- The Board of Trustees of the Pembrokeshire Agricultural Society (PAS), hereinafter the ‘Society’ is the Procesor under the General Data Protection Regulation, which means that it determines what purposes personal information held, or will be used for. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.
- Pembrokeshire Agricultural Society Board of Trustees are registered with the Information Commissioner’s Office as a Data Controller (DC).
- The Processor of PAS, hereinafter ‘DP’, needs to gather and use certain information about individuals.
- These can include clients, customers, suppliers, business contacts, employees and other people the Society has a relationship with or may need to contact.
- This policy describes how this personal data must be collected, handled, stored to meet the practice’s data protection standards-and to comply with the law. It also outlines how requests for access to the data will be treated.
- This data protection policy exists to ensure that the Society
- Complies with Data Protection law and follows good practice
- Protects the rights of staff, clients, customers and partners
- Is open about how it stores and processes individual’s data
- Protects itself from the risks of a data breach.
- The General Data Protection Regulation describes how organisations must collect, handle, and store personal information.
- These rules apply regardless of whether data is stored electronically, on paper or on other materials.
- To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
- The General Data Protection Regulation is underpinned by six important principles. They say that personal data must be:
- Processed lawfully, fairly, and transparently
- Collected for specific, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary for processing
- Accurate and, where necessary, kept up to date.
- Kept in a form such that the Data Subject can be identified only as long as is necessary for processing
- Processed in a manner that ensures appropriate security of the personal data
- This policy will be updated as necessary to reflect best practice in data management, security, and control and to ensure compliance with any changes or amendments made to the General Data Protection Regulation.
- This policy applies to:
- All Trustee’s and employees of the Society that includes management, trainees, volunteers, work experience students and support staff.
- All contractors, suppliers and other people working on behalf of the Society
- It applies to all data the organisation holds relating to identifiable individuals. This can include but is not limited to:
- Names of individuals, postal addresses, email addresses, telephone numbers, financial data, business names, plus any other personal sensitive information relating to individuals.
- Everyone who works for the Society has responsibility for ensuring data is collected, stored and handled appropriately.
- This policy will be updated as necessary to reflect best practice in data management, security, and control and to ensure compliance with changes or amendments made to the General Data Protection Regulation (GDPR) 2018.
- The Society will, through appropriate management and strict application of criteria and controls:
- Observe fully conditions regarding the fair collection and use of information
- Meet its legal obligations to specify the purposes for which information is used
- Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
- Ensure the quality of information used
- Ensure appropriate retention and disposal of information
- Ensure that the rights of people about whom information is held, can be fully exercised under the GDPR. These include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
- Take appropriate technical and organisational security measures to safeguard personal information
- Ensure that personal information is not transferred outside the European Economic Area (EAA) without suitable safeguards
- Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
- Set out clear procedures for responding to requests for information
- Information and records relating to service users will be stored securely and will only be accessible to authorised staff and data processors.
- Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.
- The Data Processor will ensure all personal and company data is non-recoverable from any computer system previously used by the Society which has been passed on/sold to a third party.
- All individuals/data subjects have the right to access the information Data Processor holds about them.
- If an individual contacts the Society requesting information held about them a request will be made to them for photographic ID and if none of the exemptions arise, the information will be provided within one month of the request.
- In addition, the Data Processor will ensure that:
- Everyone processing personal information understands that they are contractually responsible for following good data protection practice
- Everyone processing personal information is appropriately trained
- Everyone processing personal information is appropriately supervised
- Anybody interested in making enquiries about handling personal information knows what to do
- It deals promptly and courteously with any enquiries about handling personal information
- It describes clearly how it handles personal information
- It will regularly review and audit the way in which it holds, manages and uses personal information
- The Data processor may share data with other agencies such as government departments and other relevant parties e.g. payroll provider, accountants, HR Contracts. Data in Show Schedules and Catalotues .
- The individual/data subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows the Data Processor to disclose data (including sensitive data) without the data subject’s consent. These are:
- Carrying out a legal duty or as authorised by the Secretary of State
- Protecting vital interests of an individual/data subject or other person
- The individual/data subject has already made the information public
- Conducting any legal proceedings, obtaining legal advice or defending any legal rights
- Monitoring for equal opportunities purposes – i.e. race, disability or religion
- Providing a confidential service where the individual/data subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or all individuals’/data subjects to provide consent signatures.
- The Data Processor will ensure that she/he and all employees are appropriately trained in Data Protection and particularly the policies of data processing C annually.
- If new members of staff commence work with PAS they will be provided with data protection training as soon as is practicable
- The Data Processor will keep a register of all training provided to staff.
- If a breach occurs, details will be recorded of the breach and the Data Processor will consider what action should be taken.
- A record will be kept of any decision making process in this regard, the Trustees of the Society and the Directors of the Company will be informed in writing of any breach or loss.
- The Society will keep a record of all devices holding information subject to the GDPR (listing IMEI numbers; location; users).
- They will also keep records of any actual breaches or near misses so as to update training and education.
- Staff using a mobile device will report the loss or theft of any such device immediately to the Data Processor.
How to contact us
E-mail to: firstname.lastname@example.org
Or write to Pembrokeshire Agricultural Society, Haverfordwest Showground, Pembrokeshire, Wales, SA62 4BW
Pembrokeshire Agricultural Society
01437 764 331