Privacy statement for the Society of Spanish Researchers in the United Kingdom (SRUK/CERU)

Who are we?

SRUK/CERU is an independent and non-profit organisation without any political affiliation, created by and for researchers. SRUK/CERU was created in July 2011 to promote communication within the community of Spanish Researchers working in the United Kingdom by creating a social network that facilitates the sharing of professional and life experiences. The association has encouraged this communication via the establishment of Constituencies throughout the UK. The following statement provides an overview of the personal data management undertaken by the organisation.

SRUK/CERU collects, uses, and is responsible for certain personal information about you. When we do so, we are regulated under the General Data Protection Regulation (GDPR), which applies across the European Union (including in the United Kingdom) from the 25^th of May 2018, and we are responsible as ‘controller’ of that personal information.

 

Personal information we collect and use

Information collected by us

Personal information means any information about an individual from which that person can be identified. It does not include information where the identity has been removed (i.e., anonymous information).

In the course of your time as a Member of SRUK/CERU, we may collect the following personal information which we have grouped together as follows:

1. Identity data, which includes first name and last name.
2. Contact data, including current residential address.
3. Special category data, such as health data, which included dietary requirements of yourself and your guests.
4. Photographic record of volunteers.
5. Personal statements.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

 

How do we use your personal information?

We will use your personal information to provide you with tailored information and services as a Member of SRUK/CERU.

If we need to use your personal information for an unrelated purposes, we will notify you and we will explain the legal basis which allows us to do so. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Compliance Manager (details below).

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Who do we share your personal information with?

We may have to share personal information with the parties set out below for the purposes set out above. We work with third party service providers who provide development, hosting, maintenance, and other professional services for us which are integral to the provision of our service. These may include:

• External third parties – service providers based in the UK who provide support services for event hosting. These include venues and booking processors, such as Eventbrite.
• Data Centre Operators and Hosting Service Providers, for storing data and hosting the Services, such as Google, Dropbox, Mailchimp, Survey Monkey, and website hosting provider
• Communications Services Providers, for services related to collection, storage or transmission of email, SMS or other electronic messages
• Payment service providers, such as Woocommerce (https://woocommerce.com/) and PayPal.
• Members of the media as part of the media comment matching service, only when you agree explicitly with this.
• Other University/industry-based colleagues who assist with disseminating surveys as part of the SRUK/CERU ongoing research programme and activities or with providing networking and other cooperation or professional opportunities to our members, only if you agree with this.

We require all third-party suppliers to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party suppliers to use our members’ personal information for their own purposes and only permit them to process member personal information for specified purposes and in accordance with our instructions.

SRUK/CERU does not transfer your information outside the European Economic Area (EEA). If one of our third-party suppliers transfers personal data to a non-EU countries, we will ensure the personal data is protected by us as described in this Privacy Policy, and we will ensure that the service providers concerned are working with us under GDPR-compliant processing agreements.

 

How long will your personal information be kept for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the personal information and whether we can achieve those purposes through other means and any applicable legal requirements.

Our current retention schedules are:

• Data of members who do not renew with us – PII retained for two years after their last membership.
• Data of unsuccessful applications for funding – PII kept for six months after the notification of outcome to the applicants.
• Data of successful applications for funding – PII kept for 18 months after the notification of outcome to the applicants.
• Surveys: Keep data for 12 months after the day the survey was closed, unless the data can be retained under Article 89, pertaining to “safeguards and derogations relating to processing for archiving purposes in public interest, scientific or historical research purpose or statistical research”. Each survey is reviewed independently, and retention agreed.

 

Basis for collection and use of your personal information

The table below describes the types of personal information we will use in relation to your time as a Member of SRUK/CERU, and the legal basis we rely on to do so.

Purpose	Type of Data	Lawful Basis
To support your membership of SRUK/CERU	(a) Identity (b) Contact	Legitimate interest for the effective management of your membership
Learn Members interests and aspirations	(e) Personal statement	Legitimate interest – to ensure that the Member has the opportunity to fully participate (b) Ascertain any areas of mutual interest that will enhance the Members time within the organisation and support the aims of the SRUK/CERU
Management of event arrangements	(e) Special category data	Consent – Special Category Data requires a condition for processing. We will process this data under condition A listed in Article 9(2) of the GDPR
Support applications to become mentor/mentee	(a) Identity (d) Personal statement	Legitimate interest – support the membership of the organisation and the fulfilment of its aims and legacy
Photography to promote interests of the organisation	(f) Photographic images	Legitimate interest – inclusion on website with volunteer bios, in newsletters and other promotional material that demonstrate the work of the organisation to stakeholders
Access to Membership online community	(a) Identity	Legitimate interest – provision of online portal for Members to manage their membership requirements
Matching service for media statements	(a) Identity (b) Contact	Legitimate interest. Promote the work for SRUK/CERU
Email of renewal of fee statements	(b) Contact	Legitimate interest – To ensure the effective management of the Members community and fee generation
Newsletters promoting the work and forthcoming events of SRUK/CERU	(b) Contact	Legitimate interest – to ensure Members are aware of work of the organisation and opportunities to participate
Surveys to obtain opinions of SRUK/CERU Members	(b) Contact	These surveys may contain requests for special category information. When the survey contains special category information and PII, the data will be processed under Condition (j) of Article 9 of the GDPR
Grant applications for funding	(a) Identity (b) Contact (e) Personal statement	Legitimate interest – To provide grant funding to applicants who successful complete the application process

 

Note: We may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your information.

 

Your rights

• Right of access – you have the right to request a copy of the information that we hold about you. Under the GDPR, there is no longer a charge for a Subject Access Request.
• Right of rectification – you have a right to correct information that we hold about you that is inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the information we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
• Right of portability – you have the right to have the information we hold about you transferred to another organisation.
• Right to object – you have the right to object to certain types of processing such as direct marketing.
• Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
• Right to judicial review – in the event that the Company refuses your request for access, we will provide you with a reason why this has happened, and you will have the right to complain as outlined below.

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (‘ICO’) on individuals’ rights under GDPR.

If you would like to exercise any of those rights, please:

• Email, call or write to us. All requests should be addressed to our Data Compliance Manager (details below).
• Let us have enough information to identify you.
• Let us have proof of your identity and address (a copy of your driving license or passport and a recent utility or credit card bill).
• Let us know the information to which your request relates.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

Keeping your personal information secure

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

How can you contact us?

SRUK/CERU is the controller and responsible for collecting your personal information. Our Data Compliance Manager can be contacted directly:

• Name and position in SRUK/CERU: Secretary of SRUK/CERU.
• Email: [email protected].
• Telephone: (+44) 20 3239 6967, Monday to Friday from 9h to 15h.