General Data Protection Regulation (GDPR)

Introduction

The General Data Protection Regulation came into force on 25th May 2018. Under the regulation we are required to:

• tell you what data we hold on you;
• obtain your consent to hold such data;
• take reasonable precautions to secure your data;
• provide you with a copy of such data on request;
• allow you to change or delete any data we hold on you;
• delete personal data that are no longer required.

You will of course realise that if you ask us to delete all your data you will effectively have left the Association.

What Data We Hold

The data we hold fall into two categories: the membership database and membership accounts.

The database holds the following data:

• your contact details (name, postal address and email address if applicable);
• membership number and type, year of joining (if known);
• post code (copy for sorting and filtering), local station code;
• date of last renewal and payment type (PayPal, cash, cheque or automated);

The membership account shows all payment details for the year, including payment type and cheque details if applicable. The account is sent to the Treasurer by email and used to reconcile the bank and PayPal statements. The Treasurer supplies details of automated payments (online banking, standing orders, etc.) to the Membership Secretary. Year end accounts are held for a number of years in accordance with normal practice.

Security

The database is held on a personal computer which is behind two firewalls which both block incoming requests. It is not currently encrypted. Regular backups are made to a separate device.

No personal data are stored on the web server or in “the cloud”. However data entered on web forms are transmitted to the Membership Secretary by email. Mail to our domain (mmpa.org.uk) is forwarded by our host’s mail server to the recipient.

We do not pass personal data to any third party, and will not do so unless compelled by law.

Email distribution of newsletters etc. will not show the addresses of all recipients. Messages will either be sent individually including by mail-merge or mailing list, or to undisclosed recipients (i.e. BCC).

Access

You are entitled to request a copy of the current data we hold on you.

You may also request that any or all such data are amended or deleted.

Requests should be sent by email to membership@mmpa.org.uk.

Please be aware that although we can delete or amend all current data it will not be feasible to update archived backup copies.

Use of Data

Your contact details are used primarily to send you newsletters, membership reminders and ad hoc communications.

We do not in general send out marketing material. There may be occasions when a train operator makes a special offer that is beneficial to members, and this could be communicated via the newsletter or direct email.

We do not in general carry out any processing of personal data. The only exception is that we may occasionally produce statistical data such as the distribution of members between local stations or postcode districts.

Consent

Because your details are only used to communicate with you and the operation of your membership would not be possible without those details, it is not necessary for you to give explicit consent. Applying for or renewing your membership implies consent for the information you supply or supplied to be used for the purposes for which it was supplied.