Foodservice Consultants Society International (UK&I) Privacy Notice (How we use your Information)
1. INTRODUCTION
On the 25th May 2018 new legislation on Data Protection enters into force – The General Data Protection Regulations 2018 – “GDPR”.
GDPR replaces previous legislation and contains lots of obligations which the Foodservice Consultants Society International (UK&I) (FCSI UK&I) (the Association) must fulfil and lots of rights which you as Members have vis-à-vis the Association. Many of the Rules are the same as under previous legislation but there is plenty of new material.
GDPR is an EU Directive directly applicable in all Member states without the need for local legislation and with effect from 25th May 2018. However, the UK has decided that it wants the content of GDPR to apply after the UK leaves the EU and has tabled a Bill in the House of Lords which will achieve this objective. At first sight the Bill looks the same as GDPR (with adjustments which the Association believes are mainly not relevant to the Association’s position) but things change and the Association will need to review its position once the Bill becomes law. GDPR, including its preamble, contains some 54,000 words so the Association hopes you will be understanding if we attempt to reduce that to some succinct explanations at the risk of leaving some questions in Members’ minds. All such questions and doubts can be emailed to the Association. GDPR already allows the Association (“Controller” in GDPR-speak) to introduce operational rules and policies compliant with the new Directive. (If you spot an error please tell us by email.)
GDPR profoundly changes the way the relationship between the Association and its Members works in relation to the information (data) which the Association collects from you and then processes and stores. No data is provided to or accessed by a third party such as an event venue. Most of the law is mandatory but where there are options this notice will identify and explain the option the Association is using. Many of the terms are rather technical but we need to use specific terms in order to say exactly what GDPR stipulates. The Association’s first task is to be a lawful processor of your data.
2. LAWFUL PROCESSING
Membership of the Association is a form of contract where Members pay a subscription in return for which Members receive benefits and services provided by the Association. The Association asserts that it is a lawful processor by virtue of this relationship. The Association also considers it is exempted from any obligation to appoint a Data Protection Officer (DPO) but it does accept the obligation to carry out processing in ways which are lawful, fair and transparent. (The Association may be required to appoint a designated DPO by the UK legislation when it becomes law.)
3. TYPES OF DATA COLLECTED AND STORED
The Association is committed to recording accurate personal data which primarily consists of the information on the Membership Application Form. We do not keep a record of your banking data.
The Association does not collect sensitive personal data such as genetic, biometric or health data nor information on race, ethnicity, religion, political persuasion, or sexual orientation. Such sensitive data is known in GDPR as special category data.
The Association may use your data to enhance your experience of Association Membership by recording your personal preferences, interests and geographical location.
The Association may verify the information supplied in the Membership Application Form but does not seek additional information when considering an application.
If information is published (i.e. in the public domain) about a Member, e.g. personal, professional or civic honour, award, achievement, etc. the Association is likely to add such information to your Member record.
The Association does not claim it is hacker-proof. This aspect of processing is being reviewed at least annually as well as whenever there is a high profile report of data breach. In the event of there being a data breach the Association undertakes to inform you (as well as any relevant authority) not later than 1 month of the Association becoming aware of the breach. (The Association does not believe that the data it holds give rise to any need to report a breach to the Information Commissioner within 72 hours, but it is conscious of the possible need to do so.) Paper records are also held securely.
4. TRANSFER AND SHARING OF DATA
The Executive Director is the principal processor of your data. Book-keeping is also done by the Executive Director and supervised by an independent qualified accountant on whom required legal obligations have been imposed in relation to processing Members’ data.
The Association hires an IT consultant as required but they generally do not require access to member’s data but should that be required it would be under supervision.
The Association’s Officers may also wish to look at Member data from time to time.
The Association will not be able to release to a member personal data about another member, even a telephone number or email address.
When you attend functions or events organised by the Association the venue will occasionally, for security and practical reasons, want a list of names.
5. RETENTION OF DATA
The Association intends to hold your data throughout the period of your Membership and applying the following post-Membership policies: In the case of resignation, exclusion or death, it will delete all your records immediately.
6. YOUR RIGHTS
– To complain
Ideally the Association would wish to try to deal with complaints itself before recourse to any external authority and asks Members to submit complaints via email, but it is open to Members to submit a complaint at any time to the Office of the Information Commissioner.
– To have correct data recorded by the Association
The Association will be happy to correct errors.
– To require the Association to erase data which it holds about a Member
The Association will fully respect the new legislation but reminds Members that the low-level information gathered by the Association is perceived by the Association as the minimum needed to provide Members with the benefits of Association Membership.
7. THE ASSOCIATION WEBSITE
This policy applies when members use the Association website.
8. UPDATES
Whenever this policy is updated a notice will be sent to Members. This policy will be reviewed not later than May 2019 and annually thereafter.
9. CONTACT
If you would like to contact us please email louise@fcsi.org, by post – 42 Ashdene Road, Ash, Aldershot, Hampshire GU12 6SZ or telephone 07425 167627