PRIVACY POLICY
We take the security of your personal data very seriously and put safeguards in place when collecting, processing and storing your information. This policy notice explains exactly what we do with your data including any third parties we work with β although we never share your personal information with any third party marketing organisations (except for the purposes of receiving emails from us) and only use your data for the purpose(s) for which it was collected.
Who handles your data (data controller)
Dundee United Community Trust, C/O Dundee United Football Club, Tannadice Park, Tannadice Street, Dundee, DD3 7JW. Tel: 01382 833 166 (option 7). E-mail: enquiries@dundeeunitedct.co.uk.
Data Protection Officer
Jamie Kirk, Chief Executive, Dundee United Community Trust. Tel: 01382 833 166 (option 7). E-mail: jamie.kirk@dundeeunitedct.co.uk.
Purposes for processing
We collect, store and process data for the following reasons:
π We collect emergency contact information from members to allow us to successfully discharge our duty of care for our members. We collect a named emergency contact, their relationship to our member and emergency contact details.
β« We collect personal information from all of our members to allow us to manage their membership efficiently.
π When members leave, we retain some information β which is anonymised β to help us report to our funders, partners, and the people we work with. This is always anonymous, with only the demographic information presented as a whole.
β« We store and process contact information including email address from within our membership to keep our members up to date on current and new activities within Dundee United Community Trust. There is a clear process for opting out of receiving this information at any time.
π We securely store and process personal financial information to track membership payments and provide a simple facility for maintaining session payments.
Sources of personal information
The personal information we process is received from:
π Application forms to attend new sessions or activity.
β« Standing order forms for donations or membership fee payments.
π Current registrants to our email marketing system β all of whom have attended a Dundee United Community Trust activity in the past or have previously expressed an interest in receiving information relating to Dundee United Community Trust.
The only third-party information we receive is relating to Information for members under the age of 16 which is provided by their parent/guardian and for those listed as emergency contacts for our members.
Legal basis for processing
While we seek consent for processing data for marketing purposes which is obtained on an opt in basis (with an ongoing right to opt out), our legal basis for processing personal data is based on legitimate interests. This means that we do not use personal data in ways which is likely to come as a surprise to those on whom we hold personal data. For example we receive all of our marketing information directly from members when they apply to be part of our programmes. We then gain consent to use this data to keep them informed about other Dundee United Community Trust programmes and activities as well as providing information and news from the Trust. Our members β active and lapsed β receive marketing information based on an existing relationship with the Trust and have the option to opt out of receiving such information at any time.
We also have a requirement to process medical information on the grounds of vital interests although this legal basis is only applicable to members. This is because many of our activities involve physical activity and we may be required to deliver emergency first aid and or contact an emergency contact or the emergency services to preserve life. For non-active members β thereby people who have previously took part in a Community Trust activity but do not any longer β we only retain name, date of birth, gender and email address.
Who we share data with
We only share your data with third parties for the purposes of processing your data and never sell or share your personal data for the purposes of marketing by third parties. Your personal data is stored on an online cloud based server which is GDPR compliant β which means we have taken necessary steps to safeguard your personal information. We use an email marketing partner and have a signed agreement in place which ensures the security of your personal data.
Retention periods
Based on our legitimate interests we retain your personal data on an ongoing basis. For members no longer taking part in our activities we securely destroy all personal data except name and email address. We transfer and anonymise demographic information into a separate and secure database to assist with reporting to funders and partners however it is not possible to identify the data subject from this personal information. All medical and banking data is destroyed entirely no later than 12 months after cancelling your membership.
Your rights in respect of data processing
Under new General Data Protection Regulations there are enhanced rights available to individuals and more stringent regulations in place for those processing personal data. Your rights in this regard are summarised below, but more information is available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
Right to be informed
Everyone has the right to know what personal data we hold and how we process it, which is why we have produced this policy notice.
Right of access
Individuals have the right to access personal information relating to them. You have the right to obtain:
π Confirmation that we are processing your data.
β« A copy of the personal data which we hold relating to you.
π Other supplementary information β which is contained in this notice.
Access requests can be made in writing to the address and email address provided above and we have a duty to respond within 28 days. Information will be, unless specifically requested otherwise, electronically. There is no processing fee for reasonable access requests however we may levy a postage fee for providing hard copies of your information at the same cost as incurred by us. If we believe your access request is unjustified or excessive, we will write to you and explain this.
Right to rectification
Under the new GDPR legislation you have the right to rectification of inaccurate information. Updates to personal data can be provided in writing and to the email address noted above and we will make necessary changes or come back to you with a query relating to your change within 28 days.
Right to erasure
Under GDPR you now have the right to have your personal data erased which is also commonly known as the βright to be forgotten.β You can request to have your personal data erased either in writing or verbally using the contact details above. This only applies if the personal data used is no longer required for the reasons it was provided originally. It is not possible for members to attend our activities without us holding some personal data β on the basis of vital interests. For members to take part we require emergency contact information medical information to allow us to discharge our duty of care responsibilities properly. Individuals can withdraw marketing consent at any time, whether active or inactive members. We will respond to all requests under the right to erasure within 28 days.
Right to restrict processing
An alternative to requesting that we erase your personal data, you have the right to restrict processing. This means that you can limit what we do with your personal information. This only applies if you have particular valid grounds for wanting the restriction, such as you contest the nature of the information we hold about you. As a matter of course, as soon as we receive a request to restrict processing we will automatically do so while we consider the grounds on which the request was made. Requests can be made in writing and verbally using the contact details above and we will act upon all requests within 28 days.
Right to object
You have the right to object to the processing of your personal data for direct marketing. Our email marketing system provides a clear option to opt out of receiving marketing information which can be applied at any time.
Withdrawing consent
You can withdraw your consent to process your personal data at any time in writing by using the contact details below or by using the functionality provided in our email marketing system.
Lodging a complaint in relation to data processing
If you have any concerns as to how we process your personal data, you can get further guidance or information from, or lodge a complaint to: The Information Commissionerβs Office, 45 Melville Street, Edinburgh, EH3 7HL. Tel: 0303 123 1115. Email: scotland@ico.org.uk.