Privacy and Data Protection Policy - The South Georgia Association

Please read this policy carefully to understand how we collect, use and store your personal data.

Introduction

The South Georgia Association (the Association) is a not for profit membership organisation created to give a voice to all those with a keen interest in the island of South Georgia. The Association takes your privacy very seriously and is committed to protecting your personal information. This Privacy and Data Protection Policy explains how we, the South Georgia Association, will collect, store, process and protect the information you give us – this means any information that identifies or could identify you. It outlines the type of data that we hold and how we use them to provide services to our members and supporters. The South Georgia Association is a data controller for the purposes of the Data Protection Act 1998 and from May 25 2018, the EU General Data Protection Regulations (GDPR) 2016/679 (Data Protection Law). This means that we are responsible for and control the processing of your personal information. For further information or if you have any concerns regarding our policy, please write to:
The Membership Secretary
South Georgia Association, c/o Scott Polar Research Institute, Lensfield Road, Cambridge, CB2 1ER
Email: membership(at)southgeorgiaassociation.org

This policy includes:

How we collect your information
What personal information we collect
How we may use your personal information
How we keep your information safe
How we might share your information
How we keep your information up to date
How long we keep your information
Our legal basis for keeping and processing your information
Your rights under GDPR
Changes to this policy

How will we collect your information?

We want to make sure that you receive the communications that are most relevant to you, be it through visiting our website or receiving emails, newsletters or if necessary, phone calls. The South Georgia Association may collect information in the following ways:

When you give us information directly: You may provide your details to us when you join, renew your membership or register to attend an event.
When you have given other organisations permission to share it: You may have provided your details to another organisation that works with the South Georgia Association (such as the British Antarcric Survey (BAS) or the Scott Polar Research Institute (SPRI)) for example in order to sign up to a third party or joint event. Such organisations should ensure that they secure your consent if they propose to share your information with the South Georgia Association. The information we may be given from time to time by other organisations depends on the response choices you give when supplying your data to them.
Social media: Depending on your settings or the privacy policies for social media and messaging services like Facebook and Twitter, you might give us permission to access information from those accounts or services.
When your information is available from other public sources: We may collect personal details about you from the public domain, such as from social networks, company websites etc. Please see the section below for more details.

What personal information will we collect?

The type and quantity of information we collect and how we use it depends on why you are providing it. If you support us, for example by joining the Association or signing up for an event, we may collect where relevant:

Your name
Your contact details (full address, email address and phone number)
Details on your interests, for example your relationship with South Georgia, current or former official positions or membership of partner organisations
Your payment details: bank, credit card or PayPal
Subjects of interest in South Georgia, as set out in the membership form

Information we Collect Through the Website:

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Information we collect through contact forms on the site will be transmitted to us, and used as per other information you send us.

Cookies

Cookies are small pieces of information sent by a web server to a web browser, which enable the server to collect information from the browser. Essentially, a cookie takes the form of a small text file deposited on your computer’s hard drive.

If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

How will we use your personal information?

We will use your personal information in a number of ways, including the following:

To provide you with services or information you have requested
To update you about Association news and events
To administer your membership or events subscriptions
To maintain our records
To help us improve our services, events or information-offering
To analyse and improve the operation of our website
To help us work with selected third parties to ensure that we send you targeted communications (see What personal information we collect above)

You can opt out of your data being used for any of the above by emailing: membership(at)southgeorgiaassociation.org.

Use of Facebook

We do not pass on members’ personal data to Facebook. If you have an account with Facebook and follow the South Georgia Association, the personal information Facebook holds on you will depend on your settings. The South Georgia Association does not share any personal information with Facebook or any other social media platform. For more information please see Facebook’s Help and their Data Policy.

Our use of cookies

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

How we keep your data safe?

We place great importance on the security of your personal information and will always take necessary precautions to protect it. We ensure that there are appropriate technical, physical and organisational controls in place to protect your personal information, both on and off-line, from improper access, use, alteration, destruction or loss. For example, we use password protection and encryption technology on our membership databases and carry out regular security reviews. No personal data on members is stored or otherwise available through our website. Except in specific circumstances (detailed in the next section below) we will ensure that only authorised personnel (i.e.South Georgia Association Committee members) have access to your information and that they are appropriately trained to manage that information. Despite precautions, no data transmission over the internet can be guaranteed to be 100% secure. While we strive to protect your personal information, we cannot always guarantee the security of any information as you disclose it to us online, and you must understand that you do so at your own risk. However, any payment card details (such as credit or debit cards) or PayPal payments that we receive through our website are passed securely to our payment processing providers who meet the required Payment Card Industry (PCI) Security Standards. Our website may contain links to other sites. While we aim to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites or organisations. Please be aware that advertisers or web sites that may have links on our site may collect personally identifiable information about you. This Privacy and Data Protection Policy does not cover the information practices of those websites or advertisers.

What happens if there is a data breach?

In the event that the Association becomes aware that others may have hacked your data or otherwise altered, obtained or deleted your personal information held by the South Georgia Association without authorisation, the Membership Secretary will inform you of the nature of the breach as soon as possible and take whatever remedial action is necessary to either seek to recover the information or prevent any reoccurrence of the breach. Advice from external experts/IT support may be sought in resolving the incident promptly. If appropriate, we will also notify the Information Commissioner’s Office (ICO), wherever possible within 24 hours of the discovery of the breach and co-operate fully with any subsequent investigation. Guidance on how and when the ICO should be notified can be found on their website.

Will we ever share your personal data?

The South Georgia Association will never share your personal information with other organisations, unless required to do so by the authorities in accordance with relevant legislation and/or potential law enforcement requirements.

Comments by visitors to the website may be checked through an automated spam detection service.

How we keep your information up to date?

We will also make our best endeavours to keep your record up to date; primarily through our interaction with you at the time of membership renewal and when you enquire about or register to attend an event. However, we would be grateful if you could let us know of any changes to your contact details at the earliest opportunity.

How long we keep your information for?

We will hold your personal information on our systems only for as long as is necessary, which in terms of membership data would normally be for the term of your membership. If we do not hear from you when a renewal is due, we will retain your information for a further 12 months from the scheduled renewal date to accommodate a late renewal request. If we have not heard from you by a date of 12 months from the renewal falling due, your data will automatically be deleted. Should you tell us when your renewal becomes due that you do not wish to continue your membership, we will delete your details at the point that your membership expires. If at any time you wish to cancel your membership, we will delete your information within one month of such a request. Should you contribute material to us, for example through user-generated content or in response to a particular campaign on Facebook, we will generally only keep your content for as long as is reasonably required for the purpose(s) for which it was submitted, unless otherwise stated at the point of generation. Each year at the time of annual renewals in January, a Data Protection Audit will be carried out by the Membership Secretary to ensure that all personal information that is no longer required for the Association to undertake its day to day operations and/or individual member records that we have kept for a year beyond the last renewal date, are deleted in accordance with this Policy. A report on the Data Protection Audit will be presented annually to the next scheduled committee meeting of the Association.

How long we retain your data on the website

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Our legal basis for processing your information

Our legal basis for processing your information generally rests on the consent given by you for us to do so at the point that you join or renew, or because we need to use it in order to fulfil our obligations to you as a member of the Association. We will process your information in accordance with that consent, i.e. in the interests of your membership of the Association, to inform you of the Association’s activities, news regarding South Georgia and of forthcoming events that may be of interest to you. You are entitled to withdraw that consent at any time. However, there are other lawful reasons that allow us to process your personal information, including ‘legitimate interests’. This means that the reason we are processing information is because there is a legitimate interest for the South Georgia Association in processing that information. Some examples of where we have a legitimate interest in processing your information may be where we may contact you (as a member or prospective member) about our work by email or post, use your information for data analytics to improve our services to members, or where the South Georgia Association may legally be obliged to share data in accordance with relevant legislation and/or potential law enforcement requirements.

Your rights

You retain control of your personal information and how we use it. You have various rights in respect of the information we hold about you, which are set out in detail below. If you wish to exercise any of these rights or make a complaint, you can do so by contacting us at: membership(at)southgeorgiaassociation.org.

Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it and how long we keep it for. You can make a request for access free of charge. If you wish to make an access request, please do so in writing using our Subject Access Request Form.
Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.
Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where you believe we have no lawful basis for holding it.
Portability: You can ask us to provide you or a third party with some of the personal information we hold about you.
Object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and where you have a particular reason to object to processing on this ground. You also have the right to object to the processing of your personal information for direct marketing purposes, for example, for events. If you wish to object, please notify us as describes above, providing details of your objection.
Consent: If you have given us your consent to collect and process your personal information (e.g. when you join the Association) you have the right to withdraw that consent at any time.
Automated decision making and profiling: Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right not to be subject to automated decision making unless you have given us your specific consent, it is necessary for a contract between you and the Association or is otherwise permitted by law. You also have the right to challenge any decisions made about you. The South Georgia Association does not currently carry out or facilitate automated decision making.

Please note that some of these rights only apply in certain circumstances and we may not be able to fulfil every request. For more information on these rights please read the relevant guidance issued by the ICO. If you would like to make a complaint about how we process your personal information, please contact the Membership Secretary: membership(at)southgeorgiaassociation.org.

If you make a complaint and are not happy with how your complaint has been dealt with, you can contact the Information Commissioners Office directly. Alternatively, you are entitled to make a complaint to the Information Commissioner’s Office without first referring your complaint to us. For further information please see the Information Commissioner’s guidance.

Changes to this Privacy and Data Protection Policy

This policy may change from time to time. The Policy was last updated in April 2018 to ensure its compliance with GDPR. If we make any significant changes to this policy, we will publicise these changes clearly on our website or contact you directly with more information.