This Data Protection Policy ensures that the U3A Vall del Pop (hereafter the U3A):
- Complies with Spanish Data Protection Law and follows good practice.
- Protects the rights of members.
- Is open about how it stores and processes members’ data.
- Protects itself from the risks of a data breach.
The policy is to be reviewed on an ongoing basis by the U3A Committee Members to ensure that the U3A is compliant with Spanish 2018 GDPR Regulations.
The only persons able to access personal data covered by this policy are U3A Committee Members and Group Leaders who manage the U3A administration process including communication with our membership.
Committee Members and Group Leaders should take all reasonable care to keep all data secure and follow appropriate precautions when handling data.
Strong passwords must be used and never shared.
Data must not be shared outside the U3A, unless it is with our predefined authorised IT Service Provider Klickhere.com or Mailchimp with respect to email addresses.
U3A Vall del Pop will provide training to U3A Committee Members and, if applicable, U3A authorised members who are involved in handling personal data as part of U3A activities.
Membership information will be refreshed periodically to ensure accuracy and that consents are current.
Data Protection Principles
U3A Vall del Pop will follow the data protection principles, guided by information from the Spanish Data Protection Authority (AEPD) and the Regulations specified in the Reglamento General de Proteccion de Datos. These are:
- Lawfulness, fairness and transparency; Personal data should be processed lawfully, the lawful basis for use is consent by the individual. We only collect the data we need to manage and communicate with the membership, and we demonstrate how we collect this and what we do with it.
- Purpose limitation; Personal data should be collected solely for specified, explicit and legitimate purposes defined as membership administration, communicating with members about U3A events and activities, membership updates or issues.
- Data minimisation; Personal data should be adequate, relevant and limited to what is necessary. This is the minimum data required to carry out membership administration and to enable email contact with U3A members.
- Accuracy; Personal data stored and managed should be accurate and, where necessary, kept up to date. Members' data is renewed annually as part of the membership renewal process. Members can request to see, update, or remove their data at any time.
- Storage limitation; Personal data should be kept no longer than is necessary for the purposes for which the personal data are processed. Members' data is removed and deleted on lapse of membership after a period of grace and in any case at 12 months, or when instructed by a member.
- Integrity and confidentiality; Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Individual members' rights under GDPR
The U3A will ensure that members' information is managed in such a way as not to infringe an individual member's rights, which include:
- The right to be informed - what data is held by the U3A.
- The right of access - entitled to have access to your data held by U3A.
- The right to rectification - amend or correct the data held by U3A.
- The right to erasure - to remove and delete all reference, i.e. to be forgotten.
- The right to restrict processing - to limit some aspects of how data is used.
- The right to data portability - to be able to forward data to another.
- The right to object - to question current use and / or seek resolution.
Subject Access Request
Photographs are classified as personal data. Any person can object and request at any time to have a displayed photograph removed, provided the U3A can verify that the request is authentic and relates to the individual.
Accountability and Governance
The GDPR requires that the U3A demonstrate that it complies with the data protection principles set out previously and respects the rights of the individual.
- Implement appropriate technical and organisational measures that ensure and demonstrate that the U3A complies with its data protection obligations. Maintain internal Data Protection and Privacy Policies, ongoing staff awareness and routine testing to ensure that these measures are effective.
- Document the relevant U3A processes to instruct and demonstrate the correct method of carrying out procedures.
- Future improvements and new work must incorporate data protection and privacy principles.
- The U3A recognises the role of "Data Controller" as the U3A Committee, that is, the entity that decides the purpose and manner that personal data is used. The role of "Data Processor" is also confined to Committee staff and appointed U3A members who carry out processing of personal data on behalf of the "Data Controller".
Data Breach Notification
If a data breach occurs, action shall be taken to minimise the harm by ensuring all Committee Members are aware that a breach has taken place and take steps to identify how the breach has occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches.
The Committee shall also contact the relevant U3A members to inform them of the data breach and actions taken to resolve the breach.
The Committee shall also notify the relevant authorities if the breach is a notifiable event as described under the Regulations.
A Final note
The guidance states that this Law is both new and complex across the EU. The Authorities are expecting to see a steady move towards compliance. This policy will be reviewed on a regular basis. If there is any item on which you would like further clarification or information, please contact, in the first instance, the Secretary here.
This policy was last updated: December 2018
Next review date for this item: January 2020