General Data Protection Regulation (GDPR) and AARG
Prepared and approved by the AARG Committee
This document explains our responsibilities with respect to GDPR, describes how we discharge them in a compliant manner and informs you of your rights under the new legislation.
What is GDPR?
GDPR expands existing Data Protection Regulations and widens their scope. It requires that personal data on members (“data subjects”) must be:
· processed lawfully, fairly and in a transparent manner in relation to individuals;
· collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
· adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
· accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
· kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
· processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How does AARG comply?
Under the legislation, AARG becomes the ‘Data Controller’ for the personal data it holds on current members and past members. That data is held within a membership spreadsheet (referred to as the 'database') compiled and controlled by the AARG Secretary. Our policy for compliance with GDPR is as follows:
· AARG has a legitimate reason to hold your personal data: AARG holds personal data to allow it to service members in regard to subscriptions, event organisation and general communications. We retain ex-members’ personal data to allow us to re-engage with them to entice them to re-join. Personal data relating to all non-members will be addressed as defined in item (vi) below on or before 25th May 2018 when the new regulations come into force.
· AARG holds your personal data securely: All of AARG’s membership and ex-membership is the AARG membership spreadsheet.
· AARG uses your personal data responsibly: AARG uses the personal data it holds solely for the purposes of administering the Club. AARG does not disclose, share, sell or otherwise distribute personal data in its database, with the exception that Name and Callsign are included in the membership listing on the AARG public website. If a member wishes to have his name excluded from the membership listing on the AARG website he should inform the AARG secretary, who will then notify the AARG website webmaster. It should be noted that this information is available on other public amateur radio data sources, e.g. QRZ.COM, Callbooks etc.
· AARG allows those whose data we keep to know what we keep and why: AARG keeps the following personal data for entries on the database (note that not all entries have all of the following fields completed): Full name and title, salutation (on air name), primary callsign, other callsign(s), postal address, e-mail address, telephone number(s), information related to subscription.
· At present, some personal data we keep on members, with the exception of any notes added to a record by Administrators, has been obtained either directly from the member or from publicly available sources (e.g. callbooks, QRZ.com etc.). Under GDPR, we will be retaining this data as it is necessary for AARG and in the interests of the individual member.
· AARG allows those whose personal data we keep to request some or all of it to be updated or deleted: Only the AARG secretary can delete data from the database. If any person would like personal data removed from their database record they should contact the AARG secretary at derek.secaarg@gmail.com. Members may access and update their own primary data by contacting the AARG secretary. This is also how any inaccuracies or changes in your personal data can be updated. AARG committee members who have access to any data are legally required to comply with all of the conditions of GDPR. Whilst it is the right of any person to have their personal data deleted, removal of personal data that would result in AARG being unable to service a membership or which would create a significant ongoing load on any of our volunteers may result in that person’s membership being suspended.
Some AARG members have signed up to the AARG groups.io forum, which is a separate web-based 'members only' forum. AARG members can register if they so wish, setting their own passwords, which are not visible to any other users including the forum Administrator. A copy of the AARG GDPR will be posted on the forum and the same rules will apply. However, it should be noted that members have total control of their personal data and can remove themselves from the forum at any time.
· AARG does not retain personal data for longer than is necessary for the reasons it was held in the first place: This is not something we have considered before but now need to. The AARG Committee believe the following periods to be reasonable to allow it to function in a responsive manner:
· Members: All data to be retained for the period of their membership
· Ex-Members: All data to be retained for seven years after cessation of membership
· AARG has a nominated Data Protection Officer: The Data Protection Officer will be the AARG Secretary, who may be contacted at derek.secaarg@gmail.com
· The Data Protection Officer will be responsible for informing the Information Commissioner's Office within 72 hours, if there is a suspected breach of security affecting personal data.
What needs to be done by 25th May 2018?
The action on AARG secretary is to delete personal data on ex-members where that data is aged by the amounts shown in (vi) above. This will be completed before the deadline.
What do members & ex-members need to do?
If you are content for AARG to hold the personal data we do, then nothing. If you would like to see any data we hold on you, or require any of that data to be updated or deleted, then please contact derek.secaarg@gmail.com.