Data Protection Policy
This privacy notice explains how the Caledonian Fiddle Orchestra (CFO) collects, manages, uses and protects your data. It outlines the type of data we hold and how we use that data to provide information to our members, supporters and concert organisers.
1. Our legal basis for processing.
Our legal basis is consent by members, supporters and concert organisers. The CFO stores personal information on our members, supporters and concert organisers with a view to:
a. communicating with members, supporters and concert organisers.
b. informing supporters of concerts, principally of our annual concert
We may contact members and concert organisers by post, email or telephone. We may contact supporters by email and post.
2. Our data prior to 24 May 2018 was provided voluntarily by members, supporters and concert organisers. We assume that consent has been implicitly given to this data. All data recorded after 24 May 2018 will include a record of the means by which consent was given.
3. The data held on members is restricted to name, address, telephone number, email address, playing status and subscriptions paid. Data is used for contacting members regarding the business of the orchestra.
4. The data held on supporters is restricted to name, address, email address and information on recent ticket purchases.
5. The data held on concert organisers is restricted to name, address, telephone number, email address and information on concerts.
6. We use your data to keep members informed of orchestra activities, to keep supporters informed of concerts and to correspond with concert organisers.
If you provide contact information, and unless you specify otherwise, we will assume that this includes consent for us to use the data for the purposes listed above.
7. The president of the orchestra is the data protection officer. The Data Controller is the Caledonian Fiddle Orchestra. The Processor is appointed by the committee of the orchestra. The orchestra uses no external data processors.
8. The Controller determines the purposes and means of processing personal data.
9. The Processor is responsible for processing personal data on behalf of a controller
10. The orchestra retains no information considered to be in special categories of personal data.
11. The orchestra issues this privacy notice to all individuals for whom it holds data, which includes the legal basis for processing as well as the purposes of the processing. The privacy notice explains the data which the orchestra holds.
12. The orchestra keeps a record of the privacy statement.
13. You always have the right to
a. Be informed as to how we use your data (this privacy notice)
b. Access or request a copy of the data we hold about you,
c. Update your information and/or manage communications preferences at any time
d. Ask us to remove your data from our records.
14. The orchestra welcomes younger players and requires that a child is accompanied by a parents or guardian. Personal data will be taken from the parent or guardian and not from the child.
15. Data on members is retained for historical purposes (typically for commemorative events) and deleted on request of the member or on intimation of the death of the member.
16. Data on supporters is deleted after 6 years if no tickets are purchased in that period.
17. Data on concert organisers is retained for 10 years after the last concert performance
18. No personal information will be shared with other organisations or individuals without the explicit consent of the supporter or member.
19. Given the small number of individuals we hold data on, no profiling or processing of data is performed.
20. All data is backed up and held securely by the Processor. In the event of loss of any or all data, deleted data may be restored from backup copies of data. Backup data is retained for a limited period. In the event of restoration from backups, we will follow all reasonable steps to ensure that deletion requests are taken into account in the restored data.
21. The orchestra’s policy is that all data is retained securely and is accessible only by office bearers and committee members of the orchestra. Individuals who cease to be committee members or office bearers will not have access to data.
22. No international data transfer is envisaged save for the use of secure cloud storage.
23. This policy and adherence to it is reviewed annually by the committee. This review will include awareness sessions for all committee members including a data protection impact assessment. All members of the committee and office bearers accept the need to comply with data protection legislation and to promote a positive culture of data protection across the business of the orchestra.
24. In the event of a breach of data protection the president will let the Information Commissioner's Office (ICO) know at the earliest possible moment.
25. The orchestra is not required to pay a data protection fee because the nature of the data is only retained for the purposes of:
a. Membership administration
b. Advertising, marketing and public relations
Any questions concerning this policy should be directed by email to firstname.lastname@example.org