The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 have strengthened the requirements of all organisations which collect and process your personal data.
Our Club, therefore, must by law have a policy on how we do these things. The Club is required to be more transparent about the data it uses, you have increased rights in relation to your personal information, you need to be informed about how it is kept secure and also of the legal grounds the Club has for holding the details it has about you.
About this policy
This policy explains when and why the Riley RM Club collects personal information and how we use it, keep it secure and your rights in relation to it.
Personal data is any information from which an individual can be identified/identifiable (eg name, address, financial details, IP address).
We collect, use and store personal data as described in this policy when, you, the members (or Club officials) engage in our activities.
We will only share your personal data with third parties, as outlined further below.
We will always comply with the GDPR when dealing with your personal data. Further details on the GDPR can be found at www.ico.gov.uk
The Club publishes a privacy notice on its website, Forum, the Membership Application Form and in its magazine. It also appears at the end of this document. The notice is a summary statement of how we use your personal data and should be read alongside this policy. An additional notice, for public information about photography at events, is also included. The Club policy in full is also published on the website.
The General Secretary is the controller of personal data on behalf of the Club and will deal with any contact about GDPR and related matters.
Our reasons for processing your data
We process your data
- for the administration of your annual membership of the Club
- to provide you with a Club magazine
- to enable you to purchase spares from the RM Centre Ltd (the Club’s spares operation)
- to enable you to purchase merchandise from Regalia
- to allow us to compile historic data
- to inform you of events
- to enable you to access our social media and the Club’s Forum
No data is passed to third parties, other than those involved in the spares service above and the Club’s magazine. Payment systems require additional personal information to enable payment to be made. This data is held by the payment system and not by the Club. These all have their own privacy policies.
The legitimate interests of the Club
The Club’s main aims include the preservation of RM models and to ensure the marque is kept alive. In order to do this the Club has a number of legitimate interests under GDPR. These include understanding the needs of you its members, and to ensure the Club grows. They also include the collection of information to add to its historic database of vehicles; to inform you of activities (past, present and future) involving RM vehicles and owners (through its website, magazine and Facebook page); and to provide you with a service through the online Forum, where members share technical and other information.
This policy reflects these legitimate interests and ensures that these do not override members’ interests or fundamental rights and freedoms.
Members have the right under GDPR to
- access their personal data
- be provided with information about how personal data is processed
- have personal data corrected
- have personal data removed in certain circumstances (‘the right to be forgotten’)
- to object to, or restrict how, personal data is processed in certain circumstances
Parents or guardians signing the Membership Application Form are giving permission for their children’s (under 13) data to be used as described elsewhere in this policy. In addition, they given consent for them to use online services. There are special protections under GDPR for children’s data in the context of commercial internet services. Children 13 and over can provide their own consent to use online services; under this age parental consent must be recorded.
Protection of personal data
Your data may be held in paper or electronic form on a database. All electronic data is held securely with an appropriate level of encryption and password security. Paper copies are held securely by the relevant officers. Data for electronic payment of membership, parts, or regalia is collected by a secure payment system.
Sharing of information with overseas representatives of the Club
The Club may share personal data with our representatives in other countries, ensuring their data protection requirements are met. The EU has the same GDPR regulations as the UK. Given small amount of basic data we collect from you, our sharing with non-EU countries where we have representatives complies with their laws.
Requests about personal information
Any requests you have under ‘right of access’ to personal data will be responded to within one month, as required by GDPR. No fee will be charged. Similarly, individuals can ask to have all or part of their data removed; a response will be made within one month. This does not apply where we have to keep records by law (such as for the spares operation which is a registered company) or where we have a legitimate interest which will impact negatively on the Club’s services to its members. Requests to remove all or part of the named contributions to Forum topics cannot be considered. It is a legitimate interest of the Club to maintain these fully, so providing a cohesive and coherent service of technical and other
information to you, its members.
Accuracy and retention of data
Members are asked to keep the Club informed of changes to their data (eg address, email address, telephone number) and this is updated at least once per year at renewal. At that time, you are also authorising the Riley RM Club to hold such data on file which is held by the Membership Secretary. Full membership data will normally be held for as long as a person is a member of the Club and for a period thereafter for the purposes of re-joining. Names, locations and ownership details will be kept indefinitely for reasons of historical significance. It is a legitimate interest of the Club to hold historic data to provide a service to members on the background and history of RM vehicles.
We have to be very careful when taking photographs of people that we do not impact negatively on their privacy. Photographs, even without names, are personal data (unless the crowd or group is large enough for that to be meaningless). Taking photographs and storing them is processing under GDPR.
The taking of photographs in a public space which is not going to cause distress to individuals is acceptable under GDPR.
At a non-public space event, such as a car show, we will provide ‘opt-out’ posters alerting people to photography that may be undertaken and asking them to identify themselves if they do not want to be photographed. At a sit-down event, such as a speech or dinner, this may be mentioned verbally by the organiser/presenter.
In order to do anything with the photographs we (as a car club) must have a lawful basis for processing the data. We will, therefore, have a specific privacy notice at an event saying that photographs may be taken and how they might be used.
We do not publish pictures with children unless parents give consent.
Amendments to the policy
We will review and amend this policy from time to time and will publish any revised policy on our website. Paper copies will be available on request from the General Secretary.