The Privacy Notice is available to download as PDF: Westerlands CCC Privacy Notice. This has been reproduced for convenience below.
Westerlands Cross Country Club SCIO (SC049593) is committed to protecting and respecting your privacy.
For any personal data you provide, Westerlands Cross Country Club SCIO (SC049593) is the Data Controller and is responsible for storing and otherwise processing that data in a fair, lawful, secure and transparent way.
Your data is not processed for any further purposes other than those detailed in this policy without further consent.
1) What personal data we hold on you and why we need your personal data
You may give us Personal Data by filling in forms or corresponding with us by phone; by e mail; on social media platforms, in person or otherwise. This includes information you provide when you register or renew your membership with the organisation; participate in our events; or engage with our website and social media pages.
The reason we need your Personal Data is to be able to administer your membership and provide the services you are signing up to when you register for membership with the organisation, or participate in the organisation’s events.
Our lawful basis for processing your personal is that we have a contractual obligation to you as a member or participant to provide the services you are registering for.
Membership and management of the organisation:
The organisation will collect and process your name; a method of communication (normally e-mail address); membership status (including first, dual first, second claim or social); confirmation that you are over 18; and confirmation that you have not been expelled from athletics organisations to be able to deliver the services you signed up for. The organisation may also collect details of age and gender for the arranging of teams based on those categories.
These data will be gathered by membership form upon joining and confirmed annually upon membership renewal to ensure the data is up to date.
In addition, the organisation may collect and process other personal data including: phone number(s); address(es); athletics identifier(s); social media identifier(s); age information (including race age category; and date of birth); gender; and the details of any other athletics club(s) that you are registered with.
Your information may be used for:
- processing of membership and membership subscription payments;
- sharing data with and from trustees and committee members to provide information about membership renewals;
- sharing data with and from trustees, committee members and members to provide information about the organisation’s activities;
- sharing data with a governing body, including Scottish Athletics; and Scottish Hill Runners;
- sharing data with regulatory bodies, including the Office of the Scottish Charity Regulator;
- responding to and communicating with members regarding questions, comments, support needs or complaints, concerns or allegations in relation to matters of the organisation;
- sharing data with and from members to arrange events and races;
- sharing data with and from members to promote activities, achievements and running related news;
- analysing anonymised data to monitor trends in the organisation;
- sharing anonymised data with event organisers and members to track numbers of participants;
- sharing data with trustees and committee members to arrange a member vote or petition member opinion;
- sharing data with captains or team managers, and competition providers for entry in events;
- publishing of race and competition results; and
- sending marketing communications about fundraising or selling the organisation’s merchandise.
For electronic payment:
In addition to the data described above, the organisation offers electronic payment methods (including bank transfer) that may require the organisation to process your banking details (including account number; and sort code). These will not be shared with any third party except the organisations banking services provider(s) and will be deleted as soon as practicable after any transfer has been made.
The Club’s banking service providers are Bank of Scotland and PayPal. The banking service providers have their own privacy policies and the organisation does not accept any responsibility or liability for these policies.
For the organisation of catered events:
In addition to the data described above, the organisation may gather information on dietary requirements and allergies for events where food is provided. These anonymised data may be shared with catering providers: both third party caterers and other members of the organisation providing catering. Any special category health data we hold on you is only processed for the purpose(s) of safe running of the event.
We process this data on the lawful basis of consent. Therefore, we will also need your explicit consent to process this data, which we will ask for at the point of collection. This information will be deleted no more than six months after the event.
Third party catering providers have their own privacy policies and the organisation does not accept any responsibility or liability for these policies.
For the organisation of races and running events:
The organisation operates races and running events for both members and non-members. In order to operate races and running events; and for participants’ safely, the organisation may need to collect and process Personal Data.
The organisation may require: name; race category (age grouping and gender); contact details (including email, address and phone number); club affiliation; social media and athletics identifiers; the emergency contact details of another person (including email, address and phone number); and transportation details (including registration details for vehicles parked at the event).
The organisation may also need to collect a declaration of your fitness and competence to complete the event. Any special category health data we hold on you is only processed for the purpose(s) of safe running of the event. We process this data on the lawful basis of consent. Therefore, we will also need your explicit consent to process this data, which we will ask for at the point of collection.
Through the operation of the event, the organisation may generate timing data based upon your performance; and gather photographs and video of the event.
The organisation may gather your Personal Information directly; or using a third-party race entry or timing provider. Race entry and timing providers have their own privacy policies and that the club do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these services.
All personal data gathered during the event will be held by the Race Organiser and may be processed by Race Officials (including registration officials and marshals). This data will be processed by the Race Officials for the duration of the event and held for up to six months by the Race Organiser, after which it will be securely destroyed. Timing and results data may be held indefinitely.
This data may be used for:
- sharing with the Race Organiser and Race Officials for operating the race or running event;
- sharing with the Emergency Services and related organisations in case of emergency;
- sharing anonymised data with governing bodies and to promote the event;
- sharing data with Scottish Hill Runners, Scottish Athletics or any affiliated organisation for the purpose of insurance and licences;
- sharing data with trustees and committee members to provide information about the organisation’s activities; and
- publishing name, athletics club affiliation, race category and timing details either for the event alone or combined with or compared to other events.
For using the club website and the club email list:
The organisation operates a website and email list to assist with processing member information and providing additional functionality. In addition to those details required for membership and club management, operating the Club website and email list requires additional personal information, including a username; email address; and password. All precautions are taken to protect personal data processed through the website and email lists. Traffic is secured using SSL, the servers are located within the UK and kept up to date with security updates. The website is hosted with Maroculous IT Services and uses third party applications to provide additional functionality, including: WordPress; MailMan; Office365 for Non-Profits and their associated providers. These web service providers(s) have their own privacy policies and that the Club do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these services.
The data is processed by roles defined within the website structure, including Editors and Administrators. Administrators have full access to the WordPress installation and the data held and this level of access will be reserved for the webmaster and senior committee members only. Editors will have access to information regarding member generated web content.
Sending an email to named accounts associate with the Club may result in the details contained within and any associated electronic information including email addresses and IP info being distributed to several personal email accounts, including trustees, committee members and the whole club.
There is no obligation to use the Club website as part of membership or to join the Club e-mailing list to partake in Club events and activities.
Visitors to the Club website should acknowledge that they are providing information, including IP address, to the club web service provider: WordPress. WordPress has their own privacy policies and that the Club do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these services.
On social media
The organisation operates on social media including: Facebook; Instagram; Strava; and WhatsApp. All members are free to join these platforms. Social media providers(s) have their own privacy policies and that the organisation does not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these services.
Gathering data from non-members:
On occasion, the organisation may collect personal data from non-members (including non-member participants who participate in training sessions; participants in open races; and guests to social events). The Personal Data may be processed by the organisation and shared with event organisers for the purposes of arranging the event. This information will be stored for up to six months after an event and then destroyed securely. Our lawful basis for processing data is consent. Therefore, we will also need explicit consent from non-members to process this data, which we will ask for at the point of collecting it.
2) Who we share your personal data with and how we store your data
The Club processes and shares your Personal Data for specific purpose(s) as detailed in Section 1. The Club does not supply any Personal Data it holds to any other third party.The organisation administers personal data as far as is practicable using Office 365 for Non-Profit Organisations, which is secured and stored within the EU in line with GDPR regulations. Data is managed and edited online as far as is practicable. Data access is secured and managed by strictly defined roles within the organisation.
Office 365 GDPR compliance information: https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview
3) How long we hold your Personal Data
The organisation will hold your personal data on file for as long as you are a member with us and, for former members, the organisation will hold your name and leaving date for no more than seven years after termination of your membership.
For participants in events and activities, all your information is securely destroyed no more than six months after the event, except for data generated as part of a competition (including race timing data) that is held indefinitely.
4) Your rights regarding your Personal Data
As a Data Subject you may have the right at any time:
- to request access to, rectification or erasure of your Personal Data;
- to restrict or object to certain kinds of processing of your Personal Data, including direct marketing;
- to the portability of your personal data; and
- to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (https://ico.org.uk) about the organisation’s processing of your Personal Data.
As a data subject you are not obliged to share your personal data with the organisation. If you choose not to share your name and a contact detail with the organisation, we will not be able to register or administer your membership. If you choose not to share your other information with the organisation, we may not be able to include you in all of the organisation’s activities.