General Data Protection Regulation – GDPR
Who We Are
Carrbridge Tourist and Business Association
On May 25 2018, the General Data Protection Regulation (GDPR) will come into play. It gives you more rights as an individual/business to be informed in the ways we use, share and store your personal information.
1. In accordance with GDPR we will collect information only relevant to the CTBA.
The Personal Data We Process.
In our role as the tourist and business association (CTBA) we require specific details from all members in order to:
- Send and receive emails concerning CTBA business, actions and activities.
- To share village news and information from other agencies in the village and any other business that is deemed necessary for members to be made aware of.
- To send invoices for membership fees.
- To offer relevant details to market the business on the Carrbridge.com website.
- To share the list of members’ email addresses to all other members.
Personal Data is typically the member’s name and business name, address and email address and contact number.
We do not record card details: all payments are processed by BACS to the CTBA bank account, or by cash.
2. Hold All Data Securely.
Where Is Your Data Stored?
Personal data is recorded in a number of ways:-
- Information provided over the phone, via email or by letter. This is held in a file for the CTBA and stored on a computer system.
- This personal data is only stored for as long as legally required.
3. Procedures On How Your Data is Secure
All data is considered private and confidential. To this end there are procedures in place to ensure that it remains secure.
In accordance with GDPR we use appropriate technical and organisational measures and procedures to protect and safeguard any Personal Data given to us against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your Personal Data. We also use security procedures and technical and physical restrictions for accessing and using the personal information on our servers. Only authorised personnel are permitted to access personal information in the course of their work.
- The data is stored in a file on the computer. This is only accessible by a password.
- Written Personal Data is securely held in a file; this is deleted/destroyed after one year.
- In accordance to the GDPR all Personal Data has to be processed in a secure manner. Personal data accessible on mobile phones, laptops and ipads are all secured by password access. These electronic devices are not to be used in public areas where the risk of being read by person/s unknown.
- Emails: a disclaimer, on all signatures, to highlight a request to delete or not use an incorrectly sent e mail.
- All devices, electronic or written data is securely locked when the office is not manned.
- External hard drive; this is securely locked away when not in use.
- No data is stored on a USB stick.
- All correspondence is kept secured and destroyed when no longer relevant or legally required.
- Access to all data is limited to the website Carrbridge.com and the Chairperson of the CTBA.
4. How We Use Your Data.
- We use your data for correspondence regarding CTBA business.
- Limited Personal Data is shared with third parties.
5. Third Parties
We do not sell, trade or exchange your personal information to outside parties. This does not include trusted third parties that assist us in the operation of the website and conducting our business operations. i.e Sustrans, Highland Council for example. In these cases, these parties have agreed to keep this information strictly confidential and they have their own privacy policies and we do not accept liability or responsibility for these parties.
6. Your Rights of Access
In accordance with the GDPR you have the right of access to all Personal Data we process. You can find out about any information we hold about you by making a
‘right of access’ request under the General Data Protection Regulations.
- You have the right to request a copy of all the data we hold about you and to whom we have shared it with.
- You have the right to request why we hold it and for how long. We will not process any data for longer than the law requires.
- You have the right to request that we stop processing your data.
- You have the right ‘to be forgotten’ and thus stop processing your Personal Data. This can be requested by email to: firstname.lastname@example.org in the role of Chairperson for the CTBA.
7. Breach of Personal Data
The priority is to ensure that all Personal Data is secure. However in the event of a breach of security the following procedures must be applied:-
- Shut down the access to all data.
- Inform the Data Protection Office within 72 hours.
- Inform the police.
- Inform the web host.
- Inform all members of the CTBA.