What is GDPR & DPA?
GDPR stands for 'General Data Protection Regulation'. It is the EU law that changes the way every organisation in the EU uses your personal data and gives you more control over that data. It applies to every company, club or group that processes the personal data of people in the EU, whether commercial or not. Even if an organisation is outside the EU, if it handles the data of people in the EU, it must comply with the law. The law was adopted in April 2016, but the EU gave organisations two years to comply, and it became enforceable on 25th May 2018.
DPA stands for 'Data Protection Act'. It is the new UK law (the Data Protection Act 2018) that also came into effect on 25th May 2018. This UK law applies the GDPR within the UK and adds UK-specific exemptions and additions to it.
This new UK law replaces the Data Protection Act 1998, which implemented a 1995 EU directive and was no longer effective. It hadn't kept pace with a changing digital world, too many companies found ways to circumvent it, and the fines were small. The fines for breaking the new law can be up to 20 million Euros or 4% of global annual turnover, whichever is higher. 4% of the global turnover of a large tech firm could run into billions!
It's a big change to how you (and organisations) have viewed your name, email address, phone number, postal address or photo in the past. The new law classes all these things (and many others) as your 'personal data' and gives you more control over how an organisation can use your data.
The law says that an organisation must have a lawful basis (a legal reason) for doing anything with your personal data, including collecting and storing it. It also says that an organisation is legally responsible for protecting your data and can be fined heavily in the event of a 'data breach'.
There are 6 lawful bases that an organisation can use to justify processing your data. Data collected for one purpose under one basis cannot simply be reused for an unrelated purpose; the new purpose needs its own lawful basis. For example, The BAY Centre can collect your data to administer a Hirer's booking contract, but it can't then use that data for something unconnected to the booking, such as showing your data on our website; for that, we have to rely on a different lawful basis (in this case, your consent).
The 6 lawful bases that can be used by an organisation for processing are -
1. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
2. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
5. Vital interests: the processing is necessary to protect someone’s life.
6. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The BAY Centre relies mainly on Contract and Consent to collect and process your data, with Legal Obligation covering any data held in charity and financial records.
The new law gives you more control over how your data is used.
Your rights are -
◆ The right to be informed, e.g. you should be told when your data is collected, what it is used for, how long it is kept, etc.
◆ The right of access. You should be able to see what data we hold about you.
◆ The right to rectification. You are able to change or correct your data.
◆ The right to erasure. Under certain circumstances, you are able to have your data deleted.
◆ The right to restrict processing. Under certain circumstances you can restrict what we do with your data.
◆ The right to data portability. You are able to get a digital copy of your data should you wish to move it somewhere else.
◆ The right to object. Under certain circumstances, you are able to object to us using your data in a certain way.
◆ Rights in relation to automated decision making and profiling. We don't use any automated decision making or profiling.
◆ The right to withdraw consent you have already given.
◆ The right to raise a concern about our handling of your data.
◆ The right to ask a data protection question. We will try to answer any data protection questions as best we can.
For more detailed descriptions of the BAY Centre’s GDPR compliance, please see our Data Protection Policies -
Customer Rights Policy
Lawful Basis Policy
Document initially published. The policy is one of a series of policy documents that replace all previous policy documents that existed in a variety of different formats, some electronic, some paper and some verbal.