Introduction
Information about the UK General Data Protection Regulation (UK GDPR) is available at the Information Commissioner’s Office (ICO). The ICO describes personal data as any information relating to an identified or identifiable natural person. The club revised its Privacy Policy in July 2024, taking account of the latest information from the ICO, Cycling UK and developments in mobile devices for taking photos and video footage. The new policy will take effect from 1 August 2024.
Lawful processing
The UK GDPR requires organisations to comply with at least one of its lawful bases for processing personal data. The club complies with the Legitimate Interest basis since it processes the personal data to organise cycling activities for its members.
Information collected and consent
The club collects the following information and obtains consent as described herein:
- name – consent is given when you join the email distribution list
- email address – consent is given when you join the email distribution list
- phone number – consent is given when you volunteer to lead a ride or join the club WhatsApp group
- a group photo – consent is given when the photographer has obtained your verbal consent before the photo is taken (it is reasonable if the photographer requests this consent once per ride). Club members will also have the option of absenting themselves from any photo to be taken (and the photographer should allow this opportunity)
- other information that the club requires if you enter a specific event such as an external cycling event (e.g. an audax) or cycle/camping event – consent is given when you apply to join the event
- other information that the club requires for Cycling UK – consent is given when you join the club which is affiliated to a national cycling organisation with its own privacy policy
Information processing
The club processes your personal information as follows:
- your name and phone number will be on the list of ride leaders on the club website if you volunteer to lead a ride
- your email address will be used to provide you with information about rides and other cycling related activities via Google Groups
- your presence in group photos may be on the club website
- your name may appear on the club website as part of the list of most frequent attendees of club rides
- your name may appear on the club website in any Articles describing recent events such as cycle/camping trips
- your name and phone number will appear on the club WhatsApp group
Systems implications
In UK GDPR matters, the club is the Data Controller of your personal data and is ultimately responsible for it. The club will use various IT services as a Data Processor.
The club uses the company 123 Reg as Data Processor for its website and Google as Data Processor for its email distribution system. Although both companies process information outside of the UK, they comply with the latest UK regulations on international transfers. Only the club committee and website admin can publish personal data on these systems.
The club uses WhatsApp for “chat” purposes. Although WhatsApp processes personal information, the company claims its system is only for personal use rather than organisational use and provides little information about data protection. By its nature, any member of the group can publish personal data to the “chat” area. Personal data is not held centrally since it is immediately uploaded to camera rolls on the phone of each group member.
Prohibited processing
The club has decided to introduce two policies to ensure that it complies with the UK GDPR. Both of these policies reflect recent developments in technology and may well be revised again following advice from the ICO.
Members of the WhatsApp group may only publish personal information identified in the above Information Collected section since the club will not have obtained consent to publish any other personal information, e.g. someone’s home address.
Club members should not record video footage of club rides since it is impractical to obtain the consent of all members included in the footage and there is no other legal basis to make the recording. The only exception would be if club members made a video recording solely for the purpose of providing evidence of an accident or driving offence in which case the recording may not be published anywhere including social media sites such as WhatsApp and the recording should be deleted within one week.
Remedial actions
The club has a significant number of photos on the website and many of these will have been taken without consent of the subjects. It is not practical to contact all members on these photos so instead club members may contact the club secretary to request removal of a photo.
Members of the WhatsApp group will be asked to delete all existing “chats” ready for the implementation of the new privacy policy in August 2024 and to follow the guidelines thereafter. Administrative rights in the group should only be given to committee members.
Your rights
The club complies with each of your rights under the UK GDPR:
- The right of access – your personal data can be viewed on the website or WhatsApp group
- The right to rectification – your personal data can be rectified on the website via a page edit or the WhatsApp group via a new “chat”
- The right to erasure or right to be forgotten – your personal data can be removed on the website via a page delete or the WhatsApp group via a new “chat” asking members to delete the relevant “chat” on their phones
- The right to restriction of processing – processing of your personal data could be removed from any of the club’s processing by contacting the club secretary
- The right to be informed – your personal data can be viewed on the website or WhatsApp group
- The right to data portability – your personal data can be exported from the website by contacting the club secretary or from the WhatsApp group by accessing the system yourself
- The right to object – you can object to the use of your personal data by contacting the club secretary
- The right not to be subject to a decision based solely on automated processing – the club does not take any decisions based on automated processing