Data Protection Policy


This Data Protection Policy ensures that the U3A Vall del Pop (hereafter the U3A):

  • Complies with Spanish Data Protection Law and follows good practice.
  • Protects the rights of members.
  • Is open about how it stores and processes members’ data.
  • Protects itself from the risks of a data breach.

The policy is to be reviewed on an ongoing basis by the U3A Committee Members to ensure that the U3A is compliant with Spanish 2018 GDPR Regulations.
This policy should be read along with the U3A's Privacy Policy.

General guidelines

The only persons able to access personal data covered by this policy are U3A Committee Members and Group Leaders who manage the U3A administration process including communication with our membership.
Committee Members and Group Leaders should take all reasonable care to keep all data secure and follow appropriate precautions when handling data.
Strong passwords must be used and never shared.
Data must not be shared outside the U3A, unless it is with our predefined authorised IT Service Provider or Mailchimp with respect to email addresses.
U3A Vall del Pop will provide training to U3A Committee Members and, if applicable, U3A authorised members who are involved in handling personal data as part of U3A activities.
Membership information will be refreshed periodically to ensure accuracy and that consents are current.

Data Protection Principles

U3A Vall del Pop will follow the data protection principles, guided by information from the Spanish Data Protection Authority AEPD and the Regulations specified in the Reglamento General de Proteccion de Datos. These are:

  • Lawfulness, fairness and transparency; Personal data should be processed lawfully, the lawful basis for use is consent by the individual. We only collect the data we need to manage and communicate with the membership, and we demonstrate how we collect this and what we do with it.
  • Purpose limitation; Personal data should be collected solely for specified, explicit and legitimate purposes defined as membership administration, communicating with members about U3A events and activities, membership updates or issues.
  • Data minimisation; Personal data should be adequate, relevant and limited to what is necessary. This is the minimum data required to carry out membership administration and to enable email contact with U3A members.
  • Accuracy; Personal data stored and managed should be accurate and, where necessary, kept up to date. Members' data is renewed annually as part of the membership renewal process. Members can request to see, update, or remove their data at any time.
  • Storage limitation; Personal data should be kept no longer than is necessary for the purposes for which the personal data are processed. Members' data is removed and deleted on lapse of membership after a period of grace and in any case at 12 months, or when instructed by a member.
  • Integrity and confidentiality; Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Individual members' rights under GDPR

The U3A will ensure that members' information is managed in such a way as to not infringe an individual member's rights, which include:

  • The right to be informed - what data is held by the U3A.
  • The right of access - entitled to have access to your data held by U3A.
  • The right to rectification - amend or correct the data held by U3A.
  • The right to erasure - to remove, delete all reference, i.e. be forgotten.
  • The right to restrict processing - to limit some aspects of how data is used.
  • The right to data portability - to be able to forward data to another.
  • The right to object - to question current use and / or seek resolution.

Subject Access Request

U3A members are entitled to request access to the information and / or to instruct the U3A to comply with a member's instructions with regard to their data that is held by the U3A. A 'subject access request' can be made with regard to the individual member rights above, at any time to the Membership Secretary in writing or via email. These should be to The Secretary at U3A Vall del Pop, Buzon 7, Partida Corbellot, Murla 03792, Alicante or via email. The U3A will establish that the request is authentic, formally acknowledge it and deal with it within 14 days. The Regulation also allows provision for exceptional circumstances or a potential charge for multiple applications.


Photographs are classified as personal data. Any person can object and request at any time to have a displayed photograph removed, providing the U3A can verify the request is authentic and relates to the individual.

Accountability and Governance

The GDPR requires that the U3A demonstrate that it complies with the data protection principles set out previously and respects the rights of the individual.

  • Implement appropriate technical and organisational measures that ensure and demonstrate that the U3A complies with its data protection obligations. Maintain internal Data Protection and Privacy Policies, ongoing staff awareness and routine testing to ensure that these measures are effective.
  • Document the relevant U3A processes to instruct and demonstrate the correct method of carrying out procedures.
  • Future improvements and new work must incorporate data protection and privacy principles.
  • The U3A recognises the role of "Data Controller" as the U3A Committee, that is, the entity that decides the purpose and manner that personal data is used. The role of "Data Processor" is also confined to Committee staff and appointed U3A members who carry out processing of personal data on behalf of the "Data Controller".

Data breach Notification

If a data breach occurs, action shall be taken to minimise the harm by ensuring all Committee Members are aware that a breach has taken place and by taking steps to identify how the breach has occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches.
The Committee shall also contact the relevant U3A members to inform them of the data breach and actions taken to resolve the breach.
The Committee shall also notify the relevant authorities if the breach is a notifiable event as described under the Regulations.

A Final note

The guidance states this Law is both new and complex across the EU. The Authorities are expecting to see a steady move towards compliance. This policy will be reviewed on a regular basis. If you see any item on which you would like further clarification or information, please contact, in the first instance, the Secretary.

This policy was last updated: April 2021
Next review date for this item: April 2023
