Alpine Leisure Property Club General Data Protection Policy
According to the new GDP Regulations to be introduced by the EU in May 2018, ALPC (afterwards described as the Club) is required to have a policy in place regarding storage and management of any personal data held by the organisation. This policy applies to both members and employees of the organisation. Under the new regulations we must ensure that all data subjects have the following rights:
- To be informed of the processing of their personal data.
- To request rectification of their data if inaccurate.
- Access to their personal data and supplementary information and the right to confirmation that their personal data is being processed.
- To be ‘forgotten’ by having their personal data deleted or removed on request where there is no compelling reason for the data to continue to process it.
- To restrict the processing of their personal data if they consider that the processing is unlawful or inaccurate.
- To data portability of their personal data for their own purposes.
- To object to the processing of their personal data for direct marketing, scientific or historical research or statistical purposes.
ALPC hold personal data consisting of the following:
- Names, physical addresses, contact telephone numbers and e-mail addresses of members of the Club. This data is held on the password protected members only section of the website, where the individual members have access and capacity to view and correct their personal data (via the ALPC Data Protection Officer).
- Register of Members. We hold the statutory register in a secure database. It contains the minimum data set required to be held, which includes shareholder names and addresses, date of birth, place of birth, nationality, and the number of shares held and date of registration of membership and date of cessation of membership.
- Buying and Selling Information. This information is kept by the Committee member who has responsibility for new members in hard copy. It includes the names, address, e-mail address, telephone numbers ages and occupations of members. Copies of the current passports at application and a copy of the stock transfer form are also kept in hard copy along with the agreed share price. Any electronic copies of the documents are destroyed.
The purposes for holding the data include:
- Contacting members to inform them of the documentation required to fulfil the regulations of the AGM of the Club and the associated SCI.
- To encourage attendance of members at the AGM.
- To circulate minutes of the committee and other documentation that the committee consider necessary for the information of members and the successful administration of the Club.
- To contact the members concerning bookings administration. This includes bid processes and other administration directly concerned with bookings made or changed.
- To contact members concerning any financial issues arising from bookings or subscription payments.
- To keep members generally informed of, for example, issues that could affect any booked holiday or surrounding the smooth running of the Club.
The Club also holds (offline) personal data on any staff offered employment and during their period of employment. This not only includes that information held on members as above but also details essential to manage their employment, including address, former names, passport and nationality details, national insurance, bank details for payment, emergency contact details and in certain circumstances, health information.
Salary and tax information must be kept for 6 years after an individual’s employment has terminated (HMRC requirement). Beyond this point all former employee personal data will be deleted.
All personnel records held are maintained on a password protected PC, only accessible by the designated committee member with responsibility for human resources. Data (but only that which is essential) may be shared with the line manager or with the management committee on a need to know basis; salary, tax and bank information will be shared with third party payroll providers for the purpose of payment of salary or with the express, written consent of the data subject.
ALPC undertakes to ensure that:
- Members and employees will be informed of the purpose and use of their personal data being held by the organisation.
- All data held is the minimum required to administer the Club on behalf of its members and employees.
- That all possible steps are taken to ensure the security of the data held against accidental loss, damage or destruction.
- That members and employees will have the right to view and amend their own personal data.
- That on ceasing either to be a member or an employee of the Club, all personal data will be removed or deleted, unless required by law or where there is a compelling reason for that information to continue to be held.
- All members and employees are informed of their personal data being held and will be approached for their specific signed consent for the processing of their data as outlined above.
Member’s data will be shared with Event Nation Ltd (for the purpose of maintaining and supporting our website), Sareg (our French lawyers) for the purpose of ensuring compliance with our responsibilities under French law, our UK auditors for the purpose of ensuring compliance with our responsibilities under UK law, and (for bookings data only) our chalet staff for the purpose of ensuring the smooth operation of the chalet accommodation and catering.
Response to Data Breaches
A personal data breach may involve loss of personal data or the unlawful accessing or processing of personal data. Only if an incident actually resulted in a breach of personal data, does the mandatory notification obligation applies. For instance, lost USB sticks, stolen laptops, malware infections or hacked databases containing personal data are considered personal data breaches. In the case of a member of the committee becoming aware that a data breach has occurred, the following steps will be taken –
- The committee member who has become aware of the breach will immediately notify the rest of the committee who will arrange to notify the Information Commissioners Office within 72 hours if the data breached is of sufficient personal nature to cause individual risk.
- The committee will investigate the source of the breach, assess the numbers affected and the risk to those individuals, including the sensitivity of the data breached.
- Where the breach is deemed to be high risk to the rights and freedoms of either members or employees, those affected will be informed as soon as possible and within 72 hours.
- The committee will notify those affected of the nature, scope and possible consequences of the breach with advice on steps to take to mitigate the breach.
- The committee will create a breach register and will be alert to the risks of data loss and appropriate technological means to minimise any ongoing risks.