Installation Ceremony and Dinner 18 Oct:  Grocers' Hall
All New Shoptalk Informal Forum 31 Oct:  The Artillery Arms
Click here for our rolling events programme

 

WCoMC Privacy Policy

  
Introduction

On 25th May 2018 new legislation on Data Protection came into force (The General Data Protection Regulation, “GDPR”). GDPR replaces previous legislation and contains significant obligations which the Company must fulfil and numerous rights which Members, Registered Event Account Holders and their Associated Contacts (“You”) have vis-à-vis the Company. Many of the Rules are the same as under previous legislation but there are a number of new elements. GDPR is an EU Directive directly applicable in all Member States without the need for local legislation. However, the UK has decided that it requires the content of GDPR to apply after the UK leaves the EU and has tabled a Bill in the House of Lords which will achieve this objective.

If You have any queries do please contact us at gdpr@wcomc.org.

This Privacy Policy deals with the following points:

  • What is Lawful Processing?
  • What data does the Company acquire and keep about members and other associated contacts?
  • Where does the Company obtain the data from and how is the data stored?
  • Does the Company transfer such data elsewhere?
  • How long does the Company retain such data?
  • Your rights

GDPR changes the relationship between the Company and You in relation to the information (data) which the Company collects from You and then processes and stores. Some data is necessarily provided to or accessed by a third party, such as an event venue, caterer or the Company bookkeeper. Much of the requirements of GDPR are mandatory, but where there are options we will identify and explain the option the Company is using. Many of the terms are technical, but You need to be aware of the terms in order to understand what GDPR stipulates. The Company’s first task is to be a lawful processor of Your data.

Lawful Processing

Membership of the Company is a form of contract where Members pay a fine and quarterage in return for which Members receive benefits and services provided by the Company; being a Registered Event Account Holder is a similar form of contract. The Company asserts that it is a lawful processor by virtue of these relationships and therefore does not need to obtain specific consent to process data. The Company also considers that it is exempt from any obligation to appoint a Data Protection Officer (“DPO”) under GDPR, but it does accept its obligation to carry out processing in ways which are lawful, fair and transparent. The Company acknowledges that it may be required to appoint a designated DPO by the forthcoming UK legislation.

Types of Data Collected and Stored

Members

The Company is committed to recording accurate personal data which primarily consists of the information on the Membership Application Form and the banking information on the Direct Debit Mandate. Date of birth is recorded because subscription rates may vary with the Member’s age. The Company does not collect sensitive personal data (special category data) such as genetic, biometric or health data nor information on race, ethnicity, religion, political persuasion, or sexual orientation. The Company may however use your data to enhance your experience of Company Membership and events by recording your personal preferences, interests, dietary and access requirements and geographical location. Similarly, the Company may use the information you provide summarising your professional skills to assist in the resourcing of ProBono support to Not-for-Profit organisations as part of our philanthropic activities.

The Company may verify the information supplied in the Membership Application Form but does not seek additional information when considering an application. If information is published (i.e. in the public domain) about a Member, e.g. personal, professional or civic honour, award, achievement, etc., the Company is likely to add such information to your Membership record.

The Company’s database (civiCRM) allows Members to access and update their personal and professional data and to book events online for themselves and their guests. Members are able to correct errors, delete data you do not wish to be recorded or even erase your data entirely although that would defeat many of the purposes and benefits of being a Member. Access is password protected. In the event of there being a data breach, the Company undertakes to inform you (as well as any relevant authority) not later than one month of the Company becoming aware of the breach. The Company does not believe that the data it holds gives rise to any need to report a breach to the Information Commissioner within 72 hours but it is conscious of the possible need to do so. Any paper records are also held securely.

Non-Members

The Company’s database (civiCRM) similarly allows non-Members to book events online for themselves (by creating a Registered Event Account) and their guests. Limited information is required and stored, typically name, primary email contact, your personal seating preferences, dietary and access requirements. Registered Event Account holders are able to correct errors, delete data you do not wish to be recorded or erase your data entirely although that would defeat many of the purposes and benefits of being a Registered Event Account Holder. Access is password protected. In the event of there being a data breach, the Company undertakes to inform you (as well as any relevant authority) not later than one month of the Company becoming aware of the breach. The Company does not believe that the data it holds gives rise to any need to report a breach to the Information Commissioner within 72 hours but it is conscious of the possible need to do so.

Transfer and Sharing of Data

The Clerk (which includes any assistant), who is an employee of the Company, is the principal processor of Your data. Book-keeping is undertaken by an independent sub-contractor on whom required legal obligations have been imposed in relation to processing Member data. The Company’s IT hosting and support providers may also need to access Your data from time to time but always under Company supervision.

The Company’s Officers and Committees may also wish to look at Member data from time to time, for example in relation to the provision of our philanthropic ProBono activities.

When You attend functions or events organised by the Company the venue will normally, for security and practical reasons, require a list of attendees’ names. The Company also provides limited data to our landlord when Members attend meetings and access the building.

For the time being the Company intends to continue its current practice of providing Members’ names and contact details to the publishers of The City of London Directory and Livery Companies Annual Guide and the White Book. Liverymen’s details will also continue to be provided to the City of London for inclusion in the Common Hall Register.

The Company does not knowingly transfer Your data outside the EU and requires all its suppliers not to make such transfers. The ultimate location of computer servers may make this apparently simple commitment difficult to enforce.

Retention of Data

The Company intends to hold Your data indefinitely.

In the case of a Member’s resignation, all data will be held unless requested otherwise, when we reserve the right to keep your name, membership dates and the date of resignation.

In the case of a Member’s exclusion, all data will be held for eight years, in order that appropriate institutional memory exists. At the end of this period your name, membership dates and date of exclusion will be retained.

In the case of death, we will keep your data indefinitely for archival purposes only. The Company will consider requests for erasure received from immediate family and/or executors, in which case your name, membership dates and date of death will be retained.

Your Rights

  • To Complain:  Ideally the Company would wish to try and deal with complaints itself before recourse to any external authority and asks You to submit complaints to us via email at gdpr@wcomc.org but we are open to You submitting a complaint at any time to the Office of the Information Commissioner.
     
  • To have correct data recorded by the Company:  The Company will be happy to correct errors; Members and Registered Account Holders are reminded that You are able to amend and correct any errors Yourself.
     
  • To require the Company to erase data which it holds about You:  The Company will fully respect the new legislation but reminds You that the low-level information gathered is perceived to be the minimum needed to provide You with the benefits of Membership and Your attendance at events. The Company also notes that in relation to any information passed to a third party, e.g. names and contact details given to The City of London Directory and Livery Companies Annual Guide, this cannot, once given, be retrieved or erased. Any changes may only be made when the publications are reprinted.

Company Website

This policy applies when You use the Company website. There is a link to the policy on the site.

Review and Updates

This policy will be reviewed in May 2019 and annually thereafter, unless changes in the law require an interim review. Whenever this policy is updated or amended, You will be advised.

Dated: May 2018 (version 1f)