Privacy statement for the Society of Spanish Researchers in the United Kingdom (SRUK/CERU)
Who we are
SRUK/CERU is an independent and non-profit organisation without any political affiliation, created by and for researchers. SRUK/CERU was created in July 2011 to promote communication within the community of Spanish Researchers working in the United Kingdom by creating a social network that facilitates the sharing of professional and life experiences. The association has encouraged this communication via the establishment of Constituencies throughout the UK. The following statement provides an overview of the personal data management undertaken by the organisation.
SRUK/CERU collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) from 25 May 2018 and we are responsible as ‘controller’ of that personal information.
The personal information we collect and use
Information collected by us
Personal information means any information about an individual from which that person can be identified. It does not include information where the identity has been removed (anonymous information).
In the course of your time as a Member or Friend of SRUK/CERU, we may collect the following personal information which we have grouped together as follows:
- Identity Data includes first name and last name.
- Contact Data including current residential address.
- Special category data, such as health data, including dietary requirements of yourself and your guests
- Photographic record of volunteers
- Personal statements
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
How we use your personal information
We will use your personal information in order to provide information and services to you as Member or Friend of SRUK/CERU.
If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Compliance Manager (details below).
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who we share your personal information with
We may have to share personal information with the parties set out below for the purposes set out above. We work with third party service providers who provide development, hosting, maintenance, and other professional services for us which are integral to the provision of our service. These may include:
- External third parties – service providers based in the UK who provide support services for event hosting. This include venues and booking processors, such as Eventbrite.
- Data Centre Operators and Hosting Service Providers, for storing data and hosting the Services, such as Google, Dropbox, Mailchimp, Survey Monkey and website hosting provider
- Communications Services Providers, for services related to collection, storage or transmission of email, SMS or other electronic messages
- Payment service providers, such as Woocommerce (https://woocommerce.com/) and PayPal.
- Members of the media as part of the media comment matching service, only when you agree explicitly with this.
- Other University/industry-based colleagues who assist with disseminating surveys as part of the SRUK/CERU ongoing research programme and activities or with providing networking and other cooperation or professional opportunities to our members, only if you agree with this.
We require all third-party suppliers to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party suppliers to use our members’ personal information for their own purposes and only permit them to process member personal information for specified purposes and in accordance with our instructions.
How long your personal information will be kept
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the personal information and whether we can achieve those purposes through other means and any applicable legal requirements.
Our current retention schedules are:
- Data of members who do not renew with us – PII retained for two years after their last membership.
- Data of unsuccessful applications for funding – PII kept for six months after the notification of outcome to the applicants.
- Data of successful applications for funding – PII kept for 18 months after the notification of outcome to the applicants.
- Surveys: Keep data for 12 months after the day the survey was closed, unless the data can be retained under Article 89, pertaining to “safeguards and derogations relating to processing for archiving purposes in public interest, scientific or historical research purpose or statistical research”. Each survey is reviewed independently, and retention agreed.
Basis for collection and use of your personal information
The table below describes the types of personal information we will use in relation to your time as a Member of SRUK/CERU, and the legal basis we rely on to do so.
|Purpose||Type of Data||Lawful Basis|
|To support your membership of SRUK/CERU||(a ) Identity
(b ) Contact
|Legitimate interest for the effective management of your membership|
|Learn Members/Friends interests and aspirations||(e ) Personal statement||Legitimate interest – to ensure that the Member has the opportunity to fully participate (b) Ascertain any areas of mutual interest that will enhance the Members time within the organisation and support the aims of the SRUK/CERU|
|Management of event arrangements||(e ) Special category data||Consent – Special Category Data requires a condition for processing. We will process this data under condition A listed in Article 9(2) of the GDPR|
|Support applications to become mentor/mentoree||(a ) Identity
(d ) Personal statement
|Legitimate interest – support the membership of the organisation and the fulfilment of its aims and legacy|
|Photography to promote interests of the organisation||(f ) Photographic images||Legitimate interest – inclusion on website with volunteer bios, in newsletters and other promotional material that demonstrate the work of the organisation to stakeholders|
|Access to Membership online community||(a ) Identity||Legitimate interest – provision of online portal for Members to manage their membership requirements|
|Matching service for media statements||(a ) Identity
(b ) Contact
|Legitimate interest. Promote the work for SRUK/CERU|
|Email of renewal of fee statements||(b ) Contact||Legitimate interest – To ensure the effective management of the Members community and fee generation|
|Newsletters promoting the work and forthcoming events of SRUK/CERU||(b) Contact||Legitimate interest – to ensure Members/Friends are aware of work of the organisation and opportunities to participate|
|Surveys to obtain opinions of SRUK/CERU Members||(b) Contact||These surveys may contain requests for special category information. When the survey contains special category information AND PII, the data will be processed under Condition (j) of Article 9 of the GDPR|
|Grant applications for funding||(a ) Identity
(b ) Contact
(e ) Personal statement
|Legitimate interest – To provide grant funding to applicants who successful complete the application process|
Note: we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your information.
- Right of access – you have the right to request a copy of the information that we hold about you. Under the GDPR, there is no longer a charge for a Subject Access Request.
- Right of rectification – you have a right to correct information that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the information we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the information we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: in the event that the Company refuses your request for access. We will provide you with a reason why and you have the right to complain as outlined below.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (‘ICO’) on individuals’ rights under GDPR.
If you would like to exercise any of those rights, please:
- Email, call or write to us. All requests should be addressed to our Data Compliance Manager (details below)
- let us have enough information to identify you
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- let us know the information to which your request relates.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Keeping your personal information secure
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How to contact us and complaints
SRUK/CERU is the controller and responsible for collecting your personal information. Our Data Compliance Manager can be contacted directly here:
- Name and position in SRUK/CERU: Secretary of SRUK/CERU
- Email: [email protected]