Data Protection Policy

Aims of this Policy

The Committee of the English Speaking Alcoholics Anonymous Berlin Convention is committed to protecting the privacy and security of its members', volunteers' and event attendees' personal information.

We need to keep certain information on our members, volunteers and attendees to carry out our operations, to meet our objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in accordance with the General Data Protection Regulation (GDPR). To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation, including how we collect and use personal information about you during and after your relationship with us.

By following good practice we can protect members, volunteers and attendees as well as the Alcoholics Anonymous fellowship as a whole.

This policy covers all committee members and volunteers.

Definitions

In line with the General Data Protection Regulation (GDPR) principles, the Committee of the English Speaking Alcoholics Anonymous Berlin Convention will ensure that personal data will:

  • Be obtained fairly and lawfully and in a transparent way
  • Be collected only for valid purposes that are clearly explained and not used in any way that is incompatible with those purposes
  • Be relevant to the purposes collected for and limited only to those purposes
  • Be accurate and kept up to date
  • Be kept only as long as necessary for the purposes it was collected for
  • Be kept securely

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

  • Accountability: Those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
  • Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
  • Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
  • Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
  • Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Type of information processed

The Committee of the English Speaking Alcoholics Anonymous Berlin Convention processes the following personal information:

Fellowship members’ personal data

  • Names
  • Email addresses
  • Addresses (only city or country, or when the full address has been provided as part of a request for promotional material)
  • Telephone numbers (only for specific purposes)
  • Bank details (only for payments follow-up and reimbursement process)

Committee and volunteers’ personal data

  • Names
  • Email addresses
  • Telephone numbers
  • Addresses (only committee members)
  • Bank details (only committee members)

Professional contacts’ personal data

  • Names
  • Job Titles
  • Email addresses
  • Addresses
  • Telephone numbers

Personal data is kept in the following forms:

  • Electronic – emails/computer files/password protected files on cloud services/telephone speed dial
  • Paper – letters/forms/business cards/minutes/meeting reports/directories

Groups of people within the organisation who will process personal information are:

  • Committee members

Responsibilities

Under the General Data Protection Regulation, overall responsibility for personal data in a voluntary organisation rests with the governing body. In the case of the English Speaking Alcoholics Anonymous Berlin Convention this is the convention committee.

All committee members who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.

Breach of this policy may result in disciplinary proceedings.

Policy Implementation

To meet these responsibilities the committee members will:

  • Ensure any personal data is collected in a fair and lawful way;
  • Explain why it is needed at the start;
  • Ensure that only the minimum amount of information needed is collected and used;
  • Ensure the information used is up to date and accurate;
  • Review the length of time information is held;
  • Ensure it is kept safely;
  • Ensure the rights people have in relation to their personal data can be exercised.

We will ensure that:

  • Everyone managing and handling personal information is trained to do so.
  • Anyone wanting to make enquiries about handling personal information, whether a member of staff, trustee or sub-committee member, knows what to do.

Training

Training and awareness raising about the General Data Protection Regulation (GDPR) and how it is followed in this organisation will take the following forms:

On induction: a copy of this policy will be issued.

General training/awareness raising: all committee members and data handling volunteers will receive a copy of this policy and any updates as required. Ongoing training will be given as necessary.

Gathering and checking information

Before personal information is collected, we must ensure that we only request the minimum information to fulfil the task required.

We will inform people whose information is gathered how we intend to use their personal data.

To ensure that personal information kept is accurate, anyone submitting it should be made aware of how they can update or change it, or request that their data be removed from our records.

Sensitive personal information will not be used for anything apart from the exact purpose for which permission was given.

Retention periods

The Committee of the English Speaking Alcoholics Anonymous Berlin Convention will ensure that information is kept according to the following retention period guidelines:

GOVERNANCE

  • Organization meeting minutes: Archived
  • Convention Reports: Archived
  • General correspondence: One year unless ongoing query/legal

FELLOWSHIP

  • Mailing list: Until stop using service
  • Volunteer details: Six months
  • Correspondence (email/mail): 1 year unless ongoing query/legal
  • Committee member details: 1 year unless or until they stop volunteering

FINANCE

  • Bank details (committee members, volunteers): 1 year
  • Supplier details: Archived
  • Order details (mail/online): 3 years (legal)
  • Ticket buyers: 3 years (legal)

OTHER

  • Professional contacts: Until no longer used

Data Security

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

  • All committee emails are password protected
  • All e-mails from the official convention e-mail address are encrypted
  • All storage devices and cloud services are password protected

Procedure in case of a breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes, for example sending personal information to an unintended addressee, or theft/loss of a laptop containing personal data.

In the event of a personal data breach please inform the chair of the convention committee via e-mail to convention.berlin@aamail.org

Individual Rights

Anyone whose personal information we process has the right to know:

  • What information we hold and process on them
  • How to gain access to this information
  • How to keep it up to date
  • What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong. They can also request their data be transferred to another party.

Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to convention.berlin@aamail.org

We may also require proof of identity before access is granted.

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request.

Review

This policy will be reviewed yearly (or as necessary) to ensure it remains up to date and compliant with the law.

If you have any questions about this policy, please contact the chair of the convention committee at convention.berlin@aamail.org