Data protection policy

During the course of running Antinormality Club, we collect, store and use personal data. This policy explains what data we collect, how we handle and store it, and how we use it.

Data protection principles

We are committed to processing data in accordance with our responsibilities under the General Data Protection Regulation (GDPR). Article 5 of the GDPR requires that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals

  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

  • accurate and, where necessary, kept up to date

  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. 

This policy applies to all data that we process.

Anna Fielding is responsible for ensuring our ongoing compliance with this policy and we will review this policy at least annually.

Lawful, fair and transparent processing

To ensure our processing of data is lawful, fair and transparent, we maintain a register of data held. This register is reviewed at least annually.

Individuals have the right to access their personal data and any such requests made to Antinormality Club will be dealt with in a timely manner.

Lawful purposes

 All data must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The lawful basis for each type of information is noted in the data register.

Special category data (sensitive personal information) will be processed on the basis of consent.

Where consent is the lawful basis for processing data, we will keep evidence of opt-in consent.

Where communications are sent to individuals based on their consent, the option to revoke consent must be made clearly available, and systems should be in place to ensure this revocation is reflected accurately and promptly in our systems.

Data minimisation 

We will ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

We will take all reasonable steps to ensure personal data is accurate.

Where necessary for the lawful basis on which data is processed, steps will be put in place to ensure that personal data is kept up-to-date.

Archiving/removal

To ensure that personal data is kept for no longer than necessary, we will create an archiving policy for each type of personal data. We will review this process annually.

The archiving policy will consider what data should/must be retained, for how long, and why. This information will be noted in the data register.

Individuals have the right to request the deletion of their personal data and any such requests made to us will be dealt with in a timely manner. If an individual requests that their data be deleted, all data relating to that individual will be deleted permanently and irrevocably, including data held by third parties.

Security

We will ensure that personal data is stored securely using modern software that is kept up-to-date, and is backed up securely. Further details of our data security procedures are available on request.  

We will not disclose personal data about Antinormality Club members or subscribers to other individuals or organisations, unless you have consented for us to do so, or we are required to do so by law.

When personal data is deleted this will be done securely, so that the data is irrecoverable.

Third-party processors

We use a small number of third-party processors to collect, process and store our data. These are noted in the data register.

Third-party processors must conform to the requirements of GDPR, including those which are based outside of the European Economic Area. We will keep a record of GDPR compliance statements from these third-party processors.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, we will promptly assess the risk to people’s rights and freedoms, and if appropriate report this breach to the ICO.

Massive respect for reading all the way down to here. You are committed. I like it.