Swansea Bay Business Club Data Protection Policy

Executive Board Members & Club Partners Data Protection Policy

Version 2

Review date: April 2025

About this policy

We are committed to ensuring that we are fully transparent and accountable for the personal data of our members, contacts and Club Board (the Board) including its collection, usage and storage. We are committed to fulfilling our data protection obligations.

This policy is applicable to the current and former Club Board and Club Partners and Affiliates. It is intended to detail how the Club protects your data and, additionally, your responsibilities towards the data you may process on behalf of the Club.

The Club has appointed the Immediate Past President as the Data Manager. Their role is to ensure data protection compliance within the Club. If you need to contact them, you can email them at [email protected].

 

Definitions

“Personal data” is any information that relates to an individual who can be identified from that information. “Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

 

Data protection principles

Processing of personal data is required to fulfil contractual and legal obligations. The following data protection principles are applied to process personal data:

  1. We process personal data lawfully, fairly and in a transparent manner;
  2. We collect personal data only for specified, explicit and legitimate purposes;
  3. We only process personal data where it is adequate, relevant and limited to what is necessary for the purposes of processing;
  4. We take steps to ensure records reflect accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
  5. We keep personal data for the period necessary for processing only;
  6. We put in place appropriate measures to ensure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage;
  7. We will always tell individuals the reasons their personal data needs to be processed within a privacy notice, including how we use the data and the legal basis the Club relies upon to process your data. We will not process your data for any other reason;
  8. Where the Club processes criminal records data this is to perform statutory obligations or to exercise rights in relation to employment law;
  9. If an individual informs the Club that their information has changed or is inaccurate the Club will correct it without delay;
  10. Personal data gathered during the contractual or employment term is held in the individual’s personnel file and on internal systems. The periods for which the Club holds individuals’ personal data will be confirmed in the appropriate privacy notice; and
  11. We keep records of our processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

 

Your individual rights

As data subjects, individuals have certain rights in relation to their personal data.

 

Your subject access requests

You have the right to make a subject access request. If you make a subject access request, the Club will tell you:

  1. Whether or not data is processed and the reasons for processing, the categories of personal data concerned and the source of the data if it was not collected from the individual;
  2. To whom your data is or may be disclosed, including confirmation as to whether any of the recipients are located outside the European Economic Area (EEA). The Club will also confirm the safeguards in place that apply to such transfers;
  3. How long your personal data is stored (or how that period is decided);
  4. Your rights to rectification or erasure of data, or to restrict or object to processing;
  5. About your right to complain to the Information Commissioner if you believe the Club has failed to comply with your data protection rights; and
  6. Whether or not automated decision-making or profiling occurs and the reasons for any such decision-making occurring.

The Club will also provide you with a copy of the personal data undergoing processing. This will normally be in electronic form.

 

Subject access request process

If you would like to make a request to be provided with a copy of your personal data, this should be emailed to [email protected].

In some cases (e.g. a former board member requesting information, or a request submitted from an email address that is not detailed on our records), the Club may need to ask for proof of identification before processing the request; you will be informed of this if it is a requirement.

The Club will normally respond to the request within one month (30 days) from the date it is received. In some cases, for example where large amounts of personal data are held, the timescale may be extended to three months from the date of the request to ensure the Club is able to provide all information requested. The Club will ensure you are informed within one month of receiving the original request if this is the case.

Additionally, where a subject access request is manifestly unfounded or excessive, the Club is not obliged to comply with it. Alternatively, the Club may agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request.

A subject access request is likely to be manifestly unfounded or excessive if it repeats a request the Club has already responded to. If an individual submits a request that is unfounded or excessive, the Club will inform them that this is the case and whether or not it will respond to it within 14 days of receiving the request.

 

Other rights

In addition to the right to access, you also have a number of other rights in relation to your personal data. You can request the Club:

  1. Corrects inaccurate data;
  2. Stops processing or deletes data that is no longer necessary for the purposes of processing;
  3. Stops processing or deletes data if your interests override the Club’s legitimate grounds for processing data (if the Club relies on its legitimate interests or consent as a reason for processing data, please refer to the appropriate privacy notice to review the Club’s legal basis for processing your data);
  4. Transfers your data to another processor (data portability);
  5. Stops processing or deletes data if the processing is unlawful; and
  6. Stops processing data for a period of time if the data is inaccurate or there is a dispute about whether or not your interests override the Club’s legitimate grounds, or contractual or legal bases, for processing data.

To ask the Club to take any of these steps, you should send the request to [email protected].

 

International data transfers

The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.

You may only transfer Personal Data outside the EEA if one of the following conditions applies:

  1. The European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms;
  2. Appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
  3. The Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
  4. The transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.

 

Your role in protecting our data

Data security

The Club is committed to ensuring there are proper measures and controls in place to ensure the security and safety of personal data. We do this by having internal policies and controls to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by individuals who require access to allow the proper performance of their duties (e.g. the Board).

Where third parties are contracted to process personal data on behalf of the Club, security measures are confirmed in written agreements, which also confirm the third parties’ obligations regarding the confidentiality of any data they process. The Club will not use any third parties to process data unless we are satisfied they have appropriate measures, systems and controls in place to protect data.

 

Impact assessments

To ensure compliance with GDPR principles, with effect from 25 May 2018 a data protection impact assessment must be undertaken where processing could result in a high risk to individuals’ rights and freedoms. This involves considering the purposes for processing data, assessing the risks and establishing what steps can be taken to reduce the risk to the individual.

 

Social media and data protection

To ensure that personal data is not compromised, and its security is maintained, the Board and Club Partners and Affiliates must not post any personal data obtained through affiliation or membership with the Club on social media and networking sites without the prior consent of the individual and/or the Club.

You must avoid making any social media communications that could damage the Club’s interests or reputation, even indirectly.

You should not use social media to defame or disparage us, or any third party; to harass, bully or unlawfully discriminate against members or third parties; to make false or misleading statements; or to impersonate colleagues or third parties.

Individuals must not express opinions on our behalf via social media, unless expressly authorised to do so.

Individuals must not post comments about sensitive Club-related topics, such as our performance, or do anything to jeopardise our trade secrets, confidential information and intellectual property.

 

Personal devices and data protection

When you access our systems, you may be able to access data about us, our members and other business connections, including information which is confidential, proprietary or private.

The definition of data is very broad, and includes all written, spoken and electronic information held, used or transmitted by us or on our behalf, in whatever form.

When you access our systems using a personal device, we are exposed to a number of risks, including the loss or theft of the device (which could result in unauthorised access to our systems or company data), the threat of malware (such as viruses, worms, spyware, Trojans or other threats that could be introduced into our systems via a device) and the loss or unauthorised alteration of data (including personal and confidential information).

This could expose us to the risk of non-compliance with legal obligations of confidentiality, data protection and privacy. Such risks could result in damage to our systems, our business and our reputation.

We are required to protect our systems and data, and to prevent any data from being deliberately or inadvertently lost, disclosed or altered, while enabling you to access our systems using a device.

When using your device to connect to our systems you must:

  1. At all times, use your best efforts to physically secure the device against loss, theft or use by persons who we have not authorised to access the data. You must secure the device whether or not it is in use and whether or not it is being carried by you. This includes, but is not limited to, passwords, encryption, and physical control of the device;
  2. Install any anti-virus or anti-malware software at our request before connecting to our systems and consent to our efforts to manage the device and secure its data, including providing us with any necessary passwords;
  3. Protect the device with a PIN number or strong password, and keep that PIN number or password secure at all times. If the confidentiality of a PIN number or password is compromised, you must change it immediately;
  4. Maintain the device’s original operating system and keep it current with security patches and updates. Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing our systems or data;
  5. Prohibit use of the device by anyone not authorised by us, including your family, friends and business associates;
  6. Not download or transfer any of the Club’s data to the device, for example via e-mail attachments, unless specifically authorised to do so, and delete the information when it is no longer required for the purpose for which it was downloaded or transferred;
  7. Ensure that if the device is sold, replaced or transferred to another individual that all company data is irretrievably deleted from the device; and
  8. Delete any data (and backups) and provide a signed declaration to confirm you have done so when you leave the Club for any reason.

 

Individual responsibilities

Individuals have a responsibility to assist the Club to keep their personal data up to date.

You may during the course of your Board Membership or Club Partnership have access to personal data of members and contacts. Where this occurs, you are responsible for assisting the Club to fulfil its data protection obligations to these individuals.

Individuals with access to personal data are required to:

  1. Only access data that they have authority to access for a specified purpose;
  2. Have individual logins for Web Collect and not share passwords;
  3. Not share data with individuals (internally or externally) unless there is authorisation to do so;
  4. Maintain the security of data and ensure all data protection and security policies and procedures are followed;
  5. Ensure that personal data stored on local or personal drives is password protected using a strong password; and
  6. Ensure personal data sent via email is attached in a separate word or PDF document and that the document is password protected.

 

Data breaches

Any potential data breach must be reported to the Data Manager immediately, to allow the Club to report to the ICO within 72 hours any data breach involving personal data that is likely to pose a risk to the rights and freedoms of individuals.

The Club will maintain an internal record of all data breaches regardless of their effect.

If it is determined that a breach is likely to be high risk to individuals involved, the Club will inform affected individuals of the breach and provide them with information about possible consequences and the steps taken by the Club to mitigate the impact of the breach.