Jalon Valley Help will follow the data protection principles, guided by information from the Spanish Data Protection Authority AEPD and the Regulations specified in The Reglamento General de Proteccion de Datos 1.
Lawfulness, fairness and transparency; Personal data should be processed lawfully, the lawful basis for use is consent by the individual. We only collect the data we need to manage and communicate with the membership, and we demonstrate how we collect this and what we do with it.
Purpose limitation; Personal data should be collected solely for specified, explicit and legitimate purposes defined as membership administration, communicating with members about JVH events and activities, membership updates or issues.
Data minimisation; Personal data should be adequate, relevant and limited to what is necessary. This is the minimum data required to carry out membership administration and to enable email contact with JVH members.
Accuracy; Personal data stored and managed should be accurate and, where necessary, kept up to date. Member’s data is renewed annually as part of the membership renewal process. Members can request to see, update, or remove their data at any time.
Storage limitation; Personal data should be kept no longer than is necessary for the purposes for which the personal data are processed. Member’s data is removed and deleted on lapse of membership after a period of grace and in any case at 12 months, or when instructed by a member.
Integrity and confidentiality; Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
INDIVIDUAL MEMBERS RIGHTS UNDER GDPR
JVH will ensure that members’ information is managed in such a way as to not infringe an individual member’s rights which include:
- The right to be informed – what data is held by JVH.
- The right of access – entitled to have access to your data held by JVH.
- The right to rectification – amend or correct the data held by JVH.
- The right to erasure – to remove, delete all reference, i.e. be forgotten.
- The right to restrict processing – to limit some aspects of how data is used.
- The right to data portability – to be able to forward data to another.
- The right to object – to question current use and / or seek resolution.
SUBJECT ACCESS REQUEST
JVH members are entitled to request access to the information and / or to instruct JVH to comply with a member’s instructions with regarding their data that is held by JVH. A ‘subject access request’ can be made with regard to the individual member rights above, at any time to the Secretary in writing. These should be to The Secretary at Jalon Valley Help, Apartado Correos 14, 03727 Xaló.
JVH will establish that the request is authentic, it will be formally acknowledged and deal with it within 14 days. The Regulation also allows provision for exceptional circumstances or a potential charge for multiple applications.
Photographs are classified as personal data. Any person can object and request at any time to have a displayed photograph removed providing JVH can verify the request is authentic and relates to the individual.
ACCOUNTABILITY AND GOVERNANCE
The GDPR requires that JVH demonstrate that it complies with the data protection principles set out previously and respect the rights of the individual.
Implement appropriate technical and organisational measures that ensure and demonstrate that JVH complies with its data protection obligations. Maintain internal Data Protection and Privacy Policies, ongoing staff awareness and routine testing to ensure that these measures are effective.
Document the relevant JVH processes to instruct and demonstrate correct method of carrying out procedures.
Future improvements and new work must incorporate data protection and privacy principles.
JVH recognises the role of “Data Controller” as the JVH Committee, that is, the entity that decides the purpose and manner that personal data is used. The role of “Data Processor” is also confined to Committee staff and appointed JVH members who carry out processing of personal data on behalf of the “Data Controller”.
DATA BREACH NOTIFICATION
If a data breach occurs, action shall be taken to minimise the harm by ensuring all Committee Members are aware that a breach has taken place and take steps to identify how the breach has occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches.
The Committee shall also contact the relevant JVH members to inform them of the data breach and actions taken to resolve the breach. The Committee shall also notify the relevant authorities if the breach is a notifiable event as described under the Regulations.
A FINAL NOTE
The guidance states this Law is both new and complex across the EU. The Authorities are expecting to see a steady move towards compliance. This policy will be reviewed on a regular basis. If you see any item that you would like further clarification or information on please contact, in the first instance, the Secretary here.
This policy was last updated: February 2019 Next review date for this item: March 2021