where we identify a potential issue with information you have previously provided and that would stop us providing you a service or where we believe it may do so in the future.
- Undertake research to understand more about our membership, where they are located and how they engage with us. This is however strictly for internal use only in order to review our performance, the results of which will only be shared with our Committee. Where necessary, we may use this information to help improve how and what we provide as part of our service to you. The analysis of this data will never be given to any external parties or presented with identifiable data e.g. names, addresses etc.
- If you are attending one of our events, your submitted data will be processed for the purposes of administering the event you will be attending. We may also ask you to confirm your attendance.
- If in the rare occasion there is a major change to one of our core services which may affect you, we will inform you via email or newsletter.
- From time-to-time, we may contact you regarding some sponsored events/ publications or the opportunity to make donations.
- To deal with enquiries and complaints made by or about you relating to us, we will be responding to you and will occasionally document issues raised so that we can solve them.
Please note that you can unsubscribe from all emails at any point and you can have your data deleted or changed in all cases except where legal or contractual obligations still apply. Please see the section ‘Your Data Protection Rights’ below.
What types of data do we collect?
We may collect, store securely and use the following kinds of personal data:
- Information that you provide to us for the purpose of subscribing to our services, including email notifications and/or newsletters. These will include address, title, name, email address, and the name of your organisation, if appropriate.
- Information relating to any transactions carried out between you and us, including information relating to meeting(s) attended, subscription(s) and donation payment(s) made;
- Any other information that you choose to send to us via email until it is no longer needed to process a request.
Where may your data be processed?
As part of the services offered to you through this website, the information which you provide to us may be transferred to countries outside the European Union (“EU”) such as to non-EU based cloud services which we use to manage the service we provide and to conduct our operations. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.
How long will we keep your data?
Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. If your subscription lapses and you have not requested to have your data erased (see Your Data Protection Rights), we may keep your details for up to a year after your renewal anniversary, so that we may contact you to remind you to renew your subscription as we find many members just simply forget to renew their membership. After a year has lapsed we will send you a final email giving you 30 days’ notice that thereafter we will cease all communication with you and remind you of your right that we erase all information we hold on you.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use or store this information indefinitely without further notice to you.
In some circumstances you can ask us to delete your data: see “Right of erasure” below for further information.
Security of your personal data
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. For example, we have rules in place to ensure that access to personal information on our protected database is restricted to authorised individuals on a strictly need-to-know basis. We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so or where we have received a clear written instruction from you (as a one-off circumstance).
Data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
Who do we share your data with?
We will never share information with any third party that intends to use it for direct marketing unless we have received specific consent from the individuals involved. In some cases, we will share your information with trusted third-parties to support legitimate business purposes and in order to fulfil our services to you. These include the following types of service:
- Local authorities
- Organisations supporting delivery of community services
- Accounting software and accountants
- Electronic newsletter providers
- Data storage services
- Postal forwarding service providers
- Consultants or other professionals appointed by us
In the case of fraud or other criminal activity, we may share your information with law enforcement bodies.
Third party websites
The website may from time to time contain links to other websites. We are not responsible for the privacy policies or practices of third party websites
Your data protection rights
- Withdraw consent
Where we are using your personal information on the basis of your consent, you have the right to withdraw that consent at any time.
- Right to be informed
You have the right to be told how your personal information will be used. This policy document, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.
- Right of access
You can write to us asking what information we hold on you and to request a copy of that information. This is called a Subject Access Request. From 25 May 2018, we will respond as soon as possible and at the latest within one month of receipt. We reserve the right to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary. Before completing this request, we are entitled to ask for any information we reasonably require to check the person’s identity. This is to make sure there are no attempts at identity theft and to verify your identity. There is no charge for this request.
Under the “Right of Access of the Data Subject”, you are entitled to request a copy of the information we are processing about you. You are only entitled to your own personal data, and not to information relating to other people (unless you are acting on behalf of that person). This is known as a Subject Access Request (SAR) (see below).
- Right of erasure
From 25 May 2018, you have the right to be forgotten (i.e. to have your personally identifiable data deleted). You can request to be forgotten by contacting us through our website, or by writing to us at the address shown below and on our website. However, we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you.
- Right of rectification
If you believe our records are inaccurate you have the right to ask for those records relating to you to be updated. This enables you to have any incomplete or inaccurate data we hold about you corrected. We may need to verify the accuracy of the new data provided to us.
You may submit a formal ‘Subject Access Request’ (SAR) to us via email or call us (see contact information as the bottom of this document) to request information on what data we hold and how it can be updated.
Unless there is an applicable exemption, you are entitled to be given information on:
- Whether your personal data is being processed.
- The purposes of the processing.
- The types of personal data being processed.
- A copy of your personal data being processed.
- The recipients or categories of recipients your data will be disclosed to. This includes countries outside of the EU and the appropriate safeguards in place to protect your data.
- Where possible, the envisaged period of time your data will be stored and processed.
- The right to request rectification, erasure or restriction of the processing of your personal data.
- The source of your data, if it has not been collected directly from you.
- The existence of automated decision making, including profiling.
We will respond as soon as possible and at least within one month of receipt. We reserve the right to extend the period of compliance by a further two months where requests are complex or numerous and explain why the extension is necessary. Before completing this request, we are entitled to ask for information we reasonably require to check the person’s identity. This is to make sure there are not attempts at identify theft and to verify your identify.
If we need more information from you to help us find your information or identify you, we will ask you for further information. The 30-day timescales will commence once we are satisfied we have all the necessary identification and information to respond to your request.
If you have difficulty in identifying the precise information you require, or difficulty in making the application in writing, please contact us via our website form, or using the contact details shown.
All SAR requests should be sent to be addressed to the Data Protection Officer.
There is not charge for this request.
- Right to restrict processing
In certain situations, you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.
- Right to object
You have an absolute right to stop the processing of your personal data for direct marketing purposes. Contact us via the website and we will amend your contact preferences.
- Right to object to automated decisions
In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. This right is more applicable to mortgage or finance situations. We do not undertake complex computerised decision making that produce legal effects.
Changes to this policy
If, for any reason, you have a complaint, please contact our Data Protection Officer to discuss your concerns.
If, for any reason, you are unhappy with our response to your SAR, please contact the Data Protection Officer to discuss your concerns.
Following this, if you are still dissatisfied with the outcome, you have the right to appeal our decision directly to the Information Commissioner’s Office at the contact details below. The Information Commissioner’s Office will assess whether they wish to take further action.
Request a review by the Information Commissioner on the https://ico.org.uk/ or by calling 0303 123 1113.