HHRA Data Protection/GDPR Statement
1. Policy statement
1.1 Hill Head Residents’ Association (HHRA) is committed to protecting personal data and respecting the rights of our data subjects, the people whose personal data we collect and use.

We process personal data to help us:
a) maintain our list of members;
b) provide services to our members
c) maintain our accounts and records;
d) promote our services;
e) respond effectively to enquirers and handle any complaints

1.2 This policy has been approved by the HHRA Committee, which is responsible for ensuring that HHRA complies with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.
2. Why this policy is important
2.1 We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security or being shared carelessly, or being inaccurate, as we are aware that people can be upset or harmed if any of these things happen.

2.2 In particular, we will make sure that all personal data is:
a) processed lawfully, fairly and in a transparent manner;
b) processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
d) accurate and, where necessary, up to date;
e) not kept longer than necessary for the purposes for which it is being processed;
f) processed in a secure manner, by using appropriate technical and organisational means;
g) processed in keeping with the rights of data subjects regarding their personal data.
3. What personal information do we process
3.1 In the course of our activities, we may collect and process contact information (personal data) about our members (data subjects). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us.

3.2 We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process includes names and contact details.
4. Making sure processing is fair and lawful
4.1 Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

4.2 Processing of personal data is only lawful if at least one of these legal conditions, taken from those listed in Article 6 of the GDPR, is met:
a) the processing is necessary for us to comply with a legal obligation;
b) the processing is necessary to protect someone’s life (this is called “vital interests”);
c) the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;
d) the processing is necessary for legitimate interests pursued by HHRA, unless these are overridden by the interests, rights and freedoms of the data subject.
e) if none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.
f) the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;
g) if none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.
 5. Data Controller
5.1 The data controller is the person who determines the means for processing personal data and the purposes for which it is processed. It does not matter if the decisions are made alone or jointly with others

5.2 The data controller is responsible for the personal data which is processed and the way in which it is processed

5.3 The Membership Secretary is the Data Controller for HHRA.
6. When we need consent to process data
6.1 Where none of the other legal conditions apply to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it.

6.2 Consent can however be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.
7. Processing for specified purposes
7.1 We will only process personal data for the specific purposes explained in our privacy notices or for other purposes specifically permitted by law.

7.2 We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in privacy notices). We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.
8. Accurate data
8.1 We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and at appropriate points later on.
9. Security of personal data
9.1 We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage. 

9.2 We will dispose of data in a secure manner when it is no longer required or we have been asked to remove it.
10. Data subjects’ rights
10.1 We will process personal data in line with data subjects' rights, including their right to:
a) request access to any of their personal data held by us (known as a Subject Access Request);
b) ask to have inaccurate personal data changed;
c) restrict processing, in certain circumstances;
d) object to processing, in certain circumstances, including preventing the use of their data for direct marketing;
e) data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation;
f)  not be subject to automated decisions, in certain circumstances;
g) withdraw consent when we are relying on consent to process their data.
10.2 If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to the Data Controller immediately.

10.3 We will act on all valid requests as soon as possible, and at the latest within one calendar month, unless we have reason to, and can lawfully extend the timescale. This can be extended by up to two months in some circumstances.
11. Direct marketing
11.1 We will comply with the rules set out in the GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging, telephone (both live and recorded calls) and fax.Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals.
“Marketing” does not need to be selling anything, or be advertising a commercial product. It includes contact made by organisations to individuals for the purposes of promoting the organisation’s aims.

11.2 Any direct marketing material that we send will identify HHRA as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing we will stop the direct marketing as soon as possible.
12. Sharing information with other organisations
12.1 We will not share personal data with other organisations or people.
13. Dealing with data protection breaches
13.1 Where any member of HHRA, or of the committee, thinks that this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Controller.

13.2 We will keep records of personal data breaches, even if we do not report them to the Information Commissioners Office (ICO).

13.3 We will report all data breaches which are likely to result in a risk to any person, to the ICO.
 Policy approved and adopted by Hill Head Residents’ Association Committee  14 May 2018