K20 Cycling Club

Privacy policy

Your Personal Data - What is it?  

Personal data relates to information concerning a living individual who can be identified from that data.  Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.  The processing of personal data is governed by The General Data Protection Regulation 2016/679 (the GDPR).  This is designed to safeguard your personal information.

Who we are

In terms of your personal data and from a legal perspective, K20 Cycling Club is the data controller.  As such, we are committed to maintaining the trust and confidence of our members and visitors to our website and on other occasions when data is voluntarily provided to us by ‘data subjects’.  This Privacy Policy provides detailed information on when and why we collect or process your personal information and how we use it.  

Categories of Personal Data Processed.  

The types or categories of personal data which we collect and hold about you include your:

  • Name

  • Postal address

  • Email address

  • Mobile and/or landline number

  • Date of birth

  • Gender

  • Club events for which you have registered and attended in the past

  • Photographs and video footage taken during club activities and events

  • Other.  This will include information which you supply on the Club’s (restricted access) membership website which may include your cycling interests and the details of a person to contact in case of emergency (ICE)

  • From time to time we may request additional information from you and such data will be treated in the same manner as all other data held on you.

  • Minutes of meetings and other records of decisions may include your name and other information about you.

Generally, none of this information is available or visible to anyone other than Club Officers who require access to it for specific purposes in order to manage Club activities, or other members of the Club via the secure Member Directory. Members have full control over what other members see of their personal details and may turn off part or all of that data so that it is not visible in the Member Directory.  If you participate in an event or other activity we may need to provide your name and possibly other details (such as dietary requirements) to other stakeholders.

How do we process your data and what do we use it for?  

K20 Cycling Club complies with its obligations under the GDPR by keeping your personal data up to date (although we require your assistance to do this effectively by maintaining your own membership record when changes occur), by storing and where appropriate destroying it securely, by holding your data for no longer than is necessary for the purposes for which that data is processed, by not collecting or retaining excessive amounts of data, by protecting that data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect your personal data.  

We use your personal data for the following reasons:

  • To deliver the services that individuals have requested

  • To inform members of news, events, activities and opportunities within K20 Cycling Club

  • To allow members to contact one another, should they wish to do so. It should be noted that the Club Constitution states that the Club is committed to everyone having the right to enjoy their sport in an environment free from threat of intimidation, harassment and abuse.  Any member therefore found to be using another member’s data to communicate in a manner deemed to be abusive, threatening or intimidating will be subject to disciplinary action likely to lead to immediate expulsion from the Club. 

  • To process payments for Club events and/or voluntary charitable donations to the Club’s charities

  • As an efficient means of communicating quickly and effectively with the Club’s membership

  • To ensure the smooth running of Club operations and events at an appropriate standard.

What is the legal basis for processing your data?  

Data Controllers must have a lawful basis for processing Personal Data under the General Data Protection Regulation and these are set out in Article 6.1 of the Regulation and are noted below.  It is important to note that there is no hierarchy of legal bases on which to process personal data; all are equally valid. 

  • CONSENT – the individual has given their Consent to the processing of their Personal Data.

  • CONTRACTUAL - processing of Personal Data is necessary for the performance of a contract to which the individual is a party or for the Controller to take pre-contractual steps at the request of the individual.

  • LEGAL OBLIGATION - processing of Personal Data is necessary for compliance with a legal obligation to which the Controller is subject.

  • VITAL INTERESTS - processing of Personal Data is necessary to protect the vital interest of the individual or of another individual.

  • PUBLIC TASK - processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

  • LEGITIMATE INTERESTS – processing is necessary under the Legitimate Interests of the Controller or Third Party, unless these interests are overridden by the individual’s interests or fundamental rights.

We process your data on the basis of Consent (when you join) and Legitimate Interest.  

Legitimate Interest is defined as the interests of the Club, as a membership organisation, in conducting and managing our business to enable us to give you the best service in the most efficient and secure way, thereby fulfilling your reasonable expectations of membership.  For example, we have an interest in making sure you are kept informed of forthcoming Club events and activities so that you can register for and participate in them where applicable and appropriate.  When we process your personal data for our legitimate interests we make sure to consider and balance any potential impact on you (both positive and negative) and your rights under data protection laws.  Our legitimate operational interests do not automatically override your interests and we will not use your personal data where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by the law.

Collecting your personal data 

We only collect and retain personal data which you provide to us as part of the process of obtaining and retaining membership of K20 Cycling Club.  If your personal data changes then you should tell us either by updating your membership profile on the membership system or by informing us so that we can do this on your behalf.  In the first instance, we would expect you to update your own personal information via the secure member area of the Club website.

Sensitive personal data  

We will never collect sensitive personal data about you without your explicit consent and a clear explanation why it might be required.  

Sharing your personal data  

We will not sell, pass on or share your data with any commercial or charitable organisation, with the exception of data which is required on occasion in order to manage certain activities.  For example, when registering your details for a specific activity or event, we may pass on specific dietary requirements for catering, as requested by you.

Making Payments

In due course, K20 Cycling Club aims to manage card payments via the Club’s website and, in such cases, these will be handled by Stripe (https://stripe.com/gb) while direct debits will be handled by GoCardless (https://gocardless.com/).  Both are GDPR compliant.

If making or receiving payments to or from the Club by other methods (such as Bank transfer) your personal data, as provided by you, may be stored by the Club or the Club’s bank in order that payments can be processed quickly and efficiently.  In all cases this data is stored securely and is never passed on to any other third party.

How long do we keep your personal data?  

We would normally expect to keep your personal data for as long as you remain a member of the Club.  If you allow your membership to expire, your data will be deleted within 90 days if you fail to renew in that time.

Further processing  

If we wish to use your personal data for a new purpose, not covered by this Privacy notice, then we will provide you with a new notice explaining this use prior to commencing the processing, setting out the relevant purposes and processing conditions.  Where and whenever necessary we will seek your consent prior to any new processing.

Transferring your data abroad 

Member personal data is held on the Club membership system (MembershipWorks), which is a cloud-based platform operating from the US (https://membershipworks.com/).  As such, it is required by law to be compliant with EU regulations on data protection. You may read more in their Data Processing Addendum at https://membershipworks.com/dpa/.

MembershipWorks uses ‘Amazon Web Services’ servers to store, secure and backup data.  AWS is also fully compliant with the requirements of GDPR.  See https://aws.amazon.com/compliance/gdpr-center/ for further information.

Club Guests

For the purposes of administering Club activities efficiently, we may collect and process data on Club guests, whether they be guests of Club members attending Club events, or individuals who may have registered to attend certain Club events.  We apply the same standards of data processing with regard to guest information as we do for Club members.

The Public

The Club may enter into correspondence with members of the public, such as enquirers, correspondents, etc.  When it does so the Club may collect incidental personal data such as contact details and personal circumstances, and process such data in order to respond to queries and deal with ad hoc issues.

Suppliers

The Club processes personal data concerning its suppliers of goods and services (such as Club clothing) including identifiers such as contact details, financial information and purchase history.  The Club processes such information in order to purchase goods and services and to pay its suppliers and to maintain its accounts and records.  This will usually be done on a Contractual basis.

Automated Decision Making and Profiling

The Club does not employ any automated decision making or conduct profiling of data subjects.  However, under Legitimate Interest, we may periodically send you information so that you are informed of member renewal notifications or upcoming events in which you might be interested or for which you have already registered.  These may be automated processes but they do not involve automated decision making or profiling.

Your rights and access to your personal data

Unless subject to an exemption under GDPR, you have the following rights with respect to your personal data:

  • The right to be informed about the processing of your personal data

  • The right to request access to your personal data and to obtain information about how we process it

  • The right to request a personal copy of your personal data which K20 Cycling Club holds about you

  • The right to request that K20 Cycling Club corrects any personal data if it is found to be inaccurate, incomplete or out of date

  • The right to request that your personal data is erased where it is no longer necessary for K20 Cycling Club to retain such data

  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing

  • The right to object to the processing of personal data

  • The right ‘to be forgotten’ and for all your personal data held by K20 Cycling Club to be erased

  • The right to data portability where you can request and obtain your personal data for your own purposes which allows you to move, copy or transfer personal data easily from one IT environment to another

  • The right to lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk/concerns)

Details of how to access your data are below under Contact Details.

K20 Cycling Club Website - SquareSpace

K20 Cycling Club’s website is hosted at SquareSpace (SquareSpace Ireland Limited).   K20 Cycling Club will use anonymous information collected on the site by technical ‘Cookies’ for the sole purpose of monitoring and reporting on the effectiveness of the site and to help us improve it.  We DO NOT use advertising ‘Cookies’.

For more information about SquareSpace and how SquareSpace processes data, please see the SquareSpace Privacy Policy.

People who email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Contact Details

Members of K20 Cycling may access, view and amend their own personal data by logging into the membership area of the website.

To exercise any relevant rights, or to raise queries or complaints in relation to ‘Privacy’, please contact K20 Cycling Club in the first instance by email at privacy@k20cyclingclub.org

If your communication is more general, please use the contact form on the homepage of the website or email us at info@k20cyclingclub.org

Changes to this Privacy Policy

We may change this privacy notice from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We encourage you to check this privacy notice for changes whenever you visit our website. 

This policy does not document every part of the GDPR legislation which may be relevant but merely focuses on the key aspects that are likely to be applicable to K20 Cycling Club.  

Should other issues arise in practice not covered by this policy the Club will consider these separately at the time. 
