.png){kind=logo}
Privacy Policy
Lymington & District Chamber of Commerce & Industry, Google Analytics Cookies & the Cookie Law
In response to the May 2011 law relating to website privacy and the use of cookies this page explains how and why Lymington & District Chamber of Commerce & Industry uses them and how a visitor to the Lymington & District Chamber of Commerce & Industrywebsite can control their use.
The Lymington & District Chamber of Commerce & Industry website uses Google Analytics to gather non-personal information on our visitors in order to determine how many visits our website is receiving at any given time. This is done through the use of ‘cookies’ and code which is embedded on our web pages. If you wish to reject the cookies on our website, you will need to turn off cookies in your browser. You can find instructions on how to reject cookies in different browsers here. Please note that rejecting cookies may mean that some sites will not function correctly.
Google’s explanation of the Analytics service is as follows:
Google Analytics is a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
Personal Data Protection Policy
Purpose, Scope and Users
The Lymington and District Chamber of Commerce and Industry, hereinafter referred to as the “Company”, strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.
This Policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of The Company.
Reference Documents
-
EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
-
Employee Personal Data Protection Policy
-
Data Retention Policy
-
Data Protection Officer Job Description
-
Guidelines for Data Inventory and Processing Activities
-
Data Subject Access Request Procedure
-
Data Protection Impact Assessment Guidelines
-
Cross Border Personal Data Transfer Procedure
-
Breach Notification Procedure
Definitions
The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:
Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject“) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.
Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;
Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;
Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers includes conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.
“Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
“Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
Group Undertaking: Any holding company together with its subsidiary.
Basic Principles Regarding Personal Data Processing
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Lawfulness, Fairness and Transparency
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
Storage Period Limitation
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.
Accountability
Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, an organisation should build data protection into its business activities.
Notification to Data Subjects
(See the Fair Processing Guidelines section.)
Data Subject’s Choice and Consent
(See the Fair Processing Guidelines section.)
Collection
The Company must strive to collect the least amount of personal data possible. If personal data is collected from a third party, the Communications Director (“The Data Protection Officer”), must ensure that the personal data is collected lawfully.
Use, Retention, and Disposal
The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. The Communications Director is responsible for compliance with the requirements listed in this section.
Disclosure to Third Parties
Whenever the Company uses a third-party supplier or business partner to process personal data on its behalf, the Communications Director must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks. For this purpose, the Processor GDPR Compliance Questionnaire must be used.
The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify its respective responsibilities of and the third party in the relevant contract or any other legal binding document, such as the Supplier Data Processing Agreement .
Cross-border Transfer of Personal Data
Before transferring personal data out of the European Economic Area (EEA) adequate safeguards must be used including the signing of a Data Transfer Agreement, as required by the European Union and, if required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in Cross Border Data Transfer Procedure.
Rights of Access by Data Subjects
When acting as a data controller, the Communications Director is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. The Communications Director is responsible to ensure that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals .
Right to be Forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of its personal data. When the Company is acting as a Controller, the Communications Director must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.
Fair Processing Guidelines
Personal data must only be processed when explicitly authorised by the Communications Director.
The Company must decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines .
Notices to Data Subjects
At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, the Communications Director is responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. This information is provided through Privacy Notice.
Where personal data is being shared with a third party, the Communications Director must ensure that data subjects have been notified of this through a Privacy Notice.
Where personal data is being transferred to a third country according to Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which entity personal data is being transferred.
Where sensitive personal data is being collected, the Communications Director must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal data is being collected.
Obtaining Consents
Whenever personal data processing is based on the data subject’s consent, or other lawful grounds, the Communications Director is responsible for retaining a record of such consent. The Communications Director is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
When requests to correct, amend or destroy personal data records, the Communications Director must ensure that these requests are handled within a reasonable time frame. The Communications Director must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Communications Director is responsible for complying with the rules in this paragraph.
Now and in the future, the Communications Director must ensure that collection methods are compliant with relevant law, good practices and industry standards.
The Communications Director is responsible for creating and maintaining a Register of the Privacy Notices.
Organization and Responsibilities
The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with the Company and has access to personal data processed by the Company.
The key areas of responsibilities for processing personal data lie with the following organisational roles:
The board of directors makes decisions about, and approves the Company’s general strategies on personal data protection.
The Communications Director, is responsible for managing the personal data protection program and is responsible for the development and promotion of end-to-end personal data protection policies, as defined in Data Protection Officer Job Description ;
The Company Secretary together with the Communications Director, monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their Personal data goals.
The Communications Director, is responsible for:
-
Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
-
Performing regular checks and scans to ensure security hardware and software is functioning properly.
The Communications Director, is responsible for:
-
Approving any data protection statements attached to communications such as emails and letters.
-
Addressing any data protection queries from journalists or media outlets like newspapers.
-
Where necessary, working with the Data Protection Officer to ensure marketing initiatives abide by data protection principles.
The Company Secretary is responsible for:
-
Improving all employees’ awareness of user personal data protection.
-
Organizing Personal data protection expertise and awareness training for employees working with personal data.
-
End-to-end employee personal data protection. It must ensure that employees’ personal data is processed based on the employer’s legitimate business purposes and necessity.
Response to Personal Data Breach Incidents
When the Company learns of a suspected or actual personal data breach, the Communications Director must perform an internal investigation and take appropriate remedial measures in a timely manner, according to the Data Breach Policy. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.
Audit and Accountability
The Board of Directors is responsible for auditing how well the Company implements this Policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which Lymington and District Chamber of Commerce and Industry operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
Data Retention Policy
Purpose, Scope and Users
This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within Lymington and District Chamber of Commerce and Industry (further: the “Company”).
This Policy applies to all business units, processes and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties.
This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and / or sensitive personal data). It is the responsibility of all of the above to familiarise themselves with this Policy and ensure adequate compliance with it.
This policy applies to all information used at the Company. Examples of documents include:
-
Emails
-
Hard copy documents
-
Soft copy documents
-
Video and audio
-
Data generated by physical access control systems
Reference Documents
-
EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
-
Personal Data Protection Policy
Retention Rules
Retention General Principle
In the event, for any category of documents not specifically defined elsewhere in this Policy (and in particular within the Data Retention Schedule) and unless otherwise mandated differently by applicable law, the required retention period for such document will be deemed to be one year from the date of creation of the document.
Retention General Schedule
The Communications Director, defines the time period for which the documents and electronic records should to be retained through the Data Retention Schedule.
As an exemption, retention periods within Data Retention Schedule can be prolonged in cases such as:
-
Ongoing investigations from Member States authorities, if there is a chance records of personal data are needed by the Company to prove compliance with any legal requirements; or
-
When exercising legal rights in cases of law suits or similar court proceeding recognized under local law.
Safeguarding of Data during Retention Period
The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes. The responsibility for the storage falls to the Communications Director.
Destruction of Data
The Company and its employees or representatives should therefore, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. See Appendix for the retention schedule. Overall responsibility for the destruction of data falls to the Communications Director
Once the decision is made to dispose according to the Retention Schedule, the data should be deleted, shredded or otherwise destroyed to a degree equivalent to their value to others and their level of confidentiality. The method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic deletion; some expired or superseded contracts may only warrant in-house shredding. The Document Disposal Schedule section below defines the mode of disposal.
In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Communications Director subcontracts for this purpose. Any applicable general provisions under relevant data protection laws and the Company’s Personal Data Protection Policy shall be complied with.
Appropriate controls shall be in place that prevent the permanent loss of essential information of the company as a result of malicious or unintentional destruction of information – these controls are described in information security policies .
The Communications Director shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.
Breach, Enforcement and Compliance
The person appointed with responsibility for Data Protection (the Communications Director) has the responsibility to ensure that the Company complies with this Policy.
Any suspicion of a breach of this Policy must be reported immediately to the Communications Director. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to the Company’s reputation, personal injury, harm or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Company premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Document Disposal
Routine Disposal Schedule
Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:
-
Announcements and notices of day-to-day meetings and other events including acceptances and apologies;
-
Requests for ordinary information such as travel directions;
-
Reservations for internal meetings without charges / external costs;
-
Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips and similar items that accompany documents but do not add any value;
-
Message slips;
-
Superseded address list, distribution lists etc.;
-
Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts or extracts from databases and day files;
-
Stock in-house publications which are obsolete or superseded; and
-
Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organizations.
In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation .
Destruction Method
Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.
Level II documents are proprietary documents that contain confidential information such as parties’ names, signatures and addresses, or which could be used by third parties to commit fraud, but which do not contain any personal data. The documents should be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.
Level III documents are those that do not contain any confidential information or personal data and are published Company documents. These should be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.
Validity and document management
This document is valid as of 18/05/2018.
The owner of this document is the Communications Director, who must check and, if necessary, update the document at least once a year.
Appendices
Personal data record category& Mandated or designated retention period
Supplier contracts: Seven years after contract is terminated
Member records: One year and three months from signup date if member does not renew subscription.
Email records from non-members: Perpetual unless consent rescinded by data owner, renewed consent will be sought for any proposed change of circumstances or use.
Data Privacy Notice
What we need
Our Personal Data Protection Policy governs the use and storage of your data.
Lymington and District Chamber of Commerce and Industry is a Controller of the personal data you (data subject) provide us. We may collect the following types of personal data from you:
-
Company or Business name
-
Your Name
-
Address
-
Email Address(s)
-
Telephone and/or Mobile number
-
Description of Business
-
Subscription payment
-
Date of subscription payment
-
Dietary requirements
Why we need it
We need your personal data in order to provide you with the following services:
-
Membership of the Lymington and District Chamber of Commerce and Industry
-
Membership of Hampshire Chamber of Commerce
-
Notifications of events or business-related information
-
Attendance at events
-
Correct dietary requirements at events
What we do with it
Your personal data is processed by Lymington and District Chamber of Commerce and Industry representatives located in the United Kingdom. Hosting and storage of your data takes place on lymington.biz which is located in the United Kingdom. It is hosted by SiteGround and you can view their privacy policy at https://www.siteground.co.uk/privacy.htm
We share members contact information with the Hampshire Chamber of Commerce to enable them to send information pertinent to membership of that organisation.
Our accounts are managed by MJC Bookkeeping Limited who keep our records in a secure environment in the UK.
No third-party providers have access to your data, unless specifically required by law.
How long we keep it
Under UK law, we are required to keep your documents for one year according to the Data Retention Policy. After this period, your personal data will be irreversibly destroyed should you decide not to re-subscribe to membership. Any personal data held by us for marketing and service update notifications will be kept by us until such time that you notify us that you no longer wish to receive this information. Please see Data Retention Policy for more information on our personal data retention schedule.
What are your rights?
Should you believe that any personal data we hold on you is incorrect or incomplete, you have the ability to request to see this information, rectify it or have it deleted. Please contact us through our contact page.
You may also change details of the information you submitted to us on joining the Chamber by logging into your account.
In the event that you wish to complain about how we have handled your personal data, please contact LDCCI Communications Director at admin@lymington.biz or in writing at Lymington and District Chamber of Commerce and Industry, 75 High Street, Lymington, Hampshire SO41 9YY United Kingdom. Our Communications Director will then look into your complaint and work with you to resolve the matter.
If you still feel that your personal data has not been handled appropriately according to the law, you can contact the Information Commissioners Office https://ico.org.uk/ and file a complaint with them.