This data protection policy ensures that the EPUK:
The General Data Protection Regulation identifies eight data protection principles.
Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner.
Principle 2 - Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary compared to the purpose(s) data is collected for.
Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.
Principle 6 - Personal data must be processed in accordance with the individuals’ rights.
Principle 7 - Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 8 - Personal data cannot be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
EPUK requests personal information from members and non-members for the purpose of sending communications about their involvement with EPUK. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. Members and non-members will be asked to provide consent for their data to be held and a record of this consent along with member’s and non-member’s information will be securely held. EPUK members and non-members will be informed that they can, at any time, remove their consent and will be informed as to who to contact should they wish to do so. Once an EPUK member or non-member requests not to receive certain communications this will be acted upon promptly and the member/non-member will be informed as to when the action has been taken.
Members and non-members will be informed as to how their information will be used and the EPUK Board will seek to ensure that member/non-member information is not used inappropriately. Appropriate use of information provided by members and non-members will include:
EPUK will ensure that all data users are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending EPUK members and non-members marketing and/or promotional materials from external service providers.
EPUK will ensure that members' and non-members’ information is managed in such a way as to not infringe an individuals’ rights which include:
EPUK Members and non-members will only be asked to provide information that is relevant for communication purposes. This will include:
Where additional information may be required this will be obtained with the specific consent of the member or non-member who will be informed as to why this information is required and the purpose that it will be used for.
There may be occasional instances where a members' or non-members’ data needs to be shared with a third party due to an accident or incident involving statutory authorities. Where it is in the best interests of the member/non-member and/or the EPUK in these instances where the EPUK has a substantiated concern then consent does not have to be sought from the member/non-member.
EPUK has a responsibility to ensure members' and non-members’ information is kept up to date. Members and non-members will be informed to let the National and/or Regional Secretariat know if any of their personal information changes. In addition, on an annual basis the membership renewal invoices will provide an opportunity for members to resubmit their personal information and reconfirm their consent for EPUK to communicate with them.
The EPUK Board is responsible for ensuring that EPUK remains compliant with data protection requirements and can evidence that it has. For this purpose, those from whom data is required will be asked to provide written consent. The evidence of this consent will then be securely held as evidence of compliance. The EPUK Board shall ensure that new members joining the Board receive an induction into how data protection is managed within EPUK and the reasons for this. The Board will review data protection and who has access to information on a regular basis as well as reviewing what data is held.
The EPUK Board members have a responsibility to ensure that data is both securely held and processed. This will include:
The Board has scrutinised the Terms and Conditions of each supplier and judge that they are GDPR compliant.
EPUK members and non-members are entitled to request access to the information that is held by EPUK. The request needs to be received in the form of a written request to the EPUK National Secretariat. On receipt of the request, the request will be formally acknowledged and dealt with within 14 days unless there are exceptional circumstances as to why the request cannot be granted. EPUK will provide a written response detailing all information held on the member/non-member. A record shall be kept of the date of the request and the date of the response.
Were a data breach to occur action shall be taken to minimise the harm by ensuring all Board members are aware that a breach had taken place and how the breach had occurred. The Board shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches and agree action to be taken and, where necessary, the Information Commissioner's Office to be notified. The Board shall also contact the relevant EPUK members and non-members to inform them of the data breach and actions taken to resolve the breach.
If an EPUK member or non-member contacts the EPUK to say that they feel that there has been a breach by the EPUK, a Board member will ask the member/non-member to provide an outline of their concerns. If the initial contact is by telephone, the Board member will ask the EPUK member/non-member to follow this up with an email or a letter detailing their concern. The concern will then be investigated by members of the Board who are not in any way implicated in the breach. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.
Policy agreed by the Board of Trustees on 25 May 2019
To be reviewed at regular intervals
Already registered? sign in »