The General Data Protection Regulation (GDPR) 2018

This is what the Association must comply with going forward and why we have produced a Data Protection Policy and a Privacy Notice for you to sign.

The General Data Protection Regulation 2018 (“GDPR”) comes into force in the UK on 25th May 2018. It replaces the Data Protection Act 1998 and will harmonise data protection law throughout Europe.

The GDPR seeks to uphold 6 principles when an individual’s personal data is ‘processed’ by the NADCAA. (‘Processing’ is a wide term which covers most things that can be done with personal data, including collecting it, storing it and using it.) The principles are:

  1. Personal data must be processed fairly and lawfully and in a transparent manner.
  2. Personal information must be collected for specified, explicit and legitimate purposes.
  3. Personal data must be adequate, relevant and limited to what is necessary for the purpose.
  4. Personal data must be accurate and up to date.
  5. Personal data must not be kept longer than is necessary.
  6. Personal information must be processed in a manner which ensures security of the personal data against unlawful processing, accidental loss, destruction or damage.

Sensitive personal data is information concerning:

Racial or ethnic origin

Political opinions

Religious belief or similar including philosophical belief

Trade union membership

Physical/mental health or condition

Sexual life or sexual orientation

Commission or allegation of an offence

Proceedings of any offence, disposal of proceedings, sentences

Genetic data

Biometric data

The Newton Abbot & District Co-operative Allotment Association does not store any of the above personal data pertaining to its members.

The GDPR sets out the following legal grounds under which the NADCAA may process (non-sensitive) personal data:

Necessity to protect the vital interests of the individual, e.g. disclosing an employee’s heart condition to a paramedic

Necessity for the performance of a task carried out in the public interest

Necessity for the performance of a contract with the data subject

Necessity for compliance with a legal obligation

Necessity for the legitimate interests of the data controller

If you have consent

The GDPR requires that The Newton Abbot & District Co-operative Allotment Association is able to demonstrate that it is complying with the law so that each member has documentation which explains what data it holds, how it collects it and what the Association does with it. The key documents that enable the NADCAA to do this are:

A Data Protection Policy

Privacy notices (also known as Fair Processing Notices)

A Website Privacy Policy (if relevant)

Data Protection Policy

The Data Protection Policy informs members and others acting on behalf of the NADCAA how to handle personal data in compliance with the law.

Privacy Notice

The Privacy Notice clearly describes how the NADCAA handles and uses your personal data. New Members will receive a Privacy Notice when they join the Association and current members will be sent one by email or by post.

The Privacy Notice includes the following, among other information:

The identity and contact details of the NADCAA and the Colony Administrator responsible for Data Protection

The purposes and legal ground for processing data

The recipients of the personal data

If the NADCAA transferred data to any organisations situated outside the EU, the notice should also include the legitimate interests pursued by that organisation and the safeguards in place to protect the data

The expected length of time that the NADCAA will store the data

The individual’s rights of access to, and erasure or restriction of, their personal data

The right to complain to the ICO

Website Privacy Policy

Part of the NADCAA website is used to enable potential members to add their names to the waiting list. The Website Privacy Policy includes specific information which explains which data is being collected, how and why. The information also explains the website’s use of cookies if applicable. A prominent and clearly visible link to the Website Privacy Policy should exist so that the NADCAA is able to show that it has given the required information to visitors. The ICO recommends that the NADCAA regularly review the policies/notices.

Data subjects (those whose data the NADCAA holds) have the right to access their information. They have a right to request that the NADCAA inform them of:

The purposes of processing

The categories of personal data held

The recipients of the personal data

How long the organisation expects to hold their data before destruction

The right to lodge a complaint with a supervisory authority

If the data was not collected directly from the data subject, the source of the information

The envisaged consequences of such processing for the data subject

In addition to being given the above information by the NADCAA, if an individual exercises this right they must be given a copy of the personal data that the NADCAA processes.