THIS POLICY HAS BEEN UPDATED IN LINE WITH GDPR REGULATIONS, WORDING MAY BE AMENDED IN FUTURE AND MEMBERS WILL BE NOTIFIED VIA THE WEBSITE OR THE NOTIFICATION SYSTEM WHEN UPDATES ARE AVAILABLE.
BASA’s Data Protection Mapping document outlines how BASA handles the data included in new member applications, and who the data is shared with. It also applies to existing members and new contacts that are added throughout a company’s membership. Our lawful basis for processing this data is that it is “necessary for a member’s legitimate interests” and information is sent to members that we feel is relevant to a specific role.
Data is only shared with individuals in your company the BASA Secretary and the BASA Administration Officer and is not shared with any non-members or other third parties apart from:
All BASA members have access to the Company profile and directory information that each member company chooses to declare for the annual Handbook and online open directory via their initial membership application and subsequent edits. Most data that is shared is shared directly between the member and the third-party provider and any data collected is only used to provide you with a service you have requested, or to provide information on an event you have booked.
New contact data is added to a simple excel spreadsheet stored on a cloud based secure server to receive information that has been requested, and/or information that we feel is of interest to that individual.
Data processed includes only contact and company name, job role, email address and telephone numbers, and a clear reason why we process and retain that data is recorded. In addition, relevant personal data gathered through attendance at meetings and events is retained (eg dietary requirements) and is shared only with organising and event venue staff.
Members can log in to their Membership Profile on BASA’s website and view, amend or remove the contact data that we hold, and view the Committees and Contact Groups that we believe are of interest to your role, and which form the basis of the communications sent to you. Alternatively, a request for such data to be viewed, amended or removed can be made by emailing: firstname.lastname@example.org or email@example.com.
Such data will usually be removed within three working days but will always be removed within one month of such written request being received.
Newsletters, information about events and other marketing communication will include the option to Unsubscribe from those communications. The Unsubscribe will usually be processed within three working days but will always be actioned within one month of such written request being received.
Each nominated member company data controller is able to immediately delete any of their company contacts from the website at any time by logging in to their account on the BASA website. If the BASA Secretariat are notified that an individual has left a company, the website will be updated so that no further information is sent to that person. New contacts should subscribe to the website by applying to an existing company via the login function. Contact data may be retained for up to ten years at which time it will be deleted, unless there is a legitimate reason for its further retention*. This includes data gathered about an individual when they register for a meeting or event.
As above, if a request is received for that data to be deleted this will usually be removed within three working days but will always be removed within one month of such written request being received.
Once a request has been made to remove contact data, this will be carried out by the BASA Secretary or BASA administration officer in the timescales noted above. This will involve permanent deletion from the website and permanent deletion from the master spreadsheet.
It is the responsibility of both the BASA Secretary and BASA Accounts Officer to ensure GDPR compliance and in case of query, contact firstname.lastname@example.org or email@example.com in the first instance.
For the purposes of GDPR, BASA is both a Data Processor and Data Controller, and as noted above our lawful basis for processing your data is that “the processing is necessary for your legitimate interests” as defined in clause 6(1)(f) of the legislation.
In the unlikely event of a data breach, Members will be notified as soon as we are aware of the breach and provided with details and steps that will be taken.
Information, advice and services are provided to Members as part of the membership subscription package and these are directly accessed via the members only website area and also via a notification system which sends a brief email summarising the working group documents in a weekly snapshot email and all other postings in a bi-weekly snapshot email. Members can choose to continue receiving either of these snapshot emails at any time, by logging on to the BASA website members area and clicking on the membership profile option on the left under their name.
From time to time, members may receive other communication from the BASA office as part of the day to day running of the work of the association (subscriptions, benefits, payments, working group activity, member company data controller responsibilities to maintain their company data) and this will continue as part of the Association Business.