Wensleydale Railway plc Privacy Statement
The General Data Protection Regulation (EU) 2016/679 (hereafter referred to as GDPR) is a regulation in European Union law on data protection and privacy for all individuals in the European Union. It was adopted on April 27th 2016 and becomes enforceable on May 25th 2018.
The GDPR aims to give control back to citizens and residents over their personal data and how it is used.
This regulation will apply even after the proposed exit of the United Kingdom from the European Union in 2019.
The GDPR requires that personal data shall be:-
i) Processed lawfully, fairly and in a transparent manner in relation to individuals;
ii) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
iv) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
v) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
vi) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Under this regulation, the Wensleydale Railway plc is classified as the Data Controller and is, therefore, responsible for ensuring that data held by the Wensleydale Railway plc is processed according to the wishes of the persons providing data in accordance with the above principles.
Having read through this document if you have any queries about the data we hold and process or in the future need to contact us regarding any data issues then you can contact us by a variety of means:-
Mail:- Data Protection, The Wensleydale Railway plc, Leeming Bar Station, Leases Road, Leeming Bar, Northallerton, DL7 9AR
Website – www.wensleydalerailway.com
Telephone – 01677 425805
Scope of data processing
For the purposes of this document, the word processing is used to cover data collection, data storage, the retrieval, organisation and filing of data, the use of data including its replication and dissemination and also the deletion of data.
The Wensleydale Railway plc maintains records of persons who have supplied their personal details in connection with the following activities:
i) Administration of the activities of volunteers in running train services e.g. rostering, competence records
ii) Events held on the railway e.g. special train services such as Santa Specials
v) Resident Discount Card scheme
The types of data collected are the minimum required to achieve our processing requirements as outlined later in this notice.
These may include:-
Name, salutation, date of birth
Contact details – mail address, email address, telephone number, emergency contact details where necessary for safety reasons
Records of communications sent from the data controller to you and vice versa.
Data is retained only as long as we have a legal obligation to.
Use of your data
The Wensleydale Railway plc will only use your data in accordance with your expressed wishes which you may alter at any time by contacting us. Marketing information will only be provided where you have expressly given us permission to provide you with it.
We may use electronic tools to help us monitor and improve the effectiveness of our communications with you, including tracking whether the emails we send are opened and which links are clicked within a message. We may monitor visits to our website and use tools such as Google Analytics to improve our website and services.
We will not share your data with any other third party outside of the Wensleydale Railway plc and the WRA(T) group nor will not use any other third party to process your data without your permission, unless we are instructed to do so by a Court of Law.
Data security is important to us and we use up to date electronic methods of securing data held on our servers. Examples of this are firewalls to prevent external access to data and a rigorous system of restricting access to data according to the processing need couples with regularly changed complex passwords.
Data in traditional formats e.g. paper are held in locations where access is restricted to authorised personnel. Access to data in these locations is restricted according to the processing need as for electronic data.
Your rights under the GDPR
The GDPR grants you rights over the processing of data that you have provided to us.
These rights are:-
i Access. We will give you access to any of your data that we hold and in the form that you request (e.g. electronic, hard copy);
ii Rectification. If you find that any of your data that we hold is incorrect we will amend it (if your contact data changes you should tell us);
iii Erasure. If you request that we erase all or part of your information we will do so, providing we are not legally obliged to keep the information;
iv Restrict processing. If you wish to restrict the use of your information then we will do so in accordance with your wishes;
v Portability. Your data will not be shared with any organisation, other than the Wensleydale Railway Association (Trust) Ltd, or be sold to any other organisation without your consent;
vi Object. You have the right to object to any use of your data that we hold;
vii Use of automatic decision-making. We will not use any automated processing of your data without your permission
All requests will be dealt with within one month of receipt of the request and the Information Protection Officer will contact you to confirm that your request has been dealt with. There will generally be no charge for dealing with requests for any of the above items but we reserve the right to charge a fee when a request is manifestly unfounded or excessive, particularly if it is repetitive.
You may withdraw consent for anything that you have previously consented to without affecting any of your other rights to Wensleydale Railway plc facilities and services.
Your data will not be transferred to any other country or international organisation without your consent.
Breaches of security
We will monitor the security of your data and investigate any breaches of security taking appropriate action to rectify the issue. You will be informed if there is any breach of data security and actions that have been taken.
If you are not satisfied with the way your data is being processed by us you have the right to complain to the Information Commissioner’s Office who can be contacted through their website at https://ico.org.uk/ or by telephoning their Helpline on 0303 123 1113.
Please Note: From time to time we may use your information for new purposes not currently described in this statement.
If our information practices change some time in the future, we will ways publish our policy changes on the Wensleydale Railway website.