The Northampton and District Model Railway Club (NDMRC) is committed to safeguarding the privacy of its contacts, and will only use the information it collects about you lawfully. You should check this page from time to time to ensure that you are happy with any changes.
Purpose of this policy. The European Union’s General Data Protection Regulation (GDPR) requires us to provide you with this privacy policy. It covers our members and visitors to our site who may provide personal information to enable us to keep them informed of our activities, apply for membership or other, related activities.
It explains:
- What personal data we collect about you, why we collect it, who it is shared with, and how long we keep it
- how we use your personal data
- how we protect your personal data
- your legal rights in respect of your personal data, including how to access and update the information we hold about you.
About Us. For the purposes of applicable data protection laws, the NDMRC is the controller of your data. This means that we decide the purposes and means for dealing with your personal data.
Contact Us. If you have any queries relating to this privacy notice (including any requests to exercise your legal rights in respect of your data), you can contact us at contact@ndmrc.org
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
However, we should appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Information we collect about you.
Personal information we may collect directly from you (as applicable)
- Names
- Postal address
- E-mail address
- Mobile and/or landline telephone numbers
- Personal information provided to us if you contact us or make an enquiry, such as your contact details in our records of that correspondence
- Personal information provided to us if you choose to complete any surveys or questionnaires for us, enter a competition or other social media functions on our website
- Records of which of our events you are interested in and which events you attend.
If the data we hold about you is inaccurate in any way, please contact us to have your personal information corrected.
Why do we collect your personal information and on what grounds?
We will only use your personal data if we have a permitted lawful basis to do so. Generally, we collect your personal data because is it necessary for:
- the pursuit of our legitimate interests (as set out below); or
- complying with our legal obligations.
We may also rely on your consent to use your personal data for:
- keeping you informed of our events;
- responding to your enquiries.
- using images provided voluntarily by you for the creation of content for the NDMRC website or its related social media channels.
You have the right to withdraw your consent to these activities at any time, which will mean (unless another lawful basis applies to your data) that we will cease to process the affected data after consent is withdrawn. However, please note this may result in us being unable to provide you with certain features of the website and/or services. The primary purpose for which we collect information about you is to provide you with services you have requested from us. We also collect information about you for the following purposes:
To perform our contract with you:
- To process your communications
- For handling queries, complaints or disputes.
For our legitimate interests:
- To support and manage our events
- For the administration of NDMRC membership records.
- For promoting, marketing and advertising our events
- To effectively handle any legal claims or regulatory enforcement actions taken against NDMRC
- To generally run our website and for internal operations, in order to provide you with an up to date, efficient and reliable Service
- Making important communications about your involvement
To comply with our legal obligations
- To help identify/prevent fraudulent activity
- To comply with our legal obligations (including under applicable data protection laws)
If you fail to provide personal data
You are not generally required to provide to us any personal data. Where you choose to do so (through email or online form submissions) we shall assume that you have done so willingly in the full knowledge of our policy. Bear in mind that we may be unable to respond to any requests for information or membership acceptance if you decline to provide us with adequate information.
Who do we share your information with?
Your personal data is primarily only used within NDMRC. However, in certain limited circumstances we may share your information with other third parties particularly where it is required by law. These could include:
- Other organisation supporting us in the delivery of services or information to you; payment portals, marketing, IT and event management services.
- Where you have expressed an interest in receiving information about its activities
- Third parties: we may be required to disclose such personal data in order to comply with our legal obligations or enforce our legal rights, e.g. any relevant authority or enforcement body and fraud protection
Sensitive Personal Data. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Retention of Personal Data.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Data Subject’s Rights. In certain circumstances you have rights under data protection laws in relation to the personal data we hold about you. These are summarised below:
Right of Access. You are entitled to ask for access to your personal data so that you are aware of and can verify the lawfulness of the processing. This is achieved through the mechanism, of a Subject Access Request (SAR) and you have the right to obtain:
- Confirmation that your data is being processed (held)
- Access to your personal data (copy) and
- Other supplementary information that corresponds to the information in this Privacy Notice
This information will be provided without charge, without delay and within one month. If an extension is required or requests are considered manifestly unfounded or excessive, in particular because they are repetitive, NDMRC may:
- choose to charge a reasonable fee, taking into account the administrative costs of providing the information or
- refuse to respond. The reasons will be formally notified to you and your rights of appeal to the appropriate Supervisory Authority i.e. UK Information Commissioner’s Office (ICO) will be highlighted.
Identity Verification. To protect your personal data, NDMRC will seek to verify your identity before releasing any information, which will normally be in electronic format. This will normally be a simple process.
Right of Rectification. You are entitled to have personal data rectified or corrected if it is inaccurate or incomplete. NDMRC will respond within one month of your request.
Right of Erasure. You may request the deletion or removal of personal data where there is no compelling reason for its continued processing. The Right to Erasure does not provide an absolute ‘right to be forgotten’. However, you do have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When you withdraw consent
- When you object to the processing and there is no overriding legitimate reason for continuing the processing
- Personal data was unlawfully processed
- Personal data has to be erased in order to comply with a legal obligation
Right to Restrict Processing. Under the Act, you have a right to ‘block’ or suppress processing of personal data. The restriction of processing under GDPR is similar. When processing is restricted, NDMRC is permitted to store the personal data, but not process it further. In this event, exactly what is held and why will be explained to you.
Right to Data Portability. You may ask to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The Right to Data Portability only applies:
- To personal data you have supplied to NDMRC
- Where the processing is based upon your consent or for the performance of a contract and
- When processing is carried out by automated means
In these circumstances, NDMRC will provide you with a copy of your data free of charge, without delay and within one month. If there is going to be a delay you will be informed.
Right to Object. You have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- Direct marketing (including profiling) and
- Processing for purposes of scientific/historical research and statistics
Security of your data
We treat the security of your data seriously. We make every effort to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those persons who have a legitimate need to know for the purpose of fulfilling your requests or providing you with information.
Third party links on our site
Our site may, from time to time, contain links to and from the websites of similar/affiliated organisations, suppliers and social media pages. If you follow a link to any of these websites, please note that websites have their own privacy policies and that we are not in control of, and do not accept any responsibility or liability for these policies or any third-party website linked to our site. Please check these policies before you submit any personal information through these websites.
Cookies, IP Addresses and Non-Personal Information
We may collect and store information about your visit on an anonymous, aggregate basis. This information may include the time and length of your visit and the pages you look at on our sites, we may also record the name of your Internet service provider, browser type, and country of origin. We use this information to measure site activity and to develop ideas for improving our site
Our website uses cookies. A cookie is a small file that is stored on your computer when you visit a website. If you visit the website again, it is recognised as a repeat visit by means of the cookie. The cookie contains a unique number but no personal data. We therefore cannot and would not use the cookie to identify you personally. Furthermore, the cookie cannot be used to identify you on websites of third parties. You can configure your web browser to refuse cookies, to delete cookies, or to be informed if a cookie is set. You can find out how to do this by clicking "help" on your browser menu.
Some cookies are used by the website and its servers purely for the purpose of functionality to ensure that form submissions, menus and other critical aspects of the site work as they should. They do not relate to your personal data in any way
Changes to this policy
We may from time to time review and amend this Privacy Policy to take account of changes in law, technology and our operations. We will post any changes to this Privacy Policy on our website from time to time and, where appropriate, notify you by any e-mail address you have provided to us.
18th October 2018