Active Essex Foundation (AEF) takes very seriously its obligations in relation to the processing of personal data pursuant to the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This policy sets out the procedures to be followed by the Board of Trustees and staff engaged on behalf of AEF.

The Trustees with responsibility for data protection are Rob Hayne and Angela Brown.

External Registration

In accordance with guidance issued by the Information Commissioner, AEF is a not for profit organisation which is exempt from registration. The basis of this exemption is that AEF:

a. Only processes information necessary to establish or maintain membership or support;

b. Only processes information necessary to provide or administer activities for people who are members of the organisation or have regular

c. Only shares the information with people and organisations necessary to carry out the organisation’s activities. (Important – if individuals give AEF permission to share their information, this is OK)

d. Only keeps the information while the individual is a member or supporter or as long as necessary for member/supporter administration.

The Trustees will keep this status under review and any change to AEF’s position or need to register with the Information Commissioner will be reported to the Board of Trustees.

Information Asset Register

AEF’s Information Asset Register (IAR) is a standing agenda item reviewed by the Board of Trustees at every Board meeting.

AEF has a standard form of Privacy Notice which ensures that all personal data captured has a lawful basis for processing. The contents and usage of this Privacy Notice are reviewed periodically by the Trustees.

Subject Access Requests

Subject to any exceptions which apply by law, AEF will provide to any individual who requests it a reply stating whether or not AEF holds personal data about the individual and, if applicable, provide a written copy of the data subject’s own data and the information stated in article 15(1) GDPR, e.g. the purpose of the processing, categories of data concerned, recipients to whom the data are disclosed and the logic involved in any automated decision concerning them.

AEF will comply with requests for access to personal information as quickly as is practicable, but will ensure that the information is provided within one month, free of charge, as required by law.

Subject access requests must be made in writing and be specific enough for AEF to understand what information is being sought. AEF reserves the right to ask for further details in order to particularise any request. AEF also reserves the right to ask the person making the request to verify their identity before sending them information e.g. by producing a utility bill showing name and address.

All subject access requests should be addressed to Rob Hayne, Trustee at [email protected] or our registered address.

Right to Rectification

AEF will allow the rectification of inaccurate data. This right applies to objective and factual data and includes the right of the data subject to supplement additional data.

Right to Erasure (“right to be forgotten”)

AEF will erase the personal data which it holds for a data subject when the individual no longer wants her/his data to be processed and provided that there are no legitimate grounds for retaining it.

According to the Judgment of the Court (Grand Chamber) of 13 May 2014 in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, “the right to erasure applies not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, (…)”. Accordingly, it will always need to be balanced against other fundamental rights such as, for instance, freedom of expression or historical or scientific research.

Right to Restriction of Processing

AEF will cease processing personal data when required in accordance with article 18 GDPR, e.g. where the accuracy of the personal data is contested, the processing is unlawful, or the result of an objection is pending. AEF will only store the personal data and no further processing can take place unless the data subject explicitly consents or some other lawful justification for processing applies.

Notification Obligation regarding rectification or erasure of personal data or restriction of processing to recipients

AEF will notify each recipient to whom the personal data have been disclosed of any rectification, erasure or restriction of processing carried out, unless this proves impossible or involves a disproportionate effort.

Right to Data Portability

This right applies if the processing is carried out by automated means and the data subject provided personal data on the basis of his or her consent, or the processing is necessary for the performance of a contract. Under those conditions, if the data subject requests it, AEF will (i) provide the data subject with the data in a structured, commonly used and machine-readable format and (ii) allow the transmission of the data to another data controller.

Right to Object

Where the processing is carried out in the public interest or in the exercise of official authority vested in AEF, or on the grounds of the legitimate interests of a third party, or for direct marketing, including profiling, AEF will inform the data subject of, and provide them with, their right to object to the processing.

When processing has been objected to by a data subject, AEF will cease to process that individual’s data and remove their information from its systems unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.

Reporting of data loss and breaches

In the case of a personal data breach, AEF shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Information Commissioner’s Office unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification shall at least:

a. describe the nature of the personal data breach;

b. communicate the name and contact details of the Trustees reporting the breach;

c. describe the likely consequences of the personal data breach; and

d. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

Retention and disposal of personal data

AEF will hold the minimum personal data necessary to enable it to perform its functions and comply with law. The data will be erased once the need to hold it has passed. Every effort will be made to ensure that data is accurate and up to date and that inaccuracies are corrected quickly.