London IBM Retirees Club

Privacy Policy and GDPR Compliance

Privacy Policy

The Data Controller

The data controller is the London IBM Retirees Club, hereinafter referred to as LIRC.

Your Data

Data about individuals is received by LIRC through:

  • Completed membership application forms
  • Member-approved transfer of data from the predecessor organisation IBM Retired Employees’ Club (London Branch)
  • Bookings and sales of tickets for events
  • Email correspondence with committee members
  • Comments and feedback provided on our website
  • Payments to and from LIRC

Data Storage and Processing

LIRC (the Data Controller) may hold some or all of the following personal information. This information is retained and used solely for the purpose of running the Club.

Membership Information

A unique reference number (which may be based on your current or former IBM personnel number), name, addresses, phone numbers, email address, membership status and contact preferences.

Event Bookings

Records of member applications for events including, for all events: member reference number, member contact information, date and price of the event, number of places applied for, attendants’ disability status (where provided) and payment preference. For some events additional information may be collected, including, where applicable: contact details for guests, insurance status, dietary requirements, emergency contacts, health information and seating preferences.

Email Correspondence

Emails between committee members and individuals.

Website Comments and Feedback

Comments and feedback entered directly into the club website.

Bank Accounts

Name, basic payment details and date.

Information That We Share With Others

Personal data is shared outside LIRC with the following organisations, which are Data Processors for LIRC:

  • Organisations running, or providing services in support of, events for our Members and their guests (e.g. travel agents, hotels and others running events).
  • Our banks, for payment processing.
  • MailChimp.com, for bulk email communication with Members.
  • Google.com (Gmail), for outgoing emails sent by our server. These are automated acknowledgements of receipt of information entered by you into forms on our website. These may include: event booking requests, membership applications, event feedback and other items.

Data Disposal

Your personal information is retained according to the table below, and deleted thereafter.

Data Retention Policy

| Category | Retention |
| --- | --- |
| Membership information | Retained while the individual is a member. Deleted six months after notification of their withdrawal from the club. |
| Booking and ticketing data | 12 months from date of running the event |
| Email correspondence | 6 months |
| Website comments and feedback | 6 months |
| Payments | 6 years |

GDPR Policy and Compliance Statement

This statement outlines GDPR responsibilities and how LIRC meets those requirements.
GDPR requires that:

Article 5 – The controller shall be responsible for, and be able to demonstrate, compliance with the principles that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
     
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
     
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    [Information collected and the legal basis for it is identified above]
     
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
    [Processes for individuals to view and correct their personal data held by LIRC are outlined in this Privacy Policy]
     
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
     
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
    [Personally identifiable data is expected to be handled with care and consideration in line with GDPR by all committee members and third parties who come into contact with it. It should be secured and used only in line with its agreed purposes]

In the event of a data breach, the LIRC committee will investigate the causes, inform the individuals affected, provide them with appropriate information and actively seek to prevent further occurrences.

Committee Member Training

Once per year a portion of a committee meeting will be dedicated to:

  • Reviewing the principles of GDPR compliance.
  • Reviewing changes to the organisation and its processes and whether this has an impact on data protection and GDPR.
  • Assessing and meeting the training needs associated with protecting and managing individuals’ data in line with GDPR requirements.

This will usually be the first committee meeting after the AGM to allow new committee members to be trained promptly. Additional training will be provided on request for anybody who needs it.

Addressing Individuals’ Rights

The Right to be Informed

When individuals become members of LIRC they are advised that their information will be stored and they are referred to this page which outlines their rights and how LIRC addresses them under GDPR.

The Right of Access

Upon written request for Subject Access to any committee member by an individual, a copy of the membership records for that person will be provided, as well as any information stored by MailChimp.com on behalf of LIRC. Additionally, on request, a search for, and a list of, retained emails to or from the individual will be provided. Copies of any retained non-public paper data relating to the individual will also be provided on request, if they exist. Providing this information will be free of charge and will be completed within one month.

The Right to Rectification

Upon written request for rectification of incomplete or incorrect information to any committee member by an individual, that person’s information will be corrected within two months.

The Right to Erasure

Upon written request for data erasure to any committee member by an individual, information about that person will be deleted as far as possible except where it may be required for running events for which the individual has booked but not yet attended. Deletion may take up to two months.

Note that a request for deletion of member information constitutes your resignation from the club.

The Right to Restrict Processing

Individuals can suppress processing of data. This is complicated and unlikely to affect small organisations like LIRC; if such a case occurs, the regulations will be followed.

The Right to Data Portability

Upon written request for data portability to any committee member by an individual, the club will provide a copy of that person’s membership information in electronic format. This will be completed within one month.

The Right to Object

Upon written request for opt-out of marketing materials to any committee member by an individual, LIRC will ensure that the person does not receive direct marketing materials from the club.

LIRC-privacy-policy-v4