Privacy and Data Protection Policy
Please read this policy carefully to understand how we collect, use and store your personal data.
Introduction
The South Georgia Association (the Association) is a not for profit membership organisation created to give a voice to all those with a keen interest in the island of South Georgia. The Association takes your privacy very seriously and is committed to protecting your personal information. This Privacy and Data Protection Policy explains how we, the South Georgia Association, will collect, store, process and protect the information you give us - this means any information that identifies or could identify you. It outlines the type of data that we hold and how we use them to provide services to our members and supporters. The South Georgia Association is a data controller for the purposes of the Data Protection Act 1998 and from May 25 2018, the EU General Data Protection Regulations (GDPR) 2016/679 (Data Protection Law). This means that we are responsible for and control the processing of your personal information. For further information or if you have any concerns regarding our policy, please write to:
The Membership Secretary
South Georgia Association, c/o Scott Polar Research Institute, Lensfield Road, Cambridge, CB2 1ER
This policy includes:
- How we collect your information
- What personal information we collect
- How we may use your personal information
- How we keep your information safe
- How we might share your information
- How we keep your information up to date
- How long we keep your information
- Our legal basis for keeping and processing your information
- Your rights under GDPR
- Changes to this policy
How will we collect your information?
We want to make sure that you receive the communications that are most relevant to you, be it through visiting our website or receiving emails, newsletters or if necessary, phone calls. The South Georgia Association may collect information in the following ways:
- When you give us information directly: You may provide your details to us when you join, renew your membership or register to attend an event.
- When you have given other organisations permission to share it: You may have provided your details to another organisation that works with the South Georgia Association (such as the British Antarctic Survey (BAS) or the Scott Polar Research Institute (SPRI)) for example in order to sign up to a third party or joint event. Such organisations should ensure that they secure your consent if they propose to share your information with the South Georgia Association. The information we may be given from time to time by other organisations depends on the response choices you give when supplying your data to them.
- Social media: Depending on your settings or the privacy policies for social media and messaging services like Facebook and Twitter, you might give us permission to access information from those accounts or services.
- When your information is available from other public sources: We may collect personal details about you from the public domain, such as from social networks, company websites etc. Please see the section below for more details.
What personal information will we collect?
The type and quantity of information we collect and how we use it depends on why you are providing it. If you support us, for example by joining the Association or signing up for an event, we may collect where relevant:
- Your name
- Your contact details (full address, email address and phone number)
- Details on your interests, for example your relationship with South Georgia, current or former official positions or membership of partner organisations
- Your payment details: bank, credit card or PayPal
- Subjects of interest in South Georgia, as set out in the membership form
How will we use your personal information?
We will use your personal information in a number of ways, including the following:
- To provide you with services or information you have requested
- To update you about Association news and events
- To administer your membership or events subscriptions
- To maintain our records
- To help us improve our services, events or information-offering
- To analyse and improve the operation of our website
- To help us work with selected third parties to ensure that we send you targeted communications (see What personal information we collect above)
Use of Facebook
We do not pass on members’ personal data to Facebook. If you have an account with Facebook and follow the South Georgia Association, the personal information Facebook holds on you will depend on your settings. The South Georgia Association does not share any personal information with Facebook or any other social media platform. For more information please see Facebook's Help and their Data Policy.
How we keep your data safe?
We place great importance on the security of your personal information and will always take necessary precautions to protect it. We ensure that there are appropriate technical, physical and organisational controls in place to protect your personal information, both on and off-line, from improper access, use, alteration, destruction or loss. For example, we use password protection and encryption technology on our membership databases and carry out regular security reviews. No personal data on members is stored or otherwise available through our website. Except in specific circumstances (detailed in the next section below) we will ensure that only authorised personnel (i.e. South Georgia Association Committee members) have access to your information and that they are appropriately trained to manage that information. Despite precautions, no data transmission over the internet can be guaranteed to be 100% secure. While we strive to protect your personal information, we cannot always guarantee the security of any information as you disclose it to us online, and you must understand that you do so at your own risk. However, any payment card details (such as credit or debit cards) or PayPal payments that we receive through our website are passed securely to our payment processing providers who meet the required Payment Card Industry (PCI) Security Standards. Our website may contain links to other sites. While we aim to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites or organisations. Please be aware that advertisers or web sites that may have links on our site may collect personally identifiable information about you. This Privacy and Data Protection Policy does not cover the information practices of those websites or advertisers.
What happens if there is a data breach?
In the event that the Association becomes aware that others may have hacked your data or otherwise altered, obtained or deleted your personal information held by the South Georgia Association without authorisation, the Membership Secretary will inform you of the nature of the breach as soon as possible and take whatever remedial action is necessary to either seek to recover the information or prevent any reoccurrence of the breach. Advice from external experts/IT support may be sought in resolving the incident promptly. If appropriate, we will also notify the Information Commissioner’s Office (ICO), wherever possible within 24 hours of the discovery of the breach and co-operate fully with any subsequent investigation. Guidance on how and when the ICO should be notified can be found on their website.
Will we ever share your personal data?
The South Georgia Association will never share your personal information with other organisations, unless required to do so by the authorities in accordance with relevant legislation and/or potential law enforcement requirements.
How we keep your information up to date?
We will also make our best endeavours to keep your record up to date; primarily through our interaction with you at the time of membership renewal and when you enquire about or register to attend an event. However, we would be grateful if you could let us know of any changes to your contact details at the earliest opportunity.
How long we keep your information for?
We will hold your personal information on our systems only for as long as is necessary, which in terms of membership data would normally be for the term of your membership. If we do not hear from you when a renewal is due, we will retain your information for a further 12 months from the scheduled renewal date to accommodate a late renewal request. If we have not heard from you by a date of 12 months from the renewal falling due, your data will automatically be deleted. Should you tell us when your renewal becomes due that you do not wish to continue your membership, we will delete your details at the point that your membership expires. If at any time you wish to cancel your membership, we will delete your information within one month of such a request. Should you contribute material to us, for example through user-generated content or in response to a particular campaign on Facebook, we will generally only keep your content for as long as is reasonably required for the purpose(s) for which it was submitted, unless otherwise stated at the point of generation. Each year at the time of annual renewals in January, a Data Protection Audit will be carried out by the Membership Secretary to ensure that all personal information that is no longer required for the Association to undertake its day to day operations and/or individual member records that we have kept for a year beyond the last renewal date, are deleted in accordance with this Policy. A report on the Data Protection Audit will be presented annually to the next scheduled committee meeting of the Association.
Our legal basis for processing your information
Our legal basis for processing your information generally rests on the consent given by you for us to do so at the point that you join or renew, or because we need to use it in order to fulfil our obligations to you as a member of the Association. We will process your information in accordance with that consent, i.e. in the interests of your membership of the Association, to inform you of the Association’s activities, news regarding South Georgia and of forthcoming events that may be of interest to you. You are entitled to withdraw that consent at any time. However, there are other lawful reasons that allow us to process your personal information, including ‘legitimate interests’. This means that the reason we are processing information is because there is a legitimate interest for the South Georgia Association in processing that information. Some examples of where we have a legitimate interest in processing your information may be where we may contact you (as a member or prospective member) about our work by email or post, use your information for data analytics to improve our services to members, or where the South Georgia Association may legally be obliged to share data in accordance with relevant legislation and/or potential law enforcement requirements.
Your rights
You retain control of your personal information and how we use it. You have various rights in respect of the information we hold about you, which are set out in detail below. If you wish to exercise any of these rights or make a complaint, you can do so by contacting us at: membership(at)southgeorgiaassociation.org.
- Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it and how long we keep it for. You can make a request for access free of charge. If you wish to make an access request, please do so in writing using our Subject Access Request Form.
- Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.
- Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where you believe we have no lawful basis for holding it.
- Portability: You can ask us to provide you or a third party with some of the personal information we hold about you.
- Object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and where you have a particular reason to object to processing on this ground. You also have the right to object to the processing of your personal information for direct marketing purposes, for example, for events. If you wish to object, please notify us as described above, providing details of your objection.
- Consent: If you have given us your consent to collect and process your personal information (e.g. when you join the Association) you have the right to withdraw that consent at any time.
- Automated decision making and profiling: Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right not to be subject to automated decision making unless you have given us your specific consent, it is necessary for a contract between you and the Association or is otherwise permitted by law. You also have the right to challenge any decisions made about you. The South Georgia Association does not currently carry out or facilitate automated decision making.
If you make a complaint and are not happy with how your complaint has been dealt with, you can contact the Information Commissioner’s Office directly. Alternatively, you are entitled to make a complaint to the Information Commissioner’s Office without first referring your complaint to us. For further information please see the Information Commissioner’s guidance.