B&MK and its wholly owned subsidiary, Bedford Milton Keynes Waterway Enterprise Limited, hereinafter referred to as “The Trust”, strives to comply with applicable laws and regulations related to Personal Data protection. This Policy sets forth the basic principles by which the Trust processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals
The Principles of the GDPR
- a) All Personal Data shall be processed fairly and lawfully, and shall not be processed unless certain conditions are met.
- b) Personal Data obtained for a specified and lawful purpose, shall not be processed in any manner incompatible with that purpose.
- c) Personal Data collected shall be adequate, relevant and not excessive for those purposes.
The Trust shall ensure that Personal Data is accurate and shall take reasonable steps to ensure it is kept up to date.
- d) The Trust will ensure that Personal Data is not being kept for longer than is necessary for that purpose, being set out in the Data Retention Policy.
- e) All Personal Data will be processed in accordance with the data subject’s rights.
- f) All Personal Data will be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures.
- g) Personal Data will not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Use of Personal Information
The Trust will use data for the following main purposes:
- Communication of Member Events, Marketing Events, Consultations.
- Distribution of marketing information, such as, but not limited to, the following; - Newsletters, Articles, Trust Updates, Press Releases.
- Processing of data to analyse website usage. The usage data may include: IP address, geographical location, browser type and version, operating system, length of visit, pages viewed, number of pages viewed. The source of the usage data is the Web-hosting analytic tools, with the data being used to analyse website usage, monitoring and improving the Trust’s websites.
- Financial Transactions will be shared with The Trust payment service providers. The Trust’s websites do not store any data related to financial transactions.
Users’ Rights of Access to Personal Data held by The Trust
Personal Data held for Individuals, Members and Businesses have the following rights:
- a) To access any personal data held;
- b) To rectification of any personal data held;
- c) To erasure of any personal data held;
- d) To restrict processing of any personal data held;
- e) To object to processing of any personal data held;
- f) To request data portability to 3rd party of any personal data held that consent has been provided for;
- g) To complain to the Supervisory Authority; and
- h) To withdraw consent for use and processing of personal data.
Right to request Access to Personal Data held by The Trust
An individual may request The Trust to provide any personal information held about them. The provision of such information will be subject to: -
Provision of appropriate evidence of their identity, such as - photocopy of their passport certified by a solicitor or bank official, copy of utility bill, or similar, showing their current address, official authorisation from a senior manager/director of business.
The Personal Data held by The Trust is subject to active consent by the data subject. The consent can be revoked at any time via notification by mail, email or on-line website forms. The Trust will provide the user with the opportunity to Opt-Out of the use of their personal information for marketing purposes.
Right to be forgotten
The data subject may request that information held about them is deleted or removed and any third party who process or use that data must also comply with the request. An erasure request can only be refused if required to retain the information for compliance with a legal obligation to which The Trust is subject to in order to protect the data subject’s interests.
Retaining and deleting personal data
Personal Data held by The Trust shall not be kept for longer than is necessary.
The Trust will retain and delete personal information as follows:
- a) Personal Members’ Data will be retained for their duration of membership and deleted from the system 6 months after membership expires.
- b) Personal Data for purposes of Marketing Events, Newsletters, Articles, Press Releases, Consultations, will be retained as long as it is relevant and consent has not been withdrawn.
- c) Personal Data will be deleted from the database if the contact information (Postal Address, Email Address) is no longer relevant and will be actioned within a month of any notification of such personal Data becoming irrelevant.
The Trust will treat all personal information as private and confidential and will not disclose any data to anyone outside of The Trust.
All Trust Board Directors, Trustees, staff and volunteers who have access to Personal Data will be required to sign a Confidentiality Policy and a Data Protection Policy.
The Trust will ensure that all personal data is kept securely and only accessed by identified individuals. No access will be allowed by 3rd Parties who are not employed by the Trust
Upon request and validation of their identity, a data subject has the right to receive a copy of their data held by The Trust in a structured format. Requests for data will be processed within one month of receiving the request, providing there is no undue burden or does not compromise the privacy of any other individual. A data subject may also request that any data held by The Trust be transferred directly to another 3rd Party system at no additional cost.