Privacy policy document

DATA PROTECTION POLICY
General Statement of the Classic 2CV Racing Club Ltd (The Company)’s Duties and Scope:

The Company is required to process relevant personal data regarding members as part of its operation and shall take all reasonable steps to do so in accordance with this policy.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards, and to comply with the law.

Definitions:
The Company – the Classic 2CV Racing Club Limited.
Data subject – an individual who is the subject of the personal data
BARC – The British Automobile Racing Club

Relevant legislation:
Along with our internal computer systems, this website is designed to comply with the following national and international legislation with regards to data protection and user privacy:

UK Data Protection Act 1988 (DPA)
EU Data Protection Directive 1995 (DPD)
EU General Data Protection Regulation 2018 (GDPR)

The Company recognises The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) adopted 27 April 2016, the two-year transition period and the application date of 25 May 2018 and is actively working towards compliance with that directive.

The Principles:
The Company shall, so far as is reasonably practicable, comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure all data is:-
• Fairly and lawfully processed
• Processed for specific, lawful purposes
• Adequate, relevant and not excessive
• Accurate and kept up to date
• Not kept for longer than necessary
• Processed in accordance with the rights of the data subject
• Stored securely and appropriately
• Not transferred to other non-EU countries without adequate protection

Personal information that this website collects:
– Names, addresses and contact information (phone numbers, email addresses, etc) and other identifying information such as licence numbers of club members – for the purposes of maintaining our membership database and arranging race entries through the BARC.

– The Company’s website uses Google Analytics (GA) to track user interaction through the site. Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this. We consider Google to be a third party data processor.

– Email addresses of additional “interested parties” that sign up to our newsletter, wishing to receive more information through MailChimp (which again we consider to be a third party data processor), or our contact forms so that we may address their questions directly. Email addresses and usernames are also recorded by our forum software if a data subject has registered to the discussion forum.

Processing of Personal Data:
Personal data will remain confidential and will only be disclosed to third parties with appropriate consent. Personal data will be shared with the British Automobile Racing Club (BARC) for the purposes of organising race entries.

The Company may contact data subjects to disseminate information or gather information. Data subjects have the right to request an opt-out to these activities, which must be respected.

Rights of Access to Information:
Data subjects have the right of access to information held by the Company, subject to the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the Company. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 40 days. The information will be imparted to the data subject as soon as is reasonably possible after it has come to the Company’s attention and in compliance with the relevant Acts.

Accuracy and right to be forgotten:
The Company will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the Company of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased.

External Processors:
The Company will ensure that data processed by external processors, for example, race organisers, service providers, Cloud services (including storage), web sites etc. are compliant with this policy and the relevant legislation.

Secure Destruction:
When data held in accordance with this policy is destroyed, it will be destroyed securely in accordance with best practice at the time of destruction.

Retention of Data:
The Company may retain data for differing periods of time for different purposes as required by statute or best practices. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. Data is retained in a database on a server which is hosted inside a secure facility in the UK.

Security of data:
All traffic (transfer of data) between this website and your browser is encrypted and delivered over a secure connection. All personal data stored in the database is delivered over a secure connection.

Our third party data processors:
We sometimes use third parties to process personal data on our behalf. These third parties have been carefully chosen and all of them comply with the legislation set out above. All of these third parties are based in the USA and are EU-U.S. Privacy Shield compliant, except Xilo which is based in the UK. They are:

Google (Privacy policy)
Mailchimp (Privacy policy)
Xilo (web hosting) (Privacy policy)