CRAIGIEVAR ASSOCIATION AND HALL
DATA PROTECTION AND PRIVACY POLICY (GDPR COMPLIANT)
1. Introduction
Craigievar Association and Hall (“the Association”) is committed to protecting personal data and handling it responsibly in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and guidance issued by the Office of the Scottish Charity Regulator (OSCR).
This policy explains how we collect, use, store and protect personal data in connection with our activities, including community events, private bookings, and communications.
2. Who We Are
Craigievar Association and Hall is a Scottish charity/community organisation managed by a Committee/Board of approximately 20 Trustees. The Trustees are collectively responsible for ensuring compliance with data protection laws.
Contact for data protection matters:
Penny Fuller at Craigievarcah@gmail.com
3. What Personal Data We Collect
We may collect and process the following types of personal data:
a) Event Attendees
· Name
· Email address
· Booking details (e.g. tickets for quiz nights, ceilidhs)
b) Private Hall Bookings
· Name
· Email address
· Phone number
· Event details (e.g. birthday party, meeting)
· Payment/booking information (where applicable)
c) Committee Members/Trustees
· Contact details
· Role information
d) Website and Social Media Users
· Names/usernames (if interacting with us)
· Messages or enquiries sent via:
    o Website contact forms
    o Facebook
    o Instagram
4. How We Collect Data
We collect personal data through:
· Event booking platforms (e.g. Bookwhen)
· Direct email communication
· Website contact forms
· Social media platforms (Facebook and Instagram)
· In-person sign-ups or enquiries
5. Lawful Basis for Processing
We process personal data under the following lawful bases:
· Consent – e.g. for email communications about events
· Contract – e.g. processing bookings for hall hire or ticketed events
· Legitimate Interests – e.g. managing events and communicating with attendees
· Legal Obligation – e.g. financial record keeping
6. How We Use Personal Data
We use personal data to:
· Manage event bookings and attendance
· Administer hall hire and private bookings
· Communicate with attendees and users
· Promote events (where consent has been given)
· Maintain records for operational and legal purposes
We will not sell or share personal data for marketing purposes.
7. Third-Party Processors
We use trusted third-party services to help run our activities, including:
· Bookwhen – for event and booking management
· Email providers – for communication
· Social media platforms (Facebook and Instagram)
· Website hosting providers
These providers process data on our behalf and are expected to comply with GDPR.
8. Data Storage and Security
We take appropriate steps to protect personal data, including:
· Secure email accounts and password protection
· Limited access to data (only relevant Trustees)
· Use of reputable third-party platforms
· Avoiding unnecessary data retention
9. Data Retention
We retain personal data only as long as necessary:
· Event booking data: typically up to 2 years
· Financial records: up to 6 years (legal requirement)
· Email contacts: until consent is withdrawn or no longer needed
Data is securely deleted when no longer required.
10. Your Rights
Under data protection law, individuals have the right to:
· Access their personal data
· Request correction of inaccurate data
· Request deletion of their data
· Restrict or object to processing
· Withdraw consent at any time
Requests should be made using the contact details in Section 2.
11. Social Media and Website
Our Facebook and Instagram pages and website may collect limited user data (e.g. via messages or cookies). Users should also refer to the privacy policies of those platforms.
We do not control how third-party platforms use data.
12. Data Breaches
Any data breach will be:
· Recorded and assessed promptly
· Reported to the Information Commissioner’s Office (ICO) where required
· Communicated to affected individuals if there is a high risk
13. Responsibilities of Trustees
All Trustees and Committee members must:
· Handle personal data responsibly
· Only access data necessary for their role
· Keep data secure
· Report any concerns or breaches immediately
This supports compliance with OSCR governance expectations.
14. Policy Review
This policy will be:
· Reviewed annually, or sooner if required
· Updated in response to legal or operational changes
· Approved by the Committee/Trustees
Last Reviewed: 05/06/26
Next Review Due: 05/06/27
15. Approval
This policy was approved by the Committee/Trustees of Craigievar Association and Hall.
Signed: Frances Glass
Name: Frances Glass
Role: Chairperson
Date: 05/06/26
End of Policy