Privacy Policy


1. INTRODUCTION

This policy sets out the obligations of Stewarton Golf Club (“the club”) regarding data protection and the rights of all club members and guests (“data subjects”) in respect of their personal data under the General Data Protection Regulation (GDPR 2018).

This privacy policy sets out how we, Stewarton Golf Club, process your personal data. We take the privacy of your personal data very seriously and all data captured will be used and held in accordance with the requirements of the GDPR act 2018.

The club is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals. The club captain will be “the controller” of all personal data with the club secretary being “the processor” of said personal data.

 

2. THE DATA PROTECTION PRINCIPLES

This policy aims to ensure compliance with the regulations. The regulations set out the following principles with which any party handling personal data must comply. All personal data must be:

a) processed lawfully, fairly, and in a transparent manner in relation to the data subject:

b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes: further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes:

c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed:

d) accurate and, where necessary, kept up to date: every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it was processed, is erased or rectified without delay:

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed: when data is no longer required, all reasonable steps will be taken to erase it without delay:

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

3. WHEN DO WE COLLECT INFORMATION FROM YOU?

We seek to acquire information about you when you:

  • Become a member of Stewarton Golf Club
  • Renew your membership of Stewarton Golf Club
  • Become an honorary member of Stewarton Golf Club

Whenever we request personal information from you, we will always aim to reasonably explain why we are collecting the information and refer you to this policy for more comprehensive detail. Any questions regarding this “Privacy Policy” and our privacy practices should be addressed to the club captain (“the controller”) or club secretary (“the processor”).

Please note: We do not collect or store personal data about any member supplied or obtained from any 3rd party sources. Any data we store is only that which is collected directly from the individual.

 

4. WHAT TYPE OF INFORMATION DO WE COLLECT FROM YOU?

We may collect the following information:

  • Name & surname
  • Home address
  • Contact number
  • Email address
  • Handicap ability
  • Any previous clubs
  • Any membership proposers
  • Your personal signature

 

5. WHAT DO WE USE YOUR DATA FOR?

We process your data for the following purposes:

  • Processing membership applications
  • Providing you with information relating to membership
  • Internal record keeping
  • Processing competition entries
  • To improve our communication to all members
  • Respond to your enquiries
  • Carry out our obligations as your committee
  • Seek your views and comments
  • Notify you of changes which may affect you
  • Send you communications which you may have requested and that may be of interest to you

 

6. WHAT IS OUR LEGAL BASIS FOR YOUR DATA?

We process your personal data for all the purposes identified under part 5 of this policy, on the basis that it is in our legitimate interests to carry out these activities.

 

7. THE RIGHTS OF DATA SUBJECTS

The regulations set out the following rights applicable to all data subjects:

a) The right to be informed: The club shall ensure that all data subjects are informed of the purpose(s) for which all personal data is being collected and how it will be processed. Where applicable, the legitimate interest upon which the club is justifying its collection and processing of the personal data. Where the personal data is to be transferred to one or more third parties, details of those parties. Details of the length of time personal data will be held by the club, normally: if a member resigns from the club, the personal data will be retained until the club accounts have been completed for the accounting period covering the last subscription payment from the ex-member.

b) The right to access: A data subject may make an access request at any time to find out more about the personal data which the club holds on them. The club is normally required to respond to an access request within one month of receipt of said request. All access requests received must be forwarded to the club secretary, and data subjects will be advised of the contact details to enable such contact.

c) The right to rectification: If a data subject informs the club that personal data held by the club is inaccurate or incomplete, requesting that it be rectified, the personal data in question shall be rectified, and the data subject informed of that rectification, within one month of receipt of the data subject’s notice. If any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data.

d) The right to erasure: Data subjects may request that the club erases the personal data it holds on them in the following circumstances:

  • It is no longer necessary for the club to hold that personal data with respect to the purpose for which it was originally collected or processed.
  • The data subject wishes to withdraw their consent to the club holding or processing their personal data.
  • The data subject objects to the club holding or processing their personal data and there is no overriding legitimate interest to allow the club to continue doing so.
  • The personal data has been processed unlawfully.
  • The personal data needs to be erased for the club to comply with a particular legal obligation.
  • Unless the club has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request.
  • If any personal data that is to be erased has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

e) The right to restrict processing: Data subjects may request that the club ceases processing data it holds about them. If a data subject makes such a request, the club shall only retain the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place. If any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

 

f) The right to object: Data subjects have the right to object to the club processing their personal data based on legitimate interests (including profiling) and for direct marketing (including profiling). Where a data subject objects to the club processing their personal data based on its legitimate interests, the club shall cease such processing forthwith, unless it can be demonstrated that the club’s legitimate grounds for such processing override the data subject’s interests, rights and freedoms: or the processing is necessary for the conduct of legal claims. Where a data subject objects to the club processing their personal data for direct marketing purposes, the club shall cease such processing forthwith.

Please note that the club does not use personal data for the purpose of automated decision making or for the purpose of profiling or marketing.

 

8. DATA PROTECTION MEASURES

The club shall ensure that members working with personal data shall comply with the following procedures:

a) All emails containing personal data must be password protected.

b) Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. Hardcopies should be shredded, and electronic copies should be deleted securely.

c) Personal data may be transmitted over secure networks only: transmission over unsecure networks is not permitted in any circumstances.

d) Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient.

e) No personal data may be shared informally.

f) All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer or similar.

g) No personal data may be transferred without the authorisation of the club secretary and/or club captain.

h) Personal data must always be handled with care and should not be left unattended or in view of unauthorised personnel.

i) If personal data is being viewed on a computer screen and the computer is to be left unattended the user must lock the computer and screen.

j) No personal data should be stored on any mobile device (including, but not limited to, tablets and smartphones), whether or not such device belongs to the club.

k) All personal data stored electronically should be backed up, and all backups should be encrypted.

l) All electronic copies of personal data should be stored securely using passwords and data encryption (where available for banking or financial transmissions).

m) All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed. Passwords should not be written down or shared with unauthorised personnel. If a password is forgotten it must be reset using the applicable method.

n) Personal data held by the club will only be used to provide data subjects with information regarding club events and any information of interest or pertinent to data subjects.

 

9. DATA BREACH NOTIFICATION

All personal data breaches must be reported immediately to the club secretary.

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g., financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the secretary must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the club “controller” and/or club “processor” must ensure that all affected data subjects are informed of the data breach without undue delay. Data breach notifications shall include the following:

  • The categories and approximate number of data subjects concerned
  • The categories and approximate number of personal data records concerned
  • The name and contact details of the club secretary and/or the club captain
  • The likely consequences of the breach
  • Details of the measures taken, or proposed to be taken, by the club to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

 

10. THE COMPLAINTS PROCEDURE

If at any point you wish to raise a complaint about how the club have handled your personal data, then you should contact the club captain and/or the club secretary directly. If you are not satisfied with the club’s response or believe we are not processing your personal data in accordance with the GDPR 2018, you can complain to the Information Commissioner’s Office (ICO) at www.scottishgolf.org>legislation

Please note that this policy is under regular review. As stated before in this policy, your privacy is important to the club; that is why all personal data received from you will be treated with total confidentiality, and we will make our best effort to ensure your data is securely stored at all times and that, in the unlikely event of a data breach, you are notified within 30 days, including full details of the personal data breach.

 

11. IMPLEMENTATION OF POLICY

This policy shall be deemed effective as of 15th of December 2018. No part of this policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
