Correct as at: 24th May 2018
This document sets out Stirling Bike Club's (the Club)'s data protection policy, including how, and for which purposes, we handle and process data which we hold.
Consent to Process Your Data as required by the GDPR:
As part of the normal running of the Club, we may need to handle and process your data for the following purposes:
- Membership and membership management (6a)
- Races and race organisation (6a)
- Updating members with relevant information from the club (6a)
- Coaching provision (6a)
- Providing access to Club resources and equipment (6a)
- Welfare and Health & Safety (e.g. emergency contact details)(6d)
- The Wallace Warriors Waiting List (6a)
- Purchases (e.g. club kit) (6a & 6b)
- Anonymised data for affiliation to national and local bodies – e.g. Scottish Cycling and Club Sport Stirling (6f)
- As directed by a court of law (6c)
Additionally: for Club officers, coaches and volunteers we may need to process your data in conjunction with Scottish Cycling for Child Protection purposes through the PVG Scheme. (6c)
We may also use photographs on the club website or in promotional material however specific separate consent will be obtained where we wish to do this. (6a)
Please be assured we will not pass on your data to commercial organisations for financial gain – either ours or theirs. Where we do share any data it will be anonymous and for statistical purposes e.g. membership number totals.
The reference in brackets e.g. (6a) refers to the lawful basis under which the data will be processed - see the note on GDPR Article 6 at the bottom of this page.
If you do NOT consent to us processing your data in accordance with the purposes set out above then we may be unable to provide the benefit(s) of membership. In the event you completely withdraw your consent for any processing your membership may need to be terminated.
We are committed to:
- meeting our legal obligations as laid down by the General Data Protection Regulation and ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet our operational needs as outlined above or to fulfil legal requirements
- establishing appropriate retention periods for personal data
- ensuring that data subjects' rights can be appropriately exercised
- ensuring that personal data shall be accurate and, where necessary, kept up to date
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all club officers are made aware of good practice in data protection
- providing adequate training for all Club officials and volunteers responsible for personal data
- ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the club
- taking appropriate technical and organisational measures against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- ensuring that personal data is not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Exercising your rights under the GDPR
Basis for Processing Data
Under the GDPR Article 6 the following lawful bases for processing personal data are as follows (at least one of which must apply):
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)