WCoMC Privacy and IPR Policy
Introduction
On 25th May 2018 new legislation on Data Protection came into force (The General Data Protection Regulation, “GDPR”). GDPR replaced previous legislation and contains significant obligations which WCoMC and its Associated Organisations such as CMCE (hereinafter referred to as "The Company") must fulfil and numerous rights which Members, Registered Event Account Holders and their Associated Contacts, and external organisations that have directly or indirectly provided images to The Company (“You”) have vis-à-vis The Company. Many of the Rules are the same as under previous legislation but there are a number of new elements. GDPR is an EU Directive directly applicable in all Member States without the need for local legislation.
The UK implemented GDPR as the Data Protection Act 2018 (DPA 2018) and decided that it required the content of GDPR to apply after the UK left the EU. To all intents and purposes, UK GDPR achieves this objective. The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period. The UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.
If You have any queries do please contact us at gdpr@wcomc.org.
This Privacy Policy deals with the following points:
- What is Lawful Processing?
- What data does The Company acquire and keep about members and other associated contacts?
- Where does The Company obtain the data from and how is the data stored?
- How does The Company process data that includes images?
- Does The Company transfer such data elsewhere?
- How long does The Company retain such data?
- Your rights
GDPR changes the relationship between The Company and You in relation to the information (data) which The Company collects from You and then processes and stores. Some data is necessarily provided to or accessed by a third party, such as an event venue, caterer or The Company bookkeeper. Many of the requirements of GDPR are mandatory, but where there are options we will identify and explain the option The Company is using. Many of the terms are technical, but You need to be aware of the terms in order to understand what GDPR stipulates. The Company’s first task is to be a lawful processor of Your data.
Lawful Processing
Membership of The Company is a form of contract where Members pay a fine and quarterage in return for which Members receive benefits and services provided by The Company; being a Registered Event Account Holder is a similar form of contract. The Company asserts that it is a lawful processor by virtue of these relationships and therefore does not need to obtain specific consent to process data. The Company also considers that it is exempt from any obligation to appoint a Data Protection Officer (“DPO”) under GDPR, but it does accept its obligation to carry out processing in ways which are lawful, fair and transparent. The Company acknowledges that it may be required to appoint a designated DPO by the forthcoming UK legislation.
Types of Data Collected and Stored
Members
The Company is committed to recording accurate personal data which primarily consists of the information on the Connection and Membership Application Forms and the banking information on the Direct Debit Mandate. Date of birth is recorded because subscription rates may vary with the Member’s age. The Company does not collect sensitive personal data (special category data) such as genetic, biometric or health data nor information on race, ethnicity, religion, political persuasion, or sexual orientation. The Company may however use your data to enhance your experience of Company Membership and events by recording your personal preferences, interests, dietary and access requirements and geographical location. Similarly, The Company may use the information you provide summarising your professional skills to assist in the resourcing of ProBono support to Not-for-Profit organisations as part of our philanthropic activities.
The Company may verify the information supplied in the Membership Application Form but does not seek additional information when considering an application. If information is published (i.e. in the public domain) about a Member, e.g. personal, professional or civic honour, award, achievement, etc., The Company is likely to add such information to your Membership record.
The Company’s database (civiCRM) allows Members to access and update their personal and professional data and to book events online for themselves and their guests. Members are able to correct errors, delete data they do not wish to be recorded or even erase their data entirely, although that would defeat many of the purposes and benefits of being a Member. Access is password protected. In the event of a data breach, The Company undertakes to inform you (as well as any relevant authority) not later than one month after The Company becomes aware of the breach. The Company does not believe that the data it holds gives rise to any need to report a breach to the Information Commissioner within 72 hours but it is conscious of the possible need to do so. Any paper records are also held securely.
Non-Members
The Company’s database (civiCRM) similarly allows non-Members to book events online for themselves (by creating a Registered Event Account) and their guests. Limited information is required and stored, typically name, primary email contact, personal seating preferences, dietary and access requirements. Registered Event Account Holders are able to correct errors, delete data they do not wish to be recorded or erase their data entirely, although that would defeat many of the purposes and benefits of being a Registered Event Account Holder. Access is password protected. In the event of a data breach, The Company undertakes to inform you (as well as any relevant authority) not later than one month after The Company becomes aware of the breach. The Company does not believe that the data it holds gives rise to any need to report a breach to the Information Commissioner within 72 hours but it is conscious of the possible need to do so.
Images
The Company receives and may publish information from Members and Other Parties that may include personal data and images. Such information is received in Good Faith and The Company cannot be held responsible for ensuring its provenance. Any Privacy or Intellectual Property issues arising from this will be handled through our procedures described below.
Transfer and Sharing of Data
The Clerk (which includes any assistant), who is an employee of the Company, is the principal processor of Your data. Book-keeping may be undertaken by an independent sub-contractor on whom required legal obligations will be imposed in relation to processing Member data. The Company’s IT hosting and support providers may also need to access Your data from time to time but always under Company supervision.
The Company’s Officers and Committees may also wish to look at Member data from time to time, for example in relation to the provision of our philanthropic ProBono activities.
When You attend functions or events organised by the Company the venue will normally, for security and practical reasons, require a list of attendees’ names. The Company also provides limited data to our landlord when Members attend meetings and access the building.
For the time being The Company intends to continue its current practice of providing Members’ names and contact details to the publishers of The City of London Directory and Livery Companies Annual Guide and the White Book. Liverymen’s details will also continue to be provided to the City of London for inclusion in the Common Hall Register.
The Company does not knowingly transfer Your data outside the EU and requires all its suppliers not to make such transfers. The ultimate location of computer servers may make this apparently simple commitment difficult to enforce.
Retention of Data
The Company intends to hold Your data indefinitely.
In the case of a Member’s resignation, all data will be held unless requested otherwise, when we reserve the right to keep your name, membership dates and the date of resignation.
In the case of a Member’s exclusion, all data will be held for eight years, in order that appropriate institutional memory exists. At the end of this period your name, membership dates and date of exclusion will be retained.
In the case of death, we will keep your data indefinitely for archival purposes only. The Company will consider requests for erasure received from immediate family and/or executors, in which case your name, membership dates and date of death will be retained.
Your Rights
- To Complain: Ideally The Company would wish to try and deal with complaints itself before recourse to any external authority and asks You to submit complaints to us via email at gdpr@wcomc.org but we are open to You submitting a complaint at any time to the Office of the Information Commissioner.
- To have correct data recorded by The Company: The Company will be happy to correct errors; Members and Registered Account Holders are reminded that You are able to access, amend and correct any errors Yourself.
- To require The Company to erase data or images: The Company will fully respect the appropriate legislation but reminds You that the low-level information gathered is perceived to be the minimum needed to provide You with the benefits of Membership and Your attendance at events. The Company also notes that any information passed to a third party, e.g. names and contact details given to The City of London Directory and Livery Companies Annual Guide, cannot, once given, be retrieved or erased. Any changes may only be made when the publications are reprinted. Similarly, should any data, information or image prove to be the property of a Third Party, then best endeavours will be made to erase it, but historical instances may be impossible to retrieve or erase.
Company Websites
This policy applies when You use any of The Company's websites. There are links to the policy on the sites.
Review and Updates
This policy will be reviewed in May 2019 and annually thereafter, unless changes in the law require an interim review. Whenever this policy is updated or amended, You will be advised.
Dated: May 2018 (version 1h) - reviewed and revised in 2019, 2020 and 2021