embark2 Data Protection Policy
Last updated 29/03/19

Definitions

GDPR means the General Data Protection Regulation.
Responsible Person means John Webb.
Register of Systems means a register of all systems or contexts in which personal data is processed by embark2.
  1. Data protection principles

 embark2 is committed to processing data in accordance with its responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  2. General provisions

  a) This policy applies to all personal data processed by
  b) The Responsible Person, John Webb, shall take responsibility for embark2’s ongoing compliance with this policy.
  c) This policy shall be reviewed at least annually.

  3. Lawful, fair and transparent processing

  a) To ensure its processing of data is lawful, fair and transparent, embark2 shall maintain a Register of Systems.
  b) The Register of Systems shall be reviewed at least annually.
  c) Members have the right to access their personal data and any such requests made to us shall be dealt with in a timely manner.

  4. Lawful purposes

  a) All data processed by embark2 must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
  b) embark2 shall note the appropriate lawful basis in the Register of Systems.
  c) Where your consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
  d) When communications are sent to you based on your consent, the option for you to revoke your consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in embark2’s systems.
  e) We respect your right to control your data. Your rights include:

1) The right to be informed

This privacy notice outlines how we capture, store and use your data. If you have any questions about any elements of this policy, please contact us.

2) The right to rectification

If we have captured information about you that is inaccurate or incomplete you can update it.

For more information on your individual rights, please see the Information Commissioner’s Office.

  5. Data minimisation

embark2 shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Why do we collect your personal data?

  1. We use your personal data to keep in touch with you.
  2. We will only ever collect, store and use your personal data when we have an identified purpose and reason to do so. The ICO refers to this as a ‘lawful basis’.
  3. Further information about why we collect your personal data is outlined below:

To administer your embark2 membership, which may involve:

  • Sending you your membership welcome email when you first join us
  • Sending you your membership renewal email
  • Getting in touch should there ever be any issues with your membership or issues concerning the code of behaviour
  • To send you information regarding holiday and event bookings
  • Information about holidays/events you have booked onto.
  • To send you information about our group and ask for your opinion
  • To send you information about activities that we feel may be of interest to you.
  • From time to time, we may also use your personal data to ask for your opinion about our holidays/events/activities.
  • To keep you informed and provide information regarding embark2 activities.

What kind of personal data do we collect and how do we collect it?

  a) Basic information

We will usually collect basic information about you, including your name, age, gender, town or city, county, postcode and email address.

  b) Registration process

As part of the registration confirmation process, we will collect the date, cause of your partner’s bereavement and location of the registry office. We may also collect information relating to screen names and additional email addresses you use. Usually, we collect this data from you directly, but we may also obtain information from external public sources, for example, published obituaries.

  c) Getting to know you better

We also collect information about you that helps us to get to know you better. This may include:

  • information about your interests and family
  • your contributions to the web forum
  • records of events you’ve attended or organised

  d) Sensitive personal data

We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation) about members. However, there are some situations where this will occur.

When we do so, we will be very clear as to why we are collecting such information, and we will only do so with your specific consent and permission. In these situations, we collect the data from you directly.

If you are attending a holiday or an event we may collect extra information about you, for example:

  • details of emergency contacts
  • medical conditions
  • dietary requirements
  • travel insurance details

Usually, this information will be stored for a maximum of 7 days following the holiday/event.

  6. Accuracy

  a) embark2 shall take reasonable steps to ensure personal data is accurate.
  b) Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
  c) All of the personal data we process is processed by our administrators in the UK. However, for the purposes of IT hosting and maintenance your information may be situated outside of the European Economic Area (EEA). This will be done in accordance with guidance issued by the Information Commissioner’s Office.
  d) Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Our administrators all receive data protection/GDPR training.

  7. Archiving / removal

We will only use and store information for as long as it is required for the purposes it was collected for, as outlined above.

  8. Security

  a) embark2 shall ensure that personal data is stored securely using modern software that is kept up-to-date.
  b) Access to personal data shall be limited to the administrators who need access and appropriate security is in place to avoid unauthorised sharing of information.
  c) When personal data is deleted this will be done safely such that the data is irrecoverable.
  d) Appropriate back-up and disaster recovery solutions shall be in place.

  9. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, embark2 shall promptly assess the risk to members’ rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).

Review Date … March 2020