General Data Protection Regulation Policy

1. Introduction

The GDPR applies to personal information about individuals which is held on a device or in a manual filing system, or which is recorded with the intention that it will be part of such systems.

The GDPR is concerned with the right of the individual (the Data Subject) to know what information is being held about them, for what reason and how the information will be used. It also provides ways that the information can be accessed, rectified, erased and objected to. The GDPR outlines principles to ensure that:

  • Individuals have the right to be informed about the collection and use of their personal data
  • Individuals have the right to understand retention periods of personal data and who it will be shared with (called privacy information) The CPCT must provide privacy information to individuals at the time of collection
  • The information provided to individuals is concise, transparent, intelligible, easily accessible, and presented using clear and plain language.
  • Individuals have the right to access their personal data
  • Individuals have the right to rectify/adjust their data
  • Individuals have the right to be deleted. Any requests made either verbally or in writing must be actioned within one month
  • Individuals have the right to restrict the use of their personal data – any requests must be responded to in one month

Individuals have the right to object to processing including the use of their personal data for statistics, research & direct marketing (including profiling)At the CPCT we collect personal data and ensure that it is:

  • obtained only for specified purposes
  • relevant to the purposes for which it is processed
  • accurate and kept up to date
  • not kept for longer than is necessary – in most cases two years but some governance documents for six
  • processed according to the rights of the Data Subject under the GDPR
  • protected against unauthorised processing, accidental loss or damage
  • not transferred to areas outside of the European Union (including via websites)
  • not shared with third parties without the consent of the data subject, in which case the consent will be recorded

Crystal Palace Community Trust holds personal information on volunteers/staff/service users. The designated data protection officer is the Trust Manager Tracey Skillern in her absence all requests should be made to Lucy Hopkins, Marketing & Community Engagement Officer.

2. Scope of the policy

  • Personal records will be stored at the CPCT in accordance with its procedures
  • CPCT staff and volunteers, other than designated persons in the course of their duty, do not have access to personal information on other staff or volunteers
  • When staff and volunteers leave the organisation, all personnel documents will be kept in accordance with CPCT procedures
  • Staff and volunteers have the right to see the information held on them by CPCT. Requests should be in writing to the Trust Manager and the CPCT will provide a copy of the information within two weeks of receiving the request. No charge is made
  • Information about individuals will not be disclosed to any third party outside of CPCT without the permission of the individual
  • Where photographs of staff or service users are used to publicise or promote the organisation, permission will be sought from individuals and the photographs held and consequently used for no more than two years

This policy will be used in conjunction with other policies if applicable including the:

  • Confidentiality Policy
  • CCTV Policy
  • DBS data storage Policy
  • Photographic Permissions Policy