About this Policy

This policy explains when and why we collect personal data about you, how we use it, how we keep it secure, and your rights and obligations in relation to it.  It applies to full members, temporary members, applicants for membership, former members whose membership has ceased and guests who also attend our events. 

In order to access the website and to participate in the events we organise, we ask you to provide certain information by which you can be identified.  You can be assured that it will only be used in accordance with this Data Privacy Policy.  

Royal Naval Volunteer Reserve Yacht Club (the Club) is committed to complying with the UK General Data Protection Regulation (GDPR) when dealing with your personal data.  How GDPR applies to you is explained at ico.org.uk/your-data-matters.

We keep this Policy under regular review, and may change it from time to time, so please check this page for the latest version.  Please also refer to the Club Rules, Section 24: Data and Data Protection.

This Data Privacy Policy was last updated on 24th July 2022.

When do we collect your personal data?
Compliance with this Data Privacy Policy 

What do we collect?
Why do we collect personal data?
Who has access?
With which third parties do we share your personal data?
How do we keep your personal data secure?
What rights do you have over your personal data?
What obligations do you have over other members' personal data.
What happens to your personal data if your membership ceases ?
How does this policy apply to guests?
Any questions?

When do we collect your personal data?

When you join the Club, you complete an application form.  The information you provide, together (since 2020) with any letter of recommendation from an existing member submitted in support of your application, is stored on the website and forms the basis of your member profile.   

In addition:

• you will be asked to provide your bank and contact details to our third party subscription collection company, GoCardless;
• if you pay for goods or services online, the details entered are stored on the website and by a third party payment processing entity, Stripe; and
• photographs and videos by which you may be identified may be taken at Club events which you attend, for subsequent Club use.
  

Compliance with this Data Privacy Policy

Club Rule 4(b) provides that, upon election to membership, each newly elected member shall be taken to have agreed to comply with the Rules.  By Rule 24 (b) each member undertakes to read and abide by the Club's Data Privacy Policy, in its latest version, as published on the Club's website.

What do we collect?

Personal data about you that is stored in your member profile will include, but is not limited to, the following:

When you register for an event, a record of your attendance at the event is kept on the website, together with any invoice issued to you in respect of any requisite payment.

An invoice is also issued and retained on the website for any items you purchase directly from Slops.

Further financial information is collected and retained by the IT systems of the following third parties:

Photographs and video taken by you and other members of yourself and fellow members and submitted for use by the Club may be copied into our photo repository, Flickr, for retention in our archives and others may be used on the website or in newsletters.

Videos of Zoom meetings may be taken and kept in an external video repository, Vimeo, for reference and viewing subsequently including of AGMs conducted by Zoom.

Why do we collect personal data?

We require your personal data to run the Club for the benefit of our members in accordance with the Club's Objects as set out in our Club Rules. 

The following is a list of some of the purposes for which your personal data is used:

• Management of your membership.
• Provision of an online membership directory, for members to be able to contact each other and to gain information about another member's background and boating experience.
• Provision of a Handbook, which includes members' contact details and other information on members' boats, their holding of Club permits and any current or past roles held within the Club.
• To inform you of Club events and news by means of e-bulletins using your email address.
• To send newsletters and the Handbook by post to your home address.
• For the Committee to use for its legitimate purposes, for example, to research historic event attendances or membership demographics.
• For Event Organisers to contact you on events and to provide your details to venues and marinas as necessary for the running of events.
• To enable you, Event Organisers and other relevant Committee members to view your invoices and obtain information as to their payment.
• For you to be able to produce to affiliated clubs evidence of your membership of the Club.

Who has access?

Club administrators

To enable its management of the Club's affairs, the Committee has authorised the following Officers and other post-holders to have access to all your personal data on the website in order for them to to fulfil their roles:

Any one or more of the persons listed above may download to their personal devices members' personal data for the legitimate purpose of performing their roles.  They are required to abide by the GDPR and this Data Privacy Policy.

Event Organisers
From the time when details of a specific event first appear on the website until the conclusion of the event, the relevant Event Organiser(s) is provided with access to the Events section of the website.  They are able to view the registration details entered by each member for the event and to examine the member's invoice and payment status. Upon conclusion of the event, their access is removed and they are required to delete any members' personal data which they have downloaded for the purpose of running the event.

Slops
The Slops Bosun's additional website access is limited to viewing invoices and the relevant payment status in respect of orders placed by members for Slops items.

Other Members
Other members are permitted to download onto their personal devices lists of registrants and details of their participation at an event in which they too are participating, in order to enhance socialisation during the event.   Once the event is over, such personal data is required to be deleted.  

Stripe
Some of the data collected by our card processing provider, Stripe, is visible to the Hon. Treasurer and the one other person authorised by the Committee to monitor Stripe payments for goods and services.  This is limited to the name of the payer, the card type (e.g. VISA), the card issuer (e.g. Barclays Bank), the expiry date and the last 4 digits of its number.

GoCardless
The Hon. Treasurer and the one other person authorised by the Committee to monitor members' GoCardless payments have access to their names and email addresses but not to the details of their bank accounts.

The Club's Banks
The Hon. Treasurer and the one other person authorised by the Committee to monitor transactions on the Club's bank accounts have access to the online banking records of such transactions and can therefore identify the name of each member who has paid money into one of the bank accounts or to whom a payment from the bank account has been made.

With which third parties do we share your personal data?

The Club will never sell your personal data.

We share your personal data with third parties in order for them to provide goods or services of benefit to you.  We disclose the minimum data that is necessary to enable the third party to fulfil the requirements.

Wild Apricot Inc
Wild Apricot has provided the software for the Club to create and maintain our website and to run our membership and event management systems.  Wild Apricot staff have access to all of your personal and financial data but they act in a passive manner and should only access your personal data when authorised to do so by a Club administrator in response to a specific request for support.  

GoCardless
GoCardless is used by the Club to collect membership fees by Direct Debit.  We share with them your email address.  The bank details that you entered if you registered to pay by Direct Debit are held by GoCardless and no-one at the Club has access to them.

The Banks
If it is necessary to send money to your bank by electronic transfer, the Hon. Treasurer will need your bank account details.  These are stored in the bank's electronic records to identify you as a Payee, to which information the Hon. Treasurer and the one other person authorised by the Committee to monitor transactions on the Club's bank accounts has access.

Affiliated Yacht Clubs
A complete list of our members is provided to affiliated clubs and is updated at regular intervals to enable them to give our members access to their facilities.

Printers
We send a list of names and postal addresses to the printers for the newsletter and handbook.

Venues and Marinas
Restaurants often require a list of those attending the function, in order to provide customised service and to prepare name cards and seating plans.  Marinas ask for lists of boats booked for a rally together with the name of the skippers and sometimes other personal information like mobile numbers.

Flickr

This cloud-based company provides storage facilities for our photos and organises our photo archives.  The photos can be accessed by the public.  Descriptions of the photographs never contain a name of an individual but may contain a short identifier for the event, for example, "2019 Annual Dinner".

Vimeo
Vimeo is a cloud-based video sharing platform which we use for historic Zoom recordings of some meetings and vTots.  Where the Zoom attendees have displayed their names when participating in a session, this will be visible on the recording.  The platform is accessible to the public.

How do we keep your personal data secure?

Website
The Club uses adequate and generally accepted standards of technology to protect your personal data on the website by limiting access to the website to members by their use of individual passwords.  The passwords used by members having access to the data for administrative purposes are required to be very strong.

Financial systems
All our financial systems, including those run by Stripe, GoCardless and the Club's banks, use strong, multi-factor authorisation to gain access.  

Members
Members who store other members' personal data on their own electronic devices are requested to have secure passwords to prevent unauthorised access.  They are also required to delete any data that is no longer needed to fulfil the requirement for which they originally obtained it.   

What rights do you have over your own personal data?

Under the GDPR you have the following rights:

• to access your personal data; 
• to be provided with information about how your personal data is processed;
• to have your personal data corrected;
• at any time to withdraw your consent to our processing your personal data or otherwise to object to or restrict how your personal data is processed or to have your personal data erased (in certain circumstances).  However, your withdrawal of such consent in its entirety and without qualification will result in your membership of the Club ceasing by virtue of your resultant non-compliance with Rule 24 (a);
• at any time to withdraw your consent, whether in part or in whole, for the relevant details to appear in the Membership Directory and/or Club Handbook;
• to have your personal data transferred to yourself or to a business in certain circumstances; 
• to change within your member profile what information is visible to other members in the online Membership Directory (but some Club administrators and staff at Wild Apricot will still be able to see all personal data held within the Directory whether or not you have withdrawn consent for it to be visible to other members); and
• to take any complaints about how the Club processes your personal data to the Information Commissioner: ico.org.uk/concerns

In all cases, please contact the DPO or the Membership Secretary for help.

What obligations do you have over other members' personal data?

You have the following obligations under the Club Rules and this Data Privacy Policy:

Access to other members' personal data is obtained by logging in to the website.  You are therefore requested to maintain a very strong password and not share it with anyone.

If you are acting on behalf of the Club in a role that requires you to obtain members' data,  you should delete the data when you no longer act in this capacity.  The relevant data will be retained on the website in accordance with this Data Privacy Policy.

What happens to your personal data if your membership ceases?

If your membership ceases, we will generally keep your personal data until the end of the calendar year after which your membership ceased, provided that by then, the Hon. Treasurer can confirm that there are no payment queries outstanding.  However, the list of registrants for any event in which you participated will be retained on the website for a minimum of three years after its conclusion for personal injury claims.

After that time, the list is deleted and any records of your attendance at a Club event or entry into other financial transactions with the Club will be erased together with all invoices issued to you.  Our financial systems will solely retain the invoice number and amount but there will no longer be any way to link back to the original invoice which shows your name and other details.

Records of your financial transactions with the Club will be retained for as long as is necessary to allow the Club to fulfil its obligations to the tax authorities.

In some instances, your name will remain on the Club website in order for us to maintain our archives, for example, on the list of members who contributed to the cost of the portrait of our Admiral.

Photographs of you either on your own or within groups of other members held on Flickr will not be deleted.  These relate to club events going back to 2010 and form part of our archives.  This policy will also apply to other historic photos.   

If you appear in a video which is stored and shared on Vimeo the video will not be deleted as it forms part of the Club's archives.

No member is permitted to keep on their own devices any personal data of other Club members (unless they are personal friends) beyond the time when the data is necessary in fulfilment of their role or task undertaken on behalf of the Club.  

How does this policy apply to guests?

When you register for an event, you are required to add the names of any guests who will also participate,  together with any choices they make as to meals or activities relating to the event.  All registered guests are covered by our Club's Combined Liability insurance policy, for which a list of registrants for the event is retained on the website for at least three years.  At the beginning of the year following, the list will be deleted.