GDPR, Privacy, and Data Security Policy


1. Introduction

Eridge Village Hall (referred to as "the Hall") is committed to protecting the privacy and personal data of its users, staff, volunteers, and third parties. This policy outlines our approach to data protection and the procedures we follow to comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

2. Purpose

This policy ensures:

  • Compliance with data protection laws.

  • The protection of personal data handled by the Hall.

  • Clear guidelines on the collection, storage, use, and disposal of personal data.

  • Transparency about how personal data is managed.

3. Scope

This policy applies to:

  • Trustees, employees, volunteers, and contractors.

  • Hirers of the Hall.

  • Members of the public interacting with the Hall.

  • Any third parties providing services to the Hall.

4. Key Definitions

  • Personal Data: Any information relating to an identifiable person.

  • Processing: Any operation performed on personal data (e.g., collection, storage, use, disclosure).

  • Data Controller: The Hall's management committee responsible for determining the purpose and means of processing personal data.

  • Data Subject: The individual whose personal data is processed.

5. Principles of Data Protection

Eridge Village Hall commits to:

  1. Processing data lawfully, fairly, and transparently.

  2. Collecting data only for specified, explicit, and legitimate purposes.

  3. Limiting data collection to what is necessary.

  4. Ensuring data is accurate and up to date.

  5. Retaining data only for as long as necessary.

  6. Processing data securely to maintain confidentiality and integrity.

6. Collection of Personal Data

We collect personal data in the following ways:

  • Booking forms for hall hire.

  • Volunteer or staff applications.

  • Mailing list sign-ups for events or news.

  • Incident reports or feedback forms.

  • CCTV for security purposes.

Types of data collected include:

  • Name, address, email, and phone numbers.

  • Payment details for bookings.

  • Records of communications.

7. Legal Basis for Processing

The Hall processes personal data based on:

  • Consent (e.g., mailing lists).

  • Contractual obligations (e.g., hall bookings).

  • Legal obligations (e.g., accident records).

  • Legitimate interests (e.g., event promotion).

8. Data Sharing

Personal data is shared only when:

  • Legally required (e.g., with law enforcement).

  • Necessary for fulfilling a contract or service.

  • Consent has been explicitly provided.

9. Data Security

The Hall implements appropriate technical and organizational measures, including:

  • Password-protected systems for digital records.

  • Locked filing cabinets for paper records.

  • Regular reviews of data access permissions.

  • Secure disposal of outdated records.

10. Data Retention

Data is retained only for as long as necessary:

  • Booking records: 6 years (for accounting/audit purposes).

  • CCTV footage: 30 days (unless required for investigations).

  • Mailing list data: Until consent is withdrawn.

11. Data Subject Rights

Individuals have the following rights:

  • Access to their personal data.

  • Rectification of inaccurate data.

  • Erasure of personal data ("right to be forgotten").

  • Restriction or objection to data processing.

  • Data portability.

  • Withdrawal of consent at any time.

Requests related to these rights can be submitted via email to admin@eridge-village-hall.co.uk or in writing to Eridge Village Hall, Old Eridge Road, Eridge Green, Tunbridge Wells, TN3 9JF.

12. Breach Notification

In the event of a data breach:

  • The Hall will assess the impact and take immediate steps to mitigate the risk.

  • Serious breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours.

  • Affected individuals will be informed if their rights are at risk.

13. Training and Awareness

All trustees, staff, and volunteers handling personal data receive regular training on GDPR and data security.

14. Review of Policy

This policy is reviewed annually or when changes to regulations occur. The latest version is available on request.

15. Contact Information

For queries or concerns about data protection, contact: David Smith, designated contact
Email: Admin@eridge-village-hall.co.uk

Data Security Procedures

1. Digital Data Handling

  • Use of secure, password-protected devices.

  • Regular software updates and antivirus checks.

  • Encrypted email for sensitive data.

2. Physical Data Handling

  • Paper records stored in locked cabinets.

  • Restricted access to physical records.

  • Shredding of outdated documents.

3. Incident Reporting

  • All suspected data breaches must be reported immediately to the Data Protection Officer.

  • A log of incidents is maintained to monitor and improve security practices.

Adopted March 2025